公开(公告)号：US07564837B2

公开(公告)日：2009-07-21

申请号：US11364002

申请日：2006-03-01

申请人： Masahiro Komura ,  Kazumasa Omote ,  Yoshiki Higashikado ,  Masashi Mitomo ,  Bintatsu Noda ,  Satoru Torii

发明人： Masahiro Komura ,  Kazumasa Omote ,  Yoshiki Higashikado ,  Masashi Mitomo ,  Bintatsu Noda ,  Satoru Torii

IPC分类号： H04L12/66

CPC分类号： H04L63/145

摘要： A recording medium recording a network shutdown control program permitting suitable preventive measures to be taken. A detector monitors each network segment to be managed, and on detecting a communication fulfilling a predetermined condition, the detector generates a detection notification and sends the notification to a quarantine manager. On acquiring the detection notification generated by the detector of the local device or a detection notification generated by a remote network shutdown device, the quarantine manager generates a shutdown operation request in accordance with quarantine policy stored in a quarantine policy storage, and sends the request to a communication shutdown unit. In accordance with the shutdown operation request, the communication shutdown unit sets shutdown data identifying a target of shutdown and controls packets to be input to and output from the network segment so that the packets may be shut off or passed.

摘要翻译： 记录网络关闭控制程序的记录介质，允许采取适当的预防措施。 检测器监视要管理的每个网段，并且在检测到满足预定条件的通信时，检测器生成检测通知，并将该通知发送到隔离管理器。 在获取由本地设备的检测器产生的检测通知或由远程网络关闭设备生成的检测通知时，隔离管理器根据存储在隔离策略存储器中的隔离策略生成关闭操作请求，并将请求发送到 通信关闭单元。 根据关机操作请求，通信关机单元设置识别关机目标的关闭数据，并控制要从网段输入和输出的分组，使得分组可以被切断或通过。

公开(公告)号：US20070101404A1

公开(公告)日：2007-05-03

申请号：US11368429

申请日：2006-03-07

申请人： Yoshiki Higashikado ,  Masashi Mitomo ,  Masahiro Komura ,  Bintatsu Noda ,  Kazumasa Omote ,  Satoru Torii

发明人： Yoshiki Higashikado ,  Masashi Mitomo ,  Masahiro Komura ,  Bintatsu Noda ,  Kazumasa Omote ,  Satoru Torii

IPC分类号： H04L9/32

CPC分类号： H04L29/12924 ,  H04L29/12584 ,  H04L61/2596 ,  H04L61/6063 ,  H04L63/0236

摘要： In a network relay device, unauthorized access from an internal computer to an external network is detected, an unauthorized destination service port used for the unauthorized access is specified, and a substitute port is allocated. A service relay unit and the internal computer are instructed to use the substitute port instead of the unauthorized destination service port, and an unauthorized access notification is sent. Mutual conversion of the unauthorized destination service port and a substitute service port is carried out, to relay a packet between an internal network and the external network.

摘要翻译： 在网络中继装置中，检测到从内部计算机到外部网络的未经授权的访问，指定用于未经授权的访问的未经授权的目的地服务端口，并且分配替代端口。 指示服务中继单元和内部计算机使用替代端口而不是未经授权的目的地服务端口，并发送未经授权的访问通知。 执行未经授权的目的地业务端口和替代业务端口的相互转换，以在内部网络与外部网络之间转发数据包。

公开(公告)号：US20060291469A1

公开(公告)日：2006-12-28

申请号：US11348335

申请日：2006-02-07

申请人： Kazumasa Omote ,  Yoshiki Higashikado ,  Masahiro Komura ,  Bintatsu Noda ,  Masashi Mitomo ,  Satoru Torii

发明人： Kazumasa Omote ,  Yoshiki Higashikado ,  Masahiro Komura ,  Bintatsu Noda ,  Masashi Mitomo ,  Satoru Torii

IPC分类号： H04L12/56

CPC分类号： H04L63/1408 ,  H04L63/145

摘要： A computer-readable recording medium recording a worm detection program which is preferably usable for a large-scale network and is capable of detecting worm communication with little information. A worm detection device which runs this program has a switching hub function, and comprises five physical ports that are network interfaces, a communication acquisition section, and a worm detector, for example. The communication acquisition section acquires ICMP type3 (destination unreachable message) packets going out of the physical ports. The worm detector determines whether the packet communication is worm communication, based on information on the ICMP type3 packets obtained for each source MAC address by the communication acquisition section and worm criteria set for determining whether communication is worm communication.

摘要翻译： 记录蠕虫检测程序的计算机可读记录介质，其优选地可用于大规模网络，并且能够检测到具有很少信息的蠕虫通信。 运行该程序的蠕虫检测装置具有交换集线器功能，例如包括作为网络接口的五个物理端口，通信采集部分和蠕虫检测器。 通信获取部分获取离开物理端口的ICMP类型3（目的地不可达消息）。 蠕虫检测器基于通过通信获取部分针对每个源MAC地址获得的ICMP类型3分组的信息和用于确定通信是否是蠕虫通信的蠕虫标准来确定分组通信是否是蠕虫通信。

公开(公告)号：US08307445B2

公开(公告)日：2012-11-06

申请号：US12168281

申请日：2008-07-07

申请人： Bintatsu Noda ,  Kazumasa Omote ,  Yoshiki Higashikado ,  Masahiro Komura ,  Masashi Mitomo ,  Satoru Torii

发明人： Bintatsu Noda ,  Kazumasa Omote ,  Yoshiki Higashikado ,  Masahiro Komura ,  Masashi Mitomo ,  Satoru Torii

IPC分类号： H04L29/06

CPC分类号： H04L63/1408 ,  G06F21/50

摘要： An anti-worm program allows a computer to execute control of communication suspected as worm communication, the program allowing the computer to execute: a communication information acquisition step that acquires communication information which is information concerning communication from a target source; and a communication control step that has a control amount calculation formula for calculating the control amount of the communication from the target source using the communication information and performs control of the communication from the target source based on the communication control amount obtained using the control amount calculation formula.

摘要翻译： 防蠕虫程序允许计算机执行怀疑为蠕虫通信的通信的控制，所述程序允许计算机执行：通信信息获取步骤，获取作为来自目标源的通信的信息的通信信息; 以及通信控制步骤，具有控制量计算公式，用于使用所述通信信息从目标源计算通信的控制量，并且基于使用所述控制量计算获得的通信控制量来执行来自所述目标源的通信的控制 式。

公开(公告)号：US20080271148A1

公开(公告)日：2008-10-30

申请号：US12168281

申请日：2008-07-07

申请人： Bintatsu NODA ,  Kazumasa Omote ,  Yoshiki Higashikado ,  Masahiro Komura ,  Masashi Mitomo ,  Satoru Torii

发明人： Bintatsu NODA ,  Kazumasa Omote ,  Yoshiki Higashikado ,  Masahiro Komura ,  Masashi Mitomo ,  Satoru Torii

IPC分类号： G06F21/00

CPC分类号： H04L63/1408 ,  G06F21/50

摘要： An anti-worm program allows a computer to execute control of communication suspected as worm communication, the program allowing the computer to execute: a communication information acquisition step that acquires communication information which is information concerning communication from a target source; and a communication control step that has a control amount calculation formula for calculating the control amount of the communication from the target source using the communication information and performs control of the communication from the target source based on the communication control amount obtained using the control amount calculation formula.

摘要翻译： 防蠕虫程序允许计算机执行怀疑为蠕虫通信的通信的控制，所述程序允许计算机执行：通信信息获取步骤，获取作为来自目标源的通信的信息的通信信息; 以及通信控制步骤，具有控制量计算公式，用于使用所述通信信息从目标源计算通信的控制量，并且基于使用所述控制量计算获得的通信控制量来执行来自所述目标源的通信的控制 式。

公开(公告)号：US20060291490A1

公开(公告)日：2006-12-28

申请号：US11346243

申请日：2006-02-03

申请人： Kazumasa Omote ,  Yoshiki Higashikado ,  Masahiro Komura ,  Bintatsu Noda ,  Masashi Mitomo ,  Satoru Torii

发明人： Kazumasa Omote ,  Yoshiki Higashikado ,  Masahiro Komura ,  Bintatsu Noda ,  Masashi Mitomo ,  Satoru Torii

IPC分类号： H04L12/56

CPC分类号： H04L63/145

摘要： A computer-readable recording medium having recorded a worm determination program capable of reliably determining a worm-infected communication. A worm determination apparatus for executing the program includes a plurality of physical ports functioning as network connection ports, a communication-information-acquisition unit, and a worm determination unit. The communication-information-acquisition unit acquires information about a packet type, classified according to a transmission-source address. The worm determination unit determines whether a communication is performed by a worm, based on the information about the packet type, classified according to the transmission-source address, acquired by the communication-information-acquisition unit and a determination criterion used for determining whether a communication is performed by a worm.

摘要翻译： 一种记录了能够可靠地确定蠕虫感染通信的蠕虫确定程序的计算机可读记录介质。 用于执行程序的蠕虫确定装置包括用作网络连接端口的多个物理端口，通信信息获取单元和蠕虫确定单元。 通信信息获取单元获取关于根据发送源地址分类的分组类型的信息。 蠕虫确定单元基于由通信信息获取单元获取的根据发送源地址分类的关于分组类型的信息，以及用于确定是否由 通信由蠕虫执行。

公开(公告)号：US20070011745A1

公开(公告)日：2007-01-11

申请号：US11376083

申请日：2006-03-16

申请人： Masashi Mitomo ,  Yoshiki Higashikado ,  Masahiro Komura ,  Bintatsu Noda ,  Kazumasa Omote ,  Satoru Torii

发明人： Masashi Mitomo ,  Yoshiki Higashikado ,  Masahiro Komura ,  Bintatsu Noda ,  Kazumasa Omote ,  Satoru Torii

IPC分类号： G06F12/14

CPC分类号： H04L63/1425

摘要： A computer-readable recording medium recording a worm detection parameter setting program for setting an appropriate worm detection parameter for target environments. When a log reader loads a communication log created within a prescribed time period, a log classifier classifies the entries of the communication log into categories based on communication contents. A frequency distribution creator analyzes the entries of a category, counts the number of appearance of each worm detection parameter value for each object of a preset network unit, and creates frequency distribution information. A threshold derivation unit analyzes the frequency distribution information and derives a threshold value that is used for determining whether a worm is propagating. An output unit outputs to an output device the threshold value for the worm detection parameter for the category, together with the frequency distribution information created by the frequency distribution creator, thereby providing a user with the information.

摘要翻译： 记录用于针对目标环境设定适当的蠕虫检测参数的蠕虫检测参数设定程序的计算机可读记录介质。 当日志读取器加载在规定时间段内创建的通信日志时，日志分类器基于通信内容将通信日志的条目分类成类别。 频率分布创建者分析类别的条目，计算预设网络单元的每个对象的每个蠕虫检测参数值的出现次数，并且创建频率分布信息。 阈值导出单元分析频率分布信息并导出用于确定蠕虫正在传播的阈值。 输出单元向输出设备输出用于该类别的蠕虫检测参数的阈值以及由频率分布创建者创建的频率分布信息，从而向用户提供该信息。

公开(公告)号：US20070002838A1

公开(公告)日：2007-01-04

申请号：US11364002

申请日：2006-03-01

申请人： Masahiro Komura ,  Kazumasa Omote ,  Yoshiki Higashikado ,  Masashi Mitomo ,  Bintatsu Noda ,  Satoru Torii

发明人： Masahiro Komura ,  Kazumasa Omote ,  Yoshiki Higashikado ,  Masashi Mitomo ,  Bintatsu Noda ,  Satoru Torii

IPC分类号： H04L12/66

CPC分类号： H04L63/145

摘要： A recording medium recording a network shutdown control program permitting suitable preventive measures to be taken. A detector monitors each network segment to be managed, and on detecting a communication fulfilling a predetermined condition, the detector generates a detection notification and sends the notification to a quarantine manager. On acquiring the detection notification generated by the detector of the local device or a detection notification generated by a remote network shutdown device, the quarantine manager generates a shutdown operation request in accordance with quarantine policy stored in a quarantine policy storage, and sends the request to a communication shutdown unit. In accordance with the shutdown operation request, the communication shutdown unit sets shutdown data identifying a target of shutdown and controls packets to be input to and output from the network segment so that the packets may be shut off or passed.

摘要翻译： 记录网络关闭控制程序的记录介质，允许采取适当的预防措施。 检测器监视要管理的每个网段，并且在检测到满足预定条件的通信时，检测器生成检测通知，并将该通知发送到隔离管理器。 在获取由本地设备的检测器产生的检测通知或由远程网络关闭设备生成的检测通知时，隔离管理器根据存储在隔离策略存储器中的隔离策略生成关闭操作请求，并将请求发送到 通信关闭单元。 根据关机操作请求，通信关机单元设置识别关机目标的关闭数据，并控制要从网段输入和输出的分组，使得分组可以被切断或通过。

公开(公告)号：US20050091513A1

公开(公告)日：2005-04-28

申请号：US10822558

申请日：2004-04-12

申请人： Masashi Mitomo ,  Yoshiki Higashikado ,  Fumie Takizawa ,  Satoru Torii ,  Osamu Koyano

发明人： Masashi Mitomo ,  Yoshiki Higashikado ,  Fumie Takizawa ,  Satoru Torii ,  Osamu Koyano

IPC分类号： H04L12/66 ,  H04L9/00 ,  H04L29/06

CPC分类号： H04L63/10 ,  H04L63/1408 ,  H04L63/1416

摘要： An unauthorized access detection device capable of detecting unauthorized accesses which are made through preparation, in real time. When a packet travels on a network, a key data extractor obtains the packet and obtains key data. Next an ongoing scenario detector searches an ongoing scenario storage unit for an ongoing scenario with the key data as search keys. A check unit determines whether the execution of the process indicated by the packet after the ongoing scenario detected by the ongoing scenario detector follows an unauthorized access scenario being stored in an unauthorized access scenario storage unit. Then a report output unit outputs an unauthorized access report depending on the check result of the check unit.

摘要翻译： 一种未经授权的访问检测装置，能够通过准备来实时检测未经授权的访问。 当分组在网络上传播时，密钥数据提取器获得分组并获得密钥数据。 接下来，正在进行的情景检测器使用密钥数据作为搜索关键字来搜索正在进行的情景的持续场景存储单元。 检查单元确定在由正在进行的方案检测器检测到的进行方式之后由分组指示的处理的执行是否遵循未经授权的访问方案存储在未经授权的访问方案存储单元中。 然后报告输出单元根据检查单元的检查结果输出未经授权的访问报告。

公开(公告)号：US20050289649A1

公开(公告)日：2005-12-29

申请号：US11042353

申请日：2005-01-26

申请人： Masashi Mitomo ,  Yoshiki Higashikado ,  Fumie Takizawa ,  Satoru Torii ,  Osamu Koyano

发明人： Masashi Mitomo ,  Yoshiki Higashikado ,  Fumie Takizawa ,  Satoru Torii ,  Osamu Koyano

IPC分类号： G06F21/20 ,  G06F13/00 ,  G06F15/00 ,  H04L9/00 ,  H04L12/22 ,  H04L12/66 ,  H04L29/06

CPC分类号： H04L63/10 ,  H04L63/1416

摘要： A malicious access-detecting apparatus which is cable of grasping the whole aspect of an attack which can occur, before it actually occurs. A monitoring information-collecting section collects monitoring information including the network events detected by the monitoring devices on networks. A malicious apparatus group-deriving section retrieves a corresponding piece of the event information from an event information storage device, and derives, based on the retrieved piece of the event information, apparatuses that are involved in relevant detected network events which belong to the predetermined type of network events and of which addresses of senders or recipients are same, as a malicious apparatus group involved in the predetermined type of malicious access. A storage section stores information on each derived malicious apparatus group. An output section outputs a list of the each derived malicious apparatus group.

摘要翻译： 一种恶意访问检测装置，其是在实际发生之前抓住可能发生的攻击的整个方面的电缆。 监控信息收集部分收集包括由网络上的监视设备检测到的网络事件的监控信息。 恶意装置组导出部从事件信息存储装置检索对应的事件信息，根据检索到的事件信息，导出涉及检测到的属于预定类型的网络事件的装置 的网络事件以及发送者或接收者的哪个地址相同，作为涉及预定类型的恶意访问的恶意装置组。 存储部存储关于每个导出的恶意装置组的信息。 输出部分输出每个导出的恶意装置组的列表。