
Packet Filtering Device And Packet Filtering Method

Abstract: The present invention pertains to a packet filtering device that expresses a packet filtering rule set (a technology for preventing cyber attack) using a tree structure suited to evaluating a logical expression, thereby improving processing efficiency, and to a packet filtering method therefor. The packet filtering device is provided with: a rule set that stores a rule in which a condition and an action are associated with each other and a zero-suppressed binary decision diagram (ZDD) which represents a logical expression in which the condition of the rule is written using a logical variable; a packet analyzing unit that analyses a packet received from a network and extracts collation information, which is a character string to be collated; and a filtering unit that collates the collation information extracted by the packet analyzing unit with the ZDD, executes an action associated with a condition with which the collation information matches, and permits or refuses communication of the packet.


Patent Information

Application #
Filing Date
27 October 2017
Publication Number
44/2017
Publication Type
INA
Invention Field
COMMUNICATION
Status
Parent Application

Applicants

MITSUBISHI ELECTRIC CORPORATION
7-3, Marunouchi 2-chome, Chiyodaku, Tokyo 100-8310, Japan

Inventors

1. SHIMIZU, Koichi
c/o Mitsubishi Electric Corporation, 7-3, Marunouchi 2-chome, Chiyoda-ku, Tokyo 100-8310, Japan
2. YAMAGUCHI, Teruyoshi
c/o Mitsubishi Electric Corporation, 7-3, Marunouchi 2-chome, Chiyoda-ku, Tokyo 100-8310, Japan

Specification

Claims
[Claim 1] A packet filtering apparatus comprising:
a rule set containing a rule in which a condition and an action are associated with each other, and a Zero-Suppressed Binary Decision Diagram (ZDD) that represents a logical expression in which the condition of the rule is described using a logical variable;
a packet analyzing unit to analyze a packet received from a network and extract collation information being a character string to be collated; and
a filtering unit to collate the collation information extracted by the packet analyzing unit with the ZDD, execute the action associated with the condition that the collation information matches, and permit or deny communication of the packet.
[Claim 2] The packet filtering apparatus according to claim 1,
wherein the filtering unit, in collation of the collation information with the ZDD, overwrites a value of the logical variable for which collation has been completed with 0, and determines whether or not a value of the logical expression including the logical variable overwritten with 0 is 0 when collation on the entire ZDD has been completed.
[Claim 3] The packet filtering apparatus according to claim 2,
wherein the filtering unit, when the collation on the entire ZDD has been completed, in a case where the value of the logical expression calculated using the ZDD is 0, sets a determination result of the value of the logical expression to 0, in a case where the value of the logical expression calculated using the ZDD is 1, sets the determination result of the value of the logical expression to 1 if the value of the logical expression including the logical variable overwritten with 0 is 0, and sets the determination result of the value of the logical expression to 0 if the value of the logical expression including the logical variable overwritten with 0 is not 0.
[Claim 4] The packet filtering apparatus according to claim 1,
wherein the rule set contains a bit inverted ZDD that represents the logical expression in which a value of a bit of the logical variable is inverted in accordance with statistical appearance tendency of 0 and 1 of the collation information obtained by observing the packet, and
wherein the filtering unit collates the collation information with the ZDD using the bit inverted ZDD contained in the rule set.
[Claim 5] A packet filtering method of a packet filtering apparatus including a storage unit to store a rule set containing a rule in which a condition and an action are associated with each other, and a Zero-Suppressed Binary Decision Diagram (ZDD) that represents a logical expression in which the condition of the rule is described using a logical variable, a packet analyzing unit, and a filtering unit, the packet filtering method comprising:
a packet analyzing step to analyze a packet received from a network and extract collation information being a character string to be collated, by the packet analyzing unit; and
a filtering step to collate the collation information extracted by the packet analyzing unit with the ZDD stored in the storage unit, execute the action associated with the condition that the collation information matches, and permit or deny communication of the packet, by the filtering unit.
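The following is an added example, not code from the patent or from Mitsubishi Electric, illustrating the structure that claims 1 to 3 describe: rule conditions are stored as sets of "field=value" literals (the logical variables) in a zero-suppressed BDD, a packet analyzing step turns a packet's header fields into collation literals, and a filtering step walks the ZDD to pick an action. Two collation routines are shown. `matches_subset` treats a rule that omits a field as a wildcard, which is what a firewall rule normally means. `matches_exact` shows the zero-suppression pitfall that claims 2 and 3 address: a ZDD never examines a variable whose 1-edge would be empty, so reaching terminal 1 does not by itself prove the packet's variables are in the set; the patent's overwrite-with-0 check is not reproduced here, and the example instead records which variables the walk consumed and rejects the match if any present variable was skipped. The rule set, the `deny`-before-`permit` precedence, the default-deny fallback, the field names and the packets are all constructed for the demonstration.

```python
# Added example (not the patent's code): a tiny ZDD over "field=value" literals
# used as a packet-filter rule set, with two collation routines.
# Rules, precedence policy, field names and packets are constructed for the demo.

ZERO, ONE = 0, 1  # terminal ids: empty family / family holding only the empty set


class ZDD:
    def __init__(self, variables):
        self.order = {v: i for i, v in enumerate(variables)}  # index 0 nearest the root
        self.table = [None, None]   # node id -> (var_idx, lo, hi); ids 0/1 are terminals
        self.unique = {}            # (var_idx, lo, hi) -> node id (hash-consing)
        self.union_cache = {}

    def node(self, v, lo, hi):
        if hi == ZERO:              # zero-suppression: drop a node whose 1-edge is empty
            return lo
        key = (v, lo, hi)
        if key not in self.unique:
            self.unique[key] = len(self.table)
            self.table.append(key)
        return self.unique[key]

    def single(self, literals):
        """ZDD holding exactly one combination: the given set of literals."""
        root = ONE
        for v in sorted((self.order[l] for l in literals), reverse=True):
            root = self.node(v, ZERO, root)
        return root

    def union(self, a, b):
        if a == ZERO or a == b:
            return b
        if b == ZERO:
            return a
        if a == ONE:                # keep the non-terminal operand in a
            a, b = b, a
        if (a, b) in self.union_cache:
            return self.union_cache[(a, b)]
        va, la, ha = self.table[a]
        if b == ONE:
            r = self.node(va, self.union(la, ONE), ha)
        else:
            vb, lb, hb = self.table[b]
            if va < vb:
                r = self.node(va, self.union(la, b), ha)
            elif vb < va:
                r = self.node(vb, self.union(a, lb), hb)
            else:
                r = self.node(va, self.union(la, lb), self.union(ha, hb))
        self.union_cache[(a, b)] = r
        return r

    def matches_exact(self, root, present):
        """True iff the family contains exactly the set `present` (variable indices).
        A skipped variable is implicitly 0, so every present variable must have been
        consumed on the path; reaching terminal 1 alone is not sufficient."""
        n, consumed = root, set()
        while n not in (ZERO, ONE):
            v, lo, hi = self.table[n]
            if v in present:
                consumed.add(v)
                n = hi
            else:
                n = lo
        return n == ONE and consumed == present

    def matches_subset(self, root, present):
        """True iff some set in the family is a subset of `present`
        (a rule that omits a field acts as a wildcard on that field)."""
        stack, seen = [root], set()
        while stack:
            n = stack.pop()
            if n == ONE:
                return True
            if n == ZERO or n in seen:
                continue
            seen.add(n)
            v, lo, hi = self.table[n]
            stack.append(lo)        # the rule may leave this variable unset
            if v in present:        # the rule may require it only if the packet has it
                stack.append(hi)
        return False


def analyze_packet(packet):
    """Packet analyzing step: header fields -> collation literals (strings)."""
    return {f"{field}={value}" for field, value in packet.items()}


class PacketFilter:
    def __init__(self, rules, variables):
        self.zdd = ZDD(variables)
        self.roots = {"deny": ZERO, "permit": ZERO}      # one ZDD root per action
        for condition, action in rules:
            self.roots[action] = self.zdd.union(self.roots[action], self.zdd.single(condition))

    def decide(self, packet):
        """Filtering step: collate literals against each action's ZDD; deny wins, default deny."""
        present = {self.zdd.order[l] for l in analyze_packet(packet) if l in self.zdd.order}
        for action in ("deny", "permit"):
            if self.zdd.matches_subset(self.roots[action], present):
                return action
        return "deny"


RULES = [  # constructed sample rule set: (condition literals, action)
    ({"proto=tcp", "dport=22", "sip=203.0.113.9"}, "deny"),
    ({"proto=tcp", "dport=22"}, "permit"),
    ({"proto=tcp", "dport=80"}, "permit"),
    ({"proto=udp", "dport=53"}, "permit"),
]
VARIABLES = sorted({lit for cond, _ in RULES for lit in cond})
FILTER = PacketFilter(RULES, VARIABLES)

if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "sip": "203.0.113.9", "dport": 22},
                {"proto": "tcp", "sip": "198.51.100.4", "dport": 22},
                {"proto": "tcp", "sip": "198.51.100.4", "dport": 443}):
        print(pkt, "->", FILTER.decide(pkt))
```

The permit ZDD built here shares the `proto=tcp` node between the port 22 and port 80 rules, which is the structural sharing the abstract relies on for efficiency. The two-root, deny-first policy is a simplification chosen for the demonstration; the patent's claims only say that the action associated with the matched condition is executed.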
