Abstract: A monitoring apparatus holds extracted information including: extracted data from first communication between a proxy and a first network and from second communication between the proxy and a second network; and reception times of target data. The extracted data includes the kinds of communication, the sources and destinations of the target data in the first communication, and the sources in the second network and the destinations in the first network after the target data is relayed by the proxy in the second communication. For first extracted data of a first kind of communication in the first communication, the monitoring apparatus acquires second extracted data in the second communication whose reception time falls within the same time window as the reception time of the first extracted data, and determines whether the communication using the target data from which the acquired second extracted data was extracted belongs to a series of end-to-end communication.
Abstract: A relay apparatus for relaying data in a network comprises: a storage configured to store a whitelist in which normal information is registered, the normal information indicating that data is normal based on its destination and source; a receiver configured to receive first data; a determining part configured to determine whether normal information for the received first data is registered in the whitelist; a rewriting part configured to rewrite, when the determining part determines that the whitelist holds no normal information for the first data, the remaining lifespan required for the first data to reach its destination to a prescribed lifespan sufficient only to reach a specific communication apparatus located between the nearest and the furthest communication apparatus from the relay apparatus in the network; and a transmitter configured to transmit the first data after the rewriting process.
Abstract: A whitelist generation possibility/impossibility determination unit transmits a signal for permitting generation of a whitelist to a whitelist generating unit, in a case where an IP address corresponding to a source MAC address stored in a protocol information table matches the extracted source IP address, and in a case where an IP address corresponding to a destination MAC address stored in the protocol information table matches the extracted destination IP address.
Abstract: A transfer apparatus comprises: a first storage unit configured to store a whitelist holding reliable information indicating that communication between a source address and a destination address is authorized; a second storage unit configured to store an addition list including a specific address not included in the reliable information and a valid period of the specific address; a receiving unit configured to receive data; a check unit configured to check whether, within the valid period, either the destination address or the source address of the received data is the specific address; and a generation unit configured to generate specific reliable information indicating that communication between the destination address and the source address included in the data is authorized, and to register the generated specific reliable information in the whitelist when the check unit confirms within the valid period that either address is the specific address.
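The two whitelist-relay mechanisms above (the relay apparatus that rewrites the remaining lifespan of unlisted data, and the transfer apparatus that learns whitelist entries from a time-limited addition list) share one data structure, so the following added example shows both on a single relay. It is written for this listing and is not Alaxala's implementation of either patent; the packet fields, addresses, the prescribed TTL value and the clock values are all constructed.

```python
"""Whitelist relay: TTL clamping for unlisted traffic plus a time-limited
addition list that grows the whitelist.

Added illustration written for this listing; it is not Alaxala's
implementation of either patent. Packet fields, addresses, the
prescribed TTL and the clock values are all constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Pair = Tuple[str, str]          # (source address, destination address)


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int                    # remaining hop limit in the IP header


@dataclass
class Relay:
    # Pairs whose traffic is known to be normal.
    whitelist: Set[Pair] = field(default_factory=set)
    # Addresses that may be learned into the whitelist, each with the
    # time (seconds on a caller-supplied clock) at which learning stops.
    addition_list: Dict[str, float] = field(default_factory=dict)
    # Hop count assumed to reach an intermediate apparatus (an inspection
    # point, say) but to expire before the far end of the network.
    prescribed_ttl: int = 2

    def _expire(self, now: float) -> None:
        """Drop addition-list entries whose valid period has ended."""
        for addr in [a for a, until in self.addition_list.items() if now > until]:
            del self.addition_list[addr]

    def _learn(self, pkt: Packet, now: float) -> bool:
        """Register (src, dst) if either address is still in the addition list."""
        self._expire(now)
        if pkt.src in self.addition_list or pkt.dst in self.addition_list:
            self.whitelist.add((pkt.src, pkt.dst))
            return True
        return False

    def relay(self, pkt: Packet, now: float) -> Packet:
        """Return the packet as it would leave the relay.

        Listed traffic is forwarded as-is (the ordinary per-hop TTL
        decrement is left out to keep the example short). Unlisted
        traffic is not dropped outright; its TTL is capped so it cannot
        travel past the prescribed apparatus.
        """
        if (pkt.src, pkt.dst) in self.whitelist or self._learn(pkt, now):
            return pkt
        return Packet(pkt.src, pkt.dst, min(pkt.ttl, self.prescribed_ttl))


def run_sample() -> Dict[str, int]:
    """Constructed scenario: one static entry, one address valid until t=100."""
    relay = Relay(whitelist={("10.0.0.1", "10.0.1.5")},
                  addition_list={"10.0.2.9": 100.0})
    out = {}
    out["listed"] = relay.relay(Packet("10.0.0.1", "10.0.1.5", 64), now=10).ttl
    out["unlisted"] = relay.relay(Packet("10.0.0.7", "10.0.1.5", 64), now=10).ttl
    # 10.0.2.9 is within its valid period: the pair is learned and forwarded.
    out["learned"] = relay.relay(Packet("10.0.2.9", "10.0.1.5", 64), now=50).ttl
    # After expiry a new pair involving 10.0.2.9 is no longer learned ...
    out["expired_new"] = relay.relay(Packet("10.0.2.9", "10.0.1.6", 64), now=150).ttl
    # ... but the pair learned earlier stays in the whitelist.
    out["expired_kept"] = relay.relay(Packet("10.0.2.9", "10.0.1.5", 64), now=150).ttl
    out["entries"] = len(relay.whitelist)
    return out


if __name__ == "__main__":
    print(run_sample())
```

The point worth noticing is the asymmetry between the two mechanisms: the addition list is a learning window that closes, while anything learned during it is permanent whitelist state, so an address placed on the addition list must be trusted for every peer it talks to during the window. Capping the TTL rather than dropping lets unlisted traffic reach an inspection point without letting it cross the whole network.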
Abstract: A communication apparatus that transfers received data and stores a whitelist for managing an allowed object, that is, an object allowed to perform communications via the communication apparatus, comprises: a transfer unit that performs transfer control on the received data based on the whitelist; and a control unit that analyzes behavior related to the communications performed by the allowed object. The control unit is configured to calculate a monitoring parameter that indicates the behavior related to the communications performed by the allowed object, and to detect an allowed object in which an abnormality has occurred based on the monitoring parameter.
Abstract: A communication system, comprising: a communication apparatus controlling transmission and reception of data in a network connecting a server and a user terminal; and a management apparatus, the network including an edge apparatus, the communication apparatus including a relay unit which has a queue for each communication flow, and controls the transmission and reception of data using the queue, the management apparatus including a monitoring unit which identifies a communication flow where data loss has occurred, calculates modifications for settings for communication control used for a queue corresponding to the identified communication flow, and transmits to the communication apparatus a modification command including the modifications, and the relay unit modifies settings for communication control using the queue corresponding to the identified communication flow on the basis of the modifications included in the modification command.
Abstract: A communication device: stores flow condition information for identifying a flow and flow counter information that indicates, for each flow, an input flow volume of a flow inputted to the communication device, and an output flow volume of a flow outputted by the communication device; identifies a flow to which data inputted to the communication device belongs, with reference to the flow condition information; updates the input flow volume of the flow in the flow counter information; identifies a flow to which data outputted by the communication device belongs, with reference to the flow condition information; updates the output flow volume of the flow in the flow counter information; and identifies a flow in which a communication anomaly has occurred on the basis of results of a comparison process for comparing the input flow volume to the output flow volume with reference to the flow counter information.
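The flow-counter abstract above describes matching packets against flow conditions, counting bytes on the way in and on the way out, and flagging a flow when the two disagree. The following added example does exactly that; it is written for this listing and is not the patented device's code. Flow conditions, packets and the tolerance are constructed, and a packet is represented as a dict of header fields plus its length.

```python
"""Per-flow ingress/egress byte counters and loss/injection detection.

Added example for this listing, not the patented device's code. Flow
conditions, packets and the tolerance are constructed; a packet is a
dict of header fields plus its length."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FlowCondition:
    """Match fields; None is a wildcard."""
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return all(want is None or pkt.get(name) == want
                   for name, want in vars(self).items())


class FlowCounter:
    def __init__(self, conditions: List[FlowCondition]):
        self.conditions = conditions            # ordered; first match wins
        self.counts: Dict[FlowCondition, Dict[str, int]] = {
            c: {"in": 0, "out": 0} for c in conditions}

    def classify(self, pkt: dict) -> Optional[FlowCondition]:
        for cond in self.conditions:
            if cond.matches(pkt):
                return cond
        return None

    def observe(self, pkt: dict, direction: str) -> Optional[FlowCondition]:
        """direction is "in" (entering the device) or "out" (leaving it)."""
        flow = self.classify(pkt)
        if flow is not None:
            self.counts[flow][direction] += pkt["len"]
        return flow

    def anomalies(self, tolerance: int = 0) -> Dict[FlowCondition, int]:
        """Flows whose egress bytes differ from ingress bytes by more than
        tolerance. Negative: bytes vanished inside the device (a queue drop,
        a filter, a fault). Positive: bytes left on this flow that were
        never counted on ingress, which deserves a look as much as loss."""
        return {flow: c["out"] - c["in"]
                for flow, c in self.counts.items()
                if abs(c["out"] - c["in"]) > tolerance}


WEB = FlowCondition(dst="10.0.1.5", proto="tcp", dport=443)
DNS = FlowCondition(proto="udp", dport=53)


def run_sample() -> Dict[FlowCondition, int]:
    """Constructed traffic: three web segments enter, only two leave."""
    fc = FlowCounter([WEB, DNS])
    web = {"src": "10.0.0.9", "dst": "10.0.1.5", "proto": "tcp", "dport": 443, "len": 1000}
    dns = {"src": "10.0.0.9", "dst": "10.0.0.53", "proto": "udp", "dport": 53, "len": 100}
    other = {"src": "10.0.0.9", "dst": "10.0.1.5", "proto": "tcp", "dport": 22, "len": 500}
    for pkt in (web, web, web, dns, dns, other):
        fc.observe(pkt, "in")
    for pkt in (web, web, dns, dns, other):        # one web segment was lost
        fc.observe(pkt, "out")
    return fc.anomalies(tolerance=0)


if __name__ == "__main__":
    for flow, delta in run_sample().items():
        print(f"{flow}: {delta:+d} bytes")
```

In a real device the comparison has to allow for packets still sitting in queues between the two counting points, which is what the tolerance argument stands in for; on a live system it would be a function of buffer depth rather than a constant, and the check would be run over a window rather than over totals that grow forever.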
Abstract: A packet relay apparatus is configured to transmit from a mirror port a mirror packet copied from either a packet to be received or a packet to be transmitted. The packet relay apparatus comprises: a packet receiving module configured to receive a packet from an input port; a security judgment module configured to judge whether or not the packet is possibly an attack or a sign of an attack; a mirror processing module configured to generate, when the packet is judged to be possibly an attack or a sign of an attack, a replica of the packet as the mirror packet; and a transmitting module configured to transmit the mirror packet from the mirror port.
Abstract: It is an object of the present invention to achieve improvement of security by a whitelist function and improvement of network reliability by a network redundancy function at the same time. A packet relay device 100 includes packet reception units 200, a packet transfer unit 300, an S/W control unit 400, packet transmission units 500, and an input/output interface 600, and automatically generates a whitelist including an allowed communication rule. For each packet reception unit 200 that receives data, it is possible to select whether to perform communication control using the whitelist or to carry out data communication without using the whitelist.
Abstract: A packet relay device automatically generates a whitelist including an authorized communication rule. The packet relay device snoops on communications between a DHCP server and a DHCP client in accordance with DHCP. When the IP address of a DHCP client is changed, the packet relay device also automatically changes IP address information included in a whitelist related to the DHCP client to IP address information newly allocated to the DHCP client.
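The DHCP-snooping abstract above ties whitelist entries to a DHCP client so that a new lease rewrites the IP address in the rule instead of leaving a stale entry (and a hole for whoever next receives the old address). The following added example is written for this listing and is not the patent's code. Rules are keyed by client MAC, the DHCP messages are constructed dicts standing in for parsed frames, and the trusted-port check is an added caveat that the abstract does not mention: a rogue DHCP server on an untrusted port could otherwise steer whitelist entries at will.

```python
"""Whitelist kept in step with DHCP leases by snooping server replies.

Added example for this listing, not the patent's code. Rules are keyed
by client MAC, so a re-lease changes only the IP field of existing
rules. The DHCP messages are constructed dicts standing in for parsed
frames; the trusted-port check is an added caveat, not from the
abstract: DHCPACKs are honoured only from ports facing the real server."""
from dataclasses import dataclass
from typing import Dict, List, Set

DHCPACK = 5          # DHCP message type (option 53) value for ACK


@dataclass
class Rule:
    client_mac: str
    client_ip: str
    peer_ip: str      # remote endpoint the client may talk to
    proto: str
    port: int


class SnoopingWhitelist:
    def __init__(self, rules: List[Rule], trusted_ports: Set[str]):
        self.rules = rules
        self.trusted_ports = trusted_ports
        self.bindings: Dict[str, str] = {}      # client MAC -> leased IP

    def permits(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        """Allow traffic in either direction between client and peer."""
        return any(r.proto == proto and r.port == port
                   and {src_ip, dst_ip} == {r.client_ip, r.peer_ip}
                   for r in self.rules)

    def snoop(self, msg: dict, ingress_port: str) -> int:
        """Feed a server-to-client DHCP message seen on ingress_port.

        Returns the number of rules rewritten. Messages from untrusted
        ports and non-ACK messages change nothing."""
        if ingress_port not in self.trusted_ports or msg.get("type") != DHCPACK:
            return 0
        mac, new_ip = msg["chaddr"], msg["yiaddr"]
        if self.bindings.get(mac) == new_ip:
            return 0                          # renewal of the same lease
        self.bindings[mac] = new_ip
        changed = 0
        for r in self.rules:
            if r.client_mac == mac and r.client_ip != new_ip:
                r.client_ip = new_ip
                changed += 1
        return changed


def run_sample() -> dict:
    """Constructed scenario: a PLC-style rule, a legitimate re-lease on the
    server-facing port ge1, then a forged ACK arriving on an access port."""
    wl = SnoopingWhitelist(
        [Rule("aa:bb:cc:dd:ee:01", "10.0.0.50", "10.0.1.5", "tcp", 502)],
        trusted_ports={"ge1"})
    mac = "aa:bb:cc:dd:ee:01"
    out = {"before": wl.permits("10.0.0.50", "10.0.1.5", "tcp", 502)}
    out["changed"] = wl.snoop({"type": DHCPACK, "chaddr": mac, "yiaddr": "10.0.0.77"}, "ge1")
    out["old_ip_allowed"] = wl.permits("10.0.0.50", "10.0.1.5", "tcp", 502)
    out["new_ip_allowed"] = wl.permits("10.0.1.5", "10.0.0.77", "tcp", 502)
    # Forged ACK from an untrusted port must not move the rule.
    out["rogue"] = wl.snoop({"type": DHCPACK, "chaddr": mac, "yiaddr": "10.0.0.99"}, "ge7")
    out["after_rogue"] = wl.permits("10.0.0.77", "10.0.1.5", "tcp", 502)
    return out


if __name__ == "__main__":
    print(run_sample())
```

Keying the rule on the MAC rather than the IP is what makes the update safe to automate, but it also means the MAC becomes the identity the whitelist trusts, so the snooping device should bind MAC to port as well if the access ports are reachable by untrusted hosts.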
Abstract: A transfer device transfers communication data, comprising: a search unit having a first search means that includes a first table and a first search circuit, the search unit referring to the first table using the first search circuit to search for the first transfer destination information from the first destination information; a search control unit that is a reconfigurable mechanism that creates search designation information and executes a first search designation information creation process of creating first search designation information; a control unit that controls the search unit and creates in the search unit at least a second search means including a second table and a second search circuit, the control unit controlling the search control unit to add to the search control unit a second search designation information creation process; and a transfer unit that receives the communication data and transmits the communication data to a transfer destination.
Abstract: In a core node, packet-related information included in a packet is extracted. A virtual queue length, which is an estimated value of the queue length of a transmission queue addressed to a user in an edge device, is calculated and held on a per-user basis from the packet-related information and band information of the line between the edge device and the user. A determination is then made, per user, as to whether band control is required, on the basis of the virtual queue length and predetermined conditions, and according to the result of the determination a packet relay part performs band control of the packets addressed to that user.
Abstract: Provided is a communication device in which communication between hosts of a layer 2 network is overlaid on a layer 3 network. The communication device manages a first MTU length of each communication path with respect to a plurality of communication paths in the layer 3 network, determines a second MTU length based on information to be added in cases where communication between the hosts of the layer 2 network is overlaid via the plurality of communication paths, and notifies the hosts of the second MTU length.
April 24, 2017
Date of Patent: April 9, 2019
Assignee: Alaxala Networks Corporation
Inventors: Yasunori Yamamoto, Motohide Noumi, Kohei Oka
Abstract: A transfer device includes: first and second ports connected to L3 and L2 networks, respectively; a storage unit that stores data processing information which brings a MAC address of a communication device in the L2 network into correspondence with information regarding processing of data, and address information which brings an IP address of the communication device in the L2 network into correspondence with the MAC address thereof; and a transfer unit that, upon receiving data addressed to the communication device in the L2 network through the first port, searches the address information with an IP address in the data to acquire a MAC address corresponding to the IP address, searches the data processing information with the acquired MAC address, and depending on a search result, controls whether to transfer the data through the first port based on information regarding processing of data corresponding to the acquired MAC address.
Abstract: A communication apparatus receives control information of first data and a plurality of types of header information of the first data, the first data being received by a first data receiver; selects a parameter from the plurality of types of header information of the first data based on the priority of a first data receiver group to which the first data receiver belongs and on a storage condition, the priority being indicated by priority information and the storage condition indicating the number of whitelist entries that can be stored in a first memory used for whitelist storage; and adds, to the whitelist, an entry that includes the control information of the first data and at least one parameter selected as above.
Abstract: A packet communication apparatus is configured to relay packets transmitted and received between information processing apparatuses. The packet communication apparatus includes: a network interface connectable to a network; a CPU to be a destination of at least one of a plurality of packets to be received through the network interface; a first buffer configured to hold the packets destined to the CPU in order to output the packets to the CPU; a second buffer having a plurality of planes and configured to hold copies of the packets destined to the CPU held in the first buffer in one of the plurality of planes; and a reception history controller configured to store a copy of a packet to a specified plane of the second buffer or to save copies of packets held in the second buffer to another storage area based on usage of the first buffer.
Abstract: A network device is configured to: detect a virtual network that is unable to relay communication as a failed virtual network; identify, as a failed virtual network identifier, a virtual network identifier assigned to the combination of the failed virtual network and a physical port through which communication of the failed virtual network passes, based on mapping information; identify a first virtual tunnel end point that relays communication of the failed virtual network; identify, based on tunnel information, a second virtual tunnel end point of another network device that communicates with the first virtual tunnel end point; and send to the second virtual tunnel end point a clear request including the failed virtual network identifier and the IP address of the first virtual tunnel end point, the clear request being used for clearing a MAC address used in the Layer 2 protocol.
Abstract: A transfer apparatus includes a CPU, a memory, a recovery control unit, a non-volatile memory coupled to the recovery control unit, a transfer engine, and a volatile memory, wherein the volatile memory stores a first transfer information base, wherein the non-volatile memory stores a second transfer information base, and the recovery control unit is configured to update the second transfer information base in a case of receiving an instruction to update the second transfer information base, transmit an instruction to update the first transfer information base to the transfer engine, check the consistency of the first transfer information base and the second transfer information base in a case where the transfer apparatus is rebooted, and recover the first transfer information base by using the second transfer information base in a case where the first transfer information base and the second transfer information base are consistent.
Abstract: A communication apparatus including: a plurality of physical ports to be coupled to different terminals via a network; a plurality of authentication processing units configured to execute an authentication process; and a controller configured to determine on which of the physical ports a packet was received from a terminal, to specify a preset authentication process corresponding to the determined physical port, and to distribute the specified authentication process for the packet from the terminal to an authentication processing unit for execution.
Abstract: Network switching arrangements including: setting an operation mode of a target switching block to an operation mode that is different from the operation mode of a first switching block while the first switching block is handling a switching process, the target switching block being one switching block selected from second switching blocks; performing a switchover process including starting the switching process using the target switching block instead of the first switching block, after completion of setting the operation mode of the target switching block; and copying the switching information held by the first switching block to the target switching block, after completion of setting the operation mode of the target switching block and prior to starting the switching process using the target switching block.