In communication fields such as packet communication, the filtering of inappropriate data is generally performed based on predetermined filter rules.
More specifically, the filter device observes the communicated data in packet units. The contents of predetermined items included in the header information of a packet under observation, such as the address, port number and class of protocol, are compared with the patterns of the same predetermined items (address, port number and class of protocol) that are stored in a database as filter rules. Then, based on whether the compared contents agree, it is determined whether the packet under observation is allowed to pass.
In the case of performing such filtering, in order to judge all packets accurately and quickly, sufficient processing ability is required in the device that performs the filtering based on the set filter rules (hereinafter referred to as “filter device”). In other words, the performance of the filter device and its filtering ability are in a trade-off relationship, and it is not always possible to provide a filter device with sufficient processing ability that problems never arise under any conditions.
For example, a packet filtering function is included in the majority of existing routers and firewalls. In other words, routers and firewalls act as filter devices. However, there is a limit to the processing ability of these routers, etc. For this reason, even if no problems arise during normal usage, when an abundance of packets is received from an illegal attack such as a DoS attack (Denial of Service attack), the load on the CPU (Central Processing Unit) performing the processing increases, as a result of which the filtering function itself may stop.
In order to prevent such an interruption of the filtering function, it is necessary to examine communication packets while suppressing as much as possible the load acting on the filter device such as a router.
In addition, as a particular challenge, unauthorized access problems originating not only from external networks such as the Internet but also from internal networks such as a LAN (Local Area Network) have increased, and the necessity of strengthening internal security has also arisen.
Herein, as one method for reducing the load acting on filter devices while also resolving the unauthorized access problem from internal networks, there is a technique of installing a plurality of filter devices in the external and internal networks and distributing the filtering processing among this plurality of devices.
By distributing the filtering processing among a plurality of filter devices in this way, it becomes possible to reduce the load acting on each filter device, as well as to resolve the unauthorized access problem from internal networks.
One example of technology for distribution of such load is described in Patent Document 1. The technology described in Patent Document 1 sets filter rules to distribute in the plurality of filter devices. In addition, the technology described in Patent Document 1 sets filter rules of respectively different contents in devices installed in the external network, and devices installed in the internal network.
More specifically, filter rules of light load are set in the filter devices of the external network, which have a large number of packets defined as observation targets because of the large traffic volume passing through them. For example, filter rules having a comparatively small number of rules and a low update frequency are set there.
On the other hand, in a device of the internal network, for which the number of packets defined as observation targets is small because the traffic volume passing through it is small, filter rules of heavy load are set. For example, filter rules defined for every subnet, whose rule number is liable to increase, and filter rules having a high update frequency impose a heavy load; therefore, these filter rules are set in the filter devices of the internal network. It should be noted that the information related to the setting of such filter rules, and the setting of the filter rules themselves, are managed by a dedicated filter management server.
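As an added illustration of the header-based comparison described above and of the split between a light rule set on the external device and a heavy per-subnet rule set on the internal device (example code written for this page, not the patent's own method; every address, subnet, rule and packet is a constructed assumption):

```python
"""Header-based packet filtering with the rule set split between an
external (edge) filter device and an internal filter device.

Added illustration, not code from the patent. All addresses, subnets,
rules and packets are constructed sample data, not values from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header items the filter compares: addresses, protocol, port."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One filter rule; None (or 0.0.0.0/0) in a field matches anything."""
    action: str                # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(pkt: Packet, rules: List[Rule], default: str = "deny") -> Tuple[str, int]:
    """First-match evaluation. Returns (verdict, rules_compared); the
    count is the per-packet work that the text calls the device's load."""
    for compared, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, compared
    return default, len(rules)


# External (edge) device: few, rarely changing rules, so each of the many
# packets arriving from the Internet costs at most three comparisons.
EXTERNAL_RULES = [
    Rule("deny", proto="tcp", dport=23),   # no telnet from outside
    Rule("deny", src="203.0.113.0/24"),    # constructed blocklist prefix
    Rule("allow"),                         # everything else goes inward
]

# Internal device: per-subnet rules that grow with the LAN and change often.
INTERNAL_RULES = [
    Rule("allow", dst="10.0.10.5/32", proto="tcp", dport=443),                     # public web server
    Rule("deny",  src="10.0.2.0/24", dst="10.0.10.0/24", proto="tcp", dport=22),   # guest subnet: no SSH to servers
    Rule("allow", src="10.0.0.0/16", dst="10.0.10.0/24", proto="udp", dport=53),   # office subnets: DNS
    Rule("allow", src="10.0.3.0/24", dst="10.0.10.0/24"),                          # admin subnet: all servers
    Rule("allow", src="10.0.1.0/24", dst="10.0.10.6/32", proto="tcp", dport=445),  # finance: file server
]

INTERNAL_NET = ip_network("10.0.0.0/8")    # constructed site prefix


def filter_path(pkt: Packet) -> Tuple[str, int, int]:
    """Send the packet through the devices it actually traverses: Internet-
    origin packets hit the edge device first and reach the internal device
    only if passed; LAN-origin packets (the internal unauthorized-access
    case) are seen by the internal device alone.
    Returns (verdict, edge_comparisons, internal_comparisons)."""
    edge_cost = 0
    if ip_address(pkt.src) not in INTERNAL_NET:
        verdict, edge_cost = evaluate(pkt, EXTERNAL_RULES)
        if verdict == "deny":
            return verdict, edge_cost, 0
    verdict, internal_cost = evaluate(pkt, INTERNAL_RULES)
    return verdict, edge_cost, internal_cost


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "10.0.10.5", "tcp", 23),    # telnet from the Internet
    Packet("198.51.100.7", "10.0.10.5", "tcp", 443),   # HTTPS to the web server
    Packet("203.0.113.9", "10.0.10.5", "tcp", 443),    # from the blocklisted prefix
    Packet("10.0.2.9", "10.0.10.7", "tcp", 22),        # guest trying SSH
    Packet("10.0.5.4", "10.0.10.53", "udp", 53),       # office DNS lookup
    Packet("10.0.3.2", "10.0.10.7", "tcp", 22),        # admin SSH
    Packet("10.0.9.1", "10.0.10.9", "tcp", 8080),      # no rule: default deny
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, edge, internal = filter_path(pkt)
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {verdict:5}  "
              f"edge compared {edge}, internal compared {internal}")
```

The second value returned by `filter_path` is bounded by the three rules on the edge device, so a flood of external packets costs that device a fixed small amount of work per packet, while the internal device, which sees far fewer packets, carries the longer per-subnet list; this is the division of load the text describes.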
The technology described in Patent Document 1 distributes the load acting on each filter device by having the filter management server decentralize the filter rules in consideration of the number of packets that are observation targets at each filter device, as a result of which scalability with respect to an increase in load is ensured.

Patent Document 1: Japanese Unexamined Patent Application, Publication No. 2003-244247
Non-Patent Document 1: DOI, Hiroshi; “Regarding Secret Sharing Schemes and Application Thereof” (online), November 2012, Institute of Information Security, Vol. 4 (Searched Jun. 30, 2016), Internet <URL: www.iisec.ac.jp/proc/vol0004/doi.pdf>
Non-Patent Document 2: IWAMOTO, Mitsugi; “Secret Sharing Schemes” (online), (Searched Jun. 30, 2016), Internet <URL: http://ohta-lab.jp/users/mitsugu/research/SSS/main.html>