1. Field of the Invention
The present invention relates to a packet data comparator, as well as a virus filter, a virus checker and a network system using the same which can quickly detect harmful data which is referred to as “computer virus” or “network virus” or simply as “virus”, or other hazardous data partly similar to the harmful data, from digital data obtained via a communication network.
2. Description of the Prior Art
As the number of computers connecting to one communication network increases, amount of data flowing through the communication network dramatically increases. These data may include a computer virus (or a network virus or harmful data similar to it) which harms operations of the computer. Consequently, in order to keep integrity of the computer connecting to the network, information data accumulated therein or the like, there is a growing need for monitoring the computer virus flowing through the network.
Conventionally, such monitoring of the computer virus has been performed by using dedicated software in individual computers, devices which relay the data or the like. Some examples are shown in the following prior art references.
JP-T 2001-508564 discloses detection and removal of a virus in a macro command. A macro virus detecting module includes a macro locating and decoding module, a macro virus scanning module, a macro repairing module, a file correcting module and a virus information module, and their respective functions are as follows. The macro locating and decoding module determines whether or not a targeted file includes the macro, and if the targeted file includes the macro, the macro locating and decoding module locates the macro and decodes the macro to produce a decoded macro. The macro virus scanning module accesses the decoded macro and scans the macro to determine whether or not the macro includes the virus. Detection of an unknown macro virus is performed by the macro virus scanning module based on loading of comparison data including an instruction identifier set from the virus information module and determination of whether or not the above described decoded macro includes a suspect instruction combination corresponding to the above described instruction identifiers. The macro repairing module uses the above described comparison data to locate a suspect instruction in the above described decoded macro and removes the suspect instruction to produce a repaired macro. The file correcting module accesses the targeted file including a infected macro and replaces the infected macro with the repaired macro from the macro processing module.
JP-A 1998-307776 discloses a computer virus reception monitoring device and a system thereof which prevent a receiving device connected to a computer line network from receiving communication data infected by a computer virus to prevent computer virus infection in the receiving device from occurring. This causes the computer virus reception monitoring device to intervene between the computer line network and the receiving device, and the computer virus reception monitoring device is provided with reception processing means which receives the data from the computer line network, received data processing means which diagnoses whether or not the received data received by the above described reception processing means has been infected by the computer virus, means of processing communication with the receiving device which, if the above described received data has been infected by the above described computer virus, notifies a infection signal showing this infection to the receiving device, and transmission processing means which, if the above described received data has not been infected by the above described computer virus, transmits the above described received data to the above described receiving device.
JP-A 1998-049365 discloses a floppy disk drive which can prevent virus contamination in a computer system. In this disclosure, the floppy disk drive is provided with a buffer which temporarily stores data read from a floppy disk in accordance with a data read request from the computer system, a ROM in which a virus checking program has been stored, a virus checking control unit consisting of a virus checking controller which operates according to the virus checking program to check whether or not a virus exists in the data stored in the buffer, and a cache memory which holds the data from the floppy disk in which no anomaly has been found as a result of the virus checking and gives the data to the computer system. This disclosure prevents the virus contamination in the computer system from occurring when the computer system itself checks whether or not the virus exists.
However, according to an improvement in a transfer rate of a communication channel such as the network, amount of data flowing through the communication channel has increased. Since the amount of the data tends to further increase according to a speeding up of the communication channel, it is anticipated that, in virus monitoring system using software process, a processing speed of the system will not be able to follow this tendency over time and for a personal computer a CPU load will be so high that the processing speed becomes a bottleneck.
Generally, hardware processing speed can be more accelerated in comparison with software processing. Therefore, with respect to the data on the communication channel, it is possible to keep delay less and perform the monitoring more rapidly in the hardware processing. However, generally, if the virus has been updated, it is necessary to modify virus check patterns. In order to perform the modification, data which is formed in virus checking hardware and becomes a monitoring target, that is the virus check patterns, has to be modified. In this is case, the modification of the virus check patterns means modification of the hardware. Since such modification of the hardware is not easy, this is not adequate to be used for responding by adapting it to the monitoring target data changing from day to day.
In order to solve this problem, a virus checking device using a rewritable or reconfigurable LSI logical device or the like, which is referred to as “FPGA (Field Programmable Gate Array)”, “CPLD (Complex Programmable Logic Device)” or the like, has been disclosed, for example, in WO 2004/075056 A1.
However, the above described rewritable logical device such as the FPGA or the CPLD can be caused to malfunction by the computer virus due to its high versatility, which means that the rewritable logical device has a possibility of becoming a new security risk (that is, a risk of being targeted by the computer virus and the like). Moreover, since such a rewritable logical device generally cannot rewrite its own configuration data, it is necessary to prepare another CPU and the like for the rewriting.