The present invention relates generally to an IP (Internet Protocol) communication network system having a function of preventing an illegal act, and more particularly to an IP communication network system capable of preventing the illegal act by detecting (tracing) malicious data communications with a host computer of an autonomous system (AS) in the Internet.
The host computer and the Internet must be protected from an illegal act party (which might hereinafter be simply referred to as an illegal party) by pinpointing the originator of an illegal act (which might hereinafter be termed an unauthorized access) that occurred in the Internet, defined as an IP network spreading on a worldwide scale, and automatically shutting off that originator.
This illegal act may include such categories as a DoS (Denial of Service) attack that aims to bring the host computer down by, for example, deliberately transmitting a tremendous quantity of invalid packets to the specified host computer, and repeated unauthorized accesses to the host computer that seek out an authorized user's password by trying variations of it in order to obtain this password illegally.
Data are forwarded (which includes being transferred and switched) in the form of packets in an IP network such as the Internet, and it is therefore feasible to pinpoint the illegal party by tracing the network routers (which might hereinafter be simply referred to as routers) via which the IP packet arrived back to the illegal party.
There is an algorithm for searching the intrusion route of an unauthorized packet within the IP network by comparing logs of the IP packets recorded in the network routers with the time at which the unauthorized intrusion occurred, and thus pinpointing the illegal party.
Moreover, there is an architecture for safeguarding the host computer and the IP network in which a specially designed computer known as a Fire Wall is provided between the internal network and an external network in order to block unauthorized intrusion; the Fire Wall restricts specified packets (specified addresses and service ports) by use of packet filtering technology.
Further, there are two types of conventional technologies, shown as follows. The first technology is NetRanger (registered trademark) made by Cisco Corp. FIG. 1 is a diagram showing the concept of NetRanger. Referring to FIG. 1, if the illegal party attempts an unauthorized access and thus intrudes into a host computer (HOST) 3 via the IP network, this system functions so that an unauthorized access monitoring unit (intrusion detection tool) 4 attached to the host computer 3 detects an abnormality by judging log-ins for checking the connectability of the network and a threshold value of ping (Packet Internet Groper), and by recognizing a characteristic operation pattern (which may be called a search for "spoofing").
The unauthorized access monitoring unit 4 notifies the router 1 and the Fire Wall 2 of the detected abnormal state, and requests the router 1 and the Fire Wall 2 to create a filtering table 5 for cutting off the connection to the host computer 3 at which the unauthorized access is targeted.
Owing to the creation of this filtering table 5, even if the intrusion is attempted once again, the unauthorized packet is filtered and discarded at the stage anterior to the host computer 3, with the result that the illegal party is unable to attack the host computer 3.
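As an added illustration, not NetRanger's code and not part of this document, the following Python models the monitoring unit's threshold judgement and the filtering-table request: it counts ICMP echo requests per source over a sliding window in constructed log lines and builds the discard entries the router and Fire Wall would install for the protected host. The threshold, window length, addresses and log format are assumptions made for the example.

```python
from collections import defaultdict, deque

PING_THRESHOLD = 5   # assumed: more echo requests than this per window is abnormal
WINDOW_SECONDS = 10  # assumed sliding-window length in seconds

# Constructed sample log lines (not real traffic): "<sec> <proto> <src> -> <dst>:<port>"
SAMPLE_LOG = """\
0 icmp 203.0.113.7 -> 198.51.100.10:0
1 tcp 192.0.2.44 -> 198.51.100.10:22
2 icmp 203.0.113.7 -> 198.51.100.10:0
3 icmp 203.0.113.7 -> 198.51.100.10:0
4 icmp 203.0.113.7 -> 198.51.100.10:0
5 icmp 203.0.113.7 -> 198.51.100.10:0
6 icmp 203.0.113.7 -> 198.51.100.10:0
30 icmp 192.0.2.44 -> 198.51.100.10:0
"""


def parse_log(text):
    """Turn each log line into (seconds, proto, src, dst, port)."""
    records = []
    for line in text.splitlines():
        ts, proto, src, _arrow, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        records.append((int(ts), proto, src, dst, int(port)))
    return records


def detect_ping_flood(records, threshold=PING_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: time first flagged} for sources exceeding the ICMP threshold."""
    recent, flagged = defaultdict(deque), {}
    for ts, proto, src, _dst, _port in records:
        if proto != "icmp":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def build_filtering_table(flagged, host, port=None):
    """Entries requested of router and Fire Wall; port None means every port."""
    return [{"src": src, "dst": host, "port": port, "action": "discard"}
            for src in sorted(flagged)]


def is_discarded(table, record):
    _ts, _proto, src, dst, port = record
    return any(e["src"] == src and e["dst"] == dst and e["port"] in (None, port)
               for e in table)
```

Once the table is installed, every later packet from the flagged source to the host is discarded before the host sees it, which is exactly why the whole-network traffic rise described later is not addressed by this approach.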
The second technology is a data tracing system disclosed in Japanese Patent Application Laying-Open Publication No. 2000-124952. FIG. 2 is a diagram showing the concept of this data tracing system. Referring to FIG. 2, this system functions so that if an unauthorized access party 6 intrudes into a host computer 9A via the IP network, an unauthorized access detection unit 9B attached to the host computer 9A detects the unauthorized access and notifies a management system 9C of it.
The management system 9C requests a router 7C disposed anterior to the detection unit 9B to trace the routers back to the source of this unauthorized access. The router 7C, accepting the tracing request, compares characteristic information of the unauthorized access party 6 with the data routed by the router 7C itself and, on detecting the unauthorized data, is capable of identifying the router 7B disposed one hop anterior to itself that routed the unauthorized data, on the basis of a data link layer analysis 8C of the unauthorized data.
The router 7C requests the traced-back router 7B to trace routers further back to the source of the unauthorized access, and simultaneously notifies the management system 9C of information on the traced-back router 7B disposed anterior thereto. Routers 7A, 7B and 7C (including the data link layer analyses 8A, 8B and 8C), each having such a function, are provided in a chain in the network, whereby the originator, i.e., the unauthorized access party 6, can eventually be pinpointed.
According to this data tracing system, when the unauthorized access party 6 is pinpointed, an alarm is issued to this party 6, and the network administrator is notified of the issuance of the alarm.
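As an added example, not the code of the cited publication and not part of this document, the following Python simulates the chained traceback of FIG. 2: the management system asks the router anterior to the host, each router looks up the characteristic information of the unauthorized access in its data link layer analysis to find the upstream neighbour, reports it, and the chain ends at the originator's link-layer address. It also shows the failure mode in which one router has no matching record (for example after a route change). Router names 7A/7B/7C follow the text; the signature format, addresses and analysis contents are assumed.

```python
from dataclasses import dataclass, field

@dataclass
class Router:
    name: str
    # Data link layer analysis (8A/8B/8C): for each signature this router routed,
    # the neighbour on the ingress link (an upstream router name or an end
    # station's link-layer address). Contents are constructed for the example.
    link_analysis: dict = field(default_factory=dict)

    def trace_back(self, sig):
        """Compare the signature with routed data; return the upstream neighbour."""
        return self.link_analysis.get(sig)

@dataclass
class ManagementSystem:
    routers: dict
    notifications: list = field(default_factory=list)

    def trace(self, first_router, sig, max_hops=16):
        """Ask the router anterior to the host to trace, follow the chain of
        traced-back routers and stop at the originator's link-layer address."""
        current, path = first_router, []
        for _ in range(max_hops):
            path.append(current)
            upstream = self.routers[current].trace_back(sig)
            if upstream is None:  # no record: route changed or log expired
                return {"status": "lost", "path": path, "origin": None}
            self.notifications.append((current, upstream))
            if upstream not in self.routers:  # reached the originator's link
                self.notifications.append(("alarm", upstream))
                return {"status": "pinpointed", "path": path, "origin": upstream}
            current = upstream
        return {"status": "hop_limit", "path": path, "origin": None}

# Constructed topology: party 6 -- 7A -- 7B -- 7C -- host 9A (addresses assumed).
# Characteristic information of an access is the tuple (src IP, dst IP, dst port).
ATTACK = ("192.0.2.66", "198.51.100.10", 22)  # routed and recorded by every router
STALE = ("192.0.2.77", "198.51.100.10", 80)   # 7B has no record: route changed

def build_sample_network():
    return {
        "7C": Router("7C", {ATTACK: "7B", STALE: "7B"}),
        "7B": Router("7B", {ATTACK: "7A"}),
        "7A": Router("7A", {ATTACK: "00:00:5e:00:53:66"}),
    }

def trace_unauthorized(sig):
    return ManagementSystem(build_sample_network()).trace("7C", sig)
```

Each hop adds one request-and-reply round trip, so the time to pinpoint grows with the number of routers on the route, and a single router without a matching record stops the trace short.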
An IP communication network system in which a multiplicity of unspecified individual and office users use the IP network as they intend carries the hazard that an unauthorized access may come from anywhere in the IP network as a whole.
The conventional technologies described above, though capable of detecting the unauthorized party in a comparatively small IP network and safeguarding that network from the intrusion, do not exhibit a sufficient effect in an IP network expanding on the worldwide scale.
Namely, each of the conventional technologies, though capable of safeguarding the host computer from an illegal act such as deliberately forwarding a tremendous quantity of IP packets by filtering those packets with the Fire Wall etc., inevitably allows normal packet control to be adversely affected by the rise in traffic in the whole IP network caused by the large quantity of unauthorized packets.
Further, for detecting the unauthorized access and pinpointing the unauthorized access party, the routers must be traced one by one back to the unauthorized access party, and this operation requires a great deal of time until the unauthorized access party is pinpointed in the Internet, where a multiplicity of routers are provided on the routes.
Moreover, routes are frequently changed in the Internet, and, according to the router tracing algorithm, when the route is changed the tracing might have to be performed again from the beginning.