In recent years, it has become necessary to take measures that prevent attackers from intruding into the networks of critical infrastructures such as power plants and seizing control of a system. In a critical-infrastructure network, defense measures such as a firewall device and anti-virus software installed on terminals such as personal computers are already in place. However, preventing the intrusion of attackers who attempt to seize system control requires stronger measures. One technique for reducing the risk of intrusion by an attacker is a whitelist function: legitimate terminal information contained in the legitimate communication flowing in the network is registered in a whitelist accommodating device, and non-legitimate communication from terminals other than the legitimate terminals registered in that device is blocked, which raises the security level.
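The following added example, which is not part of the original text and does not model any specific product, illustrates the whitelist function described above. A whitelist accommodating device first runs in a learning phase, registering the terminal information (source address, destination address, destination port and protocol, all constructed values) of legitimate communication; once learning is switched off it allows only communication matching a registered entry and blocks everything else. Class and field names are assumptions made for this illustration.

```python
from dataclasses import dataclass, field


# Constructed packet model; field names are assumptions for this example.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class WhitelistDevice:
    """Whitelist accommodating device: learn legitimate terminals, then enforce."""
    learning: bool = True
    allowed: set = field(default_factory=set)   # registered legitimate flows
    blocked: list = field(default_factory=list) # record of blocked packets

    @staticmethod
    def _key(pkt):
        # Terminal information that identifies a legitimate communication.
        return (pkt.src_ip, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def observe(self, pkt):
        key = self._key(pkt)
        if self.learning:
            # Learning phase: every observed flow is registered as legitimate.
            self.allowed.add(key)
            return "learned"
        if key in self.allowed:
            return "allow"
        # Non-legitimate communication from an unregistered terminal is blocked.
        self.blocked.append(pkt)
        return "block"


def run_demo():
    """Learn from constructed legitimate traffic, then enforce on mixed traffic."""
    dev = WhitelistDevice()
    # Constructed legitimate traffic: an HMI and a historian talking Modbus/TCP to a PLC.
    for pkt in (Packet("10.1.0.10", "10.1.0.50", 502, "tcp"),
                Packet("10.1.0.20", "10.1.0.50", 502, "tcp")):
        dev.observe(pkt)
    dev.learning = False

    verdicts = {
        # Same terminal and service as learned: allowed.
        "hmi": dev.observe(Packet("10.1.0.10", "10.1.0.50", 502, "tcp")),
        # Unregistered terminal reaching the PLC: blocked.
        "rogue": dev.observe(Packet("10.1.0.99", "10.1.0.50", 502, "tcp")),
        # Registered terminal but a service it never used during learning: blocked.
        "wrong_port": dev.observe(Packet("10.1.0.10", "10.1.0.50", 22, "tcp")),
    }
    return verdicts, dev


if __name__ == "__main__":
    results, device = run_demo()
    print(results)
    print("blocked:", len(device.blocked))
```

The learning phase is the trust anchor of this design: whatever communicates while `learning` is true becomes legitimate, so the capture window must be confirmed clean before enforcement is switched on, and the resulting whitelist should be reviewed against the expected set of terminals rather than accepted blindly.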
As background fields of the present technology, there are JP 2015-050767 A (PTL 1) and JP 2009-239525 A (PTL 2).
PTL 1 discloses that “a network switch includes: a whitelist monitoring unit in which a whitelist including an allowed communication rule is retained in advance, the whitelist monitoring unit monitoring one or more packets input via a plurality of switch interfaces on the basis of the whitelist and allowing communication for a packet conforming to the whitelist; and a whitelist management unit that updates the whitelist to send to the whitelist monitoring unit” (refer to the abstract).
PTL 2 discloses that “a packet filtering device receives a packet transmitted from a session initiation protocol (SIP) server, judges whether the received packet is a response to an authentication request transmitted from a SIP client at a predetermined interval, and, when it is judged that the received packet is a response to the authentication request and transmission source information on this packet is not stored in a whitelist, acquires the transmission source information on this packet to retain in the whitelist; then, when detecting that congestion has occurred in a network, the packet filtering device receives a packet on the network, and, among the received packets, transfers a packet whose transmission source is stored in the whitelist to a transmission destination in preference to a packet whose transmission source is not stored in the whitelist” (refer to the abstract).
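As an added example, not code from PTL 2 or from any product, the following models the two behaviours in the PTL 2 abstract: a packet that is a response to a previously seen authentication request has its transmission source information retained in the whitelist, and during congestion packets from whitelisted sources are forwarded ahead of the rest. Which address is retained follows the abstract's literal wording (the source of the response packet); the packet model, the pending-request table and the address values are constructed assumptions.

```python
from dataclasses import dataclass


# Constructed packet model; the "kind" labels are assumptions for this example.
@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    kind: str  # "auth_request", "auth_response" or "data"


class AuthAwareFilter:
    """Whitelist builder plus congestion-time prioritizer (model of PTL 2)."""

    def __init__(self):
        self.pending = set()    # clients whose auth request awaits a response
        self.whitelist = set()  # transmission-source addresses retained
        self.congested = False  # set by a congestion detector (assumed external)

    def observe(self, pkt):
        if pkt.kind == "auth_request":
            # A SIP client's periodic authentication request is noted.
            self.pending.add(pkt.src)
        elif pkt.kind == "auth_response" and pkt.dst in self.pending:
            # The packet answers a known request: retain its source if new.
            self.pending.discard(pkt.dst)
            self.whitelist.add(pkt.src)
        # A response with no matching request, or plain data, changes nothing.

    def forward_order(self, pkts):
        """Return the forwarding order for a burst of received packets.

        Without congestion the order is unchanged (FIFO). Under congestion,
        packets whose source is whitelisted are forwarded first, keeping
        arrival order within each class.
        """
        if not self.congested:
            return list(pkts)
        preferred = [p for p in pkts if p.src in self.whitelist]
        others = [p for p in pkts if p.src not in self.whitelist]
        return preferred + others


def run_demo():
    """Constructed exchange: one genuine auth handshake, one unsolicited response."""
    f = AuthAwareFilter()
    f.observe(Pkt("10.0.0.5", "10.0.0.1", "auth_request"))   # client -> server
    f.observe(Pkt("10.0.0.1", "10.0.0.5", "auth_response"))  # server answers
    f.observe(Pkt("10.0.0.7", "10.0.0.5", "auth_response"))  # no request seen

    burst = [Pkt("10.0.0.9", "10.0.0.5", "data"),
             Pkt("10.0.0.1", "10.0.0.5", "data"),
             Pkt("10.0.0.7", "10.0.0.5", "data")]
    normal = f.forward_order(burst)
    f.congested = True
    prioritized = f.forward_order(burst)
    return f.whitelist, normal, prioritized


if __name__ == "__main__":
    wl, normal, prioritized = run_demo()
    print("whitelist:", wl)
    print("congested order:", [p.src for p in prioritized])
```

The unsolicited response from `10.0.0.7` is deliberately not whitelisted: tying whitelist admission to a request the filter itself observed is what stops an arbitrary sender from gaining priority simply by emitting response-shaped packets.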