Abstract |
PROBLEM TO BE SOLVED: To provide an IDS (intruder detection system) deception prevention mechanism that reliably prevents an IDS from being deceived into missing an attack, even when packets with overlapping data areas are sent whose overlapping parts carry different data for the purpose of deceiving the IDS. SOLUTION: A fragmented IP packet comparison mechanism 104 searches a past packet database 107 for a registered fragmented IP packet carrying data that overlaps the IP packet extracted by a fragmented IP packet extraction mechanism 103, and compares the data carried by both packets to check whether they coincide. If the data differ, it transmits a packet discard instruction signal (DT1) to a packet transfer control mechanism 105, instructing the packet transfer control mechanism 105 to suppress the transfer of the packet received by an external network interface 101. |
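
The comparison step described above, as an added Python example that is not part of the patent text. The class name, the flow key (source, destination, protocol, IP identification), the verdict strings and the sample fragments are assumptions constructed for illustration; entry expiry is left out.

```python
from collections import defaultdict


class FragmentOverlapChecker:
    """Plays the role of comparison mechanism 104 with past packet database 107."""

    def __init__(self):
        # Assumed layout: flow key -> list of (byte offset, payload) already seen.
        self._past = defaultdict(list)

    def check(self, key, offset, payload):
        """Return "forward" or "discard" (the DT1 case) for one fragment.

        offset is the payload's byte position in the original datagram
        (the IPv4 fragment-offset field multiplied by 8).
        """
        end = offset + len(payload)
        for old_off, old_data in self._past[key]:
            lo = max(offset, old_off)
            hi = min(end, old_off + len(old_data))
            if lo >= hi:
                continue  # the two fragments share no bytes
            new_part = payload[lo - offset:hi - offset]
            old_part = old_data[lo - old_off:hi - old_off]
            if new_part != old_part:
                # Overlapping region carries different data: suppress transfer.
                return "discard"
        # Consistent with everything seen so far: register and forward.
        self._past[key].append((offset, payload))
        return "forward"


def demo():
    """Run constructed fragments of one datagram through the checker."""
    checker = FragmentOverlapChecker()
    key = ("192.0.2.10", "198.51.100.5", 6, 0x1234)  # constructed flow key
    fragments = [
        (0, b"AAAAAAAABBBBBBBB"),   # first fragment, bytes 0-15
        (8, b"BBBBBBBBCCCCCCCC"),   # overlaps bytes 8-15 with identical data
        (12, b"BBBBZZZZ"),          # bytes 16-19 contradict the fragment above
        (24, b"DDDDDDDD"),          # no overlap with any stored fragment
    ]
    return [checker.check(key, off, data) for off, data in fragments]


if __name__ == "__main__":
    print(demo())
```

A discarded fragment is not registered, so later fragments are still compared only against data that was actually forwarded.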