JP2010177733A - Communication monitoring device, communication monitoring method of communication monitoring device, and communication monitoring program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To specify an abnormal flow (abnormal communication) by a network monitoring system with a small computational quantity. <P>SOLUTION: A flow information processing section 110 inputs each piece of gathered flow information to one or a plurality of specific abnormality detection sections 120 corresponding to a flow ID of the flow information. Each abnormality detection section 120 determines whether the input flow information includes flow information on an abnormal flow, and outputs "1" when the flow information is included or "0" when not. An abnormal flow specification section 130 specifies the flow ID of the abnormal flow by arranging outputs of the abnormality detection sections 120. An abnormal flow notification section 140 notifies an administrator 220 of the abnormality flow based upon the specified flow ID. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to, for example, a communication monitoring apparatus that identifies abnormal communication, a communication monitoring method for the communication monitoring apparatus, and a communication monitoring program.

  As a conventional anomaly detection type network monitoring technology, there is a technology that learns the time series of traffic flows that flow through a normal network and regards it as unauthorized access when the observed flow is statistically significantly different from normal Proposed. For example, in Patent Document 1, a flow that flows on a monitored network is observed, and the flows are classified based on a transmission destination address or a transmission source address. In addition, when the number of packets included in the flow or the data size is aggregated per unit time, time series information is generated, and when the aggregate amount is different from normal, it is detected using the threshold method, and the aggregate amount is different from normal It is assumed that unauthorized access occurred.

JP 2007-13590 A JP 2008-146157 A

  In the conventional method, when the number of flow types to be determined as abnormal is N, it is necessary to generate N time-series data and monitor each. For example, when the communication from 10000 client PCs (personal computers) to a specific server device is monitored and a client PC performing abnormal communication with the server device is detected, the following is considered. In this case, the flow toward the server apparatus must be classified for each transmission source address to create 10,000 groups, and time series changes must be constantly monitored for each of the 10,000 groups. The conventional method has a problem that the amount of time / space calculation increases in proportion to N.

  In Patent Document 1, in order to reduce the number of groups to be constantly monitored, N types of flows are grouped into several (for example, for each source LAN), and it is also possible to monitor time-series changes in a group unit. However, when an abnormality is detected in a certain group, it is necessary to individually analyze (including learning) the flows in the group again in order to identify which flow in the group is abnormal. Even when monitoring in groups, there is a problem that it takes time to specify a flow.

  An object of the present invention is to make it possible to identify an abnormal flow with a small amount of calculation in a network monitoring system, for example.

  The communication monitoring apparatus according to the present invention divides each communication ID of a plurality of communications into a plurality of partial IDs, and sets the communication information of each communication in which the partial ID has a predetermined value for each partial ID as a communication information group as a CPU (Central Processing). Communication information group output unit output using unit), and each communication information group output for each partial ID by the communication information group output unit is normal communication information in which the characteristics of the communication information group exhibit predetermined characteristics A communication information group determination unit for determining, using the CPU for each communication information group, whether the group is an abnormal communication information group in which the characteristic of the communication information group does not exhibit a predetermined characteristic, and the communication information group determination Communication corresponding to the communication information included in each of the abnormal communication information groups determined by the An abnormal communication specifying unit for specifying communication corresponding to communication information not included in any of the normal communication information groups determined by the communication information group determination unit using the CPU as abnormal communication. Prepare.

  According to the present invention, for example, in a network monitoring system, an abnormal flow (abnormal communication) can be specified with a small amount of calculation. Thereby, the abnormal flow is detected earlier. Further, since a communication monitoring device with low performance can be used, the cost of the network monitoring system is reduced.

1 is a configuration diagram of a network monitoring system 200 according to Embodiment 1. FIG. FIG. 3 is a diagram illustrating an example of hardware resources of the network monitoring apparatus 100 according to the first embodiment. 5 is a flowchart showing a method for identifying an abnormal flow occurrence host of the network monitoring apparatus 100 according to the first embodiment. The figure which shows the flow information storage table 191 in Embodiment 1. FIG. The figure which shows the flow management table 181 in Embodiment 1. FIG. 5 is a flowchart showing flow information input processing (S110) in the first embodiment. The figure which shows the operation | movement principle of the flow information input process (S110) in Embodiment 1. FIG. 6 is a flowchart showing an abnormal flow identification process (S130) in the first embodiment. FIG. 3 is a diagram illustrating an operation principle of a method for identifying an abnormal flow occurrence host in the first embodiment. The block diagram of the network monitoring system 200 in Embodiment 2. FIG. 9 is a flowchart showing flow information input processing (S110) in the second embodiment. 9 is a flowchart showing an abnormal flow identification process (S130) in the second embodiment. The schematic diagram of the flow information input process (S110)-abnormal flow specific process (S130) in Embodiment 2. FIG. FIG. 6 is a configuration diagram of a network monitoring system 200 in a third embodiment. FIG. 10 is a diagram illustrating an example of a flow management table 181 according to the third embodiment. 10 is a flowchart showing an abnormal flow identification process (S130) in the third embodiment.

Embodiment 1 FIG.
A description will be given of a mode of detecting a flow group including an abnormal flow and specifying which flow in the flow group is abnormal without individually checking each flow included in the flow group.

FIG. 1 is a configuration diagram of a network monitoring system 200 according to the first embodiment.
The configuration of the network monitoring system 200 in the first embodiment will be described below with reference to FIG.

The network monitoring system 200 includes a monitoring target network 201, a flow information collection device 210, and a network monitoring device 100 (an example of a communication monitoring device).
The network monitoring system 200 collects flow information related to the traffic of the monitored network 201 (packets 202 transmitted and received via the monitored network 201), and aggregates the collected flow information at regular time intervals to generate time-series data. Then, it is checked whether or not the time-series data includes abnormal fluctuations. When the abnormal fluctuation is found in the time-series data, the administrator 220 is notified of the flow type of the abnormal flow.

  “Flow” corresponds to communication in a specific unit, and means communication, the communication packet 202, the flow of the packet 202, the communication order of the packet 202, the communication path of the packet 202, and the like. For example, communication between specific communication devices is one flow. In this case, the communication between the communication device A and the communication device B is a flow different from the communication between the communication device A and the communication device C.

  The “flow information” is a total of information of one or more packets 202 related to the corresponding communication, and is information for specifying a flow in which the packet 202 is transmitted and received. For example, the flow information includes a time when the flow occurs (“flow occurrence time”), a transmission source address, a transmission destination address, a protocol, a data size, the number of packets, and the like. The flow information format includes an industry standard format called Netflow. The format of the flow information may be a Netflow format or a format other than Netflow.

  An “abnormal flow” is a flow in which unauthorized access to a communication device or a failure of the communication device has occurred.

  “Flow type” is information (for example, group name) for identifying a flow corresponding to the flow information. For example, if it is desired to monitor communication from 10,000 PCs to a server device and identify a PC that has generated an abnormal flow, the number of flow types is “10000”, which is the same as the number of PCs.

  The monitoring target network 201 is a target network monitored by the network monitoring apparatus 100. A plurality of communication devices (for example, client PCs and server devices) are connected to the monitoring target network 201, and each communication device transmits and receives a packet 202 via the monitoring target network 201.

The flow information collection device 210 observes each packet 202 transmitted / received via the monitored network 201, collects each packet 202 from the monitored network 201, and extracts and extracts flow information from each collected packet 202 Among the flow information, the flow information to be monitored is transferred to the network monitoring apparatus 100.
As the flow information collection device 210, a commercially available traffic monitoring device having such a function can be used.

The network monitoring device 100 identifies an abnormal flow based on each flow information transferred from the flow information collection device 210 and notifies the administrator 220 of the identified abnormal flow.
The network monitoring apparatus 100 includes a flow information processing unit 110 (an example of a communication information group output unit), an abnormality detection unit 120 (an example of an abnormal communication information group determination unit), an abnormal flow identification unit 130 (an example of an abnormal communication identification unit), An abnormal flow notification unit 140, a flow management unit 180, and a flow information storage unit 190 are provided.

  The flow information storage unit 190 is a storage device that receives the flow information transferred from the flow information collection device 210, and sets and stores the received flow information in the flow information storage table 191. The flow information accumulation unit 190 has a sufficient storage capacity, and the flow information collection device 210 during a time interval (for example, 10 minutes) (hereinafter, referred to as “abnormal detection time interval”) for performing processing for detecting an abnormal flow. It is assumed that a plurality of pieces of flow information arriving from can be accumulated.

The flow management unit 180 is a storage device that stores the flow management table 181.
The flow management table 181 includes a “flow ID” that is information for identifying a flow, a “flow type name” that is a name that identifies the flow, and a “flow condition” that is a condition that identifies the flow. Is set in advance. The “flow ID” is represented by a specific number of bits (for example, several bits).

The flow information processing unit 110 acquires each flow information from the flow information accumulation unit 190, specifies a flow ID corresponding to each acquired flow information based on the flow management table 181, and each flow information based on the specified flow ID. Flow information is input to one or more specific abnormality detection units 120.
The flow information processing unit 110 includes a flow information acquisition unit 111, a flow information correspondence ID specifying unit 112, and a flow information input unit 113 (an example of a communication information group output unit).

  The flow information acquisition unit 111 acquires each piece of flow information stored in the flow information storage unit 190 for each abnormality detection time interval.

  The flow information corresponding ID specifying unit 112 specifies the flow ID corresponding to each flow information acquired by the flow information acquiring unit 111 using the CPU based on the flow management table 181.

The flow information input unit 113 inputs each flow information to one or a plurality of specific abnormality detection units 120 based on the flow ID specified by the flow information corresponding ID specifying unit 112.
Specifically, the flow information input unit 113 divides the flow ID into a plurality of partial IDs (for example, bits), and identifies each flow information in which the partial ID has a predetermined value for each partial ID as a flow information group. Input to the detection unit 120.

There are as many abnormality detection units 120 as there are partial IDs. For example, when the flow ID is divided into three partial IDs, there are three abnormality detection units 120.
The plurality of anomaly detection units 120 are configured such that each flow information group output for each partial ID by the flow information processing unit 110 includes a normal flow information group in which a feature of the flow information group indicates a predetermined feature, and the flow information group It is determined by using the CPU for each flow information group whether it is an abnormal flow information group that does not show a predetermined feature.

  The abnormal flow identification unit 130 is a flow ID corresponding to the flow information included in any abnormal flow information group determined by the abnormality detection unit 120, and each normal flow information determined by the abnormality detection unit 120. The flow ID corresponding to the flow information not included in any of the groups is specified using the CPU as the flow ID of the abnormal flow.

  The abnormal flow notifying unit 140 specifies the flow type name of the flow corresponding to the flow ID specified by the abnormal flow specifying unit 130 based on the flow management table 181 and outputs the specified flow type name as the abnormal flow identification information. Output to a device (eg, display device, speaker).

FIG. 2 is a diagram illustrating an example of hardware resources of the network monitoring apparatus 100 according to the first embodiment.
2, the network monitoring apparatus 100 includes a CPU 911 (Central Processing Unit) that executes a program. The CPU 911 includes a ROM 913, a RAM 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, an FDD 904 (Flexible Disk Drive), a CDD 905 (compact disk device), a printer device 906, a scanner device 907, via a bus 912. It is connected to a microphone 908, a speaker 909, and a magnetic disk device 920, and controls these hardware devices. Instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card read / write device may be used.

  The communication board 915 is connected to a communication network such as a LAN (local area network), the Internet, or a telephone line by wire or wireless.

  The magnetic disk device 920 stores an OS 921 (operating system), a window system 922, a program group 923, and a file group 924. The programs in the program group 923 are executed by the CPU 911, the OS 921, and the window system 922.

  The program group 923 stores a program for executing a function described as “˜unit” in the embodiment. The program is read and executed by the CPU 911.

In the file group 924, in the embodiment, result data such as “determination result”, “calculation result of”, “processing result of” when executing the function of “to part”, “to part” The data to be passed between programs that execute the function “,” other information, data, signal values, variable values, and parameters are stored as items “˜file” and “˜database”. The flow management table 181 and the flow information accumulation table 191 are examples of those included in the file group 924.
The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for CPU operations such as calculation, processing, output, printing, and display. During these operations of the CPU 911, information, data, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory.
In addition, arrows in the flowcharts described in the embodiments mainly indicate input / output of data and signals. The data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic disk device 920 magnetic field. It is recorded on a recording medium such as a disc, other optical discs, mini discs, DVD (Digital Versatile Disc). Data and signal values are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In addition, what is described as “˜unit” in the embodiment may be “˜circuit”, “˜device”, “˜device”, and “˜step”, “˜procedure”, “˜”. Processing ". That is, what is described as “˜unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the network monitoring apparatus 100 (an example of a computer) to function as “˜unit”. Alternatively, the network monitoring device 100 is caused to execute the procedure and method of “˜unit”.

FIG. 3 is a flowchart illustrating a method for identifying an abnormal flow occurrence host of the network monitoring apparatus 100 according to the first embodiment.
A method for identifying an abnormal flow occurrence host (an example of a communication monitoring method) of the network monitoring apparatus 100 according to the first embodiment will be described below with reference to FIG.
Each “˜unit” of the network monitoring apparatus 100 executes processing described below using a CPU.
The process described below is executed at predetermined abnormality detection time intervals.

<S110 (an example of communication information group output processing)>
The flow information processing unit 110 acquires each flow information collected after the previous processing (S110 to S140) from the flow information storage unit 190, and based on the flow management unit 180, the flow ID corresponding to each acquired flow information. The flow information is input to one or more specific abnormality detection units 120 based on the specified flow ID.
Details of S110 will be described below.

FIG. 4 is a diagram showing the flow information accumulation table 191 in the first embodiment.
Each flow information collected by the flow information collection device 210 is set in the flow information accumulation table 191 as shown in FIG. One record (one line) in the flow information accumulation table 191 is one piece of flow information.
The flow information includes “flow occurrence time”, “source IP address”, “source port number”, “destination IP address”, “destination port number”, “protocol”, and “data size”.
The flow information accumulation table 191 is stored in the flow information accumulation unit 190.

FIG. 5 is a diagram showing the flow management table 181 in the first embodiment.
As shown in FIG. 5, “flow ID”, “flow type name”, and “flow condition” are set for each flow in the flow management table 181. One record of the flow management table 181 indicates information related to one flow.
The flow ID is represented by an unsigned integer value “1, 2,..., N (N: number of flows)”. The data size of the flow ID is “log ₂ (N + 1) bits” (rounded up after the decimal point). That is, the data size of the flow ID is “m bits” where “m” is the minimum integer value that is not less than the logarithm of (N + 1) with 2 as the base. For example, when the number of flows N is “5”, the data size of the flow ID is “3 bits”.
The flow type name is preferably a character string that is easy for a human (administrator 220) to understand what kind of flow it is.
“*” Set in the “transmission source port” of the flow condition means that the transmission source port can be any number.
The flow management table 181 is generated in advance and stored in the flow management unit 180 in advance.

FIG. 6 is a flowchart showing the flow information input process (S110) in the first embodiment.
The flow information input process (S110) in the first embodiment will be described below based on FIG.
In the flow information input process (S110), S111 to S118 are executed as shown in FIG.

<S111>
The flow information acquisition unit 111 acquires each flow information collected since the previous process from the flow information storage unit 190.
Hereinafter, the number of pieces of flow information acquired in S111 is referred to as “n”, and each piece of flow information is referred to as “F _x (x: 1, 2,..., N)”.
After S111, the process proceeds to S112.

<S112>
The flow information corresponding ID specifying unit 112 executes the first loop process (S112 to S118) based on the first loop condition “k = 1, n, 1” or ends the first loop process. Judge whether to do.
The first loop condition “k = 1, n, 1” indicates that the initial value of the variable “k” is “1”, the loop end value is “n”, and the increment value of k is “1”. Yes.
Thereafter, the first loop process (S112 to S118) is repeated n times based on the first loop condition.
When the first loop process is executed (k ≦ n), the process proceeds to S113.
When the first loop process ends (k> n [k = n + 1]), the flow information input process (S110) ends.

<S113>
The flow information corresponding ID specifying unit 112 specifies the flow ID _k corresponding to the flow information F _k based on the flow management table 181.
For example, the flow information F _k is a record on the first line of the flow information accumulation table 191 shown in FIG. 4 (flow generation time: 2008/1/1 10:28:30), and the flow management table 181 shows the flow information F _k as shown in FIG. When the record is set, the flow information corresponding ID specifying unit 112 specifies the flow ID “1” set in the record in the first row of the flow management table 181 as the flow ID _k corresponding to the flow information F _k. To do. This is because the first line record (flow information F _k ) in the flow information accumulation table 191 matches the flow condition of the first line record in the flow management table 181.
After S113, the process proceeds to S114.

<S114>
Whether the flow information input unit 113 executes the second loop process (S114 to S117) or ends the second loop process based on the second loop condition “i = 1, m, 1”. judge.
The second loop condition “i = 1, m, 1” indicates that the initial value of the variable “i” is “1”, the loop end value is “m”, and the increment value of i is “1”. Yes.
Here, “m” means the number of bits of the flow ID.
Thereafter, the second loop process (S114 to S117) is repeated m times based on the second loop condition.
When the second loop process is executed (i ≦ m), the process proceeds to S115.
When the second loop process is terminated (i> m [i = m + 1]), the process proceeds to S118.

<S115>
The flow information input unit 113 determines whether or not the i-th bit of the flow ID _k specified in S113 is “1”.
For example, when the flow ID _k is “1”, the variable i is “1”, and m is “3”, the bit string representing the flow ID _k in binary number is “001”, and the LSB (Least Significant Bit: highest). Since the i (1) -th bit counted from the least significant bit (the rightmost bit) is “1”, the determination result is “YES”.
If the i-th bit of the flow ID _k is “1” (YES), the process proceeds to S116.
When the i-th bit of the flow ID _k is not “1” but “0” (NO), the process proceeds to S117.

<S116>
When the i-th bit of the flow ID _k is “1” in S115 (YES), the flow information input unit 113 inputs the flow information F _k to the i-th abnormality detection unit 120.
After S116, the process proceeds to S117.

<S117>
The process returns to S114.
In step S114, the flow information input unit 113 adds the increment value “1” to the variable i, and compares the variable i added with “1” with the loop end value m. If “i ≦ m”, the process proceeds to S115, and if “i> m [i = m + 1]”, the process proceeds to S118.

<S118>
The process returns to S112.
In S112, the flow information correspondence ID specifying unit 112 adds the increment value “1” to the variable k, and compares the variable k added with “1” with the loop end value n. If “k ≦ n”, the process proceeds to S113. If “k> n [k = n + 1]”, the flow information input process (S110) ends.

Through the above flow information input processing (S110), each flow information is input to one or a plurality of abnormality detection units 120.
For example, the flow information with the flow ID “1” is input to the first abnormality detection unit 120 according to the bit string “001” of the flow ID “1”.
Further, the flow information with the flow ID “2” is input to the second abnormality detection unit 120 according to the bit string “010” of the flow ID “2”.
The flow information with the flow ID “3” is input to the first abnormality detection unit 120 and the second abnormality detection unit 120 according to the bit string “011” of the flow ID “3”.
In addition, the flow information with the flow ID “7” includes the first abnormality detection unit 120, the second abnormality detection unit 120, and the third abnormality detection unit 120 according to the bit string “111” of the flow ID “7”. Is input.

FIG. 7 is a diagram showing the operation principle of the flow information input process (S110) in the first embodiment.
In FIG. 7, the flow information processing unit 110 inputs one piece of flow information from the flow information storage unit 190 (S111), and specifies the flow ID “6” corresponding to the input flow information based on the flow management table 181 ( S113) indicates that the flow information is input to the second abnormality detection unit 120 and the third abnormality detection unit 120 based on the bit string “110” representing the acquired flow ID “6” (S116).

Returning to FIG. 3, the description of the method for identifying the abnormal flow occurrence host will be continued.
After S110, the process proceeds to S120.

<S120 (an example of communication information group determination processing)>
Each abnormality detection unit 120 determines whether or not each flow information (an example of a communication information group) input in S110 includes abnormal flow information or does not include abnormal flow information.
Each abnormality detection unit 120 inputs the determination result to the abnormality flow identification unit 130.
Hereinafter, the determination result that the flow information of the abnormal flow is included is “abnormal”, and the determination result that the flow information of the abnormal flow is not included is “normal”.

For example, each anomaly detection unit 120 is configured to calculate the total number, average value, or variance of the data size, which is one of the items of flow information and flow information, based on each input flow information. Calculate as
Each abnormality detection unit 120 compares the target time-series data with the normal time-series data calculated in advance based on the normal flow information, and the target time-series data is the normal time-series data. Judge whether it is deviating from.
When the target time-series data is largely separated from the normal time-series data, each abnormality detection unit 120 determines that the target time-series data is largely isolated from the normal time-series data. If not, it is determined as “normal”.
Each abnormality detection unit 120 outputs the determination result to the abnormality flow identification unit 130.

Patent Document 1 and Patent Document 2 are examples of methods for determining whether the target time-series data deviates from the normal time-series data.
Patent Document 1 discloses a method using a threshold method.
In Patent Document 2, principal component analysis is performed by combining time series data for a certain period of time (normal time series data) and newly generated time series data (target time series data). A method for determining whether or not there is an abnormality based on the principal component score of the generated time-series data is disclosed.
The method for determining whether the target time-series data deviates from the normal time-series data may be other methods.

When the i-th abnormality detection unit 120 outputs the determination result “abnormal”, it means that at least one of the flows whose i-th bit of the flow ID is “1” is an abnormal flow.
In addition, when the i-th abnormality detection unit 120 outputs the determination result “0 (normal)”, all the flows whose i-th bit of the flow ID is “1” are excluded from the “abnormal flow” candidates. means.

  For example, the bit number m of the flow ID is “3”, the determination result of the first abnormality detection unit 120 is “abnormal”, the determination result of the second abnormality detection unit 120 is “abnormal”, and the third abnormality detection unit 120 Is “normal”, the flow ID “3” in which the first bit is “1”, the second bit is “1”, and the third bit is “0” (bit string “011”). Is the flow ID of the abnormal flow.

  After S120, the process proceeds to S130.

<S130 (an example of abnormal communication identification process)>
The abnormal flow identification unit 130 identifies the flow ID of the abnormal flow based on the determination result input in S120, and inputs the identified abnormal flow ID to the abnormal flow notification unit 140.
At this time, the abnormal flow identifying unit 130 represents the determination result of each abnormality detecting unit 120 as 1 bit (normal “0”, abnormal “1”) and arranged in order as the flow ID of the abnormal flow.
Details of S130 will be described below.

FIG. 8 is a flowchart showing the abnormal flow identification process (S130) in the first embodiment.
The abnormal flow identification process (S130) in the first embodiment will be described below with reference to FIG.

<S131>
The abnormal flow identification unit 130 initializes the variable detectID by setting “0 (all bits“ 0 ”)” to the variable detectID. The variable detectID is a variable for an unsigned integer value used for setting the flow ID of the abnormal flow, and has the same number of bits as the flow ID.
After S131, the process proceeds to S132.

<S132>
The abnormal flow identification unit 130 determines whether to execute the loop processing (S132 to S136) or to end the loop processing based on the loop condition “i = 1, m, 1”.
The loop condition “i = 1, m, 1” indicates that the initial value of the variable “i” is “1”, the loop end value is “m”, and the increment value of i is “1”.
Here, “m” means the number of bits of the flow ID and the variable detectID.
Thereafter, the loop process (S132 to S136) is repeated m times based on the loop condition.
When the loop process is executed (i ≦ m), the process proceeds to S133.
When the loop process is to be ended (i> m [i = m + 1]), the process proceeds to S137.

<S133>
The abnormal flow identification unit 130 sets the determination result of the i-th abnormality detection unit 120 to the variable r.
After S133, the process proceeds to S134.

<S134>
The abnormal flow identification unit 130 determines whether the variable r indicates “abnormal”.
When the variable r indicates “abnormal” (YES), the process proceeds to S135, and when the variable r indicates “normal” (NO), the process proceeds to S136.

<S135>
The abnormal flow identification unit 130 sets “1” to the i-th bit counted from the LSB of the variable detectID.
After S135, the process proceeds to S136.

<S136>
The process returns to S132.
In S132, the abnormal flow identification unit 130 adds the increment value “1” to the variable i, and compares the variable i added with “1” with the loop end value m. If “i ≦ m”, the process proceeds to S133. If “i> m [i = m + 1]”, the process proceeds to S137.

At the end of the loop processing (S132 to S136), the variable detectID indicates a specific flow ID.
For example, “m = 3”, the determination result “abnormal” of the first abnormality detection unit 120, the determination result “abnormal” of the second abnormality detection unit 120, and the determination result “normal” of the third abnormality detection unit 120 In this case, the bit string of the variable detectID is “011”, and the variable detectID indicates the flow ID “3”.

<S137>
After the loop processing (S132 to S136), the abnormal flow identification unit 130 determines whether the variable detectID is other than “0”, that is, whether at least one bit of the variable detectID is “1”.
If the variable detectID is other than “0”, that is, if at least one bit of the variable detectID is “1” (YES), the process proceeds to S138.
When the variable detectID is “0”, that is, when all the bits of the variable detectID are “0” (NO), the abnormal flow specifying process (S130) ends.

<S138>
The abnormal flow identification unit 130 outputs the flow ID set in the variable detectID to the abnormal flow notification unit 140 as the flow ID of the abnormal flow.
After S138, the abnormal flow identification process (S130) ends.

The abnormal flow specifying process (S130) may be executed as follows.
Each abnormality detection unit 120 outputs bit “0” as a determination result when it is determined as “normal”, and outputs bit “1” as a determination result when it is determined as “abnormal”.
The abnormal flow identification unit 130 generates a bit string by arranging the determination results of the respective abnormality detection units 120 in the order of the abnormality detection unit 120, and outputs the generated bit string to the abnormal flow notification unit 140 as a bit string representing the flow ID of the abnormal flow. .
For example, the number of bits m of the flow ID is “3”, the output of the first abnormality detection unit 120 is “1”, the output of the second abnormality detection unit 120 is “1”, and the output of the third abnormality detection unit 120 Is “0”, the abnormal flow identification unit 130 outputs “011” to the abnormal flow notification unit 140 as a bit string representing the flow ID of the abnormal flow.

Returning to FIG. 3, the description of the method for identifying the abnormal flow occurrence host will be continued.
After S130, the process proceeds to S140.

<S140>
The abnormal flow notification unit 140 identifies the flow type name of the abnormal flow corresponding to the flow ID of the abnormal flow input in S130 based on the flow management table 181, and specifies the flow type name of the specified abnormal flow to the administrator 220. Notice.
For example, when the flow ID of the abnormal flow is “3”, the abnormal flow notification unit 140 refers to the flow management table 181 illustrated in FIG. 5 and starts the Web from the flow type name “192.168.0.3” of the abnormal flow. The server "is output to an output device (for example, a display device or a speaker) to notify the administrator 220.
After S140, the processing of the method for identifying the abnormal flow occurrence host ends.

FIG. 9 is a diagram illustrating an operation principle of the method for identifying an abnormal flow occurrence host in the first embodiment.
The operation principle of the abnormal flow generation host identification method (S110 to S140) will be described below with reference to FIG.

When the bit number m of the flow ID is “3”, the flow information processing unit 110 inputs the flow information in which the first bit of the flow ID is “1” to the first abnormality detection unit 120.
In addition, the flow information processing unit 110 inputs flow information in which the second bit of the flow ID is “1” to the second abnormality detection unit 120, and the third abnormality detection unit 120 receives the third flow ID. The flow information whose bit is “1” is input (S110).

Each abnormality detection unit 120 determines whether or not the input flow information includes the flow information of the abnormal flow, and outputs the determination result to the abnormal flow identification unit 130.
Here, the first abnormality detection unit 120 outputs the bit “1 (abnormal)” as the determination result, and the second abnormality detection unit 120 outputs the bit “0 (normal)” as the determination result. It is assumed that the abnormality detection unit 120 outputs the bit “1 (abnormal)” as the determination result (S120).

  The abnormal flow identification unit 130 generates the bit string “101” by arranging the determination results of the respective abnormality detection units 120, and outputs the flow ID “5” represented by the generated bit string “101” to the abnormal flow notification unit 140 ( S130).

  The abnormal flow notification unit 140 specifies the flow type name “srcIP = B, dstIP = Y” corresponding to the flow ID “5” output by the abnormal flow specifying unit 130 based on the flow management table 181, and specifies the specified flow The type name is notified to the administrator 220 as the name of the abnormal flow (S140).

In the first embodiment, the following network monitoring system 200 has been described.
The network monitoring system 200 includes a network monitoring device 100 that detects the occurrence of unauthorized access and device failure.
The network monitoring apparatus 100 includes a flow type-ID correspondence management unit (flow management unit 180), a flow input unit (flow information processing unit 110), a detection result-ID conversion unit (abnormal flow identification unit 130), and a notification unit (abnormal flow). A notification unit 140).
The flow type-ID correspondence management means returns a flow ID defined in advance according to the content of the flow information.
The flow input means selectively inputs flow information to a plurality of abnormality detection means (abnormality detection unit 120) according to the bit string when the flow ID is expressed in binary.
The detection result-ID conversion means calculates an integer value from the detection results of the plurality of abnormality detection means.
The notifying means regards the integer value as an ID, and notifies the administrator 220 of information on the corresponding flow type as information on the flow in which an abnormality has occurred.

The operation principle of the network monitoring apparatus 100 will be supplementarily described.
When the flow input unit extracts the flow information from the flow storage unit (flow information storage unit 190), a bit in which “1” is set when the flow ID corresponding to the flow type is expressed by a binary number in the extracted flow information. Is input to the abnormality detection means corresponding to. Therefore, if an abnormality occurs on the flow classified into the flow type identified by a certain flow ID, it corresponds to the abnormality detection means to which the flow information is input, that is, the bit with “1” set in the flow ID. Only the abnormality detecting means that reports “abnormal”, and the remaining abnormality detecting means report “normal”. Therefore, the detection result-ID conversion unit reconstructs the flow ID in which an abnormality has occurred by obtaining an m-bit numerical value in which only the bit corresponding to the abnormality detection unit that has reported “abnormality” is “1”. can do.

As described above, the network monitoring apparatus 100 assigns a flow ID to a flow type to be identified, and selectively inputs flow information to a plurality of abnormality detection units according to the bit pattern of the flow ID. As a result, when an abnormality occurs on a certain flow, the abnormality is reported from the abnormality detecting means corresponding to the bit pattern of the flow ID. For this reason, the detection result-ID conversion means can easily identify the flow ID in which an abnormality has occurred by counting from which abnormality detection means the abnormality is reported. By using this method, the network monitoring system 200 only monitors about log ₂ N groups, and in which flow of the N types an abnormality has occurred without performing individual flow analysis after the abnormality is detected. Can be specified. The network monitoring system 200 has an effect of solving the trade-off between the number of abnormality detection means (= the amount of calculation required for continuous monitoring) and the amount of calculation required for specifying a flow when an abnormality occurs, which has been a problem of the prior art.

  In the above description, the flow ID corresponding to the flow information is determined by associating the flow ID and the flow condition with a statically configured table (flow management table 181). However, it is also possible to directly implement the ID determination condition in the program. For example, if the flow type is classified based only on the source IP address (source IP address) in the flow information, a method can be considered in which the IP address is regarded as a 32-bit (bit) flow ID. In this case, the flow type name needs to be dynamically created from the flow ID, but can be realized by performing processing such as converting a given flow ID into a character string representing an IP address.

The “source IP address”, “source port number”, “destination IP address”, “destination port number”, and “protocol” shown in FIG. 4 are examples of information (flow specifying information) necessary for flow classification. The “data size” is an example of quantitative data necessary for generating time-series data.
For example, if the classification including the port number is not performed, the “transmission source port number” and the “destination port number” may not be included in the flow specifying information. It is also conceivable to use “number of packets” instead of “data size” as quantitative data necessary for generating time-series data. In an extreme case, the number of flows generated within a certain time for each flow classification may be used as time series data. For example, the number of flows is the number of application data or the number of processing of a sequence (a predetermined plurality of transmission / reception). In this case, quantitative data necessary for generating time-series data may not be included in the flow information.

  Moreover, although the structure provided with the some abnormality detection part 120 was shown as a structure of the network monitoring apparatus 100, each abnormality detection part 120 does not need to operate | move simultaneously at all, Of course, it is also possible to operate | move in order. Furthermore, the network monitoring apparatus 100 may include only one abnormality detection unit 120 instead of a plurality. For example, the flow information processing unit 110 sets each flow information whose i-th bit of the flow ID is “1” (each flow information input to the i-th abnormality detection unit 120 above) as the i-th flow information group. In summary, each flow information group is input to the abnormality detection unit 120. The abnormality detection unit 120 uses the determination result for each piece of flow information included in the i-th flow information group as the i-th determination result (the determination result output from the i-th abnormality detection unit 120 above) to the abnormal flow identification unit 130. Output. Information unique to each abnormality detection unit 120, that is, flow information input at the time of each monitoring execution and normal time-series information are separated and managed, so that these pieces of information are replaced, and one abnormality detection unit 120 is obtained. Thus, it is possible to perform processing equivalent to that of the plurality of abnormality detection units 120.

  Furthermore, the network monitoring system 200 may include a plurality of flow information collection devices 210. For example, one flow information collection device 210 may be installed in each of the plurality of monitoring target networks 201, and the flow information of different monitoring target networks 201 may be collected by different flow information collection devices 210.

  Furthermore, it is of course possible to adopt a form in which each “˜unit” in the network monitoring apparatus 100 is an individual apparatus, and each apparatus exchanges data via the flow information collection apparatus 210. Conversely, a form in which the flow information collection device 210 and the network monitoring device 100 are integrated in one device is also possible.

Each abnormality detection unit 120 may not correspond to each bit representing a flow ID. For example, the flow ID may be a character string in which “0” or “1” is arranged, and the abnormality detection unit 120 may correspond to each character representing the flow ID. Further, for example, the flow ID is a character string (for example, “aab”) that is a combination of three “a”, “b”, and “c”, and the abnormality detection unit 120 displays each character (first character “a”) There may be nine corresponding to the first character “b”, the first character “c”, the second character “a”,..., The third character “c”). When the flow ID is “aab”, the flow information corresponds to the abnormality detection unit 120 corresponding to the first character “b”, the abnormality detection unit 120 corresponding to the second character “a”, and the third character “a”. Input to the abnormality detection unit 120.
Also, the abnormal flow is not specified as one, but may be limited to a plurality of candidates.

Embodiment 2. FIG.
In the abnormality detection process (S120), a mode in which it is determined whether or not an erroneous determination result is included in a plurality of determination results output from the plurality of abnormality detection units 120, and the erroneous determination result is corrected will be described.
Hereinafter, items different from the first embodiment will be mainly described. Matters whose description is omitted are the same as those in the first embodiment.

FIG. 10 is a configuration diagram of the network monitoring system 200 according to the second embodiment.
In FIG. 10, the number of anomaly detection units 120 included in the network monitoring system 200 is an error correction code obtained by encoding a flow ID (excluding the number of bits of an extended part obtained by extending a flow ID for encoding as will be described later). The same applies hereinafter). When the number of bits of the flow ID is “m” and the number of bits for error correction (redundant information) is “b”, the network monitoring system 200 includes “m + b” abnormality detection units 120.
For example, if the flow ID bit number m is “4” and the encoding method is “(7,4) Hamming code”, the bit number b of error correction bits is “3 (= 7-4)”. The number of bits of the error correction code is “7”. In this case, the network monitoring system 200 includes seven abnormality detection units 120.

The flow information processing unit 110 has an error correction coding function, and the abnormal flow identification unit 130 (an example of a communication information group determination result correction unit) has an error correction decoding function.
Other configurations are the same as those of the first embodiment (see FIG. 1).

The method for identifying the abnormal flow generation host is the same as in the first embodiment (see FIG. 3). However, the error correction coding process for converting the flow ID into the error correction code is added to the flow information input process (S110), and the error correction decoding process for decoding the error correction code into the flow ID is changed to the abnormal flow specifying process (S130). Join.
Hereinafter, the error correction coding process added to the flow information input process (S110) and the error correction decoding process added to the abnormal flow identification process (S130) will be described.

FIG. 11 is a flowchart showing flow information input processing (S110) in the second embodiment.
The flow information input process (S110) in the second embodiment will be described below based on FIG.

The flowchart shown in FIG. 11 is obtained by adding an error correction coding process (S119) to the flow information input process (S110) described in the first embodiment (see FIG. 6) and changing S114 and S115 to S114a and S115a. It is.
Hereinafter, the error correction coding process (S119), S114a, and S115a will be described, and the description of the other processes (S111 to S113, S116 to S118) will be omitted.

After the flow ID _k corresponding to the flow information F _k is specified in S113, the process proceeds to S119.

<S119>
Flow information corresponding ID identifying unit 112, a flow ID _k coded (then the encode), sets coded flow ID _k a (error correction code k) to the variable v.
The error correction code k set in the variable v is _obtained by adding an error correction bit to the flow ID _k , and “m + b” obtained by adding the bit number b of the error correction bit to the bit number m of the flow ID _k. The number of bits.
The encoding of the flow ID _k will be described later.
After S119, the process proceeds to S114a.

<S114a>
Whether the flow information input unit 113 executes the second loop process (S114a to S117) or ends the second loop process based on the second loop condition “i = 1, m + b, 1”. judge.
S114a is a process in which the second loop condition of S114 described in the first embodiment (see FIG. 6) is partially changed. The change is that the loop end value is changed from “m” to “m + b”.
“M + b” is the number of bits of the error correction code k set in the variable v in S119.
Thereafter, the second loop process (S114a to S117) is repeated m + b times based on the second loop condition.

<S115a>
The flow information input unit 113 determines whether the i-th bit of the variable v is “1”.
If the i-th bit of the variable v is “1” (YES), the process proceeds to S116.
When the i-th bit of the variable v is “0” instead of “1” (NO), the process proceeds to S117.

FIG. 12 is a flowchart showing the abnormal flow identification process (S130) in the second embodiment.
The abnormal flow identification process (S130) in the second embodiment will be described below with reference to FIG.

In the flowchart shown in FIG. 12, the error correction decoding process (S139) is performed by changing S131, S132, and S135 of the abnormal flow specifying process (S130) described in the first embodiment (see FIG. 8) to S131a, S132a, and S135a. Is added.
Hereinafter, S131a, S132a, S135a and the error correction decoding process (S139) will be described, and description of other processes (S133, S134, S136 to S138) will be omitted.

<S131a>
The abnormal flow identification unit 130 initializes the variable v by setting “0 (all bits“ 0 ”)” to the variable v. The number of bits of the variable v is equal to or greater than the total value “m + b” of the number of bits m of the flow ID and the number of bits b of the error correction bits.
After S131a, the process proceeds to S132a.

<S132a>
The abnormal flow identification unit 130 determines whether to execute the loop processing (S132a to S136) or to end the loop processing based on the loop condition “i = 1, m + b, 1”.
S132a is a process in which the loop condition of S132 described in the first embodiment (see FIG. 8) is partially changed. The change is that the loop end value is changed from “m” to “m + b”.
Thereafter, the loop process (S132a to S136) is repeated m + b times based on the loop condition.

<S135a>
The abnormal flow identification unit 130 sets “1” to the i-th bit counted from the LSB of the variable v.

  In the loop processing (S132a to S136), the i-th (i: 1 to m + b) bits of the variable v are set to values (normal “0”, abnormal “1”) corresponding to the determination result of the i-th abnormality detection unit 120. Then, the process proceeds to S139.

<S139>
The abnormal flow identification unit 130 decodes the variable v and sets a value (flow ID) obtained by decoding the variable v to the variable detectID.
A value obtained by decoding the variable v and set in the variable detectID corresponds to the flow ID of the abnormal flow.
Decoding from the variable v to the flow ID will be described later.
After S139, the process proceeds to S137.

FIG. 13 is a schematic diagram of flow information input processing (S110) to abnormal flow identification processing (S130) in the second embodiment.
The flow ID encoding in the error correction encoding process (S119) and the decoding to the flow ID in the error correction decoding process (S139) will be described below with reference to FIG.
Here, the number of bits of the flow ID is “6” and the encoding method is “(15,4) Hamming code”. The (15, 4) Hamming code is a method of generating a 15-bit error correction code by adding a 4-bit error correction code (redundant information).

  In the error correction encoding process (S119), in order to encode the flow ID by the (15, 4) Hamming code, 5 extension bits are added to the 6-bit flow ID. The value of each bit of the extension bits is “0”. The reason why the extension bits are added is that an arbitrary bit length cannot be taken as the original data length (here, the number of bits of the flow ID) when generating the error correction code. For example, in the Hamming code, the original data length must be “4” “11” “26”... “2n−n−1” bits (n is a positive integer). The 11-bit flow ID to which the extension bits are added is encoded by the (15, 4) Hamming code, and a 15-bit error correction code is generated. The 15-bit error correction code includes a 4-bit error correction bit, a 6-bit flow ID, and a 5-bit extension bit. The error correction bit is a bit string having consistency with the flow ID. Extension bits are discarded.

  In S116, each flow information in which the i-th bit (i: 1 to 10) of the error correction code (excluding the extension bits) is “1” is input to the i-th abnormality detection unit 120.

In the error correction decoding process (S139), a 5-bit extension bit is added to a 10-bit bit string in which values (normal “0”, abnormal “1”) corresponding to the determination result of each abnormality detection unit 120 are arranged. A 15-bit error correction code is generated. Then, the 15-bit error correction code is decoded by the (15, 4) Hamming code, and a 6-bit flow ID and a 5-bit extension bit are generated. Extension bits are discarded.
In decoding by the (15, 4) Hamming code, the consistency between the error correction bit included in the error correction code and the flow ID is checked, and the error included in the flow ID is checked by the check (incorrect determination of the abnormality detection unit 120). Result) is detected, and the error of the detected flow ID is corrected based on the error correction bits. In other words, when an erroneous determination result is obtained by the abnormality detection unit 120 corresponding to the flow ID, the erroneous determination result is detected and corrected based on the determination result of the abnormality detection unit 120 corresponding to the error correction bit. Is done.

In the second embodiment, the following network monitoring system 200 has been described.
The network monitoring system 200 is an improvement of the first embodiment. The flow information processing unit 110 converts the flow ID into a bit string, adds an error correction bit, selects an abnormality detection means (abnormality detection unit 120) according to the bit string (error correction code) obtained as a result, and selects the selected abnormality. Flow information is input to the detection means.

  As a result, the network monitoring system 200 may generate a determination error in each abnormality detection unit, that is, determine that the abnormality is normal when it should be determined to be normal, or that it is determined normal when it should be determined that it is abnormal. Even in this case, a correct flow ID can be calculated to some extent. The network monitoring system 200 can reduce the possibility of notifying the administrator 220 of the wrong flow type by suppressing the occurrence of a specific error in the flow ID.

  The function for encoding the flow ID (encode function) and the function for decoding the encoded flow ID (decode function) include an error correction encoding function for a bit string of at least m bits (m: the number of bits of the flow ID) and The present embodiment can be realized with a decoding function. Many error correction functions are already known, and there are BCH codes, Reed-Solomon codes, etc. in addition to the above-mentioned Hamming codes. However, the error correction code schemes that can be used are limited depending on the required error correction capability, and the number b of error correction bits also changes.

Embodiment 3 FIG.
An embodiment will be described in which when there are a plurality of abnormal flows instead of one, a normal flow is prevented from being notified to the administrator 220 as an abnormal flow based on a flow ID obtained by combining the flow IDs of the abnormal flows.
Hereinafter, items different from the first embodiment will be mainly described. Matters whose description is omitted are the same as those in the first embodiment.

FIG. 14 is a configuration diagram of the network monitoring system 200 according to the third embodiment.
In FIG. 14, the number of abnormality detection units 120 included in the network monitoring system 200 is the number of bits m ′ of the flow ID. “M ′” is the smallest positive integer that satisfies “ _{m ′} C _p ≧ N” (p: any positive integer) when the number of flow types is “N”. The notation “ _{xC y} ” represents the number of combinations for selecting y elements from x elements.
Each of the N flow IDs always has p bits in which “1” is set.

FIG. 15 is a diagram illustrating an example of the flow management table 181 according to the third embodiment.
For example, if the flow type number N is “10” and the number p of bits “1” included in each flow ID is “2”, the bit number m ′ of the flow ID is “5” as shown in FIG. is there.
Each flow ID (3, 5,..., 24) has “1” set in 2 (= p) bits out of 5 bits.
Hereinafter, the p is referred to as ““ 1 ”bit number p”.

FIG. 16 is a flowchart showing the abnormal flow specifying process (S130) in the third embodiment.
The abnormal flow identification process (S130) in the third embodiment will be described below with reference to FIG.

In the flowchart shown in FIG. 16, S131, S132, S135, and S137 in the abnormal flow specifying process (S130) described in the first embodiment (see FIG. 8) are changed to S131b, S132b, S135b, and S137b, and S138b is added. Is.
Hereinafter, S131b, S132b, S135b, S137b, and S138b will be described, and descriptions of other processes (S132 to S134, S136 to S138) will be omitted.

<S131b>
The abnormal flow identification unit 130 initializes the variable detectID to “0” and initializes the variable P to “0”. The variable P is a variable used for counting the number of bits “1” set in the variable detectID.
After S131b, the process proceeds to S132.

<S132b>
The abnormal flow identification unit 130 determines whether to execute the loop processing (S132b to S136) or to end the loop processing based on the loop condition “i = 1, m ′, 1”.
S132b is a process in which the loop condition of S132 described in the first embodiment (see FIG. 8) is partially changed. The change is that the loop end value is changed from “m” to “m ′”.
Thereafter, the loop processing (S132b to S136) is repeated m 'times based on the loop condition.

<S135b>
The abnormal flow identification unit 130 sets “1” to the i-th bit of the variable detectID and adds 1 to the variable P.
After S135b, the process proceeds to S136.

<S137b>
After the loop processing (S132 to S136), the abnormal flow identification unit 130 determines the set value of the variable P.
When the variable P is “0” (P = 0), the abnormal flow specifying process (S130) ends.
When the variable P is “p (predetermined“ 1 ”bit number)” (P = p), the process proceeds to S138.
If the variable P is any other value (P ≠ 0, p), the process proceeds to S138b.

<S138b>
The abnormal flow identification unit 130 inputs predetermined information indicating that an abnormality has occurred in a plurality of flows to the abnormal flow notification unit 140.
Then, the abnormal flow notification unit 140 notifies the administrator 220 that an abnormality has occurred in a plurality of flows (S140).
After S138b, the abnormal flow identification process (S130) ends.

In the third embodiment, the following network monitoring system 200 has been described.
The network monitoring system 200 is an improvement of the first embodiment. When the flow ID to be assigned to each flow type is represented by a bit string, the network monitoring system 200 always assigns the flow ID so as to include the same number “1” (flow management table 181). ).

  When all flow IDs contain the same number of “1” s, when an abnormality occurs in a plurality of flows, the detection result-ID conversion unit (abnormal flow specifying unit 130) detects the abnormality (an abnormality detection unit 120). The flow ID specified based on the output from always includes “1” of p + 1 bits or more (becomes the bit sum of each flow ID of the flow in which an abnormality has occurred). For this reason, the abnormal flow identification unit 130 can easily detect that an abnormality has occurred in a plurality of flows simultaneously.

  Similarly to the second embodiment, the network monitoring system 200 according to the third embodiment may have an error correction function that checks and corrects the determination result of the abnormality detection unit 120.

  DESCRIPTION OF SYMBOLS 100 Network monitoring apparatus, 110 Flow information processing part, 111 Flow information acquisition part, 112 Flow information corresponding ID specific part, 113 Flow information input part, 120 Abnormality detection part, 130 Abnormal flow specific part, 140 Abnormal flow notification part, 180 flow Management unit, 181 flow management table, 190 flow information storage unit, 191 flow information storage table, 200 network monitoring system, 201 monitored network, 202 packets, 210 flow information collection device, 220 administrator, 901 display device, 902 keyboard, 903 Mouse, 904 FDD, 905 CDD, 906 Printer, 907 Scanner, 908 Microphone, 909 Speaker, 911 CPU, 912 Bus, 913 ROM, 914 RAM, 915 Board, 920 a magnetic disk device, 921 OS, 922 Window system, 923 Program group, 924 File group.

Claims (10)

Communication which divides each communication ID of a plurality of communications into a plurality of partial IDs, and outputs communication information of each communication in which the partial ID has a predetermined value for each partial ID as a communication information group using a CPU (Central Processing Unit) An information group output section;
Each communication information group output for each partial ID by the communication information group output unit includes a normal communication information group in which the characteristic of the communication information group indicates a predetermined characteristic, and a characteristic of the communication information group includes a predetermined characteristic. A communication information group determination unit that determines whether the communication information group is an abnormal communication information group that is not shown using the CPU for each communication information group;
Communication corresponding to communication information included in any of the abnormal communication information groups determined by the communication information group determination unit, and to each of the normal communication information groups determined by the communication information group determination unit A communication monitoring device comprising: an abnormal communication specifying unit that specifies communication corresponding to communication information that is not included as abnormal communication using a CPU. The communication monitoring apparatus according to claim 1, wherein the communication information group output unit divides a bit string of communication IDs of a plurality of communications into a plurality of partial IDs, and outputs the communication information group for each partial ID. The communication information group output unit divides each communication ID of a plurality of communications into partial IDs of the specific number of bits based on a bit string of communication IDs expressed by a specific number of bits, and the communication information for each partial ID The communication monitoring apparatus according to claim 2, wherein a group is output. The communication information group output unit outputs communication information of each communication in which the i-th bit of the bit string indicates “1” as the predetermined value as an i-th communication information group,
When the communication information group determination unit determines that the i-th communication information group is a normal communication information group, the abnormal communication identification unit sets the value of the i-th bit to “0” and the communication information group determination unit When the i-th communication information group is determined as an abnormal communication information group, a specific bit string is generated with the value of the i-th bit being “1”, and the abnormal communication is specified based on the generated bit string. The communication monitoring apparatus according to claim 3.   The communication monitoring apparatus according to claim 4, wherein each communication ID includes a specific number of bits indicating “1”. The abnormal communication identification unit identifies that there are a plurality of abnormal communications instead of identifying the abnormal communication when the generated specific bit string includes a number of “1” different from the specific number. The communication monitoring apparatus according to claim 5, wherein: The communication information group output unit generates redundant information corresponding to each communication ID of a plurality of communications, generates an error correction code in which the generated redundant information is added to the communication ID, and generates the generated error correction code The communication monitoring apparatus according to claim 1, wherein the communication information group is divided into partial IDs and the communication information group is output for each partial ID. The communication monitoring device further includes:
Based on a determination result corresponding to the partial ID of the redundant information among determination results of the communication information group determination unit, a determination result corresponding to the partial ID of the communication ID among determination results of the communication information group determination unit A communication information group determination result correction unit that corrects the error using a CPU,
The abnormal communication identification unit identifies the abnormal communication based on a determination result corresponding to the partial ID in the communication ID corrected by the communication information group determination result correction unit. 7. The communication monitoring device according to 7. The communication information group output unit divides each communication ID of a plurality of communications into a plurality of partial IDs, and sets the communication information of each communication in which the partial ID has a predetermined value for each partial ID as a communication information group to a CPU (Central Processing Unit). ) Is used to perform communication information group output processing,
Each communication information group output by the communication information group determination unit for each partial ID by the communication information group output unit includes a normal communication information group in which a characteristic of the communication information group indicates a predetermined characteristic, and the communication information group A communication information group determination process is performed to determine, using the CPU for each communication information group, whether the characteristic of the abnormal communication information group does not show a predetermined characteristic,
The abnormal communication identification unit is communication corresponding to communication information included in any of the abnormal communication information groups determined by the communication information group determination unit, and each normal communication determined by the communication information group determination unit A communication monitoring method for a communication monitoring apparatus, comprising: performing abnormal communication specifying processing for specifying communication corresponding to communication information not included in any of the communication information groups using the CPU as abnormal communication.   A communication monitoring program for causing a communication monitoring apparatus to execute the communication monitoring method according to claim 9.

Images