JP2016010089A - Traffic monitoring system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To solve the problems in which: a conventional network monitoring method performs setting in advance, and permits or shuts off communication corresponding to the setting; such a method cannot cope when an authorized user behaves improperly, takes time to find out improper communication, and damage gets serious; therefore, there is a need for a method that dynamically finds out improper communication, and shuts it off.SOLUTION: A method performs packet capture at an L3SW. The method calculates a threshold value for monitoring traffic per user from captured data, and monitors the traffic so that the communication traffic per user is within a threshold value.

Description

  The present invention relates to a method and system for detecting and blocking unauthorized traffic.

  The Internet usage time depends on the life cycle of the person, and the number of packets on the network changes in a similar pattern every day. For this reason, users who use a certain system concentrate to some extent the time of use of the system, and there are parts that depend on the user. However, unless there is a special event, it occurs in a time when the busy and quiet periods are similar. To do. Also, when a special event is started, the number of packets may vary irregularly, unlike a normal pattern.

The following products and techniques used in conventional methods for monitoring these traffics are known.
(1) Firewall (hereinafter referred to as FW)
The FW monitors the packets as they enter the intranet from the Internet. Many existing FW products use the Intrusion Detection System (hereinafter referred to as IDS), which is a function to detect the entry of illegal packets, and the Intrusion Prevention System (hereinafter referred to as IPS), which has a function to block packets in the IDS function. To monitor.
(2) Layer 2 switch (hereinafter L2SW), Layer 3 switch (hereinafter L3SW)
The L2SW associates a port with a media access control address (hereinafter referred to as a MAC address) or a virtual local area network (hereinafter referred to as a VLAN) in the data link layer, and transfers the packet. L3SW associates an Internet Protocol address (hereinafter IP address) with a port at the network layer, and forwards the packet. Many of the L2SW and L3SW devices have a packet filtering function, and set communication permitted in advance to block unnecessary packets.

  These devices ensure network security according to the contents of the definition file set in advance. However, the network situation changes day by day, and it is difficult to ensure security only with the contents set in advance. In other words, since the corresponding address, port or special definition file is set and communication corresponding to the pattern is detected, for example, it is not possible to monitor when a normal user performs an illegal behavior.

  For this problem, Patent Document 1 proposes the following method. In other words, if the MAC address of the packet that reaches L2SW is unknown, the probe packet is broadcast to all interfaces other than the receiving interface. The unknown packet is not transferred to the interface that has not responded, but the packet is transferred to the interface that has returned the response, and the MAC address is registered and the packet is monitored.

JP 2005-505175 A

  Patent Document 1 proposes a method for updating a list for managing MAC addresses and filtering packets (paragraphs 0017 and 0018). This is a filter for layer 2 MAC addresses, It does not disclose monitoring using functions such as IP addresses and port numbers, and cannot monitor unauthorized communications other than MAC addresses.

  In recent years, in the case of continuous flooding of illegal packets due to computer viruses and flooding that occurs in a loop configuration of the network due to a failure of the user's network configuration, the packets cannot be blocked only by monitoring the MAC address.

  Therefore, it is desired that the network can be monitored using the IP address of layer 3 that can be generally monitored in a layer higher than layer 2.

  The conventional packet filter control performed by L3SW is to set the IP address of the source and destination to permit or deny communication in advance, and allow communication according to the set contents, all filter settings are set in advance It is necessary to keep it.

  For this reason, as shown below, when a user who has been performing regular communication until just before is infected with a computer virus, or when packet flooding occurs due to a network configuration error, the conventional L3SW cannot filter the packets. .

(1) When a normal user is changed to an unauthorized user If a user who has been using the service provided by the service provider until just before is infected with a computer virus, the user is changed to an unauthorized user that affects the network. Resulting in.

  Some computer viruses send many packets without changing the IP address of the infected computer. If a packet sent by a computer related to a computer virus passes through the L3SW filter, a large amount of packets will flow through the network, causing a heavy load on the network, and providing services provided by providers and services used by other users. It will have an effect.

(2) When packet flooding occurs due to an error in the network configuration When the network used by the user mistakenly becomes a loop configuration or a loop configuration due to a failure or the like, packet flooding occurs.

  Since flooding does not change the IP address of the transmission source, communication is permitted when the L3SW is the same network. Since a large amount of packets flow on the flooding network, a large load is applied to the network, which affects the service provided by the provider and the service used by other users.

  If a normal user is changed to an unauthorized user, or if flooding occurs on the network, it is difficult to suppress the communication.

  The present invention provides a technique for detecting a communication abnormality by observing changes in traffic over time.

  Specifically, the present invention provides a method for monitoring a state of a device and detecting a network abnormality by comparing past traffic with current traffic.

  In other words, the network traffic that flows normally is observed with L3SW, an abnormality when a normal user performs an illegal behavior is detected, and communication of the user who performs the illegal action is blocked.

What is disclosed is
In a network system in which the first node and the second node are connected via the first L3SW that accommodates the first node and the second L3SW that accommodates the second node, A traffic monitoring system for monitoring traffic between a node and a second node.

  More specifically, the second L3SW has a function to capture packets sent from the first node of traffic, a function to check whether there is a special event related to the network system, and a case where there is no special event. , The function to calculate the threshold value of the traffic increase / decrease rate to be allowed at a predetermined interval from the data acquired by capture, and the threshold value of the traffic increase / decrease rate to be allowed according to the special event if there is a special event A traffic monitoring system comprising: an acquiring function; and a function of determining whether to block traffic from a first node based on a calculated or acquired threshold value.

  Further, the second L3SW threshold calculation function includes a function of counting captured packets, a function of extracting information identifying a transmission source and a transmission destination from the captured packets, and an extracted transmission source. And a function for calculating a threshold value of a rate of increase / decrease in traffic volume based on the number of packets at each time point for each combination of information specifying the destination and information specifying the destination.

  In addition, the traffic monitoring system has an event management server, and the function for checking the presence or absence of a special event of the second L3SW inquires the event management server about the presence or absence of a special event related to the network system. When there is a special event, the function of calculating the threshold value of the second L3SW may be configured to acquire the threshold value of the past packet increase / decrease rate related to the special event.

  According to the present invention, it is possible to detect a communication abnormality by observing changes in traffic over time.

The figure which illustrates the whole structure of the traffic monitoring system in an Example. The figure which illustrates the processing outline in L3SW of FIG. The figure which shows the example of a processing flow of the threshold value setting and monitoring in an Example. The figure which illustrates the threshold value calculation method in an Example. The figure which shows the abnormality detection flow outline | summary in an Example. The figure which illustrates the data which concern on the terminal of the user A of the threshold value table 0600 which stores capture data and a threshold value in an Example The figure which illustrates the data which concern on the terminal of the user B of the threshold value table 0600 in an Example.

  Embodiments of the present invention will be described with reference to the drawings.

  In this embodiment, a description will be given of a communication system that observes network traffic flowing in a normal state with L3SW, detects an abnormality when a normal user performs an illegal behavior, and blocks communication of a user who performs an illegal act.

  An outline of this example is shown below.

  Incorporate server functions into network devices such as L3SW, and monitor packets passing through the interface using L3SW. By installing packet capture (snort, etc.) that can monitor the network on the server in L3SW, it monitors the number of packets and detects unauthorized access.

  From the unauthorized access log obtained by packet capture (snort, etc.), the upper and lower limits of the number of packets at the next observation point are assumed, and the number of packets observed by the next observation undersecretary is transmitted. Connect accounts from IP addresses, block user communication, and disable service usage.

  When L3SW captures traffic originating from a user, obtains the daily traffic transition of the user, dynamically calculates a threshold value for monitoring user behavior, and detects anomalies in traffic sent by the user, the L3SW It has a function to dynamically stop user traffic and minimize the influence on the entire network.

The traffic patterns are compared. For example, the traffic is monitored and controlled as follows.
(1) The increase / decrease amount of the assumed traffic volume is calculated by the ratio (change rate) of the previous assumed traffic volume.
(2) For the calculated rate of increase / decrease, set the upper and lower limits of the rate of increase / decrease within a predetermined range (for example, minus 20% to plus 20%).
(3) It is determined whether the traffic rate increase / decrease rate acquired at the next time is within the limit value.
(4) If the upper and lower limit values are exceeded, the target user's communication is blocked. This stops the service.
(5) If there is a special event (service release, etc.), change the calculation range to the limit value of the rate of increase or decrease of past events, and monitor whether the next measurement value falls within the range.

  Hereinafter, the present embodiment will be described more specifically.

  In a more specific configuration of the present embodiment, as illustrated in FIG. 1, the L3SW (0106) includes a terminal (0109) of a user A (0101) and a terminal (0110) of a user B as a first node, It relays traffic exchanged between the distribution server (0107) as the second node via the Internet (0105).

  L3SW (0106) is the IP address of user A LAN (0101) and user B LAN (0103) set in the L3SW (0102) of user A, the L3SW (0104) of user B, and the distribution server A filter is set based on the IP address of (0107) and the network is monitored.

  The L3SW (0106) always captures the traffic (packet) transmitted from the terminal of the user A (0101) accommodated in the L3SW (0102) of the user A through the interface (0201) as illustrated in FIG. . The capture data is normalized (0202) from the result of packet capture, and the rate of increase / decrease in traffic volume is calculated (0203).

  In normalization (0202) of the captured data, the IP address and port number for specifying the transmission source, the IP address and port number for specifying the transmission destination are extracted, and the number of packets is counted. Using the number of packets (traffic volume) counted when normalizing capture data (0202), calculate the rate of increase / decrease in traffic volume and the upper and lower limit values (threshold value) using the calculation procedure shown in Fig. 4. The calculated data is stored in the database (0204).

  The normalized capture data and the calculated threshold are collected in the threshold table (0600) as shown in FIG. 6 for each combination of the transmission source and the transmission destination, and stored in the database (0204). Data is specified and managed by the network administrator every second and every minute, and the data is updated at the specified date and time units.

  FIG. 3 shows an example of a processing flow of a system operating with L3SW (0106).

  The L3SW (0106) performs packet capture (0301), and normalizes captured data (0202) (0302) based on the acquired data.

  Next, the current time is checked to see if the date changes and the timing of normalization of the first captured data (0202) (0303). If the date changes and the timing of normalization of the first captured data (0202) is reached, an inquiry is made to the event management server (0108) as to whether there is a special event on that day (0304). The event management server (0108) registers whether there is a special event such as the release of a new product or the provision of a new service on the day when the L3SW (0106) inquires, and replies to the L3SW (0106).

  The L3SW (0106) determines whether there is a special event from the response of the event management server (0108) (0305). When there is a special event, the allowable increase / decrease rate calculated at the past special event is referred to (0308) from the database (0204), and the upper and lower limit values of the traffic volume are acquired from the database (0309).

  If there is no special event, calculate the traffic increase / decrease rate (0306) from the normalized captured data and the current captured traffic volume and the traffic volume observed immediately before. The upper and lower limit values (in this case, minus 20% to plus 20%) are calculated (0307).

  The upper and lower limit values of the calculated traffic are set to the monitoring range (0310) of the L3SW (0106), these data are stored in the database (0204) (0311), and the communication by the user terminal is monitored (0312).

  If the next observed number of packets (traffic volume) falls outside the upper and lower limits of the number of monitored packets (traffic volume), block the IP address used by the user terminal, Prevent abnormal conditions from occurring. Here, the previous time and the next time represent the acquisition date and time shown in FIG. 6. If the current time is 2 seconds ago, the previous time indicates the previous state 3 seconds and the next time the previous time 1 second.

  Describes what is stored in the database (0204).

  FIG. 6 shows an example of storing the traffic transmitted from the distribution server (0107) and the terminal (0109) of the user A (0101) in the database. From the data 3 seconds before and 4 seconds before the terminal of user A (0101), the increase / decrease rate is 1.25 times, and the upper and lower limit values of the increase / decrease rate are 1.0-1.5 times. Since the data increase / decrease rate of data 2 seconds ago is 1.2 times, the traffic increase / decrease rate is within the expected range, and communication with the terminal of user A (0101) is permitted (blocking judgment 0613 is-) .

  FIG. 7 shows a database storage example for the traffic transmitted from the distribution server (0107) and the terminal (0110) of the user B (0103). Since the increase / decrease rate from the data 3 seconds before and 4 seconds before the terminal of user B (0103) is 1.5 times, the upper and lower limits of the increase / decrease rate are 1.2-1.8 times. Since the increase / decrease rate is 2.0 times in the data 2 seconds before, the traffic increase / decrease rate is outside the expected range, and the communication of the user B (0103) terminal is blocked (blocking determination 0613 is ◯).

  Based on the calculation formula of FIG. 4 and the acquired data shown in FIG. 6, a method of calculating the increase / decrease rate of the terminal of user A and the upper and lower limit values of the increase / decrease rate will be specifically shown.

  The traffic (x) 3 seconds before the terminal of user A (0101) is x = 250000. The traffic (y) 4 seconds before is 200,000. As a result, the rate of increase / decrease is rate = 250000/200000 = 1.25.

  Since the upper and lower limits of the rate of change are ± 20% of 1.25, the upper limit (max) is max = 1.25 × 1.2 = 1.5, and the lower limit (min) is min = 1.25 × 0.8 = 1.0. As a result, the assumed increase / decrease rate of the next observation point is in the range of 1.0 to 1.5 times.

  Since the traffic volume two minutes ago is 300,000, the rate of increase / decrease rate is 1.2 in the same way.

  According to this embodiment, the following effects can be obtained.

(1) Prevention of a large number of packet transmissions due to network problems When there is a problem with a network that uses a service, a large number of packets are transmitted only to the user terminal that uses the service. If you make a wrong connection during network construction or if a large number of packets are temporarily generated due to a network failure, you can assume the traffic volume at the next observation from the previous traffic volume. For example, the network service can be stably supplied by blocking the communication of the user exceeding the assumed traffic.

(2) Measures to be taken when a user terminal is infected with a computer virus If the user terminal is infected with a computer virus or a terminal that performs unauthorized access, etc., regardless of the original user activity time Because traffic continues to be sent, unusual traffic patterns can be detected.

  In addition, it is possible to disguise addresses or change ports in communications due to computer viruses or unauthorized access, so services that are safe for the entire network are provided to users who use such terminals by temporarily suspending and contacting the service. Will be able to provide.

(3) Measures for service provision failures due to network failures If there is a failure in the application of the system that provides the service, a large amount of access will come to the corresponding service only, or access will not come at all I can expect that.

  For example, if a large amount of traffic occurs instantaneously, if the price of the product provided by the service provider is in a state where it can be offered at a lower price than the price originally provided due to a malfunction of the application, The user can expect a large number of orders for the product, and the amount of traffic flowing through the network is expected to increase significantly.

  In addition, when there is no traffic at all, it is considered that the service provision is temporarily delayed due to the occurrence of a system trouble, or in the worst case, the service cannot be provided. In such a situation, it is possible to suppress damage to the user or the company by making the service inaccessible.

(4) Improve network security with L3SW functions
Since the network is monitored by L3SW, the security level can be improved without cost.

(5) Improvement of services by visualizing user communication patterns
Since the communication log can be saved for each user terminal with L3SW, the communication log when a problem occurs later can be confirmed by examining the router and L3SW. In addition, the router and L3SW throughput can be determined from the stored data to determine if replacement is necessary.

0101: User A LAN
0102: User A terminal L3SW
0103: User B LAN
0104: User B L3SW
0105: Internet
0106: L3SW
0107: Distribution server
0108: Event management server
0201: L3SW interface
0202: Capture data normalization function in L3SW
0203: Threshold decision function in L3SW
0204: Database in L3SW
0301: Get packet capture information
0302: Normalization of packet capture information
0303: The first query whose date has changed
0304: Get event information for the current day from the server that manages the event information
0305: Is there a special event?
0306: Traffic volume change rate calculation
0307: Traffic volume ± 20% calculation
0308: Get the traffic volume increase / decrease rate from the database
0309: Get the upper and lower limit values of traffic volume at the event from the database
0310: The upper and lower limits of the traffic volume are used as the user monitoring area.
0311: Save database
0312: Start monitoring
0600: Threshold table
0601: Acquisition time in seconds
0602: Acquisition date YYYYMMDD
0603: Acquisition time HH: MM: SS
0604: Sender information
0605: IP address
0606: Port number
0607: Destination information
0608: Traffic volume (bps / s)
0609: Acquired data
0610: Rate of change
0611: Lower threshold for change rate
0612: Increase / decrease rate upper threshold
0613: Blocking judgment

Claims (3)

In the network system in which the first node and the second node are connected via the first L3SW that accommodates the first node and the second L3SW that accommodates the second node, A system for monitoring traffic between a first node and the second node,
The second L3SW is
The ability to capture packets sent from the first node of the traffic;
A function to check whether there is a special event related to the network system;
When there is no special event, from the data acquired by the capture, a function for calculating a threshold value of an allowable traffic increase / decrease rate at each predetermined time point;
When there is a special event, a function of obtaining a threshold value of the allowable traffic increase / decrease rate according to the special event;
A traffic monitoring system comprising: a function for determining whether or not to block the traffic from the first node based on the calculated or acquired threshold value. The traffic monitoring system according to claim 1,
The function of calculating the threshold value of the second L3SW is
A function for counting the captured packets;
A function of extracting information identifying a transmission source and a transmission destination from the captured packet;
A function of calculating the threshold value of the rate of increase / decrease in traffic volume based on the number of packets at each time point for each combination of the extracted information specifying the transmission source and information specifying the transmission destination; A traffic monitoring system comprising: The traffic monitoring system according to claim 1 or 2,
It has an event management server,
The function to check for the presence of the special event
Inquires of the event management server whether there is a special event related to the network system,
As a result of the inquiry, if there is the special event, the function of calculating the threshold value of the second L3SW acquires a threshold value of a past packet increase / decrease rate related to the special event. Monitoring system.

Images