JP2018207345A - Calculation device and calculation method - Google Patents

Abstract

To perform effective measurement of communication by using limited processing resources.SOLUTION: An acquisition unit 131 of a calculation device 10 acquires flow statistical information, which is statistical information on traffic aggregated for each communication source and communication destination. A classification unit 132 classifies the flow statistical information into groups so that underlying sessions of traffic are the same. A calculation unit 133 calculates statistical information on traffic for each of the groups classified by the classification unit 132 on the basis of the flow statistical information.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a calculation apparatus and a calculation method.

  Communication measurement methods in network monitors and LAN (Local Area Network) analyzers used for the purpose of computer network observation are broadly divided into measurement methods using packet capture and measurement methods for measuring flow statistical information.

  The measurement method using packet capture is a technique for copying packets, which are transmission units of information exchanged between computer systems constituting a computer network, and analyzing the contents of the copied packets.

  A measurement method that measures flow statistics information is a technology that measures the amount of information flowing through a computer network by installing a function that measures the amount of communication that passes through the network device such as a router that constitutes the computer network. It is. Here, the flow statistical information refers to a statistical numerical value such as an information amount of communication passing through a network device. This statistical value is also called a counter. An example of traffic statistics information is the number of bytes.

  As typical technical specifications of flow statistical information, sFlow (registered trademark) (for example, see Non-Patent Document 1) and netFlow (for example, see Non-Patent Document 2) are known. sFlow is a traffic measurement technique based on statistical estimation using packet sampling and a counter for each communication line interface. NetFlow is a technology that measures the number of packets and the number of bytes per flow with network devices such as routers and switches.

  As another measurement method for measuring flow statistical information, other methods are used in which packets of flows in both the uplink and downlink directions of the session are arranged in the order of observed time and the packet size is used as an array (for example, Non-Patent Document 3). ), Average value of median packet length, median, method of calculating variance and variance of packet arrival interval (see Non-Patent Document 4, for example), total number of packets and total number of bytes per session, specific A method of calculating the number of packets with the flag, the average of all packets, the maximum size and variance (see, for example, Non-Patent Document 5), and the like are known.

Traffic Monitoring using sFlow, [online], [Search May 25, 2017], Internet (http://www.sflow.org/sFlowOverview.pdf) Omar Santos, “Network Security with NetFlow and IPFIX”, Cisco Press, September 2015 Yuji Izumi, Kazuyuki Tanaka, “Web Application Identification Based on Traffic Analysis”, IEICE Technical Report CS2013-40 (2013-09), pp.61-66 Takeshi Kitamura, Takayuki Shizuno, Shinya Okabe, “Application Identification Method Based on Flow Behavior Analysis”, IEICE Technical Report NS2005-136 (2005-12), pp.13-16 Liu Yingqiu, Li Wei, Li Yunchun, “Network Traffic Classification Using K-means Clustering”, Second International Multisymposium on Computer and Computational Sciences, pp. 360-365

  However, the conventional technology has a problem in that effective communication measurement may not be performed using limited processing resources. For example, a measurement method using packet capture requires a large amount of storage resources and calculation resources. For this reason, when the processing resources that can be used are limited, it may not be possible to perform a measurement method using packet capture. On the other hand, in a measurement method that measures flow statistical information, there are cases where effective communication measurement cannot be performed.

  For example, since sFlow described in Non-Patent Document 1 samples packets intermittently at a constant rate, it is detected for flows with a low probability of being sampled, such as communications with very few or very short packets. There are cases where leaks and errors may occur, and the method of selecting packets and the period of collecting samples or counters also affect the measurement accuracy, so effective communication measurement may not be possible. There is a point.

  For example, netFlow described in Non-Patent Document 2 measures the number of packets and the number of bytes in a flow unit with a network device such as a router or a switch. For this reason, extra computing resources may be required to cause an existing router or switch to perform both the original process such as packet exchange and the process related to measurement.

  The techniques described in Non-Patent Documents 3 to 5 perform measurement by referring to only header information such as the length, arrival interval, and flag of each packet without analyzing the contents of the data payload of the captured packet. The information that can be measured is limited, and in order to generate additional flow statistical information, it is necessary to perform measurement by packet capture.

  The calculation device according to the present invention has the same traffic session as the acquisition unit that acquires flow statistical information that is statistical information related to traffic aggregated for each communication source and communication destination, and the flow statistical information. A classifying unit for classifying into groups, and a calculating unit for calculating statistical information regarding traffic for each group classified by the classifying unit based on the flow statistical information.

  According to the present invention, effective communication measurement can be performed using limited processing resources.

FIG. 1 is a diagram illustrating an example of a configuration of a calculation system according to the first embodiment. FIG. 2 is a diagram illustrating an example of the configuration of the computing device according to the first embodiment. FIG. 3 is a diagram for explaining a calculation method performed by the calculation apparatus according to the first embodiment. FIG. 4 is a flowchart illustrating the processing flow of the router according to the first embodiment. FIG. 5 is a flowchart showing the flow of processing of the computing device according to the first embodiment. FIG. 6 is a diagram illustrating an example of a data configuration of the primary storage unit according to the first embodiment. FIG. 7 is a flowchart illustrating a processing flow of the computing device according to the first embodiment. FIG. 8 is a flowchart showing the flow of processing of the computing device according to the first embodiment. FIG. 9 is a diagram illustrating an example of a data configuration of the secondary storage unit according to the first embodiment. FIG. 10 is a diagram illustrating an example of a computer that executes a calculation program.

[Configuration of First Embodiment]
Hereinafter, embodiments of a calculation device and a calculation method according to the present application will be described in detail with reference to the drawings. In addition, this invention is not limited by embodiment described below. First, the configuration of the calculation system according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram illustrating an example of a configuration of a calculation system according to the first embodiment. As illustrated in FIG. 1, the computing system 1 includes a computing device 10, a client 20, a server 30, and a router 40.

  Here, the router 40 generates flow statistical information based on traffic generated by communication between the client 20 and the server 30. The flow statistics information includes the number of packets and the number of bytes. In addition, the communication for which the flow statistical information is generated in the computing system 1 is not limited to the communication between the client and the server, and may be communication between clients, communication between servers, or client And communication by equipment other than the server may be used. Also, the device that generates the flow statistical information is not limited to the router 40, and may be any network device.

  Here, the flow statistical information divides information exchanged between computer systems performing communication based on a transmission source, a destination, a protocol, a port, etc. for identifying a computer system into units called flows, and communicates for each flow. It can be referred to as statistical information obtained by measuring and calculating quantities. For example, since the flow includes an attribute related to the direction in which information flows, that is, a transmission source and a destination of communication, there are usually two types of flows: transmission (forward) and reception (return). In this embodiment, a unit in which two types of flows of transmission and reception are combined is called a session. In the following description, in the calculation system 1, the direction from the client 20 to the server 30 is called up, and the direction from the server 30 to the client 20 is called down.

  In this embodiment, as described above, the router 40 that is a network device generates flow statistical information. The router 40 may generate the flow statistics information for each communication line interface included in the computer system, or may be generated by dividing the flow statistics information into finer communication units.

  The computing device 10 performs statistical computation on the session based on the flow statistical information generated by the router 40, thereby obtaining information that cannot be obtained only by the flow statistical information, for example, information other than the number of packets and the number of bytes. Can be obtained.

  Next, the configuration of the calculation apparatus 10 will be described with reference to FIG. FIG. 2 is a diagram illustrating an example of the configuration of the computing device according to the first embodiment. As illustrated in FIG. 2, the computing device 10 includes a communication unit 11, a storage unit 12, and a control unit 13.

  The communication unit 11 performs data communication with other devices via a network. For example, the communication unit 11 is a NIC (Network Interface Card). The communication unit 11 performs data communication with the router 40, for example.

  The storage unit 12 is a storage device such as a hard disk drive (HDD), a solid state drive (SSD), and an optical disk. Note that the storage unit 12 may be a semiconductor memory that can rewrite data, such as a random access memory (RAM), a flash memory, and a non-volatile static random access memory (NVSRAM). The storage unit 12 stores an OS (Operating System) executed by the computing device 10 and various programs. Furthermore, the storage unit 12 stores various information used in executing the program. The storage unit 12 includes a primary storage unit 121 and a secondary storage unit 122.

  The control unit 13 controls the entire computing device 10. The control unit 13 is, for example, an electronic circuit such as a CPU (Central Processing Unit) or MPU (Micro Processing Unit), or an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array). The control unit 13 has an internal memory for storing programs and control data defining various processing procedures, and executes each process using the internal memory. The control unit 13 functions as various processing units when various programs are operated. For example, the control unit 13 includes an acquisition unit 131, a classification unit 132, a calculation unit 133, and a storage unit 134.

  The acquisition unit 131 acquires flow statistical information that is statistical information regarding traffic aggregated for each communication source and communication destination. The acquisition unit 131 acquires flow statistical information generated by a network device such as the router 40.

  Further, the classification unit 132 classifies the flow statistical information into groups so that the sessions of the traffic that is the basis are the same. For example, the classification unit 132 extracts information that can identify a session from the flow statistical information acquired by the acquisition unit 131, and classifies the flow statistical information for each session of the original traffic based on the extracted information. . Information that can identify a session includes a transmission source and a transmission destination included in the flow statistical information, a generation time of the flow statistical information, and the like.

  For example, the classification unit 132 has the same transmission source and transmission destination included in the first flow statistical information as those of the transmission destination and transmission source included in the second flow statistical information, and the first flow. When the statistical information and the second flow statistical information are both based on traffic generated within a predetermined period, the first flow statistical information and the second flow statistical information are classified into the same group.

  Further, the calculation unit 133 calculates statistical information regarding traffic for each group classified by the classification unit 132 based on the flow statistical information. For example, when the acquisition unit 131 acquires the number of packets and the number of bytes as the flow statistical information, the calculation unit 133 includes, as statistical information, an average packet size for each group, an average maximum packet size, and an average packet size. Information indicating the minimum value, the standard deviation of the average packet size, the time average of the number of bytes, and the presence / absence of transmitted / received packets for each time is calculated. Further, the calculation unit 133 can calculate a co-occurrence matrix based on the presence / absence of transmitted / received packets for each time as statistical information.

  The storage unit 134 stores the flow statistical information acquired by the acquisition unit, the calculation result by the calculation unit 133, and the like in the primary storage unit 121 or the secondary storage unit 122. In the following description, the flow statistical information acquired by the acquisition unit 131 is referred to as input information. The statistical information calculated by the calculation unit 133 is called session statistical information.

  Here, calculation of input information and session statistical information will be specifically described with reference to FIG. FIG. 3 is a diagram for explaining a calculation method performed by the calculation apparatus according to the first embodiment.

  The acquisition unit 131 receives, as input information, a session identifier INP_1 that uniquely identifies the session, input information generation time INP_2, uplink packet count INP_3, downlink packet count INP_4, uplink byte count INP_5, downlink byte count INP_6, after session establishment Get the elapsed time INP_7.

  The session identifier INP_1 is a value that can uniquely identify a certain session established between a pair of computer systems that perform communication. For example, the acquisition unit 131 can generate a session identifier by performing a bit operation, a hash operation, or the like on an address, protocol number, port, time, and the like that identify a computer system.

  The generation time INP_2 is a time when the input information acquired by the acquisition unit 131 is generated. The uplink packet number INP_3 is the cumulative number of packets in the uplink direction (integer value on 0) from the session start time to the generation time INP_2 in the session identified by the session identifier INP_1. Further, the downlink packet number INP_4 is the cumulative number of packets in the downlink direction (an integer value of 0 or more) from the session start time to the generation time INP_2 in the session identified by the session identifier INP_1. The uplink byte count INP_5 is the cumulative number of bytes in the uplink direction (integer value on 0) from the session start time to the generation time INP_2 in the session identified by the session identifier INP_1. In addition, the downlink byte number INP_6 is the cumulative number of bytes in the downlink direction (an integer value of 0 or more) from the session start time to the generation time INP_2 in the session identified by the session identifier INP_1. The elapsed time INP_7 is the elapsed time from the start time of the session to the generation time INP_2. In order to perform calculation with higher accuracy, it is desirable that the generation time INP_2 and the elapsed time INP_7 include microseconds or milliseconds.

Here, the acquisition unit 131 acquires input information generated every predetermined time dT from the session start time. For example, as shown in FIG. 3, the acquisition unit 131 first acquires the input information INP (T ₁ ) generated at time T ₁ , and then at time T ₂ when time dT has elapsed from time T _1. The generated input information INP (T ₂ ) is acquired. In this way, the acquisition unit 131 sequentially acquires input information until it acquires input information generated at time T _n that is a session end time. Here, the input information at the generation time T _k is expressed as INP (T _k ). INP (T _k ) includes INP_1 (T _k ), INP_2 (T _k ), INP_3 (T _k ), INP_4 (T _k ), INP_5 (T _k ), INP_6 (T _k ), INP_7 (T _k ) included. Further, the time interval dT at which the input information is generated is preferably constant, but may be different.

Next, the calculation unit 133 calculates two variables of the average uplink packet size AVE_1 and the average downlink packet size AVE_2 for each session as session statistical information. Calculation unit 133, INP (T _k), and the time T on the basis of the input information INP (T _k-1) in the previous time T _k-1 of _k, uplink average packet size AVE_1 at time T _k (T _k ) and the average downlink packet size AVE_2 (T _k ) are calculated as shown in equations (1) and (2), respectively.
AVE_1 (T _k ) = {INP_4 (T _k ) −INP_4 (T _k−1 )} ÷ {INP_3 (T _k ) −INP_3 (T _k−1 )} (1)
AVE_2 (T _k ) = {INP_6 (T _k ) −INP_6 (T _k−1 )} ÷ {INP_5 (T _k ) −INP_5 (T _k−1 )} (2)

As described above, the calculation unit 133 can calculate the average packet size by averaging the difference in the number of bytes with the difference in the number of packets between the time T _k and the time T _k−1 . Here, the average packet size at the generation time T _k is expressed as AVE (T _k ). AVE (T _k ) includes AVE_1 (T _k ) and AVE_2 (T _k ).

Each average packet size is the average number of bytes per packet of packets flowing between time T _k and time T _k−1 . When INP (T _k-1 ) does not exist (for example, when k = 1, that is, when INP (T _k ) is input information generated first after the session starts), the calculation unit 133 uses INP_3 (T _k-1 ), INP_3 (T _k-1 ), INP_3 (T _k-1 ), and INP_3 (T _k-1 ) are set to 0. Further, the storage unit 134 stores INP (T _k ) in the primary storage unit 121 until AVE_1 (T _{k + 1} ) is calculated. Then, the storage unit 134 may discard INP (T _k ) after AVE_1 (T _{k + 1} ) is calculated.

Further, the calculation unit 133 uses AVE (T _k ), the maximum uplink average packet size AVE_MAX_1 (T _k ), the maximum downlink average packet size AVE_MAX_2 (T _k ), the minimum uplink average packet size AVE_MIN_1 (T _k ), the downlink minimum average packet size AVE_MIN_2 (T _k), calculated as the standard deviation of the uplink average packet size AVE_SD_1 (T _k), and a downlink standard deviation of the mean packet size AVE_SD_2 a (T _k) from equation (3) (8) To do.
AVE_MAX_1 (T _k ) = {AVE_1 (T ₁ ), AVE_1 (T ₂ ), ..., maximum value of AVE_1 (T _k )} (3)
AVE_MAX_2 (T _k ) = {AVE_2 (T ₁ ), AVE_2 (T ₂ ),…, AVE_2 (T _k )} maximum value (4)
AVE_MIN_1 (T _k ) = {AVE_1 (T ₁ ), AVE_1 (T ₂ ), ..., AVE_1 (T _k )} minimum value (5)
AVE_MIN_2 (T _k ) = {Minimum value of AVE_2 (T ₁ ), AVE_2 (T ₂ ),…, AVE_2 (T _k )} (6)
AVE_SD_1 (T _k ) = {AVE_1 (T ₁ ), AVE_1 (T ₂ ), Standard deviation of AVE_1 (T _k )} (7)
AVE_SD_2 (T _k ) = {AVE_2 (T ₁ ), AVE_2 (T ₂ ), ..., AVE_2 (T _k )} standard deviation (8)

In addition, the calculation unit 133 calculates the time average of the number of bytes that flow in each of the uplink and downlink directions from the start to the end of the session, that is, the uplink flow rate FRATE_1 and the downlink flow rate FRATE_2, respectively (9 ) And (10). Here, T _n is the time when the session ends. Further, as shown in the equations (9) and (10), the calculation unit 133 can calculate the flow rate only from the input information at the end of the session, that is, INP (T _n ).
FRATE_1 = INP_4 (T _n ) ÷ INP_7 (T _n ) (9)
FRATE_2 = INP_6 (T _n ) ÷ INP_7 (T _n ) (10)

The calculation unit 133 calculates a packet co-occurrence matrix. Here, the co-occurrence matrix is a matrix that expresses a relative relationship between pixels such as pixels and words and an appearance pattern of words, and has been generally used in image recognition, language processing, and the like. In the present embodiment, the calculation unit 133 calculates a packet co-occurrence matrix as follows. First, the calculation unit 133 indicates whether one or more packets have flowed between time T _k−1 and time T _k in a certain session by binary values of 0 or 1. Note that the binary BOOL_1 (T _k) of the uplink, representing the binary downlink BOOL_2 and (T _k).

Here, the calculation unit 133, INP_3 (T _k), or INP_5 (T _k), respectively INP_3 (T _k-1), or INP_5 when (T _k-1) greater than the time T _k-1 It is considered that one or more packets have flowed in the upstream direction between time T _k and the binary value is 1. This calculation method can be expressed as the following equations (11) and (12).
BOOL_1 (T _k ) =
₁ if INP_3 (T _k ) −INP_3 (T _k−1 )> 0, 0 if INP_3 (T _k ) −INP_3 (T _k−1 ) = 0 (11)
BOOL_2 (T _k ) =
₁ if INP_5 (T _k ) -INP_5 (T _k-1 )> 0, 0 if INP_5 (T _k ) -INP_5 (T _k-1 ) = 0 (12)

Further, the binary values can be calculated as in the following formulas (13) and (14) using the average packet size.
1 if BOOL_1 (T _k ) '= AVE_1 (T _k )> 0, 0 if AVE_1 (T _k ) = 0 (13)
1 if BOOL_2 (T _k ) '= AVE_2 (T _k )> 0, 0 if AVE_2 (T _k ) = 0 (14)

The calculating unit 133 sets {T ₁ ,..., T _n } in order from immediately after the start of the session (first) to the end (nth) from the time when the input information for a session is generated, and from T ₁ to T the binary determined for each of up to _n, it is possible to obtain the n-number of digits sequence made of the 0 and 1, respectively downlink and uplink.

  If the number sequence obtained by the calculation unit 133 for the upstream packet is BOOL_1 and the number sequence obtained for the downstream packet is BOOL_2, each of BOOL_1 and BOOL_2 has a length of n numbers. For example, BOOL_1 = {1,0, ...., 1}. BOOL_1 and BOOL_2 represent a packet transmission / non-transmission pattern in a session. For example, in the case of a session that sends packets continuously from the start to the end of the session, BOOL_1 and BOOL_2 are as follows: 1 sequence {1,1,1,1,1, ..., 1} become. When packets are intermittently transmitted beyond the time period for generating input information, BOOL_1 and BOOL_2 are repeated 1 and 0, for example, {1,0,1,0,1, ..., 0} or {1,0,0,1,0,0, ..., 1}.

  In addition, when information is sent only immediately after the start of a session and the process is completed in a short time, the length of the number sequence is shortened. For example, a number sequence such as {1,0} may be generated. In this way, BOOL_1 and BOOL_2 express the packet transmission pattern in a session, but the length of BOOL_1 and BOOL_2 is variable depending on the duration of the session, and the length is predicted. It is difficult.

  The calculation unit 133 generates a co-occurrence matrix from BOOL_1 and BOOL_2 obtained by the above procedure. Since BOOL_1 and BOOL_2 are one-dimensional 0 or 1 sequences, when focusing on a sequence of two consecutive numbers in the sequence, the combinations of the sequence are {00}, {01}, {10}, There are only four ways of {11}. The calculation unit 133 takes out a sequence of numbers from the top of each of BOOL_1 and BOOL_2, and totals the number of combinations that appear. Here, as an example, a method for generating a co-occurrence matrix by the calculation unit 133 when input information is generated ten times, that is, when n = 10 will be described. For example, when BOOL_1 = {1,1,1,1,1,1,1,1,1,1}, the calculation unit 133 sets the co-occurrence matrix MATRIX_1 to {00} = 0, {01} = 0, Generate as {10} = 0, {11} = 9. For example, when BOOL_2 = {1,0,1,0,1,0,1,0,1,0}, the calculation unit 133 sets the co-occurrence matrix MATRIX_2 to {00} = 0, {01} = 4, {10} = 5, {11} = 0.

  Further, when the session time is short, for example, when n = 4 and BOOL_1 = {1,0,1,1}, the calculation unit 133 sets the co-occurrence matrix MATRIX_1 to {00} = 0, {01} = 1, {10} = 1, {11} = 1. In this way, the calculation unit 133 calculates the co-occurrence matrix for each uplink and downlink for a certain session, and each co-occurrence matrix has 4 variables, so that a total of 8 variables can be obtained.

[Process of First Embodiment]
The process flow of the calculation system 1 will be described with reference to FIGS. FIG. 4 is a flowchart illustrating the processing flow of the router according to the first embodiment. 5, 7 and 8 are flowcharts showing the flow of processing of the computing device according to the first embodiment. FIG. 6 is a diagram illustrating an example of a data configuration of the primary storage unit according to the first embodiment. FIG. 9 is a diagram illustrating an example of a data configuration of the secondary storage unit according to the first embodiment.

  As shown in FIG. 4, the router 40 waits until a certain time elapses (No at Step S11), and when the certain time elapses (Yes at Step S11), generates the input information (Step S12).

As shown in FIG. 5, the acquisition unit 131 reads input information INP (T _k ) at time T _k from the network device, that is, the router 40 (step S21). The classification unit 132 determines whether or not the input information INP (T _k ) acquired by the acquisition unit 131 belongs to a new session (step S22).

Here, when the input information INP (T _k-1 ) is not stored in the primary storage unit 121, the classification unit 132 indicates that the input information INP (T _k ) acquired by the acquisition unit 131 is that of a new session. It is determined that there is (step S22, Yes). In this case, the storage unit 134 stores the input information INP (T _k ) in the primary storage unit 121 (step S23). As shown in FIG. 6, the primary storage unit 121 stores input information. FIG. 6 shows that input information INP (T _k ) stored by the storage unit 134 has a session identifier INP_1 (T _k ) of “xyz001”, a generation time INP_2 (T _k ) of “20:40”, and an uplink packet count INP_3 ( T _k ) is `` 10 '', uplink byte count INP_4 (T <sub>k</sub> ) is `` 80 '', downlink packet count INP_5 (T _k ) is `` 400 '', downlink byte count INP_6 (T <sub>k</sub> ) is `` 10000 '', elapsed time INP_7 This indicates that (T _k ) was “2”. In this case, the storage unit 134 stores the statistical information in the primary storage unit 121. Since the statistical information in this case is the first statistical information of the session, the storage unit 134 sets each value of the statistical information in the primary storage unit 121 to 0.

On the other hand, when the input information INP (T _k-1 ) is stored in the primary storage unit 121, the classification unit 132 determines that the input information INP (T _k ) acquired by the acquisition unit 131 is not for a new session. Determine (No in step S22). That is, the classification unit 132 classifies the input information INP (T _k-1 ) and the input information INP (T _k ) into the same group. In this case, the storage unit 134 stores the input information INP (T _k ) in the primary storage unit 121. In addition, the acquisition unit 131 reads input information and statistical information at time T _k−1 from the primary storage unit 121 (step S24). And the calculation part 133 calculates each statistical information (step S25).

  As described above, the acquisition unit 131 can acquire the flow statistical information corresponding to each of the time intervals at a certain time interval in time order. At this time, the classification unit 132 classifies the flow statistical information every time the flow statistical information is acquired by the acquisition unit 131. In addition, the calculation unit 133 calculates statistical information regarding traffic for each group each time classification is performed by the classification unit 132.

As shown in FIG. 7, in step S25 of FIG. 5, the calculation unit 133, first, based on the input information of the input information and time T _k-1 at time T _k, calculate the average packet size at time T _k (Step S251). Next, calculation unit 133, based on the average packet size and average packet size at time T _k-1 at time T _k, the maximum value of the average packet size at time T _k, a minimum value, and calculates the standard deviation ( Step S252). Next, calculation unit 133, based on the input information of the input information and time T _k-1 at time T _k, calculates the co-occurrence matrix of time T _k (step S253). Then, the storage unit 134 stores each statistical information calculated by the calculation unit 133 in the primary storage unit 121.

Here, when calculating the average packet size, the calculation unit 133 uses only input information and statistical information at time T _k−1 and time T _k without using all input information from the start to the end of the session. By using this, it is possible to perform calculations as shown in equations (15) to (18).
AVE_MAX_1 (T _k ) = {AVE_1 (T _k-1 ), AVE_1 (T _k )}, whichever is larger (15)
AVE_MAX_2 (T _k ) = {AVE_2 (T _k-1 ), AVE_2 (T _k )}, whichever is larger (16)
AVE_MIN_1 (T _k ) = {AVE_1 (T _k-1 ), AVE_1 (T _k )}, the smaller one (17)
AVE_MIN_2 (T _k ) = {AVE_2 (T _k-1 ), AVE_2 (T _k )}, the smaller one (18)

Thus, in step S254, the storage unit 134 may store only the statistical information at the time T _k calculated by the calculation unit 133 in the primary storage unit 121. That is, the storage unit 134 deletes the statistics at time T _k-1, may be stored statistics in time T _k, overwrites the statistics at the time T _k to the statistics at time T _k-1 May be. As described above, by discarding the statistical information of the previous time, it is only necessary to store the input information and statistical information of one time in the primary storage unit 121, and the storage capacity can be reduced. it can.

Here, assuming that there are variables X = {x1, x2, ..., x (k), ..., x (n-1), x (n)}, the variance sig (k) at the kth, That is, the square of the standard deviation is expressed by a recurrence formula shown in the following formula (19). Calculation unit 133 may calculate the (19) using the formula, AVE_SD_1 (T _k-1) and AVE_SD_2 (T _k-1) based on AVE_SD_1 (T _k) and AVE_SD_2 (T _k). However, u (k) is an average of x (k) up to k-th.

Further, the calculation unit 133 can calculate the co-occurrence matrix at time T _k based on the input information and statistical information at time T _k−1 . First, the calculation unit 133 calculates BOOL_1 (T _k ) ′ and BOOL_2 (T _k ) ′ based on AVE_1 (T _k ) and AVE_2 (T _k ) according to the equations (13) and (14). Here, if BOOL_1 (T _k-1 ) and BOOL_2 (T _k-1 ) are stored in the primary storage unit 121, the calculation unit 133 calculates BOOL_1 (T _k-1 ) and BOOL_1 (T _k ) ′. Or by concatenating BOOL_2 (T _k-1 ) and BOOL_2 (T _k ) ', one of {00}, {01}, {10}, {11} can be obtained. And BOOL_1 and BOOL_2 can be calculated.

  Thus, when the statistical information of the group classified by the classification unit 132 has already been calculated, the calculation unit 133 is based on the calculated statistical information and the flow statistical information acquired by the acquisition unit 131. , Calculate traffic statistics for each group.

  Here, the calculation unit 133 determines whether or not the session has ended (step S26). When it is determined that the session has ended (step S26, Yes), the calculation unit 133 calculates session unit statistical information (step S27), substitutes k + 1 for k (step S28), and calculates the next time. Proceed to processing. The statistical information for each session is, for example, a flow rate. If it is determined that the session has not ended (step S26, No), the calculation unit 133 substitutes k + 1 for k (step S28), and proceeds to processing at the next time.

Here, the calculation unit 133 can determine whether or not the session is ended depending on whether or not the input information at the time T _{k + 1} is generated in the router 40. That is, if INP (T _{k + 1} ) is input information having the same session identifier as INP_1 (T _k ), the calculation unit 133 determines that the session has not ended.

  Furthermore, the calculation unit 133 may determine whether or not the session has ended by referring to a flag included in the header portion of the packet. For example, the calculation unit 133 refers to whether the FIN flag indicating transmission end is ON or OFF in a TCP (Transmission Control Protocol) header, and determines that the session is ended if the FIN flag is ON. can do. This method can be realized by adding a FIN flag to the input information.

As shown in FIG. 8, in step S27 in FIG. 5, the calculation unit 133, first, based on the input information of the time T _k, to calculate the flow rate of the session (step S271). Then, the storage unit 134 stores the statistical information and the flow rate in the primary storage unit 121 in the secondary storage unit 122, and deletes the input information and statistical information in the primary storage unit 121 (step S272).

As shown in FIG. 9, the secondary storage unit 122 stores input information and statistical information. FIG. 9 shows that the input information INP (T _k ) stored in the secondary storage unit 122 has the session identifier INP_1 (T _n ) “abc123”, the generation time INP_2 (T _n ) “20:29”, and the uplink packet The number INP_3 (T _n ) is `` 20 '', the number of upstream bytes INP_4 (T <sub>n</sub> ) is `` 120 '', the number of downstream packets INP_5 (T _n ) is `` 650 '', the number of downstream bytes INP_6 (T <sub>n</sub> ) is `` 30000 '', The elapsed time INP_7 (T _k ) is “5”. Also, FIG. 9 shows that the statistical information stored in the secondary storage unit 122 has an uplink average packet size AVE_1 (T _n ) of “30”, a downlink average packet size AVE_2 (T _n ) of “200”, and an uplink average packet Maximum size AVE_MAX_1 (T _n ) is “60”, maximum downlink average packet size AVE_MAX_2 (T _n ) is “500”, minimum average uplink packet size AVE_MIN_1 (T _n ) is “2”, downlink average The minimum packet size value AVE_MIN_2 (T _n ) is `` 50 '', the standard deviation of uplink average packet size AVE_SD_1 (T <sub>n</sub> ) is `` 30 '', the standard deviation of downlink average packet size AVE_SD_2 (T _n ) is `` 300 '', the uplink The co-occurrence matrix MATRIX_1 (T _n ) is “0,0,0,9”, the upstream co-occurrence matrix MATRIX_2 (T _n ) is “0,2,2,5”, and the upstream flow rate FRATE_1 (T _n ) is “19”. ", Indicating that the downstream flow rate FRATE_2 (T _n ) is" 1300 ". Further, for example, storage unit 134, below the line session identifier INP_1 (T _n) is "abc123" session identifier INP_1 (T _n) to create a line of "xyz001", the input information and statistics May be saved.

[Example]
An example based on the first embodiment will be described. In this embodiment, the router 40 collects flow statistical information using a method called NetFlow. The router 40 may use a method other than NetFlow as long as it can collect necessary information as input information. For example, the router 40 uses OpenFlow (Reference 1: OpenFlow Switch Specification (URL: https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec-v1. 3.2.pdf)) Input information can be generated even with information specified in “Body of reply to OFPMP_FLOW request”.

  NetFlow is a standard mechanism for generating flow statistical information on network devices such as routers and switches that are used on the Internet, and sending the information to remote information collectors and analyzers. One. As shown in FIG. 1, a router 40 (NetFlow-Enabled Router) is a network device that generates flow statistical information of communication passing through itself, and a computing device 10 (NetFlow Collector) receives a Flow Record that is flow statistical information. It is a device that performs collection and analysis.

Here, in NetFlow Version 5, the following information is defined in the Flow Record Format.
1.srcaddr Source IP address
2.dstaddr Destination IP address
3.nexthop IP address of next hop router
4.input SNMP index of input interface
5.output SNMP index of output interface
6.dPkts Packets in the flow
7.dOctets Total number of Layer 3 bytes in the packets of the flow
8.First SysUptime at start of flow
9.Last SysUptime at the time the last packet of the flow was received
10.srcport TCP / UDP source port number or equivalent
11.dstport TCP / UDP destination port number or equivalent
12.pad1 Unused (zero) bytes
13.tcp_flags Cumulative OR of TCP flags
14.prot IP protocol type (for example, TCP = 6; UDP = 17)
15.tos IP type of service (ToS)
16.src_as Autonomous system number of the source, either origin or peer
17.dst_as Autonomous system number of the destination, either origin or peer
18.src_mask Source address prefix mask bits
19.dst_mask Destination address prefix mask bits
20.pad2 Unused (zero) bytes

  The acquisition unit 131 of the computing device 10 can generate input information as follows using the information of the Flow Record Format. The acquisition unit 131 can generate INP_1 by performing bit operation or hash calculation using 1, 2, 8, 10, 11, and 14 of Flow Record Format as inputs. Further, the acquisition unit 131 may generate INP_2 with reference to the time when the router 40 generates or transmits the Flow Record, or the computing device 10 may set the time when the Flow Record is received as INP_2. In addition, the acquisition unit 131 generates INP_3 and INP_5 with reference to Flow Record Format 6. Further, the acquisition unit 131 generates INP_4 and INP_6 with reference to Flow Record Format 7. In addition, the acquisition unit 131 calculates the time difference between 9 and 8 in the Flow Record Format and generates INP_7.

  Here, INP_3 and INP_5, and INP_4 and INP_6 are paired in uplink and downlink. Since the NetFlow Flow Record is information related to a flow in one direction, the acquisition unit 131 needs to find a pair of Flow Records. And 11 are reversed. That is, the acquisition unit 131 only needs to find a pair of flows in which the source (source) and the destination (destination) are switched. Then, the acquisition unit 131 generates an INP corresponding to one session from two paired Flow Records.

  The router 40 generates and transmits a flow record relating to all flows passing through itself at a certain time T, that is, a session. Since the flow record transmission trigger can be set by the router 40, it is possible to transmit the flow record at regular time intervals, for example, every 10 seconds. In addition, the computing device 10 receives the Flow Record, and generates and updates session statistical information by repeating the calculation according to the procedure of the embodiment.

  When the client 20 starts communication with the server 30, the router 40 records the communication as a Flow Record. Two Flow Records are generated: an upstream direction and a downstream direction. For example, in the embodiment, the calculation system 1 performs processing according to the following flow.

(When session starts and continues)
1. The router 40 generates a flow record and sends it to the computing device 10 when the flow record is transmitted.
2. The computing device 10 receives the Flow Record and records the reception time.
3. The computing device 10 generates input information according to the procedure of the embodiment.
4. The computing device 10 generates statistical information according to the procedure of the embodiment.
5. The computing device 10 waits for input information at the next time.
6. The router 40 generates a flow record and sends it to the computing device 10 when the flow record is transmitted.
7. The computing device 10 receives the Flow Record and records the reception time.

(At the end of the session)
8. The client 20 or the server 30 ends the communication.
9. The router 40 detects the end of communication, transmits the flow record to the computing device 10, and then deletes the ended flow record.
10. The computing device 10 receives the Flow Record of 9., records the reception time, and generates input information and statistical information.
11. The computing device 10 waits for input information at the next time.
12. Since the Flow Record has been deleted, the router 40 does not transmit anything regarding the Flow Record of the corresponding communication (or transmits an empty Flow Record).
13. The calculation device 10 determines that the session has ended and calculates the flow rate.
14. The computing device 10 writes the input information and statistical information to the secondary storage device or the like, and ends the calculation of statistical information related to the session identified by INP_1.

[Effect of the first embodiment]
The acquisition unit 131 acquires flow statistical information that is statistical information regarding traffic aggregated for each communication source and communication destination. Further, the classification unit 132 classifies the flow statistical information into groups so that the sessions of the traffic that is the basis are the same. Further, the calculation unit 133 calculates statistical information regarding traffic for each group classified by the classification unit 132 based on the flow statistical information.

  Thus, the computing device 10 of this embodiment measures communication between computer systems without using packet capture. For this reason, according to the present embodiment, it is not necessary to duplicate and store the capture data, and there is an effect that a secondary storage device for storing the capture data is not necessary.

  Furthermore, in this embodiment, since the packet is not duplicated, there is no problem regarding the confidentiality of the contents of communication included in the payload and the privacy protection. Furthermore, according to the present embodiment, it is possible to measure communication without reading the contents of the payload for the encrypted communication used for protecting the confidentiality of the contents of the communication.

  In the conventional measurement of flow statistical information, the statistical information that can be measured is limited to two types, that is, the number of packets and the number of bytes. On the other hand, the computing device 10 of this embodiment uses eight types of statistical information (number of packets, number of bytes, average packet size, maximum value of average packet size, minimum value, standard deviation, flow rate, co-occurrence matrix). Generate by calculation. For this reason, if the number of values that can be taken by one variable is M, the amount of information obtained in the prior art was M2, whereas in this embodiment, the amount of information of M8 is obtained. Can do.

  Furthermore, in this embodiment, it is not necessary to hold information necessary for calculation over the entire period from the start to the end of the session. That is, in the present embodiment, each piece of statistical information other than the number of packets and the number of bytes can be calculated only by temporarily storing one cycle of flow statistical information that can be periodically acquired. Thus, according to the computing device 10 of the present embodiment, effective communication measurement can be performed using limited processing resources.

  The classification unit 132 includes a transmission source and a transmission destination included in the first flow statistical information that are the same as the transmission destination and the transmission source included in the second flow statistical information, respectively, and the first flow statistical information and When both of the second flow statistical information are based on traffic generated within a predetermined period, the first flow statistical information and the second flow statistical information can be classified into the same group. Thus, the computing device 10 classifies the flow statistical information into groups for each session. As a result, according to the present embodiment, it is possible to calculate statistical information in units of sessions.

  The acquisition unit 131 can acquire at least the number of packets and the number of bytes as flow statistical information. In this case, the calculation unit 133 uses, as statistical information, the average packet size for each group, the average maximum packet size, the minimum average packet size, the standard deviation of the average packet size, and the time average of the number of bytes. And information indicating the presence / absence of transmitted / received packets for each time can be calculated. Thus, the computing device 10 can generate six types of statistical information from the number of packets and the number of bytes.

  The acquisition unit 131 can acquire the flow statistical information corresponding to each time at a fixed time interval in time order. In this case, the classification unit 132 can classify the flow statistical information each time the flow statistical information is acquired by the acquisition unit 131. In addition, the calculation unit 133 can calculate statistical information regarding traffic for each group each time classification is performed by the classification unit 132. Thereby, the computing device 10 can proceed with the sequential calculation as the flow statistical information is generated.

  When the statistical information of the group classified by the classification unit 132 has already been calculated, the calculation unit 133 calculates each group based on the calculated statistical information and the flow statistical information acquired by the acquisition unit 131. Statistical information about traffic can be calculated. As a result, it is not necessary to hold all the flow statistical information of a session, and the storage capacity to be used can be reduced.

  The calculation unit 133 can calculate a co-occurrence matrix based on the presence / absence of transmitted / received packets for each time as statistical information. This makes it possible to analyze the appearance pattern of successive packets.

[System configuration, etc.]
Each component of each illustrated device is functionally conceptual and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to the one shown in the figure, and all or a part of the distribution / integration is functionally or physically distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. Furthermore, all or a part of each processing function performed in each device may be realized by a CPU and a program that is analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  Also, among the processes described in this embodiment, all or part of the processes described as being performed automatically can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

[program]
As one embodiment, the calculation device 10 can be implemented by installing a calculation program for executing the above-described statistical information calculation on a desired computer as package software or online software. For example, the information processing apparatus can be caused to function as the calculation apparatus 10 by causing the information processing apparatus to execute the above calculation program. The information processing apparatus referred to here includes a desktop or notebook personal computer. In addition, the information processing apparatus includes mobile communication terminals such as smartphones, mobile phones and PHS (Personal Handyphone System), and slate terminals such as PDA (Personal Digital Assistant).

  The computing device 10 can also be implemented as a computing server device that uses a terminal device used by a user as a client and provides the client with a service related to the calculation of the statistical information. For example, the calculation server device is implemented as a server device that provides a calculation service that receives flow statistical information and outputs session statistical information. In this case, the calculation server device may be implemented as a Web server, or may be implemented as a cloud that provides a service related to the above-described statistical information calculation by outsourcing.

  FIG. 10 is a diagram illustrating an example of a computer that executes a calculation program. The computer 1000 includes a memory 1010 and a CPU 1020, for example. The computer 1000 also includes a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to a mouse 1110 and a keyboard 1120, for example. The video adapter 1060 is connected to the display 1130, for example.

  The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, a program that defines each process of the computing device 10 is implemented as a program module 1093 in which a code executable by a computer is described. The program module 1093 is stored in the hard disk drive 1090, for example. For example, a program module 1093 for executing processing similar to the functional configuration in the computing device 10 is stored in the hard disk drive 1090. Note that the hard disk drive 1090 may be replaced by an SSD.

  The setting data used in the processing of the above-described embodiment is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 and executes them as necessary.

  The program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN, WAN (Wide Area Network), etc.). Then, the program module 1093 and the program data 1094 may be read by the CPU 1020 from another computer via the network interface 1070.

DESCRIPTION OF SYMBOLS 1 Computation system 10 Computation apparatus 11 Communication part 12 Storage part 13 Control part 20 Client 30 Server 40 Router 121 Primary storage part 122 Secondary storage part 131 Acquisition part 132 Classification part 133 Calculation part 134 Storage part

Claims (7)

An acquisition unit that acquires flow statistical information that is statistical information related to traffic aggregated for each communication source and communication destination;
A classification unit for classifying the flow statistics information into groups so that the sessions of the traffic based on the same are the same;
Based on the flow statistical information, a calculation unit that calculates statistical information about traffic for each group classified by the classification unit;
A computing device characterized by comprising:   In the classification unit, the transmission source and the transmission destination included in the first flow statistical information are the same as the transmission destination and the transmission source included in the second flow statistical information, respectively, and the first flow statistical information And the second flow statistical information is classified into the same group when the second flow statistical information is based on traffic generated within a predetermined period. The computing device according to claim 1, wherein: The acquisition unit acquires at least the number of packets and the number of bytes as the flow statistical information,
The calculation unit includes, as the statistical information, an average packet size for each group, an average maximum packet size, an average minimum packet size, an average standard deviation of the packet size, and the number of bytes. The calculation apparatus according to claim 1, wherein the time average and the information indicating the presence / absence of transmitted / received packets for each time are calculated. The acquisition unit acquires the flow statistic information corresponding to each time at a fixed time interval in time order,
The classification unit classifies the flow statistical information every time the flow statistical information is acquired by the acquisition unit,
4. The calculation device according to claim 1, wherein the calculation unit calculates statistical information regarding traffic for each group each time classification is performed by the classification unit. 5.   When the statistical information of the group classified by the classification unit has already been calculated, the calculation unit, based on the calculated statistical information and the flow statistical information acquired by the acquisition unit, The calculation apparatus according to claim 4, wherein statistical information about traffic for each group is calculated.   The calculation device according to claim 1, wherein the calculation unit calculates a co-occurrence matrix based on the presence / absence of a transmitted / received packet for each time as the statistical information. A calculation method executed by a calculation device,
An acquisition step of acquiring flow statistical information that is statistical information related to traffic aggregated for each communication source and communication destination;
A classification step of classifying the flow statistics information into groups so that the sessions of the traffic based on the same are the same;
A calculation step of calculating statistical information on traffic for each group classified by the classification step based on the flow statistical information;
The calculation method characterized by including.

Images