JP4190508B2 - Network control system and network control method - Google Patents

Description

  The present invention is used in an apparatus for evaluating and managing various events generated in a network. In particular, it relates to a technique for detecting and protecting against unauthorized access.

  In recent years, services that allow remote computers to access information stored in Web servers and FTP servers connected to networks such as the Internet have been provided. These servers are monitored using an intrusion detection system (IDS: Intrusion Detection System) for the purpose of detecting an intrusion attack from an unauthorized remote user (for example, see Non-Patent Document 1).

  In the IDS of the prior art, it is necessary for an operator to manually analyze a detection result (alert) to be obtained and distinguish an important alert from an alert that is not so. However, the amount of alerts obtained from IDS is enormous, and there is a problem that the above analysis work takes an enormous amount of time.

  In addition, with conventional monitoring purposes or IDS operation by human analysis, when the server is subjected to a huge number of intrusion attacks from unauthorized remote users, the server is overloaded and the request can be processed normally. There was a situation where it was lost or the system went down, and normal user traffic and requests were invalidated.

  In addition, when a large number of requests are concentrated on the server at a time, the conventional IDS cannot perform the process of narrowing down (dropping) the number of requests.

"Current status of research on intrusion detection systems", Takeshi Atsushi, Information Processing, Vol. 42, No. 12, issued in December 2001 "Network QoS technology", written by Kei Toda, published by Ohmsha

  In the above prior art, since the classification and analysis of the importance of information such as detection results (alerts) and logs obtained from servers such as the Web and IDS are performed manually, processing takes time. In addition, after the above classification and analysis, even if it becomes necessary to apply traffic restrictions based on important alerts, it is necessary to manually set traffic restrictions on managed devices such as routers, which takes time, There was a problem that the operation cost would increase. In addition, there is a problem that it is difficult to avoid an influence on a normal user due to erroneous detection of IDS, or to avoid a server overload state.

  It is an object of the present invention to automatically identify the importance of information obtained from a device under evaluation such as a Web server or IDS, and automatically perform network control according to the importance so that the server can be used in an emergency situation. The object is to provide a network control system that realizes quick response and reduction of operation cost of network management.

  A second object of the present invention is to provide a network control system that stabilizes server operation by preferentially restricting traffic of unauthorized remote users when the server is overloaded.

  Furthermore, the present invention provides a network that restricts the traffic of remote users according to the amount of load on the server, reduces the number of requests received by the server, avoids an overload condition of the server, and avoids system down. The purpose is to provide a control system.

  The present invention is directed to one or more managed devices that are connected to one or more external devices directly or via a network and control communication between the external devices and the evaluated device, and the managed devices The network control system includes an evaluated device that communicates with the external device via the network and transmits an event notification including the communication status or communication failure occurrence status, and a network management device that receives the event notification.

  Here, the system is characterized in that the network management device classifies the event type based on the received event notification, and counts the number of event notifications per unit time for each classified event type. When the count result exceeds a threshold value determined for each event type, information related to the event is generated, and a control execution instruction determined in advance is generated based on the generated information related to the event to The data is sent to the management device.

  The managed device can change the traffic restriction by an external control execution command. Further, the device to be evaluated can detect a log or traffic abnormality including the communication status or communication failure occurrence status or an intrusion attack and generate an alert including the detection result. The event notification may include the generated log or the alert.

  With this system configuration, an accurate control execution command based on an alert or log can be generated in a short time with a simple configuration using one device to be evaluated. Therefore, it is possible to quickly identify the importance of information obtained from the evaluated device such as a Web server, IDS, etc., and automatically perform network control according to the importance so that the server can respond quickly in an emergency situation. It is possible to reduce the operational cost of network management (cost reduction through efficient server operation and labor cost reduction).

  Alternatively, the present invention provides one or more devices that are connected to one or more external devices directly or via a network and that control communication between the external devices and the first or second device to be evaluated. A management device, a first evaluated device that communicates with the external device via the managed device, and sends an event notification including the communication status or communication failure occurrence status; and the external device via the managed device A network control system configured to include a second device to be evaluated that communicates with a device and transmits information on a load amount related to the external device, and a network management device that receives the event notification or the information on the load amount It is also possible.

  Here, the system is characterized in that the network management device classifies the event type based on the received event notification, and counts the number of event notifications per unit time for each classified event type. When the count result exceeds a threshold value determined for each event type, information related to the event is generated, and a control execution instruction determined in advance is generated based on the generated information related to the event to Sends to the management device, or generates a predetermined control execution command based on the load amount information and sends it to the managed device when the load amount exceeds a threshold based on the received load amount information There is a place to do.

  The managed device can change the traffic restriction by an external control execution command. The first device to be evaluated detects a log or traffic abnormality including the communication status or a communication failure occurrence status or an intrusion attack, and generates an alert including the detection result. The event notification may include the generated log or the alert. Furthermore, the second device to be evaluated includes a calculation processing unit that performs communication processing or data calculation processing related to the external device, and the load amount information includes load amount information in the calculation processing unit. it can.

  For example, when the information about the event is generated and the condition that the load amount exceeds a threshold is satisfied, the control execution instruction predetermined based on the information about the event or the information on the load amount A predetermined control execution command can be generated and sent to the managed device.

  According to the system configuration, since the control execution command can be generated based on both the alert and the load amount information, an accurate control execution command can be generated in a short time. For example, if the determination of the first device under evaluation is wrong, even if the server that is the second device under evaluation is operating normally instead of being overloaded, the traffic of normal users is erroneously restricted. However, according to this, the network management device can recognize the erroneous determination of the first device under evaluation from the detection result of the load amount of the second device under evaluation. Thus, it becomes possible to eliminate the influence of the erroneous determination of the first device under evaluation and to discard only the illegal traffic with priority (logical product (AND) usage form).

  In addition, if either of the determination result of the first device under evaluation or the detection result of the load amount of the second device under evaluation shows an abnormality, the control execution command is generated, so that the occurrence of the abnormality Since monitoring can be performed from many directions, it is possible to avoid a situation in which an abnormality is overlooked (logical OR (OR) usage form).

  Therefore, it is possible to quickly identify the importance of information obtained from the evaluated device such as a Web server, IDS, etc., and automatically perform network control according to the importance so that the server can respond quickly in an emergency situation. The operational cost of network management can be reduced, and when the server is overloaded, the server operation can be stabilized by preferentially regulating the traffic of unauthorized remote users. Furthermore, according to the amount of load on the server, it is possible to restrict the traffic of the remote user, reduce the number of requests received by the server, avoid the server overload state, and avoid the system down.

  In addition, when generating the control execution instruction, the network management device writes information on an unauthorized user included in the information on the event that is a basis for generating the control execution instruction in a part of the control execution instruction, The management device can specify the traffic of the unauthorized user based on the information related to the unauthorized user included in the control execution command received from the network management device.

  That is, an IP address, a sender telephone number, and the like, which are individual IDs of unauthorized users, are stored only in events (logs, alerts). Therefore, by extracting information on the unauthorized user stored in the event, writing it in the control execution command, and sending it to the managed device, the managed device can identify the traffic of the unauthorized user. As a result, the managed device can intensively and efficiently execute the treatment instructed by the control execution command for the traffic of the unauthorized user.

  Alternatively, the present invention provides one or more managed devices that are directly or via a network connected to one or more external devices and control communication between the external devices and the evaluated device. A network control system configured to include an evaluated device that communicates with the external device via a management device and transmits load amount information related to the external device, and a network management device that receives the load amount information It is also possible.

  Here, the feature of the system is that the network management device, based on the received information on the load amount, when the load amount exceeds a threshold value, a control execution command predetermined based on the load amount information. Is generated and sent to the managed device.

  The managed device can change the traffic restriction by an external control execution command. In addition, the device to be evaluated may include a calculation processing unit that performs communication processing or data calculation processing related to the external device, and the load amount information may include load amount information in the calculation processing unit.

  According to the system configuration, an accurate control execution command can be generated in a short time by a simple configuration and control based only on load amount information. Therefore, when the server is overloaded, server operation can be stabilized by preferentially restricting traffic of unauthorized remote users. Furthermore, according to the amount of load on the server, it is possible to restrict the traffic of the remote user, reduce the number of requests received by the server, avoid the server overload state, and avoid the system down.

The network control system of the present invention has the following effects.
(1) Time required for automatically determining important events that need to be subject to traffic control from events such as server logs such as Web, IDS alerts and logs, and actually controlling managed devices such as routers This makes it possible to respond quickly.
(2) When a server overload such as Web is overloaded, it becomes possible to regulate only the traffic of unauthorized users with high probability, and server operation can be stabilized.
(3) When a server overload such as the Web is overloaded, it is possible to avoid invalidating all user requests and traffic, and only some user requests can be processed normally, avoiding system downtime. can do.

  Further, according to the network control system of the present invention, efficient network operation can be performed, so that the network operation cost can be reduced. Furthermore, since the network control of the present invention is all automatically performed without manual operation, the network operation cost can be reduced by reducing the labor cost.

(First embodiment)
Below, 1st embodiment of this invention is described with reference to FIG. 1 and FIG. FIG. 1 is a block diagram showing a configuration of a network control system according to the first embodiment of this invention. FIG. 2 is a flowchart showing the operation of the network control system of the first embodiment. In FIG. 1, the first form of the device under evaluation 1 is a server such as a Web server or an FTP server, and generates information such as a communication status with a remote external device 7 or a server failure as a log. . The second form of the device under evaluation 1 is an intrusion detection system (IDS), which detects a traffic abnormality or intrusion attack sent from a remote external device 7 and generates a detection result (alert). The evaluated device 1 notifies the network management device 2 of these logs and alerts as events. As an intrusion detection system, an anti-virus system, a spam filter, or the like can be used instead of IDS. In the description of this embodiment, these are referred to as IDS as representative.

  In the event notification, for example, in the first form of the device to be evaluated 1, “information indicating that the system has been rebooted” indicating the state of the server and processing contents, or “increase in the number of remote external devices to communicate with” is indicated. “Information”, “Information indicating that the remote external device has accessed important data”, “Information in which the normality of the server is maintained”, and the like are stored.

  In the second form of the device under evaluation 1, “information indicating that a serious intrusion attack has been performed” or “information indicating that a meaningless access has been performed” is stored in the event notification. Is done. The importance of these events is expressed using numerical values, or expressed using words such as “emergency”, “somewhat urgent”, and “caution”.

  The network management device 2 includes an event evaluation unit 3, event counting units 4-1 to 4 -N, and an event processing unit 5. When the event evaluation unit 3 receives the event notification from the evaluated device 1, the event evaluation unit 3 classifies the event type based on the information indicating the importance stored in the event, and prepares event counting units 4-1 to 4 prepared for each event type. Forward the event notification to -N.

  In the most basic operation of the event counting units 4-1 to 4 -N, the event counting units 4-1 to 4 -N count the number of events per unit time, and event information when the threshold value prepared in advance is exceeded. Is transmitted to the event processing unit 5.

  As a counting method used when counting the number of events per unit time, a token bucket method, a leaky bucket method, or the like described in Non-Patent Document 2 is used.

  When the event processing unit 5 receives event information from the event counting units 4-1 to 4 -N, the event processing unit 5 transmits a control execution command corresponding to the prepared event to the network device 6 that is a managed device.

  In addition, when generating the control execution instruction, the network management device 2 sets a means for writing information on an unauthorized user included in the information on the event that is a basis for generating the control execution instruction in a part of the control execution instruction. Provided in the processing unit 5, the network device 6 includes means for identifying the traffic of the unauthorized user based on the information regarding the unauthorized user included in the control execution command received from the network management device 2.

  That is, an IP address, a sender telephone number, and the like, which are individual IDs of unauthorized users, are stored only in events (logs, alerts). Therefore, the event processing unit 5 of the network management device 2 extracts information related to the unauthorized user stored in the event, writes it in the control execution command, and sends it to the network device 6. Traffic can be identified. As a result, the network device 6 can intensively and efficiently execute the treatment instructed by the control execution command for the traffic of the unauthorized user.

  The managed device is a network device 6 such as a router, a switch, a firewall, or a load distribution device, and performs traffic restriction as a communication control unit in communication between the external device 7 and the evaluated device 1. The control execution command includes discard (regulation) of specific traffic, change of priority, release of the priority, and the like.

  FIG. 1 illustrates one external device 7 and a network device 6 corresponding thereto, but actually, a plurality of external devices 7 and a plurality of network devices 6 corresponding thereto are installed. The control execution command is issued only to the network device 6 arranged at a necessary location according to the disposal (regulation) of specific traffic, the change of priority, the release thereof, or the like, thereby controlling the traffic. The control execution command is not issued to the network device 6 arranged in an unnecessary place. Further, the device under evaluation 1 is not limited to one. By arranging the plurality of devices to be evaluated 1 at a plurality of important points, the traffic monitoring accuracy can be improved.

  By using such a network control system of the present embodiment, important events that need to be subject to traffic regulation are automatically determined from events such as logs and alerts from the device under evaluation 1, and routers and the like are actually detected. It is possible to shorten the time until the managed device is controlled and to respond quickly.

  In the operation described above, the event counting units 4-1 to 4-N set a small threshold for alerts and logs having high importance, and set a large threshold for alerts and logs having low importance. Set. As a result, only a small number of important alerts and logs are generated, information is immediately sent to the event processing unit 5, and traffic that causes an abnormality can be regulated.

  This eliminates the need for manual event classification and analysis, which is a problem of the prior art, and enables automatic traffic regulation for important attacks and intrusions more quickly than in the prior art, thereby reducing operational costs. Further, in the case where the device under evaluation 1 is in the form of IDS, even if the IDS is rarely erroneously determined by setting a threshold value, there is no information transfer to the event processing unit 5 with a small number of erroneous determinations. There is an advantage that the regulation is not performed and the influence of the erroneous determination of IDS can be reduced.

  As an operation of the event counting units 4-1 to 4 -N, information may be sent to the event processing unit 5 for all notifications to be received if the event notification has a particularly high importance. Conversely, if the degree of importance is low, information may be transferred to the event processing unit 5 for one randomly selected event notification received.

  Furthermore, it is also possible to process information included in a plurality of received events, create summary information (metadata) indicating the trend and nature of these events, and transfer this to the event processing unit 5 as event information. This enables traffic regulation that automatically performs advanced log / alert analysis. When event information is transferred from the event counting units 4-1 to 4-N to the event processing unit 5, the count values of the event counting units 4-1 to 4-N are reset to zero, and the event evaluation unit 3 The count value may be recounted as 1 from the next event to be received.

  Further, if the counted number of events per unit time is smaller than the threshold value, “cancel event information” for canceling the process executed immediately before can be transferred to the event processing unit 5. As a result, if the state returns to normal, it becomes possible to cancel the traffic regulation.

  The event processing unit 5 can have a function of storing the transmission of the control execution command to the network device 6 that is a managed device. Further, when cancel event information is received from the event counting units 4-1 to 4-N, if a control execution command for a corresponding event has been transmitted before that, the corresponding control cancel command is sent from the event processing unit 5. May be sent. As described above, this makes it possible to automatically release the regulation and reduce the operation cost.

  The event processing unit 5 has a database that is a storage device that stores a control execution command corresponding to an event received from the event counting units 4-1 to 4-N and a control cancellation command. The contents may be changed dynamically.

  As a result, a wide range of logs, alerts, and control execution instructions can be handled, so the range of automatic traffic control can be expanded and the operation cost can be reduced.

  FIG. 2 is a flowchart showing the operation of the network control system in the first embodiment described above. When an event notification is received from the device to be evaluated 1 that is an IDS or a server (S1), the event evaluation unit 3 classifies the event type (S2), and any of the event counting units 4-1 to 4-N is applicable. Enter the event notification in. When receiving event notifications from the event evaluation unit 3, the event counting units 4-1 to 4-N count the number of event notifications per unit time for each type (S3). If any of the event counting units 4-1 to 4-N has an event notification number exceeding the threshold (S4), the event counting unit 4-i (i is any one of 1 to N) Information about the event exceeding the threshold is generated (S5), and this information is transferred to the event processing unit 5. The event processing unit 5 generates a predetermined control execution command based on the information and sends it to the network device 6 (S6).

  In addition, when generating the control execution instruction, the event processing unit 5 writes information on the unauthorized user included in the information on the event that is the basis for generating the control execution instruction in a part of the control execution instruction. Thereby, the network device 6 identifies the traffic of the unauthorized user based on the information on the unauthorized user included in the control execution command received from the network management device 2, and instructs the identified traffic by the control execution command. Can be performed.

(Second embodiment)
Below, 2nd embodiment of this invention is described with reference to FIG. 3 and FIG. FIG. 3 is a block diagram showing the configuration of the network control system according to the second embodiment of this invention. FIG. 4 is a flowchart showing the operation of the network control system of the second embodiment.

  In FIG. 3, a device under evaluation 11 is a server such as a Web server or an FTP server, and generates information such as a communication status with a remote external device 7 and a server failure as a log.

  The server of the device under evaluation 11 performs communication processing with the external device 7, monitors the load amount state itself, and notifies the event processing unit 15 of the network management device 12 if there is an abnormality. The device under evaluation 10 is an intrusion detection system (IDS), detects abnormalities in traffic and intrusion attacks sent from a remote external device 7, and generates a detection result (alert).

  When detecting an abnormality in the traffic between the server of the device under evaluation 11 and the external device 7, the traffic between the network device 6 and the device under evaluation 11 is transferred from the network device 6 to the IDS of the device under evaluation 10. A method of controlling the network device 6 so as to be copied and transferred to the network can be adopted. Such a control function is usually called a mirror port function.

  The IDS that is the device under evaluation 10 transmits an alert to the network management device 12 as an event notification. As in the first embodiment, the importance level of an event is expressed using numerical values or expressed using words.

  The network management device 12 includes an event evaluation unit 13, event counting units 14-1 to 14 -N, and an event processing unit 15. When the event evaluation unit 13 detects the occurrence of an event from the device under evaluation 10 as a notification, the event evaluation unit 13 identifies the event based on the information indicating the importance stored in the event notification, and prepares the event counting units 14-1 to 14 prepared for each type. Forward the event to -N.

  The event counting units 14-1 to 14-N count the number of events per unit time, and transmit event information to the event processing unit 15 when a threshold value prepared in advance is exceeded. As described above, as a counting method used when counting the number of events per unit time, a token bucket method, a leaky bucket method, or the like described in Non-Patent Document 2 is used.

  As in the case of the first embodiment, when event information is received from the event counting units 14-1 to 14-N, a control execution command corresponding to the prepared event is transmitted to the managed device. The managed device is a network device 6 such as a router, a switch, a firewall, or a load distribution device.

  The control execution command includes discard (regulation) of specific traffic, change of priority, release of the priority, and the like. In the present embodiment, in addition to this, the event processing unit 15 also periodically receives information on the load amount from the calculation processing unit 16 of the server that is the device under evaluation 11. The event processing unit 15 discards (regulates) specific traffic or changes priority as a control execution command if the load of the server that is the device under evaluation 11 is excessive.

  As a result, important events that need to be subject to traffic regulation are automatically determined from events such as alerts from IDS, which is the device under evaluation 10, and the time required to actually control the managed device such as a router is shortened. In addition, it is possible to respond quickly, and at the time of server overload, which is the device under evaluation 11, it is possible to regulate only the traffic of unauthorized users with high probability, and server operation can be stabilized. Furthermore, when the server is overloaded, it is possible to avoid invalidating the requests and traffic of all users, and it is possible to process only some of the user requests normally, thus avoiding system down. .

  Also in the second embodiment, as in the first embodiment, as the operation of the event counting units 14-1 to 14-N, information may be sent to the event processing unit 15 for every event notification received. Event information may be transferred to the event processing unit 15 for one randomly selected event notification received.

  Furthermore, it is also possible to process information included in a plurality of received events to create summary information (metadata) indicating the trend and nature of these events, and transfer this to the event processing unit 15 as event information.

  When event information is transferred from the event counting units 14-1 to 14-N to the event processing unit 15, the count values of the event counting units 14-1 to 14-N are reset to zero, and the event processing unit 15 The count value may be recounted from the next event to be received again. Furthermore, when the counted number of events per unit time is smaller than the threshold value, “cancellation event information” for canceling the process executed immediately before can be transferred to the event processing unit 15.

  The event processing unit 15 can have a function of storing that the control execution command is transmitted to the managed device. Further, when cancel event information is received from the event counting units 14-1 to 14-N, if a control execution command for the corresponding event has been transmitted before that, the corresponding control cancel command is sent from the event processing unit 15. May be sent.

  The event processing unit 15 has a database that is a storage device that stores a control execution instruction corresponding to an event received from the event counting units 14-1 to 14-N and a control cancellation instruction. The contents may be changed dynamically.

  The operation of the network control system in the second embodiment described above is shown in the flowchart of FIG. When the event evaluation unit 13 receives an event notification (alert) from the IDS that is the device under evaluation 10 (S10), the event evaluation unit 13 classifies the event type (S11) and transfers the event type to the event counting units 14-1 to 14-N.

  The event counting units 14-1 to 14-N count the number of event notifications per unit time for each type of events transferred from the event evaluation unit 13 (S12). If there is the number of event notifications exceeding the threshold (S13), information about the event exceeding the threshold is generated (S14), and the information is notified to the event processing unit 15.

  The event processing unit 15 generates a predetermined control execution command based on the information notified from the event counting unit 14-i and sends it to the network device 6 (S15).

  In addition, when generating the control execution instruction, the event processing unit 15 writes information on the unauthorized user included in the information on the event that is a basis for generating the control execution instruction in a part of the control execution instruction. As a result, the network device 6 identifies the traffic of the unauthorized user based on the information regarding the unauthorized user included in the control execution command received from the network management device 12, and instructs the identified traffic by the control execution command. Can be performed.

  In parallel with this processing, the calculation processing unit 16 of the server that is the device under evaluation 11 monitors its own load amount (S16), and when the load amount exceeds the threshold value (S17), the load amount exceeds the threshold value. Information to that effect is generated (S18), and the information is sent to the event processing unit 15.

  When the event processing unit 15 receives information indicating that the load amount of the server that is the device under evaluation 11 exceeds the threshold value, the event processing unit 15 sends a control execution command determined in advance based on the information to the network device 6 (S15).

  The process of step S15 in FIG. 4 is provided in common to both the flow of steps S10 to S14 and the flow of steps S16 to S18, and is executed whenever the process in either step S14 or S18 is completed. The event processing unit 15 may generate information related to the event by the event counting unit 14-i, and the event processing unit 15 may execute the processing in step S15. Based on the information about the event generated by the event counting unit 14-i in advance when the condition that the load amount exceeds the threshold based on the load amount information received from the calculation processing unit 16 of the device under evaluation 11 is satisfied. Information on the amount of load received from the defined control execution command or the calculation processing unit 16 of the device under evaluation 11 It may comprise means for sending to the network device 6 generates a predetermined control execution order based on (conjunctive flow).

  As a result, the control execution command can be generated based on both the alert and the load amount information, so that an accurate control execution command can be generated in a short time. For example, in the case of the latter (logical flow), if the evaluation of the device under evaluation 10 is wrong, even if the server as the device under evaluation 11 is operating normally without being overloaded, Although there is a possibility that traffic of normal users is erroneously regulated or discarded, according to the latter (logical product flow), the network management device 12 makes an erroneous determination of the device under evaluation 10 by the device under evaluation 11. It becomes possible to recognize from the detection result of the load amount, and it becomes possible to eliminate the influence of the erroneous determination of the device under evaluation 10 and to discard only the illegal traffic with priority.

  Further, according to the latter (logical OR flow), a control execution command is generated when either the determination result of the device under evaluation 10 or the load amount detection result of the device under evaluation 11 shows an abnormality. Since the occurrence of abnormality can be monitored from various directions, it is possible to avoid a situation where an abnormality is missed.

  These usage modes can be selected adaptively according to the network environment.

(Third embodiment)
Below, 3rd embodiment of this invention is described with reference to FIG. 5 and FIG. FIG. 5 is a block diagram showing the configuration of the network control system according to the third embodiment of this invention. FIG. 6 is a flowchart showing the operation of the network control system according to the third embodiment of the present invention. In FIG. 5, the device under evaluation 11 is a server such as a Web server or an FTP server, and has a calculation processing unit 16 for performing communication processing with the external device 7 and arithmetic processing such as data processing, The load amount state can be monitored and the load amount can be notified to the network management device 22.

  The network management device 22 includes an event processing unit 25. The event processing unit 25 periodically receives the load amount information of the calculation processing unit 16 from the calculation processing unit 16 of the server that is the device under evaluation 11. In the third embodiment, when the magnitude of the load amount of the calculation processing unit 16 exceeds a predetermined threshold, the calculation processing unit 16 of the evaluated device 11 sends the information to the event processing unit 25 of the network management device 22. To transmit. When the load amount of the calculation processing unit 16 exceeds a threshold value prepared in advance, the event processing unit 25 transmits a control execution command corresponding to the threshold value to the network device 6 that is a managed device.

  This makes it possible to regulate only the traffic of unauthorized users with high probability when the server being the device under evaluation 11 is overloaded, and the server operation can be stabilized. Furthermore, when the server is overloaded, it is possible to avoid invalidating the requests and traffic of all users, and it is possible to process only some of the user requests normally, thus avoiding system down. .

  The event processing unit 25 may have a function of storing that the control execution command is transmitted to the network device 6. Further, when the load amount of the calculation processing unit 16 is smaller than the threshold value, an instruction to cancel the control execution instruction sent before that may be transmitted to the network device 6.

  The operation of the network control system in the third embodiment described above is shown in the flowchart of FIG. The calculation processing unit 16 of the server that is the device under evaluation 11 monitors its own load amount (S20), and if the load amount exceeds the threshold value (S21), generates information that the load amount exceeds the threshold value. (S22), the information is sent to the event processing unit 25.

  When the event processing unit 25 receives information indicating that the load amount of the server that is the device under evaluation 11 exceeds the threshold value, the event processing unit 25 sends a control execution command determined in advance based on the information to the network device 6 (S23).

(Fourth embodiment)
In this embodiment, when installed in a general-purpose information processing apparatus, the information processing apparatus realizes functions corresponding to the network management apparatuses 2, 12, and 22 of the first to third embodiments, and the network control of the present invention. It can be realized as a program for executing a procedure corresponding to the method. The program is recorded on a recording medium and installed in the information processing apparatus, or installed in the information processing apparatus via a communication line, so that the network management apparatus 2 according to the first to third embodiments is installed in the information processing apparatus. , 12 and 22 can be realized.

  According to the network control system of the present invention, it is possible to shorten the time from the occurrence of a situation where traffic regulation is necessary until the traffic regulation is actually performed, and to respond quickly. Further, it becomes possible to regulate only the traffic of unauthorized users with a high probability, and the server operation can be stabilized. Further, it is possible to avoid invalidating requests and traffic of all users, and it is possible to normally process only requests of some users, thereby avoiding a system down.

  As a result, the convenience of the network administrator can be improved, and the service quality for the network user can be improved.

The block diagram of the network control system of 1st embodiment of this invention. The flowchart which shows operation | movement of the network control system of 1st Example of this invention. The block diagram of the network control system of 2nd embodiment of this invention. The flowchart which shows operation | movement of the network control system of 2nd embodiment of this invention. The block diagram of the network control system of 3rd embodiment of this invention. The flowchart which shows operation | movement of the network control system of 3rd embodiment of this invention.

Explanation of symbols

1, 10, 11 Evaluated device 2, 12, 22 Network management device 3, 13 Event evaluation unit 4-1 to 4-N, 14-1 to 14-N Event counting unit 5, 15, 25 Event processing unit 6 Network Device 7 External device 16 Calculation processing unit

Claims (6)

Connected to one or more external devices directly or via a network,
One or more managed devices comprising communication control means for controlling communication between the external device and the first or second device to be evaluated, and means for changing traffic regulation by an external control execution command When,
An event generating unit that communicates with the external device via the managed device, detects an abnormal traffic or an intrusion attack, and generates an alert including the detection result, and an event including the alert generated by the alert generating unit A first device to be evaluated comprising an event notification means for sending a notification;
A calculation processing unit that communicates with the external device via the managed device and performs communication processing or data calculation processing related to the external device, and load amount information sending means for sending load amount information in the calculation processing unit A second device to be evaluated,
A network management device comprising a traffic information receiving means for receiving the event notification and the load amount information,
The network management device includes:
Event type classification means for classifying the type of the event based on the event notification received by the traffic information receiving means;
An event that counts the number of event notifications per unit time for each event type classified by the event classification means, and generates information related to the event when the counting result exceeds a threshold value determined for each event type Information generating means;
When the event information on the event by the information generating means is generated, and the conditions referred to the load based on the load amount of information received has exceeded a threshold met by the traffic information receiving means, relating to the event network, characterized in that to generate a predetermined control execution command based on a predetermined control execution instruction or the load amount of information on the basis of the information and a control execution command sending means for sending to said managed device Control system. The network management device, when generating the control execution command, writes unauthorized user information writing means that writes information related to an unauthorized user included in the information related to the event that is the basis for generating the control execution command in a part of the control execution command With
Said managed device, according to claim 1, characterized in that it comprises an unauthorized user specifying means for specifying traffic unauthorized user on the basis of the information related to fraud user included in the control execution instructions received from the network management device network control system. A network control method applied to the network control system according to claim 1,
The network management device includes:
Classifying the event type based on the received event notification;
Counting the number of event notifications per unit time for each event type classified by the step, and generating information about the event when the counting result exceeds a threshold value determined for each event type;
Based on the information on the event when the information on the event generated by the step is generated and the condition that the load exceeds the threshold is satisfied based on the received information on the load. A network control method comprising: executing a step of generating a predetermined control execution command based on a predetermined control execution command or information on the load amount and sending the generated control execution command to the managed device. The network management device, when generating the control execution instruction, executes a step of writing information on an unauthorized user included in the information on the event that is a basis for generating the control execution instruction in a part of the control execution instruction,
The network according to claim 3 , wherein the managed device executes a step of identifying traffic of an unauthorized user based on information on the unauthorized user included in the control execution command received from the network management device. Control method. A program that, when installed in an information processing apparatus, causes the information processing apparatus to execute a procedure corresponding to the network control method according to claim 3 or 4 . 6. A recording medium readable by the information processing apparatus on which the program according to claim 5 is recorded.

Images