JP4867848B2 - Overlay traffic detection system and traffic monitoring / control system - Google Patents

Description

  The present invention relates to an overlay traffic detection system and a traffic monitoring / control system, and can be applied to, for example, monitoring and control of traffic in an overlay network or a peer-to-peer (P2P) network.

  In recent years, a communication technology called an overlay network or a P2P network has been actively researched and developed and is actually being applied. The technique disclosed in Patent Document 1 is one of them.

  An overlay network is a network constructed on the upper layer with a certain network function as a transmission path, and means a network having a routing function different from that of a lower network. P2P means that each computer has a connection relationship having an equal relationship. In the P2P network, each PC (personal computer) serves as a terminal in some cases and serves as a relay node in other cases, and performs exactly the same function. For this reason, a P2P network implemented over a wide area on the Internet often takes the form of an overlay network.

  FIG. 2 shows an example of a physical connection state of the overlay network, and FIG. 3 shows a logical connection state of the overlay network.

  2 and 3, ISP represents an Internet service provider (Internet-Service-Provider) or a network provided by the ISP, R represents a router, IX represents an Internet connection point (Internet-eXchange), PC represents a terminal such as a personal computer (or a large host computer), and SW represents a switch. In the example shown in FIG. 2 and FIG. 3, ISP1 to ISP3 directly connected to IX are called primary providers, and ISP4 to ISP6 connected to a primary provider connected directly are not directly connected to IX. The next provider is called. The secondary providers ISP4 and ISP5, and ISP4 and ISP6 were associated with an agreement such as setting the route of the router so that traffic from the peering connection could not flow upstream or flow to other ISP networks. And peering.

  In the example shown in FIG. 2, PC11, PC41, and PC51 have a terminal function and a transfer node function to construct an overlay network. The constructed overlay network logically has a topology as shown in FIG.

  Since the routing in the overlay network follows the routing policy of the overlay, it does not depend on the routing in the ISP network below. For example, when the PC 41 accesses the file server 11, transfer via the path of the file server 11 → PC 11 → PC 51 → PC 41 is also possible. In general, file server 11 → ISP1 → ISP3 → ISP5 → ISP4 → PC41 cannot be transferred according to ISP routing policy (peering agreement). However, since file transfer of ISP1 → ISP3 → ISP5 → PC51 and file transfer of PC51 → ISP5 → ISP4 → PC41 are possible, if each PC conspires and the PC51 hides the role of the relay node from the ISP, Transfer of the file server 11 → PC51 → PC41 becomes possible.

  The preconditions for the occurrence of the overlay network problem are as follows.

  (1) ISP4 attaches great importance to spending reduction, and operates under a policy of operating the line between R33 and R41 with a very thin line.

  (2) The ISP 5 places importance on increasing revenues, places importance on service quality in order to acquire users, and conducts business with a policy that uses a thick line between R34 and R51.

  Under such a precondition, as described above, if the PC 41, PC 51, and PC 11 (users) construct an overlay network, the PC 41 accesses the file server 11 via the PC 51 using the overlay network, Get a comfortable environment. Also, when the R61-R32 line is thin and the R61-R42 is thick, when the user of the PC 51 accesses the WEB server 61, the connection is made via the ISP 4 called R61-R42-PC41-R42-R43 instead of the normal ISP3. PC 51 and PC 41 are mutually beneficial because they can be comfortable. As described above, the subscribers of the overlay network can also obtain a “smart and comfortable environment in cooperation”.

  However, ISP5 spends a large amount of money to improve the service quality of its subscribers and sets up a thick line between R34 and R51, but other ISP subscribers use a lot of bandwidth. May adversely affect the use of your subscribers. In other words, there is a situation where the competitiveness is lost due to the large expenditure, but the customer satisfaction is not improved so much and the purpose of emphasizing the acquisition of the number of users cannot be achieved.

  Therefore, the ISP has a desire to grasp how much traffic of the overlay network flowing in its own network is, and to control the traffic. However, at present, there is no sufficient countermeasure. Hereinafter, the traffic of the overlay network is called overlay traffic, and the problem is considered. Such situations and problems are often referred to as a network free-riding problem (see Non-Patent Document 1).

  As conventional techniques for countermeasures against these problems, there are those described in Patent Documents 2 to 5.

  The technique described in Patent Document 2 shows a method for separating P2P traffic by analyzing header address information (Claim 1), and shows a method for participating in P2P service for obtaining address information (Claim 2). A function for separating traffic with matching information is shown (Claim 3), and an improvement method thereof is shown (Claims 4 to 7). For each packet, time stamp information, outgoing IP address, incoming IP address, outgoing port The method of analyzing the number, the incoming port number and the packet size (claim 8) to determine the P2P traffic is shown.

  The technology described in Patent Document 3 (Claim 1) is a method of acquiring P2P node information using a dummy PC and grasping P2P traffic, and Patent Document 3 is a technology that has been improved. Show.

  Patent Document 4 receives and analyzes information relating to connectivity related to a network including a plurality of samples relating to user activity, constructs a statistical model that mathematically predicts connectivity between network regions, and matches A method for determining a P2P network by determining whether or not to perform the process, and an improved method thereof are shown. It also describes controlling the detected P2P traffic.

In the technique described in Patent Document 5, a P2P message is freely detected by a third party to grasp traffic.
Japanese Patent Application Laid-Open No. 2004-266796 JP 2004-343186 A JP-A-2005-202589 JP 2005-278176 A Special table 2006-506877 Hasegawa, Murata et al., “A study on free-riding network problems caused by overlay routing”, IEICE Tech. 106, no. 420, IN2006-136. pp. 133-138, December 2006

  However, in the technique described in Patent Document 2, it is known that (1) the P2P network is deployed on the own network, and the PC that is the P2P node and its IP address are known, (2) the P2P network If the PC participating in the P2P network is unknown, or authentication is required for participation in the P2P network and P2P traffic cannot be specified, etc. , Has a problem that it can not be applied.

  The technique described in Patent Document 3 is also based on the above (1) and (2), and has the same problems as the technique described in Patent Document 2.

  The technique described in Patent Document 4 requires the construction of a “statistical model that mathematically predicts connectivity between network areas”, and how to build a model with sufficient reliability. It has become a challenge.

  The technique described in Patent Document 5 is based on the precondition that a P2P message can be freely detected and acquired by a third party. Therefore, it is difficult to detect a P2P message or the content of the message is encrypted. If the analysis is impossible, this technique cannot be applied.

  Therefore, an overlay traffic detection system and a traffic monitoring / control system capable of detecting and controlling overlay traffic in an overlay network or a P2P network without restrictions such as known IP addresses or under loose restrictions are desired. It is rare.

  The overlay traffic detection system according to the first aspect of the present invention comprises: (1) traffic information measuring means for at least two directions for acquiring characteristic information of traffic from input traffic so that the traffic can be examined for at least two directions; And (2) a correlation degree calculation / threshold judgment means for obtaining a correlation degree of the acquired feature information of traffic in different directions and judging whether or not it exceeds a set threshold value, and (3) the correlation Whether or not there is overlay traffic to be output to another network after the traffic that has flowed into a network once goes out of the network and then returns to that network. It is characterized by outputting as what represents.

    The overlay traffic detection system according to the second aspect of the present invention comprises: (1) traffic information measuring means for at least two directions for acquiring characteristic information of traffic from input traffic so that the traffic can be examined for at least two directions; (2) The traffic characteristic information acquired from the traffic information measuring means is stored separately for each specific identification information such as a destination IP address, a source IP address, and a port number of a packet included in the traffic. Profile creation means, and (3) Obtain the correlation degree of characteristic information of traffic separated for each specific identification information in different directions acquired by the profile creation means, and whether or not it exceeds a set threshold value (4) Correlation calculation / threshold determination means Judgment results indicate that traffic that has flowed into a network once goes out of the network, then returns to the network, and again there is overlay traffic to be output to another network. It is characterized by outputting.

  The overlay traffic detection system according to the third aspect of the present invention provides (1) an identifier assignment / recognition that is output by assigning an identifier to traffic in a certain direction that has been input, or after recognizing a possible identifier. And (2) identifier detecting means for detecting whether there is an identifier assigned or recognized by the identifier assigning / recognizing means for the traffic in the other direction input, and (3) the above The detection result of the identifier detection means indicates whether or not there is overlay traffic to be output to another network after the traffic that has flowed into the network once goes out of the network and then returns to the network. It outputs as what is.

  In the overlay traffic detection system according to the fourth aspect of the present invention, (1) a delay that selectively gives a specified delay time only for a specified period to input traffic in a certain direction, and outputs it without a delay outside the specified period. (2) arrival time measuring means for measuring the arrival time of the traffic in the other direction inputted; (3) delay time given by the delay giving means, and measurement by the arrival time measuring means. (4) detecting the delay-added traffic, and (4) detecting the delay-added traffic. Based on the detection results of the means, the traffic that has flowed into a network once goes out of the network, then returns to the same network, and then returns to another network. And outputs as an overlay traffic to be output to over click represents a presence or absence.

  An overlay traffic detection system according to a fifth aspect of the present invention includes (1) traffic discarding means that selectively discards traffic in a certain direction for a specified period, and (2) traffic in another direction that is input. Traffic observation means for observing traffic, (3) traffic that is selectively discarded by the traffic discarding means, and traffic observed by the traffic observation means is discarded from changes in the appearance of traffic observed by the traffic observation means. (4) The traffic that has flowed into a certain network is temporarily out of the network as a result of the detection by the discard traffic detecting means, which detects whether the traffic is related to the same traffic as the received traffic. After that, return to the same network and output the overlay traffic to another network again. Wherein the click is output as expressing whether there.

  An overlay traffic detection system according to a sixth aspect of the present invention includes (1) traffic discarding means for selectively discarding traffic in a certain direction for a specified period, and (2) traffic in another direction input. (3) traffic selectively discarded by the traffic discarding means, and traffic of a retransmission request for selectively discarded traffic based on a change in the appearance of traffic observed by the traffic observation means Or (4) the detection of the discarded traffic detecting means; and (4) detection of the discarded traffic detecting means for detecting whether the retransmitted traffic is observed in the other direction or not, which is related to the same traffic as the discarded traffic. As a result, after the traffic that has flowed into a network has once left the network Come back to the same network again, and outputs as expressing whether the overlay traffic exists to be output to another network.

  The traffic monitoring and control system according to the seventh aspect of the present invention includes (1) the overlay traffic detection system according to any one of the first to sixth aspects of the present invention, and (2) specific traffic installed in association with the router. Filtering means for selectively excluding processing, and (3) control means for controlling the filtering means to exclude the traffic detected by the overlay traffic detection system as overlay traffic.

  According to the present invention, there is provided an overlay traffic detection system and a traffic monitoring / control system capable of detecting and controlling the overlay traffic even when the destination of the node constituting the overlay network, the IP address and the port of the transmission source are not known. it can.

(A) First Embodiment Hereinafter, a first embodiment of an overlay traffic detection system according to the present invention will be described in detail with reference to the drawings.

(A-1) Configuration of First Embodiment FIG. 1 is a block diagram showing a detailed configuration of an overlay traffic detection apparatus according to the first embodiment. FIG. 4 is an explanatory diagram of an installation position of the overlay traffic detection device according to the first embodiment.

  1 and 4 apply the overlay traffic detection apparatus according to the first embodiment to the overlay network that takes the physical connection state shown in FIG. 2 and the logical connection state shown in FIG. Shows the case.

  The overlay traffic detection device 100 (100-1, 100-2) is mounted inside the router or outside the router, for example. In FIG. 4, the overlay traffic detection device 100-1 is provided between the router R51 of the ISP network ISP5 and another ISP network ISP3, and the overlay traffic detection device 100-2 is connected to the router R52 of the ISP network ISP5 and other routers. The example provided between ISP network ISP4 is shown. As described above, the overlay traffic detection apparatus 100 is preferably provided between the router of the ISP network and another ISP network.

  Although the overlay traffic detection device 100 can be installed on a line in the ISP network, it is determined whether or not the observed traffic is from an overlay network that is input from the external ISP network and transferred to the outside. In addition, a function for judging from the destination IP address of the packet and the route information of the network must be added, and therefore the above installation position is preferable. In addition, as shown in FIG. 4, the installation at the interface between the external ISP network and the local ISP network has an advantage that the number of installed units can be reduced.

  The example shown in FIG. 1 is an example in which the first overlay traffic detection system is configured by two overlay traffic detection devices 100-1 and 100-2.

  The overlay traffic detection devices 100-1 and 100-2 are mirroring means 101-1, 101-2, traffic information measuring means 102-1, 102-2, traffic profile creating means 103-1, 103-2, and communication, respectively. Means 104-1 and 104-2 and profile correlation degree calculation / threshold judgment means 105-1 and 105-2.

  Each of the mirroring units 101-1 and 101-2 is copied when an input packet (traffic) is allowed to pass, and the copied input packet is given to the corresponding traffic information measuring units 102-1 and 102-2. Note that the mirroring units 101-1 and 101-2 are not essential, and it is sufficient that traffic is input to the traffic information measuring units 102-1 and 102-2 from a router or a transmission path. The traffic input to the traffic information measuring means 102-1 and 102-2 may be all traffic or sampled traffic (however, in the case of sampled traffic, the detection accuracy may be reduced). .

  Each traffic information measuring means 102-1 and 102-2 extracts information necessary for determining overlay traffic from the input traffic, and outputs it to the corresponding traffic profile creating means 103-1 and 103-2. Is. As a determination method, there are a plurality of methods, and information necessary for the determination varies depending on the determination method. In the following, a method for determining using the packet length will be described. Each traffic information measuring unit 102-1, 102-2 acquires the packet length, the arrival time of the packet, the destination, or the source IP address for the input packet.

  Each of the traffic profile creation means 102-1 and 102-2 creates a traffic profile based on the information given from the corresponding traffic information measurement means 102-1 and 102-2. The profile includes “traffic characteristic information” and “traffic identification information”. The information for identifying the traffic includes, for example, the IP address of the destination and the transmission source. As the characteristic information of the traffic, for example, information indicating the packet length and the arrival time interval can be used. The profile creation means accumulates characteristic information for each piece of information to be identified.

  Each of the communication units 104-1 and 104-2 has a function of communicating with the communication units 104-2 and 104-1 of the other overlay traffic detection apparatuses 100-2 and 100-1, for example, the created traffic profile Give and receive.

  The profile correlation calculation / threshold determination means 105-1 and 105-2 include profiles created by the traffic profile creation means 102-1 and 102-2 of the overlay traffic detection apparatuses 100-1 and 100-2, The degree of correlation is calculated by comparing with the profiles created by the traffic profile creation means 102-2 and 102-1 of the other overlay traffic detection devices 100-2 and 100-1. Each profile correlation calculation / threshold determination means 105-1 and 105-2 determines that if there is traffic whose correlation is equal to or greater than the threshold as a result of calculation, it is determined as overlay traffic, and if it is less than the threshold, it is determined that the traffic is different. is there.

  In FIG. 4, the plurality of overlay traffic detection devices 100-1 and 100-2 are all mounted with the respective units 101 to 105. However, by using communication, other devices are predetermined. A part of the function may be substituted for this means.

(A-2) Operation of the First Embodiment Next, the operation of the traffic monitoring / control system and overlay traffic detection device of the first embodiment will be described.

  Since the overlay traffic detection devices 100-1 and 100-2 in the traffic monitoring / control system of the first embodiment perform the same operation, the operation will be described below with a focus on the overlay traffic detection device 100-1.

  The packet (IP packet) input to the overlay traffic detection apparatus 100-1 is copied by the mirroring means 101-1, and is given to the traffic information measuring means 102-1. Then, the traffic information measuring unit 102-1 acquires the packet length, the arrival time of the packet, the destination or the source IP address for the input packet, and based on the information acquired by the traffic profile generating unit 103-1. Thus, a traffic profile is created.

  The created traffic profile is given to the communication means 104-1, transferred to the other overlay traffic detection apparatus 100-2, and created by the other overlay traffic detection apparatus 100-2 by the communication means 104-1. A traffic profile is received.

  The profile correlation calculation / threshold judgment means 105-1 includes a traffic profile created by the traffic profile creation means 103-1, and another overlay traffic detection apparatus 100-2 received by the communication means 104-1. A traffic profile is input. Then, the profile correlation degree calculation / threshold value judgment means 105-1 calculates the correlation degree of two types of traffic profiles with different created devices for each identified traffic, and the overlay traffic according to the magnitude of the correlation degree. Is detected. Instead of taking a correlation for each traffic, it is also possible to take a correlation only with characteristic information. In the former case, the processing speed can be increased by performing parallel operations. In the latter case, the hardware and software configuration becomes simple, and the implementation becomes easy.

  FIG. 5 shows traffic input to the ISP 5 (inbound traffic) and traffic output from the ISP 5 (outbound traffic). FIG. 6 shows an overlay traffic detection apparatus 100-1, 100-2 shows the traffic profiled with the destination IP address as identification information and the packet length as characteristic information. In FIGS. 5 and 6, black rectangles represent overlay traffic, and white rectangles represent traffic other than overlay traffic.

  Overlay traffic passes through ISP 5 along with other traffic. The problem to be solved is to separate overlay traffic and other traffic from traffic passing through the ISP 5.

  In the first embodiment, the problem is to be solved based on the following assumptions (1) and (2) regarding the overlay traffic.

(1) Overlay traffic is input from an external first ISP and transferred to an external second ISP via a PC connected to the ISP.

(2) When only packets having the same destination IP address are arranged in time series, traffic (overlay traffic) relating to a certain first destination IP address inputted from the first external ISP, and external second The traffic related to a certain second destination IP address transferred to the ISP (overlay traffic) has a high frequency in which packets having the same packet length appear in the same order.

  Therefore, in the first embodiment, traffic is classified according to the same destination, a time-series traffic profile is created, and if there is traffic having a high correlation between the traffic profiles, it is determined that the traffic is overlay traffic. If the source IP address is not spoofed, the source IP address can also be used.

  The data transmitted from the ISP 3 to the IP address of the PC 51 includes traffic that is not an overlay network. In addition, there is overlay traffic terminated at the PC 51, and there is overlay traffic sent out from the PC 51. Packet loss also occurs. Therefore, just because of overlay traffic, the packet lengths of packets arranged by destination IP address do not completely match in time series. However, it can be expected to have a relatively similar pattern.

  The degree of correlation between the traffic profiles for each destination is evaluated using a cross-correlation function, and a certain threshold value is set. If there is a traffic set exceeding this, it is determined that the traffic is an overlay traffic and is output.

  In the above, the packet length, the IP address, and the packet arrival order information are used as the profile to be used, but other information such as a packet port number may be used or combined instead.

  Moreover, in the above, since the overlay traffic detection apparatuses 100-1 and 100-2 exchange information with each other and the comparison operation is performed on both, unnecessary calculations are also performed. In order to avoid such waste, for example, a device that has received a traffic profile first can eliminate waste of comparison by taking a technique such as not transmitting a traffic profile created by itself to the other party.

  Further, in the above description, it is determined whether the traffic having a single destination IP address is relay traffic of the overlay network, but at the same time, whether the traffic is relay traffic of the overlay network for a plurality of destination IP addresses. By determining whether or not, overlay traffic can be detected at higher speed.

(A-3) Effect of First Embodiment According to the first embodiment, it is possible to detect free-riding traffic in the overlay network flowing in the ISP, and to take measures as necessary. It becomes.

(A-4) Modified Embodiment of First Embodiment FIG. 7 is a block diagram showing a detailed configuration of an overlay traffic detection apparatus according to a modified embodiment of the first embodiment, and FIG. It is explanatory drawing of the installation position of the overlay traffic detection apparatus shown.

  In this modified embodiment, the overlay traffic detection system is constituted by one overlay traffic detection device 100A.

  An overlay traffic detection apparatus 100A according to a modified embodiment of the first embodiment includes a mirroring unit 101, a traffic information measurement unit 102, a traffic profile creation unit 103, and a profile correlation degree calculation / threshold determination unit 105, and an ISP. It is arranged between the router (R53) of the network (ISP5) and the subscriber (PC51). In general, since the number of subscribers is larger than the number of external ISPs to be connected, there is an advantage that a communication function for exchanging information between the overlay traffic detection devices becomes unnecessary although the number of subscribers increases. If the subscriber cooperates, it may be installed inside the subscriber PC. This is the case, for example, when it is detected that the subscriber's PC has been made an Internet bot against the intention of the owner and used as a node of the overlay network.

  The overlay traffic detection device 100A creates a traffic profile for the traffic destined for the PC 51, creates a traffic profile for the traffic output from the PC 51, and tries to execute a determination process similar to that of the first embodiment. .

  Of the traffic sent by the transmission source, the traffic on the overlay network is relayed by the PC and returned, so that it is possible to specify the overlay traffic alone without communicating with others. However, it is necessary to confirm from the IP address, the input / output edge node, or the like that the communication is not with the transmission source node but with another node. Of course, it is possible to increase the accuracy by providing a communication function and communicating with other overlay traffic detection devices.

(B) Second Embodiment Next, a second embodiment of the overlay traffic detection system according to the present invention will be described in detail with reference to the drawings.

(B-1) Configuration of Second Embodiment FIG. 9 is a block diagram showing a detailed configuration of an overlay traffic detection apparatus 200 of the second embodiment.

  The overlay traffic detection apparatus 200 of the second embodiment is installed inside a router or between a router and a subscriber's PC. If the subscriber cooperates, it may be installed inside the subscriber PC. FIG. 9 shows a case where it is installed between the router of the ISP network and the subscriber's PC (see FIG. 8).

  In FIG. 9, the overlay traffic detection apparatus 200 according to the second embodiment includes a packet mark assigning unit 201, a packet mark detection unit 202, a packet mark removal unit 203, and a control unit 204. A mark / packet correspondence information table 205 is built in the control means 204.

  The packet mark assigning unit 201 marks (payload mark) the payload part of the packet from the ISP network router to the PC, and corrects the header part so as not to cause a problem in the packet length, checksum, etc. And then send it out. The information of the mark given at the time of sending is also given to the control means 204. Here, it is preferable that marking is performed on all packets, but it may be performed only on a part (in this case, the packet mark detection means sequentially searches whether it is attached to only a part). Will do). The mark can be attached to the payload portion of the packet as described above, but the mark may be attached using an option field of the IP header. Further, the value (fragment ID) of the fragment ID field already included in the IP header information can be used as it is as a packet mark. In this case, it may be stored as a packet mark with a fragment ID, and it may be monitored whether or not there is traffic having the fragment ID in the traffic in the other direction.

  Using the above configuration, if traffic that has flowed into a network once goes out of the network, returns to the network, and whether there is traffic to be output to another network again. The overlay traffic detection apparatus having a function of specifying and indicating the traffic may be used.

  The packet mark detection means 202 monitors the traffic from the PC to the ISP router and checks whether or not the payload portion is marked. When a packet with a mark is detected, the packet mark detection means 202 This is to notify the mark removing means 203 and the control means 204. The packet mark detection means 202 delivers all the traffic from the PC to the ISP router to the packet mark removal means 203 as it is.

  The packet mark removal means 203 removes the mark from the marked packet, corrects the header portion, and sends it to the router side, and sends the packet without the mark to the router side as it is. Note that the packet mark removing means 203 may discard the marked packet if there is an agreement between the user and the ISP to prohibit the flow of overlay traffic.

  The control unit 204 stores the information of the packet to which the mark given from the packet mark giving unit 201 is given and the relationship between the marks in the mark / packet correspondence information table 205 and the mark notified from the packet mark detection unit 202. The information of the packet with is collated with the stored contents of the mark / packet correspondence information table 205, the overlay traffic (overlay packet) is specified, and the information is output to the management device or the like.

(B-2) Operation of Second Embodiment Next, the operation of the overlay traffic detection apparatus 200 of the second embodiment will be described.

  Packets that are sent from the router of the ISP network to the PC are marked with the payload part by the packet mark assigning means 201, and the header part is corrected so as not to cause a problem in the packet length and checksum, and then sent. . A plurality of marks to be assigned at the time of transmission are prepared for each IP address and port number, and the correspondence between them is stored in the mark / packet correspondence method table 205 in the control means 204.

  Next, the overlay traffic detection apparatus 200 monitors the traffic from the PC to the ISP router, and the packet mark detection means 202 checks whether or not the payload portion is marked. If a packet with a mark is detected, it is estimated that the PC is performing relay processing of the overlay network. From the packet with this mark, the mark is removed by the packet mark removing means 203, the header part is corrected, and the packet is sent to the router.

  If a packet with a mark is detected by the packet mark detection means 202, the control means 204 compares the stored contents of the mark / packet correspondence information table 205 to specify the overlay traffic.

  Note that if the marked packet is terminated at the PC, there is a possibility that an error will occur in the received data. Therefore, it is not recommended to use the overlay traffic detection method according to the second embodiment continuously for a long time. Is desirable.

  Here, the packet mark assigning means 201 of the second embodiment is connected to the inbound line from the external ISP to the own ISP, and the mark packet detecting means 202 and the packet mark removing means 203 are outbound from the own ISP to the external ISP. The same function may be realized by connecting to a line and exchanging information between the two (see FIG. 4).

(B-3) Effects of the Second Embodiment According to the second embodiment, in addition to the effects of the first embodiment, even when many packets having the same packet length flow, the overlay network There is an effect that it is possible to detect the traffic.

The detection method of the first embodiment is a method of detecting a packet of the overlay network based on the packet length information. However, in this method, in a network having a lot of traffic of the same packet length, there is a possibility that the probability of misrecognizing non-overlay traffic as overlay traffic may increase. According to the second embodiment, since the packet length is not used for detection, the traffic of the overlay network can be detected even in a network in which many packets having the same packet length flow (C). Third Embodiment Next, a third embodiment of the overlay traffic detection system according to the present invention will be described in detail with reference to the drawings.

(C-1) Configuration of Third Embodiment FIG. 10 is a block diagram showing a detailed configuration of an overlay traffic detection apparatus 300 of the third embodiment.

  The overlay traffic detection apparatus 300 of the third embodiment is installed inside a router or between a router and a subscriber's PC. If the subscriber cooperates, it may be installed inside the subscriber PC. FIG. 10 shows a case where it is installed between the router of the ISP network and the subscriber's PC (see FIG. 8).

  In FIG. 10, an overlay traffic detection apparatus 300 according to the third embodiment includes a packet delay adding unit 301, a mirroring unit 302, a packet arrival time measuring unit 303, a packet transmission interval adjusting unit 304, and a control unit 305.

  The packet delay adding unit 301 adds an arbitrary delay time selectively designated by the control unit 305 to a packet from the ISP network router to the PC.

  The mirroring means 302 copies and takes out the traffic from the PC to the router of the ISP network, gives it to the packet arrival time measuring means 303, and gives the copy source traffic to the packet transmission interval adjusting means 304.

  The packet arrival time measuring unit 303 measures the arrival time of the copy packet output from the mirroring unit 302.

  The packet transmission interval adjusting unit 304 adjusts the transmission interval of packets output to the router of the ISP network under the control of the control unit 305.

  The control means 305 gives an arbitrary delay time to the packet from the ISP network router to the PC by the packet delay giving means 301. Note that the control unit 305 controls a time period during which the packet delay providing unit 301 is provided with a delay and a time period during which the packet delay providing unit 301 is not provided with a delay. The control unit 305 also adds a delay time zone and a delay grant based on the packet arrival time in the time zone to which the delay is added and the packet arrival time in the time zone in which the delay is not given, measured by the packet arrival time measurement unit 303. A destination IP address that shows a difference in arrival interval in a non-permitted time zone is detected, and overlay traffic is recognized. Note that the detection of overlay traffic by the control unit 305 is performed in two stages of temporary detection and verification (verification may be omitted). Further, the control unit 305 controls the packet transmission interval adjusting unit 304 according to the recognition result of the overlay traffic.

(C-2) Operation of the Third Embodiment Next, the operation of the overlay traffic detection device 300 of the third embodiment will be described.

  A packet delay adding unit 301 adds an arbitrary delay time selectively specified by the control unit 305 and outputs the packet from the router of the ISP network to the PC.

  The traffic from the PC to the router of the ISP network is copied by the mirroring means 302 and given to the packet arrival time measuring means 303, and the copy source traffic is given to the packet transmission interval adjusting means 304. The arrival time of the copy packet output from the mirroring means 302 is measured by the packet arrival time measuring means 303, and information on the arrival time is given to the control means 305.

  As will be described later, the control unit 305 detects a destination IP address in which a difference in arrival interval is detected between a time zone where a delay is added and a time zone where a delay is not added, and specifies overlay traffic.

  The transmission interval of packets output to the router of the ISP network is adjusted by the packet transmission interval adjustment unit 304 under the control of the control unit 305. This operation prevents the user packet from being repelled by the policing control of the router.

  FIG. 10 shows a case where the traffic of the overlay network is divided into a plurality of destinations (black rectangle and white rectangle) and transmitted when transferred by the PC of the overlay network. In addition, traffic transmitted from a plurality of PCs in the upstream network is combined when relayed by the PC and transferred to one PC in the next overlay network. The third embodiment aims to detect overlay traffic with high detection accuracy even when there is such packet division or combination.

  In the third embodiment, in order to distinguish the overlay traffic and the traffic other than the overlay traffic, the traffic having a certain same source IP address and port number is either delayed or not applied.

As a method of giving a delay, for example, there is a method of giving one of two kinds of delay amounts 0 and T ₀ . Further, for example, there is a method in which a time period for giving a delay so that the PC arrival interval of packets becomes constant and a time for transmitting the packets so that the arrival interval of packets approaches 0 as much as possible. FIG. 10 shows the latter case.

  When the traffic transmitted to the PC side in this way is relayed by the PC of the overlay network and transferred again to the router of the overlay network, the transferred overlay traffic is statistically significant as compared with other traffic. It can be expected that a significant difference will occur. That is, it can be expected that a difference appears in the arrival interval of packets having a specific destination IP between a time zone with a delay operation and a time zone without a delay operation. FIG. 10 shows how the arrival interval of overlay traffic (hatched rectangle, black rectangle) changes depending on the presence or absence of a delay operation. Although it is difficult to see in FIG. 10, even if the arrival time interval of the black rectangular packet is the relay traffic of the overlay network, it should be statistically affected by the delay operation. On the other hand, if it is not relay traffic of the overlay network, there will be no significant difference in the arrival delay time interval regardless of whether or not there is a delay operation, or it should be smaller than the traffic of the overlay network. By detecting this difference, the traffic of the overlay network is specified.

  For example, for the IP packet of the same destination (or transmission source), the control unit 305 determines a statistically significant difference between arrival interval data in a time zone with a delay operation and arrival interval data in a time zone without a delay operation. Overlay traffic is detected (temporary detection) by detecting whether or not there is.

  If the traffic having a specific IP address becomes suspicious of relay traffic in the overlay network by the above operation, the verification operation is performed next. In the verification work, it is determined whether or not the packet to be transmitted was relayed by the PC of the overlay network by giving an extremely large delay time or setting the delay to 0 only for a packet with a high suspicion of overlay traffic. Let

  As in the first and second embodiments, the packet delay providing unit 301 is connected to the inbound line from the external ISP to the own ISP, and the mirroring unit 302, the packet arrival time measuring unit 303, and the packet transmission interval adjustment. The means 304 and the control means 305 may be connected to an outbound line from the local ISP to the external ISP, and information may be exchanged between the two (see FIG. 4), and the same function may be realized.

(C-3) Effects of the Third Embodiment According to the third embodiment, in addition to the same effects as those of the above-described embodiments, the packet length is changed when the PC of the overlay network transfers traffic. Even if the packet is transferred to a plurality of destinations, the overlay traffic can be distinguished from the traffic other than the overlay traffic.

  In the first embodiment, it is assumed that the overlay traffic has the following characteristics (1) and (2), and in the second embodiment, the following characteristic (3) is assumed.

(1) Overlay traffic sent from an ISP router to a PC and transferred from the PC to the ISP router again for the next PC will not have its payload divided or combined. . In other words, the packet length is not changed before and after the transfer.

(2) The overlay traffic transferred by the PC has a one-to-one correspondence between the input IP address and the output IP address (if a match search is performed with a combination so that even a combination of a plurality of IP addresses can be handled) Can be associated).

(3) The overlay traffic transferred by the PC is not detected in the plain text as being falsified. Winny, famous as P2P software, encrypts the data to be transferred with MD5, but the first 2 bytes are dummy random numbers and the next 4 bytes are MD5's common key. Since the key can be easily unlocked, the accuracy can be easily secured in the second embodiment by decrypting and operating the code.

  If these assumptions are not satisfied, the performance of the first and second embodiments may deteriorate. In the third embodiment, relay traffic of the overlay network is detected with high accuracy even in the cases (1) to (3).

(D) Fourth Embodiment Next, a fourth embodiment of the overlay traffic detection system according to the present invention will be described in detail with reference to the drawings.

(D-1) Configuration of the Fourth Embodiment FIG. 11 is a block diagram showing a detailed configuration of the overlay traffic detection apparatus 400 of the fourth embodiment.

  The overlay traffic detection apparatus 400 of the fourth embodiment is installed inside a router or between a router and a subscriber's PC. If the subscriber cooperates, it may be installed inside the subscriber PC. FIG. 11 shows a case where it is installed between the router of the ISP network and the subscriber's PC (see FIG. 8).

  In FIG. 11, an overlay traffic detection apparatus 400 according to the fourth embodiment includes a packet discard / retransmission packet monitoring unit 401, a mirroring unit 402, a packet flow rate monitoring / retransmission request monitoring unit 403, and a control unit 404.

  In the third embodiment, a delay is given to the traffic in the delay grant time zone, and there is a significant difference in the arrival interval of the overlay traffic from the overlay node between the delay grant time zone and the non-delay time zone. Overlay traffic is detected based on the fact that there is no significant difference in the arrival interval of non-overlay traffic (traffic other than overlay traffic).

  In the fourth embodiment, instead of a delay operation, a discard operation is used to detect overlay traffic.

  The packet discard / retransmission packet monitoring unit 401 controls a certain packet flow from the router of the ISP network having the same transmission source and the same destination IP address to the PC under the control of the control unit 404 in the period with the discard operation (a fixed time). The packet is intentionally discarded as long as the transmission quality assurance contract (SLA) is satisfied. The packet discard / retransmission packet monitoring unit 401 monitors retransmission of the discarded packet, and provides the control unit 404 with information on the retransmission packet. This information is also used for determination of overlay traffic, as will be described later.

  The mirroring means 402 copies and takes out the traffic from the PC to the router of the ISP network, gives it to the flow rate monitoring / retransmission request monitoring means 403, and outputs the copy source traffic as it is.

  The packet flow rate monitoring / retransmission request monitoring unit 403 obtains the traffic data amount (packet flow rate or packet flow rate per unit time) of the same destination based on the copied traffic. Further, the packet flow rate monitoring / retransmission request monitoring unit 403 monitors a retransmission request under the control of the control unit 404. The reason for monitoring the retransmission request will be clarified in the operation section.

  The control unit 404 determines whether there is a difference in data amount between the period with a discard operation and the period without a discard operation, the presence of a retransmission request, and the like, and determines whether there is overlay traffic.

(D-2) Operation of the Fourth Embodiment Next, the operation of the overlay traffic detection apparatus 400 of the fourth embodiment will be described.

  In the fourth embodiment, the traffic from the router to the PC is input to the packet discard / retransmission packet monitoring means 401 of the overlay traffic detection device 400, where a certain packet stream having the same source and the same destination IP address is input. With regard to the packet, the packet is intentionally discarded within a range that satisfies the SLA for a certain time.

  On the other hand, the traffic from the PC to the router is copied by the mirroring means 402 of the overlay traffic detection device 400, inputted to the packet flow rate monitoring / retransmission request monitoring means 403, and inputted by the packet flow rate monitoring / retransmission request monitoring means 403. The packet flow is monitored. Instead of monitoring by mirroring, the packet flow monitoring / retransmission request monitoring unit 403 may be sent to the router through the packet flow monitoring / retransmission request monitoring unit 403.

  The time period during which the packet discard / retransmission packet monitoring unit 401 performs packet discard as described above is estimated to reduce the amount of overlay traffic transferred compared to the time period when the packet discard is not performed. By detecting traffic in which the amount of traffic (packet flow rate) is decreasing, overlay traffic can be estimated. In some cases, an overlay network is equipped with a protocol for performing retransmission control of discarded packets using End-End. In such a case, the retransmission request is issued from the transfer destination on the overlay to the transmission source of the discarded packet even though the end point of the packet is the PC. Therefore, although not shown in FIG. 11, overlay traffic can be detected by monitoring whether a packet estimated to be a retransmission request does not flow in the reverse direction. In addition, after a packet estimated to be a retransmission request is sent to the router side, it seems that a retransmission packet is sent from the router to the PC, so this is detected both between the router and the PC and between the PC and the router. Improve estimation accuracy by checking if possible. In general, all the retransmission request packets have the same length, and the retransmission packet can be expected to be equal to the packet length of the discarded packet. If there is a packet having a packet length (this length or length range is set) that is likely to be adopted by the retransmission request packet within the period with the discard operation and within a predetermined time immediately after that Estimated retransmission request packet. Note that it is sufficiently expected that the destination IP address of the retransmission request is different from the source IP address of the discarded packet. This is because the source IP address of the discarded packet is often forged. If there is a packet of the same source and destination as the discarded packet that has the same packet length as that of the discarded packet within the period with the discarded operation and within the predetermined time immediately after that, it is likely that the packet is a retransmitted packet. It is. Note that a method for recognizing a retransmission packet or a retransmission request packet is not limited to this method.

  If the control unit 404 discards a packet with respect to a certain traffic flow, and there is no traffic flow to be reduced and a retransmission request is made or there is no traffic that seems to be retransmitted, the discarded flow is irrelevant to the overlay. Presumably traffic.

  In the above description, the packet is actively (intentionally) discarded. However, the PC or router may be discarded due to insufficient processing capability without intentionally discarding the packet. Therefore, it is possible to detect overlay traffic by monitoring a packet loss that occurs naturally without causing packet discard actively, a change in traffic caused by this, and a packet that is estimated to be a retransmission request or retransmission. good.

  As in the first to third embodiments, the packet discard / retransmission packet monitoring means 401 is connected to the inbound line from the external ISP to the own ISP, and the mirroring means 402, the packet flow rate monitoring / retransmission request monitoring means. The same function may be realized by connecting the 403 and the control unit 404 to an outbound line from the local ISP to the external ISP and exchanging information between the two (see FIG. 4).

(D-3) Effect of the Fourth Embodiment According to the fourth embodiment, it is possible to identify traffic in the overlay network based on fluctuations in the amount of data due to packet discard, presence / absence of retransmission, and the like.

(E) Fifth Embodiment Next, a traffic monitoring / control system according to a fifth embodiment of the present invention will be described in detail with reference to the drawings.

(E-1) Configuration of Fifth Embodiment A traffic monitoring / control system 500 according to the fifth embodiment is a system for filtering overlay traffic, and has the configuration shown in FIG.

  A traffic monitoring / control system 500 according to the fifth embodiment includes an overlay traffic detection system 501, a route information acquisition unit 502, and a control unit 503, and a filtering request unit 504 is provided inside the control unit 503. .

  The overlay traffic detection system 501 corresponds to any of the overlay traffic detection systems of the first to fourth embodiments, and provides overlay traffic information to the control means 503.

  The route information acquisition unit 502 acquires the route information of the route information table 505 in the router (not limited to one) under the control of the control unit 503.

  Based on the overlay traffic information given from the overlay traffic detection device 500 and the route information acquired from the router, the control means 503 determines a location for filtering the overlay traffic, and the filtering request means 504 performs filtering within the corresponding router. The means 506 is requested to perform filtering.

(E-2) Operation of Fifth Embodiment Next, the operation of the traffic monitoring / control system 500 of the fifth embodiment, particularly, the operation for filtering the overlay traffic will be described.

  The overlay traffic information output from the overlay traffic detection system 501 of the first to fourth embodiments is input to the control means 503. In the control means 503, information related to the traffic that matches the destination of the overlay traffic and the source IP address information is retrieved from the route information table 505 of the router by the route information acquisition means 502, and the traffic on the overlay network is specifically obtained. To be specific.

  Then, the control unit 503 controls the router via the filtering request unit 504 so that the traffic of the specified overlay network does not pass through the router or passes through with a narrow band. It may be requested to add a delay to such traffic. Further, instead of performing the process of narrowing or not passing the bandwidth of the overlay network, an operation of setting a route table of the router so as to pass through a different route may be performed. In this case, it is preferable that the alternative route has the least influence on other traffic.

(E-3) Effect of Fifth Embodiment According to the fifth embodiment, it is possible to delete or reduce undesirable traffic on the overlay network. As a result, the influence on other traffic can be reduced.

(F) Other Embodiments In the first to fifth embodiments described above, overlay traffic detection methods using different methods are applied. However, two or more of these methods are applied in combination to improve detection accuracy. May be.

  In the first to fifth embodiments, the configuration for obtaining information for determining the overlay traffic and the configuration for determining the overlay traffic (profile correlation / threshold determination means, control means) are mounted on the same apparatus. However, it may be mounted on a different device.

It is a block diagram which shows the detailed structure of the overlay traffic detection apparatus which concerns on 1st Embodiment. It is a block diagram which shows the physical connection state of an example of an overlay network. It is a block diagram which shows the logical connection state of FIG. It is explanatory drawing of the installation position of the overlay traffic detection apparatus of FIG. It is explanatory drawing (1) of the detection method of the overlay traffic in 1st Embodiment. It is explanatory drawing (2) of the detection method of the overlay traffic in 1st Embodiment. It is a block diagram which shows the detailed structure of the overlay traffic detection apparatus which concerns on the deformation | transformation embodiment of 1st Embodiment. It is explanatory drawing of the installation position of the overlay traffic detection apparatus of FIG. It is a block diagram which shows the detailed structure of the overlay traffic detection apparatus which concerns on 2nd Embodiment. It is a block diagram which shows the detailed structure of the overlay traffic detection apparatus which concerns on 3rd Embodiment. It is a block diagram which shows the detailed structure of the overlay traffic detection apparatus which concerns on 4th Embodiment. It is a block diagram which shows the structure of the traffic monitoring and control system 500 which concerns on 5th Embodiment.

Explanation of symbols

  100-1, 100-2, 100A, 200, 300, 400 ... overlay traffic detection device, 101, 101-1, 101-2 ... mirroring means, 102, 102-1, 102-2 ... traffic information measuring means, 103 , 103-1, 103-2 ... traffic profile creation means, 104, 104-1, 104-2 ... communication means, 105, 105-1, 105-2 ... profile correlation calculation / threshold judgment means, 201 ... packet mark Assigning means 202 ... Packet mark detecting means 203 ... Packet mark removing means 204 ... Control means 205 ... Mark / packet correspondence information table 301 ... Packet delay giving means 302 ... Mirroring means 303 ... Packet arrival time measuring means , 304 ... Packet transmission interval adjusting means, 305 ... Controller , 401 ... Packet discard / retransmission packet monitoring means, 402 ... Mirroring means, 403 ... Packet flow rate monitoring / retransmission request monitoring means, 404 ... Control means, 500 ... Traffic monitoring / control system, 501 ... Overlay traffic detection system, 502 ... Path Information acquisition means, 503... Control means, 504.

Claims (19)

At least two-direction traffic information measuring means for obtaining characteristic information of the traffic from the input traffic so that the traffic can be examined in at least two directions;
Correlation degree calculation / threshold judgment means for obtaining a correlation degree of the acquired feature information of traffic in different directions and judging whether or not it exceeds a set threshold value,
As a result of the above correlation degree calculation / threshold judgment means, traffic that has flowed into a certain network once goes out of the network, then returns to the network, and there is overlay traffic that is output to another network again. An overlay traffic detection system that outputs as an indication of whether or not. At least two-direction traffic information measuring means for obtaining characteristic information of the traffic from the input traffic so that the traffic can be examined in at least two directions;
Profile creating means for separately storing characteristic information of traffic acquired from the traffic information measuring means according to specific identification information such as a destination IP address, a source IP address, and a port number of a packet included in the traffic; ,
Correlation calculation / threshold for determining the degree of correlation of characteristic information of traffic separated for each specific identification information in different directions acquired by the profile creation means and determining whether or not it exceeds a set threshold Determination means,
As a result of the above correlation degree calculation / threshold judgment means, traffic that has flowed into a certain network once goes out of the network, then returns to the network, and there is overlay traffic that is output to another network again. An overlay traffic detection system characterized in that it is output as an indication of whether or not. A profile that combines the characteristic information of traffic and the information that identifies traffic,
3. The overlay traffic detection system according to claim 2, wherein said correlation degree calculation / threshold judgment means uses one profile to be compared for specifying traffic and the other profile is used for obtaining a correlation degree. . Of the information accumulated by said profile creation means, as the information for identifying the traffic, using the IP address information of the destination and or source, the appearance order or frequency of the same packet length as a characteristic information, determine the degree of correlation 4. The overlay traffic detection system according to claim 2, wherein the overlay traffic detection system is used as an index.   The first traffic information measurement means is installed between connection interfaces from an external network to the own network, and the second traffic information measurement means is installed between connection interfaces from the own network to the external network, As the profile creation means, those corresponding to the first and second traffic information measurement means are provided, and the profile correlation calculation / threshold judgment means processes those created by these profile creation means. The overlay traffic detection system according to any one of claims 2 to 4,   The overlay traffic detection system according to any one of claims 1 to 4, wherein the traffic information measuring means in two directions is provided in an uplink / downlink bidirectional interface between the local network and the subscriber terminal. . An identifier adding / recognizing means for outputting after giving an identifier to traffic in a certain direction inputted, or recognizing what can be an identifier,
Identifier detection means for detecting whether there is an identifier given or recognized by the identifier assignment / recognition means for the traffic in the other direction that has been input,
Based on the detection result of the identifier detection means, it is determined whether or not there is overlay traffic to be output to another network after the traffic that has flowed into the network once goes out of the network and then returns to the network. An overlay traffic detection system characterized in that it is output as a representation. The identifier assigning / recognizing means assigns an identifier,
The overlay traffic detection system according to claim 7, further comprising: an identifier removing unit that removes and outputs an identifier when there is an inputted traffic in another direction.   The identifier assigning / recognizing means is installed between connection interfaces from an external network to the own network, and the identifier detection means is installed between connection interfaces from the own network to the external network. The overlay traffic detection system according to claim 7 or 8.   The identifier assigning / recognizing means is provided in a downstream interface from the own network to the subscriber terminal, and the identifier detecting means is provided in an upstream interface from the subscriber terminal to the own network. The overlay traffic detection system according to claim 7 or 8. A delay giving means for selectively giving a specified delay time only for a specified period to traffic inputted in a certain direction, and outputting without delay outside the specified period;
Arrival time measuring means for measuring the arrival time of the traffic in the other direction input;
The correspondence relationship between the delay time given by the delay giving means and the arrival time interval measured by the arrival time measuring means is confirmed, and it is determined whether the traffic given the delay time has been inputted to the arrival time measuring means. Delay added traffic detection means,
Whether or not there is overlay traffic to be output to another network after the traffic that has flowed into a certain network once goes out of the network, returns to the same network, and returns to another network. An overlay traffic detection system characterized in that it is output as a representation.   12. Overlay traffic detection according to claim 11, further comprising transmission interval adjusting means for adjusting the transmission interval of traffic when there is a delay added in the traffic in the other direction inputted. system.   The delay providing means is installed between the connection interfaces from the external network to the own network, and the arrival time measuring means and the delay adding traffic detection means are installed between the connection interfaces from the own network to the external network. 13. The overlay traffic detection system according to claim 11 or 12, characterized in that:   The delay providing means is provided in a downstream interface from the own network to the subscriber terminal, and the arrival time measuring means and the delay adding traffic detecting means are provided in an upstream interface from the subscriber terminal to the own network. 13. The overlay traffic detection system according to claim 11 or 12, wherein the overlay traffic detection system is used. Traffic discarding means for selectively discarding traffic in a certain direction for a specified period;
Traffic observation means for observing traffic in other directions input;
Based on the traffic selectively discarded by the traffic discarding means and the change in the appearance of the traffic observed by the traffic observation means, the traffic observed by the traffic observation means is related to the same traffic as the discarded traffic. Discard traffic detection means for detecting,
Whether or not there is overlay traffic to be output to another network after the traffic that has flowed into a certain network once goes out of the network, returns to the same network, and returns to another network. The overlay traffic detection system is characterized in that it is output as representing   The traffic discarding unit is installed between the connection interfaces from the external network to the own network, and the traffic observation unit and the discarded traffic detection unit are installed between the connection interfaces from the own network to the external network. The overlay traffic detection system according to claim 15.   The traffic discarding means is provided in the downstream interface from the own network to the subscriber terminal, and the traffic observation means and the discarded traffic detection means are provided in the upstream interface from the subscriber terminal to the own network. The overlay traffic detection system according to claim 15, wherein: Traffic discarding means for selectively discarding traffic in a certain direction for a specified period;
Traffic observation means for observing traffic in other directions input;
From the traffic selectively discarded by the traffic discarding means and the change in the appearance status of the traffic observed by the traffic observation means, the traffic of the retransmission request for the selectively discarded traffic or the retransmission traffic is also transmitted in the other direction. A discarded traffic detection means for detecting whether the traffic is related to the same traffic as the discarded traffic,
Whether or not there is overlay traffic to be output to another network after the traffic that has flowed into a certain network once goes out of the network, returns to the same network, and returns to another network. The overlay traffic detection system is characterized in that it is output as representing An overlay traffic detection system according to any of claims 1 to 18,
Filtering means installed in connection with the router for selectively excluding specific traffic;
A traffic monitoring / control system comprising: control means for controlling the filtering means to exclude the traffic detected by the overlay traffic detection system as overlay traffic.

Images