KR100736054B1 - Method for analyzing and monitoring of personal computer traffic based on Ethernet packet analysis - Google Patents

Abstract

The present invention relates to a PC traffic analysis and monitoring method based on Ethernet packet analysis, wherein the collected network packets are collected by Ethernet protocol, IP protocol, IP address of counterpart, TCP / UDP port of agent, TCP of counterpart Analyze by various methods such as / UDP port. Also, in order to monitor abnormal traffic, PPS (Packet Per Second) and BPS (Bits Per Second) of the input and output directions of all network packets collected are analyzed and abnormal traffic has been generated when the preset value is exceeded. Alarm. In addition, when abnormally excessive traffic occurs, the operation of the network interface card (NIC) of the PC is stopped to prevent abnormally excessive traffic from leaking to the outside.

According to the present invention, abnormally excessive input or output of traffic can be monitored and blocked at the PC level, and active countermeasures can be proactively compared to a conventional PC security system that analyzes or blocks only a predetermined type of traffic. It can also easily provide structured traffic analysis data to analyze the type of network traffic usage.

Ethernet, PC, Packet, Traffic, Analysis, Surveillance, Block

Description

Method for analyzing and monitoring of personal computer traffic based on Ethernet packet analysis}             

1 is a flow chart of a preferred embodiment according to the present invention,

2 is an example of a traffic monitoring item that can be monitored in the present invention,

3 is an example of a data structure used to analyze a packet in basic period units;

4 is an example in which the data structure of FIG. 3 is extended to the entire traffic analysis item;

5 shows an example of extending the analysis period using the basic period unit.

The present invention relates to a PC traffic analysis and monitoring method based on the Ethernet packet analysis, in particular to analyze and monitor the network traffic of a personal computer (PC) through periodic Ethernet packet analysis, to the abnormally excessive traffic It's about how you can take action effectively at the PC level.

As the use of the Internet has become more common, the amount of network traffic used by personal computers has increased. Therefore, the necessity of analyzing these traffics to determine which traffic is mainly used, which PCs generate a lot of traffic, or which PCs generate abnormally excessive traffic is increased. In particular, since viral traffic causes abnormally excessive traffic and puts a heavy load on the network, seriously hindering the smooth flow of traffic, there is a greater need to detect abnormally excessive traffic quickly.

Conventionally, in order to meet this need, a system installed in a PC for security or a Netflow analysis system used for analyzing network traffic is used. Conventional PC security systems use a protocol or port blocking method in which viral traffic may occur in advance, and focus on monitoring viral traffic rather than overall traffic analysis. As a result, it is unable to monitor traffic that has not been blocked in advance, and does not provide overall traffic analysis information of the PC.

In addition, Netflow analysis system collects and analyzes Netflow packet data provided by the router in the central system, performs traffic analysis only, and can be analyzed only by providing Netflow packet in the router, and controls the traffic of each PC. You can't.

Accordingly, the present invention has been proposed to solve the above problems, taking advantage of both the advantages of the system for PC security and the advantages of the Netflow analysis system to effectively analyze the traffic of the PC itself to analyze and monitor abnormal traffic, and also to formalize it. Its purpose is to provide a method for easily and quickly analyzing the traffic of the entire network by providing the result of the traffic analysis.

In order to achieve the above object, the PC traffic analysis and monitoring method based on the Ethernet packet analysis according to the present invention, based on the schedule information among the information constituting the packet of the packet collected on the Ethernet and the header of the collected packet A collection step of storing each packet type for each period T; Analyzing the information stored in the collection step for each traffic monitoring item and storing / managing the analysis result; And a management step of generating an alarm or blocking traffic of the corresponding PC according to the analysis result.

The traffic monitoring items are PPS (Packets Per Second) of all traffic, BPS (Bits Per Second) of all traffic, PPS of Ethernet protocol, PPS of IP protocol, PPS of TCP / UDP port, PPS of TCP / SYN, TCP ACK PPS, abnormal source IP address PPS, etc. can be configured to preferably be implemented.

In addition, the analyzing step may further include the step of collecting a plurality (n) of information stored for each of the basic period (T), it may be configured to perform the analysis of the traffic monitoring items for each period of (T * n). have. This enables unit analysis of 10 seconds, 1 minute, 10 minutes, 30 minutes, 1 hour, etc., which is an integer multiple of the base time (eg 1 second).

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

Referring to FIG. 1, in the collecting step S11, the packet flowing on the Ethernet 1 is collected, and important information necessary for packet analysis among the information constituting the header of the collected packet is packet every basic period T. Store by type.

This process can be performed by using any method for collecting packets on Ethernet 1, and is a process of collecting only its own packets. At this time, only the header information necessary for traffic analysis among the header information of the collected packets is stored as packet summary information. The basic period T means a basic time interval (eg, 1 second) for collecting packets flowing on the Ethernet, and the packet information collected in the collecting step is refreshed at every basic period.

In the analysis step S12, the packet summary information stored in step S11 is analyzed for various traffic monitoring items, and the analysis result is stored and managed as traffic information.

In this case, the traffic monitoring items are packets per second (PPS) of all traffic, bits per second (BPS) of all traffic, PPS of Ethernet protocol, PPS of IP protocol, PPS of TCP / UDP port, It is preferable to configure PPS of TCP / SYN, PPS of TCP ACK, PPS of abnormal source IP address, and the like. By analyzing each of these traffic monitoring items in the input and output directions, a total of 15 types of traffic monitoring items can be analyzed and monitored.

'PPS of total traffic' item means to analyze PPS (Packets Per Second) of all collected packets, and 'BPS of total traffic' means to analyze BPS (Bits Per Second). The 'PPS of Ethernet protocol' item means to analyze PPS by Ethernet protocol, and the 'PPS of IP protocol' item means to analyze PPS by IP protocol. The 'PPS of TCP / UDP port' item means to analyze PPS for each TCP / UDP port, and the 'PSP of TCP SYN' item means to analyze only TCP SYN packets. 'PSP of TCP ACK' item means to analyze only TCP ACK packet, and 'PPS of abnormal source IP address' means to analyze packet generated by using IP address other than IP address set in own PC. do.

The analysis of each traffic monitoring item may be configured to be performed by basic period (preferably 1 second) as shown in the example shown in FIG. 3 is an example of a data structure analyzed every second, and is the most basic structure of traffic analysis used in the present invention. For example, suppose a packet is analyzed for each Ethernet protocol. The type of data is determined according to Ethernet protocol values of the collected packets. Initially, each data of FIG. 3 is empty, and the first data information is stored in # 1. For the second data, it is stored in # 1 if it is the same type of protocol as the first data, and in # 2 if it is another kind of data. In this way, up to 'max' sorted data can be stored, which is erased and refilled in seconds. That is, the analysis data for all traffic monitoring items may be stored in units of seconds (basic period) according to the format shown in the example of FIG. 3.

In the management step S13, an alarm is generated or the traffic of the PC is blocked according to the stored traffic information as the analysis result in the analysis step S12.

That is, in the management step (S13), it is determined whether or not to generate any alarm or to block the traffic of the PC according to the analysis result in the analysis step (S12). At this time, an event may be generated for each traffic monitoring item, and a reference value for blocking traffic is set in advance. If the analyzed result exceeds the set threshold value, an alarm is issued to notify this or the 'Admin Status' of the LAN card (NIC) is prevented to prevent abnormally excessive traffic from leaking to the outside.

On the other hand, the analysis of the traffic can be done for each of the basic period (T), the analysis period can be adjusted as needed. That is, the analyzing step (S12) may further comprise a step of collecting a plurality (n) of information stored for each basic period (T), it can be configured to perform the analysis by traffic monitoring items for each (T * n) period. have. For example, the traffic may be analyzed according to one second, ten seconds, one minute, ten minutes, thirty minutes, one hour, or another predetermined time interval.

FIG. 4 shows an example in which the data of the second unit shown in FIG. 3 is expanded for each traffic analysis item. That is, in case of analysis by Ethernet protocol, the maximum number of data (max) is kept for 1 second in the direction of each input or output according to the type of Ethernet protocol.

The same is true for analysis by IP protocol, analysis by IP protocol, analysis by IP address, analysis by local TCP / UDP port, and analysis by relative TCP / UDP port. In addition, only one kind of analysis data needs to have one data space, and in particular, analysis by an abnormal source IP address only needs data in the output direction.

Referring to FIG. 5, the second analysis data of each traffic analysis item as shown in the example of FIG. 4 may be extended to data of up to 1 hour. That is, ten pieces of one-second data are collected into ten-second data, and six pieces of ten-second data are collected to form one minute of data. In this way, data can be expanded to store and analyze data for up to one hour.

More specifically, in order to analyze data, first, second data is copied every second, as shown in the example shown in FIG. Prior to this copy, the existing data must be moved, moving the data one second at a time. In other words, after moving the data by moving the data of # 9 to # 10 and copying the data of # 8 to # 9, and copying the new second data to # 1, The data collection e1 is completed.

The data in 1 second should be revised every second, and the data in 10 seconds should be revised every 10 seconds. That is, every 10 seconds have elapsed, and new 10-second data is input to the storage space of 10 data units of one second.

When these 10 data are added together, new 10-second data is created, and the data is stored in the first storage space (e2- # 1) of the 10-second data storage space in the same way as the 1-second data is processed. The data up to the remaining one hour are analyzed, moved and stored in a similar way at the exact time.

On the other hand, when the second unit data of the example shown in FIG. 4 is copied to the data structure of the example shown in FIG. 5 or the data is added to the storage location of the next stage by adding the data inside the example shown in FIG. It is preferable to perform the descending sorting order of moving the kind having the most packets as the reference to the first (# 1). In this manner, the data of 1 second unit is modified every second, the data of 10 second unit is 10 seconds apart, the data of 1 hour unit is modified every 1 hour, it can be configured to have a traffic history of up to 1 hour.

The present invention is not limited to the above-described embodiments and can be variously modified and implemented by those skilled in the art without departing from the technical spirit of the present invention.

According to the present invention, abnormally excessive input or output of traffic can be monitored and blocked at the PC level, and active countermeasures can be proactively compared to a conventional PC security system that analyzes or blocks only a predetermined type of traffic. It can also easily provide structured traffic analysis data to analyze the type of network traffic usage.

Claims (4)

A collection step of collecting packets flowing on Ethernet and storing information set as an analysis target among information constituting the header of the collected packets for each packet type at a basic period T; Setting at least one type of data to be monitored for each of the at least one traffic monitoring item; Analyzing packets per second (PPS) for the at least one traffic monitoring item by accumulating the number of collected packets and the number of bytes corresponding to the set data based on the information stored in the collecting step; And Including an administrative step of generating an alarm or blocking the traffic of the PC according to the analysis result, The at least one traffic monitoring item includes at least one of PPS (Packets Per Second) of Ethernet protocol, PPS of IP protocol, PPS of TCP / UDP port, PPS of TCP / SYN, PPS of TCP ACK, and PPS of abnormal source IP address. PC traffic analysis and monitoring method based on Ethernet packet analysis, characterized in that one. delete delete The method of claim 1, The analyzing may further include collecting a plurality (n) of information stored for each basic period (T), so that the traffic monitoring item analysis may be performed for each (T * n) period. PC traffic analysis and monitoring method based on Ethernet packet analysis, characterized in that.

Images