WO2008062787A1 - Apparatus and method for restricting flow information - Google Patents
Apparatus and method for restricting flow information
- Publication number
- WO2008062787A1 (PCT/JP2007/072456)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- flow information
- flow
- information
- aggregation
- item
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/30—Flow control; Congestion control in combination with information about buffer occupancy at either end or at transit nodes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/04—Network management architectures or arrangements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/34—Signalling channels for network management communication
- H04L41/344—Out-of-band transfers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/02—Capturing of monitoring data
- H04L43/026—Capturing of monitoring data using flow identification
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/12—Avoiding congestion; Recovering from congestion
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/19—Flow control; Congestion control at layers above the network layer
- H04L47/193—Flow control; Congestion control at layers above the network layer at the transport layer, e.g. TCP related
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2441—Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/41—Flow control; Congestion control by acting on aggregated flows or links
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/12—Avoiding congestion; Recovering from congestion
- H04L47/129—Avoiding congestion; Recovering from congestion at the destination endpoint, e.g. reservation of terminal resources or buffer space
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Definitions
- The present invention relates to a network device used in an open network environment such as the Internet, and in particular to information communication equipment, such as a node, that can collect information (flow information) for measuring traffic on the network.
- IP: Internet Protocol
- Flow measurement is a method of classifying the type of communication based on information held by such packets.
- Packets having the same attributes, for example the same value for each of the items protocol, source IP address, destination IP address, source port and destination port, are regarded as packets belonging to the same communication.
- a set of packets belonging to the same communication is called a flow.
- The Internet is constructed by interconnecting multiple networks, each including multiple routers that perform route control, and packets sent from a source reach their destination via several routers.
- a router transfers packets by referring to the packet IP header and, in some cases, the transport layer header, and is therefore suitable as a device for classifying flows.
- NetFlow (see Non-Patent Document 1)
- IPFIX: IP Flow Information eXport
- A measurement packet, obtained by packetizing the flow information according to a specific format, is sent from the router to a measurement terminal on the network, which makes it possible to grasp the communication passing through that node.
- When attack traffic occurs, such as a DDoS attack that keeps sending a large amount of data from distributed source addresses, or a port scan that attempts connections to all ports of the target host in order to detect vulnerabilities, the number of flows increases rapidly.
- According to Non-Patent Document 3, IPFIX, which performs flow information notification, uses UDP (User Datagram Protocol), which has no congestion control, and TCP (Transmission Control Protocol), which performs congestion control, as transport protocols.
- SCTP: Stream Control Transmission Protocol
- When the flow transmitter transmits using UDP, which has no congestion control function, and the number of flows increases rapidly, the number of packets transmitted from the flow transmitter (such as a router) to the measurement terminal also increases. As a result, congestion may occur in the measurement network between the flow transmitter and the measurement terminal.
- Non-Patent Document 1: B. Claise, "Cisco Systems NetFlow Services Export Version 9", RFC 3954 (Informational), October 2004, http://www.ietf.org/rfc/rfc3954.txt (accessed Sep. 8, 2006)
- Non-Patent Document 2: Cristian Estan, Ken Keys, David Moore, George Varghese, "Building a better NetFlow", ACM SIGCOMM Computer Communication Review, Vol. 34, Issue 4, pp. 245-256 (2004)
- Non-Patent Document 3: B. Claise, "IPFIX Protocol Specification", Internet Draft, June 2006, http://tools.ietf.org/id/draft-ietf-ipfix-protocol-22.txt
Disclosure of the invention
- FIG. 20 shows an information communication system that performs packet communication through the Internet including a measurement network.
- The Internet 10 is formed by connecting a plurality of networks including a plurality of nodes 12 to 14 and 111; nodes 12 to 14 and 111 are connected so as to be able to communicate with each other.
- the node 111 is connected to the measurement terminal 20 and the terminal 30.
- A terminal 41 is connected to node 12, a terminal 42 is connected to node 13, and a terminal 43 is connected to node 14.
- Each of measurement terminal 20 and terminals 30 and 41 to 43 is a computer system having a communication function.
- The main parts of the computer system are a storage device that stores programs, input devices such as a keyboard and mouse, a display device such as a CRT or LCD, a communication device such as a modem that communicates with the outside, output devices such as a printer, and a control device that receives input from the input device and controls the operation of the communication device, output device and display device.
- Terminals 41 to 43 are client terminals, and terminal 30 is a server that provides communication services to the clients; communication is performed between the server and the clients.
- Terminals 41 to 43 may be infected with a virus or worm, or may be illegally controlled by a third party. In such a case, terminals 41 to 43 perform a network attack on terminal 30.
- The source addresses are distributed, or may appear distributed because the source address is spoofed. When a large amount of data with distributed source addresses arrives at the node in this way, abnormal traffic occurs.
- Traffic flowing on the network for which node 111 serves as a gateway, such as traffic addressed to terminal 30, increases. This increase in traffic causes problems such as congestion of the communication on the measurement network at node 111 and failure to transmit information on the entire observed traffic.
- the node 111 transmits a measurement packet obtained by packetizing the flow information to the measurement terminal 20.
- Since UDP, which has no congestion control, is used as the transport protocol, the amount of measurement packets transmitted increases as the number of flows observed on node 111 increases. For this reason, congestion occurs in the measurement network between node 111 and measurement terminal 20, and secondary damage from the attack occurs.
- Measurement terminal 20 is arranged in order to detect abnormal traffic when a line used for normal communication, between node 111 and terminal 30 or between node 111 and the Internet 10, is in an abnormal state. However, if congestion occurs in the communication between node 111 and measurement terminal 20 because of a rapid increase in flows, the loss of measurement packets increases, making it difficult to perform sufficient measurement at measurement terminal 20. In addition, if other communications share that path, they may be adversely affected. In some cases, measurement terminal 20 may fall into a resource shortage state.
- An object of the present invention is to solve the above problems and to provide a flow information limiting device that can limit the number of flow information to be transmitted while maintaining measurement information of the entire traffic.
- The flow information limiting device of the present invention is arranged on a network that connects a plurality of terminals to each other, and is connected via a measurement network to a measurement terminal that measures the traffic in that network.
- In the flow information restriction device, a set of packets having the same attributes is defined as the same communication flow, and flow information is generated for each flow based on the header information of the packets.
- A flow information transmitting unit packetizes the flow information output from the flow information number limiting unit and transmits the packets on the measurement network.
- The flow information number limiting unit divides the stored flow information into non-aggregated flow information and aggregation candidates, whose necessity for traffic measurement is lower than that of the non-aggregated flow information, and aggregates the flow information determined to be aggregation candidates so that the number of pieces of flow information held in the management buffer becomes a certain number or less.
- Consequently, the number of pieces of flow information transmitted by the flow information transmitting unit on the measurement network is also limited to a certain number or less.
- According to the present invention, since only a certain number of pieces of flow information are transmitted on the measurement network even when the number of flows increases, congestion of the communication in the measurement network can be controlled even when a transport protocol without a congestion control function, such as UDP, is used.
- FIG. 1 is a block diagram showing an example of an information communication system to which the present invention is applied.
- FIG. 2 is a block diagram showing a configuration of a node which is an embodiment of the flow information restriction device of the present invention.
- FIG. 3 is a schematic diagram showing an example of the structure of a management buffer managed by the flow information number limiting function unit shown in FIG. 2.
- FIG. 4 is a diagram for explaining flow information and data structure definition information.
- FIG. 5 is a diagram for explaining a notification method using option information.
- FIG. 6 is a schematic diagram showing an example of definition information to which condition priority is given and conditions that are expanded and used by the definition information.
- FIG. 7 is a schematic diagram showing another example of definition information to which condition priority is given and conditions that are expanded and used by the definition information.
- FIG. 8 is a block diagram showing the configuration of a flow information processing unit that can accept external inputs related to priority.
- FIG. 9 is a diagram for explaining an input format of definition information.
- FIG. 10 is a diagram for explaining another input format of definition information.
- FIG. 11 is a flowchart showing a procedure of flow information aggregation processing performed by the flow information number limiting function unit shown in FIG.
- FIG. 12 is a schematic diagram showing an example of flow information aggregation by the flow information number limiting function unit shown in FIG. 2.
- FIG. 13 is a schematic diagram showing another example of flow information aggregation by the flow information number limiting function unit shown in FIG. 2.
- FIG. 14 is a schematic diagram showing another example of aggregation of flow information by the flow information number limiting function unit shown in FIG. 2.
- FIG. 15 is a diagram for explaining a procedure for creating a search index.
- FIG. 16 is a diagram for explaining another procedure for creating a search index.
- FIG. 17 is a diagram for explaining a method for suppressing a decrease in efficiency when a tree structure is recreated for each condition.
- FIG. 18 is a schematic diagram showing an example of collecting ports.
- FIG. 19 is a schematic diagram showing an example of collecting addresses.
- FIG. 20 is a block diagram showing a general configuration of an information communication system including a measurement network.
- FIG. 1 is a diagram illustrating an example of an information communication system to which the present invention is applied.
- the communication system is the same as the system shown in FIG. 20 except that node 11 is provided instead of node 111.
- the Internet 10 is a network in which a plurality of networks including a plurality of nodes 11 to 14 that perform packet transfer are connected to each other. Nodes 11 to 14 are connected to communicate with each other. The node 11 is connected to the measurement terminal 20 and the terminal 30.
- Node 11 differs from node 111 of the information communication system shown in FIG. in that it has a flow information processing unit 200 with a flow information aggregation function.
- FIG. 2 shows the configuration of the flow information processing unit 200 of the node 11 which is an embodiment of the flow information limiting device of the present invention.
- the flow information processing unit 200 includes a measurement network interface 201, a flow generation function unit 202, a flow information number limiting function unit 203, a flow transmission function unit 204, and an output network interface 205.
- the measurement network interface 201 is composed of a plurality of network interfaces that respectively collect packets that arrive from each terminal through the Internet 100. Packets collected by the measurement network interface 201 are supplied to the flow generation function unit 202.
- The flow generation function unit 202 is a flow generation function unit included in an existing transmission device that uses a flow notification protocol such as NetFlow or IPFIX.
- The flow generation function unit 202 generates flow information based on the header information of the packets collected through the measurement network interface 201. Specifically, it uses information contained in the packet header, such as the protocol, source IP address, destination IP address, source port and destination port, or information determined from the packet header, such as route information.
- Packets with the same information are regarded as packets belonging to the same communication, and information (flow information) about the flow, which is the set of those packets, is generated.
- Flow information generation processing, such as updating of time information based on the conditions for forming a flow, is also performed.
- flow information often includes protocol, source IP address, destination IP address, source port, and destination port information.
- the flow information generated by the flow generation function unit 202 is supplied to the flow information number limiting function unit 203.
- The flow information number limiting function unit 203 has a management buffer unit that temporarily stores and manages the flow information input from the flow generation function unit 202; flow information is read from the management buffer unit and supplied to the flow transmission function unit 204.
- An upper limit on the number of pieces of flow information managed by the management buffer is set in advance. When the number of pieces of flow information supplied from the flow generation function unit 202 per fixed time increases, the flow information number limiting function unit 203 divides the flow information group stored in the management buffer unit into aggregation candidates and non-aggregated flow information, and performs aggregation processing on the aggregation candidates.
- The upper limit is set taking into account the communication capacity of the measurement network (the network communication capacity between node 11 and measurement terminal 20), the processing capacity of the flow transmission function unit 204, the read speed from the management buffer unit, and so on, so that the management buffer unit and the internal buffer of the flow transmission function unit 204 do not overflow and congestion of the measurement network communication does not occur.
- The aggregation candidates are flow information whose importance for traffic measurement is lower than that of the non-aggregated flow information.
- The flow transmission function unit 204 is a flow transmission function unit provided in an existing transmission device that uses a flow notification protocol such as NetFlow or IPFIX. It has an internal buffer for temporarily storing the flow information supplied from the flow information number limiting function unit 203; the flow information read from the internal buffer is packetized to an appropriate size to generate measurement packets, a dedicated header is attached to each measurement packet, and the packets are sent out from the output network interface 205 to the network.
- the measurement packet sent from the output network interface 205 is supplied to the measurement terminal 20.
- the measurement network interface 201 and the output network interface 205 may be physically the same.
- These buffers may be partly or entirely independent storage areas, or may be shared.
- Since the flow information number limiting function unit 203 passes only a certain number or fewer pieces of flow information to the flow transmission function unit 204, regardless of the number of pieces of flow information input from the flow generation function unit 202, the number of measurement packets transmitted from node 11 to measurement terminal 20 is also limited to a certain number or less.
- FIG. 3 shows an example of the structure of the management buffer managed by the flow information number limiting function unit 203.
- The management buffer is composed of a buffer B1, in which the flow information input from the flow generation function unit 202 is rearranged and stored according to a ranking based on the measurement purpose, and buffers B2 to B7, provided for a plurality of aggregation conditions whose comparison items, taken from the items of the flow generation condition, differ from one another.
- Buffer B1 consists of a non-aggregation part B1-1 and an aggregation candidate part B1-2.
- Each flow information stored in the buffer B1 is flow information that satisfies the condition (flow generation condition) for identifying packets belonging to the same communication used in the flow information generation in the flow generation function unit 202.
- the flow generation conditions are conditions related to five items: protocol, source IP address, destination IP address, source port, and destination port.
- the flow generation conditions are not limited to the above five items.
- Information based on packet headers, such as the MAC address, IP address and port number, or information related to routing determined from such information, such as the next hop and AS number, can be used as the flow generation condition.
- The buffers for managing aggregated information are created by deleting some of the items of the original condition, and are not limited to the conditions exemplified by buffers B2 to B7 in FIG. 3.
- FIG. 4 shows an example of flow information and data structure definition information. According to this definition information, a 4-byte header common to definition information and flow information is followed by a 4-byte header for definition information, followed by the items that make up the flow information.
- In the 4-byte header common to definition information and flow information, an ID called SetID occupies 2 bytes and the length of the information occupies the next 2 bytes.
- The SetID is used to distinguish normal definition information, definition information for options, and the flow information and option information corresponding to those definitions.
- In NetFlow v9, 0 corresponds to normal definition information, 1 corresponds to option definition information, and values of 256 or more correspond to flow information / option information.
- In IPFIX, 2 corresponds to normal definition information, 3 corresponds to option definition information, and values of 256 or more correspond to flow information / option information.
- The header for normal definition information that follows the common 4-byte header consists of a 2-byte template ID and a 2-byte field count.
- The 2-byte template ID indicates which flow information data structure is being defined, and is the same as the SetID of the corresponding flow information.
- The field count indicates the number of items that follow.
- Each item constituting the field information is represented by 4 bytes: the first 2 bytes are the item ID and the last 2 bytes are the item size (number of bytes).
- In FIG. 4 there are 12 items making up the field information, and the ID and number of bytes of each item are shown.
- The first item is sourceIPv4Address (ID: 8), indicating the IPv4 source address, and the second item is destinationIPv4Address (ID: 12), indicating the IPv4 destination address.
- The data structure of the flow information is defined by these items.
- Not all items constituting the field information shown in FIG. 4 are used as flow generation conditions. For example, the counters (packetDeltaCount (ID: 2) and octetDeltaCount (ID: 1) in FIG. 4) and the time information (flowStartSysUpTime (ID: 22) and flowEndSysUpTime (ID: 21) in FIG. 4) cannot be used as flow generation conditions, and the remaining items are not necessarily all used as flow generation conditions either. NetFlow has no function for notifying which items are the flow generation conditions, so this depends on the device implementation; in IPFIX, an item that is a flow generation condition is called a flow key.
- FIG. 5 schematically shows a notification method using option information.
- When option information is indicated, the relationship between the option data structure definition information and the option information is the same as the relationship between the normal flow data structure definition information and the flow information.
- Option information carries information indicating its range of application, called a scope.
- A 2-byte scope field count follows the field count, and the items are enumerated after it; the first scope-field-count items form the scope.
- Here the scope is TemplateID (same usage as the template ID above), and a flowKeyIndicator that indicates the flow generation conditions is defined.
- Option information is created according to the option data structure definition information, with specific values set. For example, to indicate option information for the flow information shown in FIG. 4, the value corresponding to TemplateID is 256.
- The flowKeyIndicator is a 64-bit bitmap that indicates, with one bit per item, whether each item is used as a flow generation condition. In other words, the flowKeyIndicator can carry this information for up to 64 items counted from the top.
- When sourceIPv4Address, destinationIPv4Address, protocolIdentifier, sourceTransportPort and destinationTransportPort are the flow generation conditions, since they are the 1st, 2nd, 6th, 7th and 8th items from the top, the 1st, 2nd, 6th, 7th and 8th bits of the flowKeyIndicator are set to 1.
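The set header, template header and 4-byte field specifications described above, together with the flowKeyIndicator bitmap, as an added example in Python (not code from the patent): a parser for the template set and a builder/decoder for the bitmap. The element IDs 4, 7 and 11 for protocolIdentifier, sourceTransportPort and destinationTransportPort, the constructed sample template, and the mapping of the "first item from the top" to the least significant bit are assumptions, not taken from the page.

```python
import struct

# SetID values given on the page: IPFIX uses 2 for normal (template) definition information,
# NetFlow v9 uses 0; flow information records use SetIDs of 256 and above.
IPFIX_TEMPLATE_SET_ID = 2
NETFLOW9_TEMPLATE_SET_ID = 0

# Element IDs 8, 12, 1, 2, 21, 22 appear on the page (FIG. 4); 4, 7 and 11 are the IANA IPFIX
# IDs for protocolIdentifier, sourceTransportPort and destinationTransportPort (assumed here).
ELEMENT_NAMES = {
    1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
    7: "sourceTransportPort", 8: "sourceIPv4Address", 11: "destinationTransportPort",
    12: "destinationIPv4Address", 21: "flowEndSysUpTime", 22: "flowStartSysUpTime",
}
# Counters and time information can never be flow generation conditions (flow keys).
NON_KEY_ELEMENTS = {1, 2, 21, 22}


def build_template_set(set_id, template_id, fields):
    """Serialise a template set: 4-byte set header, 4-byte template header, 4-byte field specs."""
    body = b"".join(struct.pack("!HH", elem_id, size) for elem_id, size in fields)
    header = struct.pack("!HH", set_id, 8 + len(body)) + struct.pack("!HH", template_id, len(fields))
    return header + body


def parse_template_set(data):
    """Parse the structure of FIG. 4, validating every length field before trusting it."""
    if len(data) < 8:
        raise ValueError("truncated set header")
    set_id, length = struct.unpack("!HH", data[:4])
    if set_id not in (IPFIX_TEMPLATE_SET_ID, NETFLOW9_TEMPLATE_SET_ID):
        raise ValueError(f"SetID {set_id} is not a template set")
    if length < 8 or length > len(data):
        raise ValueError(f"set length {length} inconsistent with {len(data)} bytes available")
    template_id, field_count = struct.unpack("!HH", data[4:8])
    if template_id < 256:
        raise ValueError(f"template ID {template_id} collides with the reserved SetID range")
    if 8 + 4 * field_count > length:
        raise ValueError("field count runs past the declared set length")
    fields = [struct.unpack("!HH", data[8 + 4 * i: 12 + 4 * i]) for i in range(field_count)]
    return {"set_id": set_id, "template_id": template_id, "fields": fields}


def invalid_flow_keys(fields, key_ids):
    """Return the requested key IDs that are counters/timestamps or absent from the template."""
    present = {elem_id for elem_id, _size in fields}
    return {k for k in key_ids if k in NON_KEY_ELEMENTS or k not in present}


def flow_key_indicator(fields, key_ids):
    """Build the 64-bit flowKeyIndicator for a template: one bit per item, 1 = flow key.
    Assumption: the page's 'n-th item from the top' is bit n-1, so item 1 is the LSB."""
    if len(fields) > 64:
        raise ValueError("flowKeyIndicator covers at most 64 items")
    bad = invalid_flow_keys(fields, key_ids)
    if bad:
        raise ValueError(f"cannot be flow keys: {sorted(bad)}")
    bitmap = 0
    for pos, (elem_id, _size) in enumerate(fields, start=1):
        if elem_id in key_ids:
            bitmap |= 1 << (pos - 1)
    return bitmap


def key_positions(bitmap):
    """Inverse of flow_key_indicator: 1-based positions of the items flagged as flow keys."""
    return [i + 1 for i in range(64) if (bitmap >> i) & 1]


# Constructed sample template (ID 256, as in the page's option example): the five flow keys
# sit at positions 1, 2, 6, 7 and 8 from the top, the layout the page describes for FIG. 4.
SAMPLE_FIELDS = [(8, 4), (12, 4), (1, 8), (2, 8), (22, 4), (4, 1), (7, 2), (11, 2), (21, 4)]
SAMPLE_SET = build_template_set(IPFIX_TEMPLATE_SET_ID, 256, SAMPLE_FIELDS)
FLOW_KEY_IDS = {8, 12, 4, 7, 11}

if __name__ == "__main__":
    tmpl = parse_template_set(SAMPLE_SET)
    bitmap = flow_key_indicator(tmpl["fields"], FLOW_KEY_IDS)
    names = [ELEMENT_NAMES.get(e, f"id{e}") for e, _ in tmpl["fields"]]
    print(f"template {tmpl['template_id']} items: {names}")
    print(f"flowKeyIndicator = 0x{bitmap:016x}, flow keys at positions {key_positions(bitmap)}")
```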
- The user designates the ID and size of the items to be included in the transmitted flow information.
- A priority set by the user is further assigned to the items used as flow generation conditions.
- New conditions are created by deleting items, starting from the item with the lowest priority.
- FIG. 6 and FIG. 7 show examples of definition information to which condition priorities are assigned, together with the conditions that are expanded from it and used.
- In FIG. 6, the five items sourceIPv4Address, destinationIPv4Address, protocolIdentifier, sourceTransportPort and destinationTransportPort are each given a different value as the priority of the measurement condition. According to this ranking, one condition set is generated for each of the reduction numbers 0, 1, 2, 3 and 4, so at most five condition sets are generated.
- In FIG. 7, items having the same priority are used exclusively of one another, that is, as alternatives.
- The priority of sourceIPv4Address and destinationIPv4Address is 2.
- The priority of protocolIdentifier is 1.
- The priority of sourceTransportPort and destinationTransportPort is 4.
- One condition set is generated when the reduction number is 0, two when it is 1, one when it is 2, two when it is 3, and one when it is 4.
- the flow information processing unit 200 may be configured as shown in FIG.
- a flow information processing unit 200 illustrated in FIG. 8 includes a control unit 206 in addition to the configuration illustrated in FIG.
- Each of the flow generation function unit 202, the flow information number limiting function unit 203, and the flow transmission function unit 204 transmits and receives information to and from the control unit 206.
- The definition information input format can be CSV (comma-separated text) as shown in FIG. 9, space- or tab-delimited text, or a description language such as XML as shown in FIG. 10.
- The flow information generated by the flow generation function unit 202 is supplied to the flow information number limiting function unit 203, and before it is passed to the flow transmission function unit 204, the items deleted by the flow aggregation condition are either removed from the template or excluded from the flowKeyIndicator bitmap. Since each of these must be handled as a different template, different template IDs are assigned by the flow transmission function unit 204 and transmitted via the output network interface 205. In this way, the flow information number limiting function unit 203 holds the items corresponding to the packet attributes used by the flow generation function unit 202 for generating flow information, together with the externally input priority order of those items, and changes the comparison items step by step by repeatedly deleting the lowest-priority item from the flow information generation items.
- When the measurement purpose is to detect traffic whose data volume has been increased by an attack such as DoS, the flow information is rearranged according to the amount of data contained in the flow information. When the purpose is to detect traffic related to attacks such as TCP SYN DoS, the flow information is rearranged according to the number of messages such as SYN contained in the flow information. When the measurement purpose consists of multiple items, the flow information is rearranged after giving priorities and weights to the data counts of each item contained in the flow information. Statistical values such as the standard deviation and variance of these values can also be used as sorting indices. The sorting order can be switched between descending and ascending according to the purpose.
- Non-aggregation B1-1 stores, as non-aggregated flow information, the top N pieces of the rearranged flow information group, where N is the non-aggregated number given from the outside.
- Aggregation candidate B1-2 stores the remaining flow information of the sorted group as aggregation candidates.
- The flow information stored in non-aggregation B1-1 and aggregation candidate B1-2 is ranked lower toward the left side of the drawing and higher toward the right side.
- Buffer B2 stores an aggregated flow information group in which flow information matching four items of the flow generation condition (the aggregation condition), namely protocol, source address, destination address, and destination port, is aggregated.
- Buffer B3 stores an aggregated flow information group in which flow information matching the four items of protocol, source address, destination address, and source port among the flow generation condition is aggregated.
- Buffer B4 stores an aggregated flow information group in which flow information matching the three items of protocol, source address, and destination address among the flow generation condition is aggregated.
- Buffer B5 stores an aggregated flow information group in which flow information matching the two items of protocol and destination address among the flow generation condition is aggregated.
- Buffer B6 stores an aggregated flow information group in which flow information matching the two items of protocol and source address among the flow generation condition is aggregated.
- Buffer B7 stores an aggregated flow information group in which flow information matching the single item of protocol among the flow generation condition is aggregated.
- The aggregation conditions are ordered from the one with the most items to the one with the fewest, as buffers B2, B3, B4, B5, B6, and B7.
- In Fig. 3, the number of items constituting the condition increases toward the top of the drawing and decreases toward the bottom.
- The flow information number limiting function unit 203 sequentially reads the flow information from buffer B1 and supplies it to the flow transmission function unit 204.
- The flow information number limiting function unit 203 rearranges the flow information stored in buffer B1 according to the measurement purpose, stores the upper flow information in non-aggregation B1-1 and the lower flow information in aggregation candidate B1-2, and then executes the flow information aggregation process on the flow information (aggregation candidates) stored in aggregation candidate B1-2.
- The flow information stored in non-aggregation B1-1 is read out sequentially without being aggregated and supplied to the flow transmission function unit 204.
- The flow information stored in buffer B1 may be rearranged after it has been stored, or the flow information supplied from the flow generation function unit 202 may be stored in buffer B1 already in sorted order using an algorithm such as insertion sort.
- Figure 11 shows the flow information aggregation process.
- In step S1, it is determined whether or not the number of pieces of flow information stored and managed in the management buffer unit has exceeded the upper limit value. This determination is made at regular time intervals or whenever flow information is input from the flow generation function unit 202.
- The flow information stored in buffer B1 is rearranged and divided into aggregation candidates and non-aggregated flow information (step S2).
- The flow information with the lowest rank among the aggregation candidates is extracted as the aggregation target (step S3).
- The initial aggregation condition is set (step S4).
- The initial aggregation condition is a condition with one item fewer than the flow generation condition; specifically, the aggregation condition of buffer B2 shown in Fig. 3.
- A buffer corresponding to the aggregation condition is set as the search target buffer (step S5).
- Initially, buffer B2 is the search target buffer.
- In step S6, it is determined whether or not the search target buffer contains aggregated flow information that matches the aggregation target in all items of the set aggregation condition. If there is aggregated flow information matching all items of the aggregation condition, the aggregation target is aggregated with that aggregated flow information and stored in the buffer corresponding to the currently set aggregation condition (step S7). If multiple pieces of aggregated flow information matching all items of the aggregation condition are found in the search, all of them are aggregated with the aggregation target.
- If it is determined in step S6 that there is no aggregated flow information matching all items of the aggregation condition, it is determined whether or not the search target buffer set in step S5 is aggregation candidate B1-2 (step S8). If the target buffer is not aggregation candidate B1-2, the buffer one level higher than the current buffer (the buffer whose condition consists of more items) is set as the search target buffer (step S9), and the process proceeds to step S6.
- If it is determined in step S8 that the target buffer is aggregation candidate B1-2, it is determined whether or not the currently set aggregation condition is the condition with the fewest items (step S10). If the aggregation condition is not the condition with the fewest items, the aggregation condition is changed to a condition with one item fewer than the current condition (step S11), and the process proceeds to step S5. If the aggregation condition is the condition with the fewest items, the aggregation target is stored in the buffer of the condition with the fewest items (step S12).
- In step S2, the upper flow information is stored in non-aggregation B1-1 and the lower flow information in aggregation candidate B1-2. Then, in step S3, the flow information with the lowest rank among the flow information stored in aggregation candidate B1-2 is extracted as the aggregation target. In Fig. 3, the leftmost flow information in aggregation candidate B1-2 is the aggregation target.
- In step S4, the condition with one item fewer than the flow generation condition (the aggregation condition of buffer B2) is set as the initial aggregation condition; that is, the four items of protocol, source address, destination address, and destination port are set as the initial aggregation condition.
- In step S5, the buffer corresponding to the set aggregation condition is set as the search target buffer, and in step S6 that buffer is searched. At this stage, it is determined whether or not buffer B2, which corresponds to the initial aggregation condition set in step S4, contains aggregated flow information matching the aggregation target in all items of the initial aggregation condition.
- Figure 12 shows the state where the fourth aggregated flow information from the left in buffer B2 matches the aggregation target.
- In this case, the aggregation target is aggregated into that fourth aggregated flow information.
- The aggregation target is then deleted from aggregation candidate B1-2.
- In step S8, it is determined whether or not the search target buffer is aggregation candidate B1-2. If the search target buffer is not aggregation candidate B1-2, the buffer one level higher than the current buffer is set as the search target buffer in step S9, and the process proceeds to step S6 to determine whether there is a corresponding flow.
- Figure 13 shows the case where the fifth flow information from the left in aggregation candidate B1-2 matches the aggregation target. In this case, the aggregation target and the fifth flow information are aggregated and stored in buffer B2 as aggregated flow information, and both are deleted from aggregation candidate B1-2. Note that when searching a higher-level buffer, several pieces of flow information may match the aggregation target; in that case, all of them are aggregated with the aggregation target.
- If the determination in step S6 is “no applicable flow” and step S8 determines that the target buffer is aggregation candidate B1-2, it is determined in step S10 whether the aggregation condition is the condition with the fewest items (the aggregation condition corresponding to buffer B7). If it is not, the aggregation condition is changed in step S11 to a condition with one item fewer than the current condition, and the process moves to step S5, where the buffer corresponding to the changed aggregation condition is set as the search target buffer.
- For example, when the aggregation condition of buffer B2 is set as the initial aggregation condition and neither buffer B2 nor aggregation candidate B1-2 contains flow information matching the aggregation target under that condition, the aggregation condition is changed to the aggregation condition of buffer B3, which has one item fewer than the current condition, and buffer B3 is set as the search target buffer. The search in buffer B3 is then performed with the changed aggregation condition.
- Figure 14 shows the search status for buffer B3. In this example, since there is no aggregated flow information in the buffer B3 that matches the aggregation target and the aggregation condition, the determination in step S6 is “no corresponding flow”.
- In this way, the target buffer is changed step by step under the aggregation condition set in step S4 or step S11.
- The aggregation conditions are changed step by step in the loop of steps S5 to S11. This step-by-step change of the target buffer and aggregation condition minimizes the amount of flow information lost through aggregation and retains the important information about the traffic being measured.
- The number of items of the aggregation condition is therefore not reduced more than necessary; the aggregation targets are aggregated, and the number of flow information is reduced by the aggregated amount.
- Although the description above moves between a plurality of buffers, a single buffer may be used, with each piece of flow information carrying an ID indicating its aggregation condition.
- A value corresponding to the template ID may be used as the ID indicating the aggregation condition.
- Flow information that has been aggregated and is no longer used can be deleted from the buffer, or, instead of actually deleting it, it can be marked as invalid by assigning a special ID.
- Flow information split only by timeouts is aggregated between steps S2 and S3, under the initial (unreduced) condition.
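The following is an added example, not code from the patent, that implements steps S1 to S12 as described above with the buffer ladder B2 to B7 of Fig. 3. Field names (proto, sa, da, sp, dp), the placeholder values written into deleted items, and the sample flows are this example's own assumptions; the ranking function stands in for the measurement purpose (bytes for volume-based DoS, a SYN count for SYN floods, a weighted score when several purposes are combined).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Aggregation-condition ladder of Fig. 3: buffers B2..B7, most items first.
# (Field names proto/sa/da/sp/dp are this example's own abbreviations.)
CONDITIONS: List[Tuple[str, ...]] = [
    ("proto", "sa", "da", "dp"),   # B2: one item fewer than the flow generation condition
    ("proto", "sa", "da", "sp"),   # B3
    ("proto", "sa", "da"),         # B4
    ("proto", "da"),               # B5
    ("proto", "sa"),               # B6
    ("proto",),                    # B7: fewest items
]


@dataclass
class Flow:
    proto: int
    sa: str
    da: str
    sp: int
    dp: int
    packets: int
    octets: int
    first: int
    last: int
    cond: Optional[Tuple[str, ...]] = None  # None = not aggregated (buffer B1)

    def key(self, cond: Tuple[str, ...]) -> tuple:
        return tuple(getattr(self, item) for item in cond)


def merge(target: Flow, others: List[Flow], cond: Tuple[str, ...]) -> Flow:
    """Aggregate target with others under cond: counters are summed, the time
    range is the union, and items deleted from the condition get a placeholder
    (0 for ports, 0.0.0.0 for addresses) since they are not exported anyway."""
    group = [target] + others
    agg = Flow(target.proto, target.sa, target.da, target.sp, target.dp,
               packets=sum(f.packets for f in group),
               octets=sum(f.octets for f in group),
               first=min(f.first for f in group),
               last=max(f.last for f in group),
               cond=cond)
    for item in ("sa", "da", "sp", "dp"):
        if item not in cond:
            setattr(agg, item, 0 if item in ("sp", "dp") else "0.0.0.0")
    return agg


def limit_flows(flows: List[Flow], upper_limit: int, non_aggregated: int,
                rank_key: Callable[[Flow], float] = lambda f: f.octets) -> List[Flow]:
    """Steps S1-S12: return the flow information handed to the transmission unit."""
    if len(flows) <= upper_limit:                        # S1: under the limit
        return list(flows)
    ordered = sorted(flows, key=rank_key, reverse=True)  # S2: rank by purpose
    keep = ordered[:non_aggregated]                      # B1-1: never aggregated
    candidates = ordered[non_aggregated:]                # B1-2: last = lowest rank
    buffers: Dict[Tuple[str, ...], List[Flow]] = {c: [] for c in CONDITIONS}

    def count() -> int:
        return len(keep) + len(candidates) + sum(len(b) for b in buffers.values())

    while candidates and count() > upper_limit:
        target = candidates.pop()                        # S3: lowest-ranked candidate
        for level, cond in enumerate(CONDITIONS):        # S4/S11: one item fewer per pass
            key = target.key(cond)
            # S5/S9: this condition's buffer, then every buffer with more items, then B1-2
            search = [buffers[CONDITIONS[j]] for j in range(level, -1, -1)] + [candidates]
            matched = False
            for buf in search:
                hits = [f for f in buf if f.key(cond) == key]
                if hits:                                 # S6 yes -> S7
                    ids = {id(f) for f in hits}
                    buf[:] = [f for f in buf if id(f) not in ids]
                    buffers[cond].append(merge(target, hits, cond))
                    matched = True
                    break
            if matched:
                break
        else:                                            # S10 yes -> S12
            buffers[CONDITIONS[-1]].append(merge(target, [], CONDITIONS[-1]))
    return keep + candidates + [f for buf in buffers.values() for f in buf]


def sample_flows() -> List[Flow]:
    """Constructed sample: three TCP flows from one host to one web server,
    one DNS flow and one large SSH flow."""
    return [
        Flow(6, "10.0.0.1", "192.168.0.1", 40001, 80, 10, 5000, 100, 200),
        Flow(6, "10.0.0.1", "192.168.0.1", 40002, 80, 8, 4000, 150, 260),
        Flow(6, "10.0.0.1", "192.168.0.1", 40003, 443, 5, 3000, 90, 180),
        Flow(17, "10.0.0.5", "192.168.0.9", 53, 53, 1, 100, 300, 300),
        Flow(6, "10.0.0.2", "192.168.0.2", 1234, 22, 100, 90000, 0, 500),
    ]
```

With an upper limit of 3 and one non-aggregated slot, the large SSH flow is kept untouched, the DNS flow (lowest rank, no partner at any condition) lands in B7, and the three web flows collapse into one B4 record: the condition was reduced only as far as needed (B2 and B3 failed because destination and source ports differ).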
- Flow information may be counted as a different flow when a flow ends, even if the items used as the flow generation / aggregation condition have the same values. There are two such cases.
- One is the termination of a connection-oriented protocol such as TCP, indicated by FIN or RST in the case of TCP.
- The other is a timeout period, provided so that data is sent at regular intervals.
- A flow exceeding this timeout time is temporarily terminated, and later packets whose flow generation / aggregation condition items have the same values are counted as another piece of flow information.
- The timeout is of the non-duration type (elapsed time since the final packet) for connectionless protocols such as UDP, and of the duration type (elapsed time since the first packet) for connection-oriented protocols such as TCP.
- The initial aggregation condition set in step S4 is not limited to the four items of protocol, source address, destination address, and source port.
- The condition with reduction number 0 (identical to the flow generation condition) is derived from the conditions and priorities; when aggregation of flows that were split by a timeout is not performed, the initial condition becomes the one with reduction number 1.
- The above is the basic condition reduction method.
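As an added example (not the patent's own code), the flow generation with the two termination rules above, followed by the reduction-0 aggregation that recombines flows split only by a timeout or a connection end. The packet format, the timeout values and the sample trace are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP, UDP = 6, 17
FIN, RST = 0x01, 0x04   # TCP flag bits


@dataclass
class Packet:            # constructed packet summary; ts in seconds
    ts: float
    proto: int
    sa: str
    da: str
    sp: int
    dp: int
    length: int
    flags: int = 0


@dataclass
class FlowRecord:
    key: Tuple[int, str, str, int, int]
    first: float
    last: float
    packets: int = 0
    octets: int = 0


def generate_flows(packets: List[Packet], idle_timeout: float,
                   active_timeout: float) -> List[FlowRecord]:
    """Split packets into flows on the 5-tuple. A flow ends on TCP FIN/RST, or
    when the timeout is exceeded: time since the last packet (non-duration) for
    connectionless protocols, time since the first packet (duration) for TCP."""
    active: Dict[tuple, FlowRecord] = {}
    finished: List[FlowRecord] = []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.proto, p.sa, p.da, p.sp, p.dp)
        flow = active.get(key)
        if flow is not None:
            expired = (p.ts - flow.first > active_timeout) if p.proto == TCP \
                      else (p.ts - flow.last > idle_timeout)
            if expired:
                finished.append(active.pop(key))
                flow = None
        if flow is None:
            flow = active[key] = FlowRecord(key, p.ts, p.ts)
        flow.last = p.ts
        flow.packets += 1
        flow.octets += p.length
        if p.proto == TCP and p.flags & (FIN | RST):
            finished.append(active.pop(key))
    finished.extend(active.values())   # flush at the end of the measurement
    return finished


def merge_split_flows(flows: List[FlowRecord]) -> List[FlowRecord]:
    """Reduction-0 aggregation (same condition as flow generation): flows that
    were split only by a timeout or connection end are recombined."""
    merged: Dict[tuple, FlowRecord] = {}
    for f in flows:
        m = merged.get(f.key)
        if m is None:
            merged[f.key] = FlowRecord(f.key, f.first, f.last, f.packets, f.octets)
        else:
            m.first, m.last = min(m.first, f.first), max(m.last, f.last)
            m.packets += f.packets
            m.octets += f.octets
    return list(merged.values())


def sample_packets() -> List[Packet]:
    """Constructed trace: a DNS exchange that goes idle and resumes, and a short
    TCP connection closed with FIN followed by a new one on the same 5-tuple."""
    return [
        Packet(0.0, UDP, "10.0.0.1", "192.168.0.53", 5353, 53, 60),
        Packet(1.0, UDP, "10.0.0.1", "192.168.0.53", 5353, 53, 60),
        Packet(30.0, UDP, "10.0.0.1", "192.168.0.53", 5353, 53, 60),   # idle > 10 s
        Packet(0.0, TCP, "10.0.0.2", "192.168.0.1", 40000, 80, 100),
        Packet(1.0, TCP, "10.0.0.2", "192.168.0.1", 40000, 80, 1400),
        Packet(2.0, TCP, "10.0.0.2", "192.168.0.1", 40000, 80, 60, FIN),
        Packet(3.0, TCP, "10.0.0.2", "192.168.0.1", 40000, 80, 100),   # reused port
    ]
```

With a 10 s idle timeout and a 60 s active timeout the trace yields four flow records (two per 5-tuple); the reduction-0 step merges them back to two, which is the state the limiting unit starts from in step S3.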
- By using a search index, the number of searches can be reduced.
- A binary tree algorithm can be used to create the search index. With a balanced binary tree, a search takes O(log2 N) time.
- Two binary tree construction methods can be considered. In general, a binary tree is built by comparing the value of an already stored element with the value of the newly inserted element and deciding the storage location from the magnitude relationship.
- The first construction method performs the magnitude comparison over the multiple items starting from the item with the highest priority.
- As a result, the first construction method effectively concatenates the multiple items in priority order (higher-priority items in the higher-order positions) into one value, and compares those values by magnitude.
- FIG. 15 is a diagram for explaining a search index created by the first construction method.
- Five items are given for the flow information A to E: protocolIdentifier (priority 1), destinationTransportPort (priority 2), sourceIPv4Address (priority 3), destinationIPv4Address (priority 4) and sourceTransportPort (priority 5).
- a search index is created by the following procedure.
- The flow B is added to the index, and the magnitude relationships of the items of flows A and B are compared in order from the highest priority.
- The first-priority protocolIdentifier and second-priority destinationTransportPort items are the same for flows A and B.
- For the third-priority item, the value “10.0.0.2” in flow B is larger than the value “10.0.0.1” in flow A. Therefore B becomes the root instead of A, and A becomes the left leaf.
- The flow D is then added to the index, and the items of flows B and D are compared in descending order of priority. For the first-priority protocolIdentifier item, the value “17” in flow D is larger than the value “6” in flow B, so D is placed on the right side. Since C already exists on the right side, the items of flows C and D are compared in order from the highest priority. For the second-priority destinationTransportPort item, the value “192.168.0.1” in flow C is larger than the value “10.0.0.1” in flow D, so D becomes the left leaf of C.
- The second construction method creates a binary tree from the highest-priority item, and the tree for each lower-priority item is rooted at a leaf of the higher-priority item's tree.
- FIG. 16 is a diagram for explaining a search index created by the second construction method. In the example of FIG. 16, the same five items with the same priorities as in FIG. 15 are given for the flow information A to E. Based on these items, the search index is created by the following procedure.
- For flow A, the first-priority protocolIdentifier element (value: 6) is added at the top of the tree, and the pointer at the top of the tree points to that element. The element also holds a pointer to the second-priority destinationTransportPort element (value: 192.168.0.1), which in turn leads to the third-priority sourceIPv4Address element (value: 10.0.0.1), the fourth-priority destinationIPv4Address element (value: 80) and the fifth-priority sourceTransportPort element (value: 23456); an element indicating the flow identifier (value: A) is added below the tree.
- For flow B, the first-priority protocolIdentifier element (value: 6) and the second-priority destinationTransportPort element (value: 192.168.0.1) are the same as for flow A, so the same tree elements are followed. The third-priority sourceIPv4Address element (value: 10.0.0.2) is larger than the existing element (value: 10.0.0.1), so it is added as the right leaf. Subsequent priority elements are added under that right leaf element in the same way as for flow A, and an element indicating the flow identifier (value: B) is added below the tree.
- For flow D, the first-priority protocolIdentifier element (value: 17) is the same as for flow C, so the same tree element as C is followed.
- The second-priority destinationTransportPort element (value: 10.0.0.1) is smaller than the existing element (value: 192.168.0.1), so it becomes the left leaf.
- Subsequent priority elements are added under that left leaf element in the same procedure as for flow A, and an element indicating the flow identifier (value: D) is added below the tree.
- For flow E, the first-priority protocolIdentifier element (value: 1) is smaller than the existing element (value: 6), so it becomes the left leaf. Subsequent priority elements are added under that left leaf element in the same procedure as for flow A, and an element indicating the flow identifier (value: E) is added below the tree.
- With the first construction method, the tree structure is simple, the tree need not be deep, and a balanced tree can be created.
- With the second construction method the tree becomes deeper, but as long as no priorities overlap, once the tree structure has been created, reducing the condition only removes some leaves, whose flows can then be aggregated, so there is no need to recreate the tree. In addition, the way information is handled can be changed per item, for example when a specific port is excluded. However, the second construction method cannot be applied when priorities overlap.
- An index is created and held by the first or second construction method described above, and the conditions are reduced by referring to the held index when generating and aggregating flow information, which improves the efficiency of the generation and aggregation processes.
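An added example, not the patent's own code, of the second construction method: one binary tree per priority level, each rooted at the matched element of the level above, with a lookup that accepts a prefix of the priority list so that a reduced condition maps to a subtree instead of a rebuilt tree. The item names follow Fig. 15/16; the flow values are constructed for this example and only loosely follow flows A to E of the figure.

```python
from typing import Dict, List, Optional, Sequence

# Items in priority order, as in the page's example (Fig. 15/16).
ITEMS = ("protocolIdentifier", "destinationTransportPort", "sourceIPv4Address",
         "destinationIPv4Address", "sourceTransportPort")


class Node:
    """One element of a per-priority binary tree. child is the root of the
    tree for the next priority; flows holds flow identifiers at the last level."""
    __slots__ = ("value", "left", "right", "child", "flows")

    def __init__(self, value):
        self.value, self.left, self.right, self.child = value, None, None, None
        self.flows: List[str] = []


class LayeredIndex:
    """Second construction method: a binary tree per priority level, rooted at
    the leaf of the level above."""

    def __init__(self, items: Sequence[str] = ITEMS):
        self.items = tuple(items)
        self.root: Optional[Node] = None

    def insert(self, flow_id: str, record: Dict[str, object]) -> None:
        self.root = self._insert(self.root, 0, flow_id, record)

    def _insert(self, node, depth, flow_id, record):
        value = record[self.items[depth]]
        if node is None:
            node = Node(value)
        if value < node.value:
            node.left = self._insert(node.left, depth, flow_id, record)
        elif value > node.value:
            node.right = self._insert(node.right, depth, flow_id, record)
        elif depth + 1 == len(self.items):
            node.flows.append(flow_id)          # equal on every item: same flow key
        else:                                   # equal: descend to the next priority
            node.child = self._insert(node.child, depth + 1, flow_id, record)
        return node

    def find(self, prefix: Sequence[object]) -> List[str]:
        """Flow ids whose highest-priority items equal prefix. A prefix shorter
        than the item list is a reduced aggregation condition: the whole subtree
        below the matched element is the set of flows that aggregate together."""
        if not prefix:
            raise ValueError("prefix must contain at least the first-priority item")
        node = self.root
        for depth, value in enumerate(prefix):
            if depth > 0:
                node = node.child
            while node is not None and node.value != value:
                node = node.left if value < node.value else node.right
            if node is None:
                return []
        return sorted(self._collect(node, len(prefix)))

    def _collect(self, node, matched):
        if matched == len(self.items):
            return list(node.flows)
        out, stack = [], [node.child]
        while stack:
            n = stack.pop()
            if n is not None:
                out.extend(self._collect(n, matched + 1))
                stack.extend((n.left, n.right))
        return out


def build_index() -> LayeredIndex:
    """Constructed sample values loosely following the flows A..E of Fig. 16."""
    idx = LayeredIndex()
    rows = {
        "A": (6, 80, "10.0.0.1", "192.168.0.1", 23456),
        "B": (6, 80, "10.0.0.2", "192.168.0.1", 23457),
        "C": (17, 53, "10.0.0.1", "192.168.0.1", 5000),
        "D": (17, 53, "10.0.0.1", "10.0.0.1", 5001),
        "E": (1, 0, "10.0.0.3", "192.168.0.1", 0),
    }
    for flow_id, values in rows.items():
        idx.insert(flow_id, dict(zip(ITEMS, values)))
    return idx
```

Querying with all five items finds one flow key; querying with only the first two items (the condition reduced by three) returns every flow under that element, which is exactly the set the limiting unit would aggregate under that condition. Each level compares values of one type only, which is why the per-level trees work without encoding the items into a single value.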
- For the flow information stored in the management buffer, the flow generation function unit repeatedly compares the magnitude of each item held by the flow information, based on the externally input priority order of the items, to determine the ordering of the flow information, holds the result as a search index, and generates flow information by referring to the search index.
- Likewise, for the flow information stored in the management buffer, the flow information number limiting function unit repeatedly compares the magnitude of each item, based on the externally input priority order of the items, to determine the ordering of the flow information, holds the result as a search index, and aggregates flow information by referring to the search index. As a result, the number of condition (item combination) comparisons when aggregating flow information is reduced, and processing efficiency improves.
- For the first construction method, one way to minimize the loss of efficiency when the tree structure is recreated for each condition is to keep the past numbers of aggregation candidates and the number of flow information held per condition.
- Each time flow information is limited, the flow information number limiting function unit records the number of aggregation candidates and the number of aggregation results (calculated from the held upper limit value and the non-aggregation number) together with the number of flows for each item of the aggregation condition, and at the next and subsequent aggregations estimates from these records the initial number of items to use when creating the search index, thereby reducing the number of times the search index is created.
- The upper limit value is the number of flow information finally passed from the flow information number limiting function unit to the flow transmission function unit (given from the outside, or determined internally from the capacity of the management buffer).
- The non-aggregation number is the number of non-aggregated flow information positioned highest after sorting (given from the outside).
- The number of aggregation candidates is the total number of flow information generated by the flow generation function unit minus the non-aggregation number.
- The number of aggregation results is the upper limit value minus the non-aggregation number.
- The flow information number limiting function unit thus holds the number of aggregation candidates (total generated flow information minus the non-aggregation number), the number of aggregation results (upper limit minus the non-aggregation number), and the number of flow information per information item (Information Element) of the condition (flow key) used for aggregation.
- FIG. 17 shows an example of the information held by the flow information number limiting function unit. In the example of Fig. 17, the five items protocolIdentifier (priority 1), destinationTransportPort (priority 2), sourceIPv4Address (priority 3), destinationIPv4Address (priority 4) and sourceTransportPort (priority 5) are given, and the information for each item is recorded for the past five runs.
- the number of aggregation candidates is 120034, and the number of aggregation results is 20000.
- For the most recent run, the number of flows resulting from aggregation with the condition containing only protocolIdentifier (items up to the first priority; the condition with 4 reductions in Fig. 6) is recorded; the number of flows with the condition containing items up to the second priority (3 reductions in Fig. 6) is 6442; the number with items up to the third priority (2 reductions in Fig. 6) is recorded in the same way; the number with items up to the fourth priority (1 reduction in Fig. 6) is 1233; and the number with items up to the fifth priority (0 reductions in Fig. 6) is 0.
- An aggregation whose resulting number of flows is 0 is regarded as unnecessary.
- Since the previous aggregation produced 0 flows with the condition containing items up to the fifth priority, that condition is omitted and index creation starts from the condition containing items up to the fourth priority. This reduces the number of processing steps and improves processing speed.
- The flow information number limiting function unit determines from past records whether an aggregation can be omitted.
- In the example, the number of flows was 0 when the condition including items up to the fifth priority was used in the previous runs 1, 3 and 5, and the numbers of aggregation candidates in those runs were 120034, 93898 and 108270, respectively.
- From this it can be inferred that it is sufficient to start creating the index from the condition including items up to the fourth priority (that is, protocolIdentifier, destinationTransportPort, sourceIPv4Address, destinationIPv4Address), and an index based on the condition including items up to the fifth priority no longer needs to be created.
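The history-based decision above, as an added example that is not the patent's own code. The record layout and the five-run history are constructed for this example; the 120034 / 20000 candidate and result counts and the 6442, 1233 and 0 per-condition values of the most recent run are the ones quoted from Fig. 17, the remaining numbers are made up.

```python
from typing import Dict, List

# Items in priority order (Fig. 17); index k holds the flow count obtained with
# the condition "items up to priority k+1".
ITEMS = ("protocolIdentifier", "destinationTransportPort", "sourceIPv4Address",
         "destinationIPv4Address", "sourceTransportPort")


def record_run(total_flows: int, upper_limit: int, non_aggregated: int,
               flows_per_condition: List[int]) -> Dict[str, object]:
    """One history entry: candidate and result counts derived as on the page,
    plus the number of flows each condition produced."""
    if len(flows_per_condition) != len(ITEMS):
        raise ValueError("one count per priority level")
    return {
        "candidates": total_flows - non_aggregated,   # generated minus non-aggregation number
        "results": upper_limit - non_aggregated,      # upper limit minus non-aggregation number
        "flows": list(flows_per_condition),
    }


def initial_item_count(history: List[Dict[str, object]]) -> int:
    """Number of highest-priority items to use when the search index is first
    built. A condition that produced 0 flows in every recorded run is treated
    as unnecessary and skipped, starting from the condition with the most items.
    With no history the full item list is used."""
    n = len(ITEMS)
    if not history:
        return n
    while n > 1 and all(run["flows"][n - 1] == 0 for run in history):
        n -= 1
    return n


def sample_history() -> List[Dict[str, object]]:
    """Constructed five-run history, most recent run first."""
    return [
        record_run(121034, 21000, 1000, [8, 6442, 30000, 1233, 0]),
        record_run(95000, 21000, 1000, [8, 7100, 28000, 1500, 0]),
        record_run(94898, 21000, 1000, [7, 6000, 27000, 1100, 0]),
        record_run(90000, 21000, 1000, [8, 6900, 29000, 1400, 0]),
        record_run(109270, 21000, 1000, [8, 6500, 31000, 1300, 0]),
    ]
```

The check walks from the condition with the most items downward and stops at the first condition that has ever produced flows, so a single run in which the full condition aggregated something is enough to keep it in the index.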
- FIG. 18 shows an example of port aggregation.
- A and B are flow information generated under the flow generation condition of five items (protocol, source address, destination address, source port and destination port), and C is aggregated flow information in which A and B are aggregated under an aggregation condition consisting of the flow generation condition items minus the source port.
- That is, the source port is deleted from the items constituting the aggregation condition.
- “SA” is the source address
- “DA” is the destination address
- “SAMask” and “DAMask” are the netmasks
- “SP” is the source port
- “DP” is the destination port
- “Packets” is the number of packets
- “octets” is the number of bytes
- “First” is the start time of the flow
- “Last” is the end time of the flow
- In the aggregated flow information C, the value of the source port “SP” is set to “0”, and the number of packets “Packets” and the number of bytes “octets” are the sums of the corresponding values of flow information A and B.
- The start time “First” and the end time “Last” are set to the range that is the union of the corresponding times of flow information A and B.
- For example, the start time “First” and end time “Last” of flow information A are “134598098987” and “134598100384”, respectively.
- the start time “First” and end time “Last” of flow information B are “13459809”, respectively.
- The start time “First” and the end time “Last” of the aggregated flow information C are “134598098222” and “134598100384”, respectively.
- In this way, the source port “SP”, the number of packets “Packets”, the number of bytes “octets”, the start time “First”, and the end time “Last” are aggregated, and flow information C is obtained.
- Instead of “0”, a representative value may be used for the deleted item: for the source port, for example, the source port number of the flow with the largest value of any monitoring item, such as the data amount, may be set.
- Information from the first packet of the flow may also be used as the representative value, or information indicating that aggregation has been performed may be added.
- FIG. 19 shows an example of collecting addresses.
- A and B are flow information generated under the flow generation condition of five items (protocol, source address, destination address, source port and destination port), and C is aggregated flow information in which A and B are aggregated under an aggregation condition consisting of the three items of protocol, source address, and destination address among the flow generation condition.
- As in FIG. 18, the value of the source port “SP” is set to “0”, the number of packets “Packets” and the number of bytes “octets” are the sums of the corresponding values of flow information A and B, and the start time “First” and the end time “Last” are set to the range that is the union of the corresponding times of flow information A and B.
- The address becomes a new value obtained from the intersection (common prefix) of the address values of flow information A and B. For example, a new destination address “192.168.0.0” is obtained as the product set of the destination address “192.168.0.2” of flow information A and the destination address “192.168.0.254” of flow information B, and the netmask “SAMask” is also changed to “24” along with this change in address value.
- Since the deleted items constituting the aggregation condition are not transmitted, they may take any value internally, as described above.
- When the address is transmitted as a prefix, the item to be sent must be expressed as a prefix (sourceIPv4Prefix) instead of an address (sourceIPv4Address). If the prefix is not to be changed, a representative value is used instead of the intersection, namely the value before the intersection was taken (the value of the first packet is preferable, in line with the protocol specification, as described above); in this case “32”, indicating a host address, is also used for SAMask.
- The upper limit value is at least the total number of values that the items constituting the aggregation condition can take in the state with the largest reduction number, which is the minimum needed to guarantee the limit.
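The port and address aggregation of Figs. 18 and 19 as an added example that is not the patent's own code: counters are summed, the time range is the union, a deleted port becomes 0, and a deleted address becomes the common prefix with the matching mask (the "product set" of the page) or, when prefixes cannot be exported, the first flow's address as representative value with mask 32. The record field names follow the figure legend; the sample records are constructed, with the two destination addresses and the First/Last values of flow A taken from the page.

```python
import ipaddress
from typing import Dict, List, Tuple


def common_prefix(addresses: List[str]) -> Tuple[str, int]:
    """Longest IPv4 prefix shared by all addresses, as (network, mask length)."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addresses]
    differing = 0
    for x in ints[1:]:
        differing |= ints[0] ^ x            # bits that are not identical in every address
    mask_len = 32 - differing.bit_length()
    mask = (0xFFFFFFFF << (32 - mask_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(ints[0] & mask)), mask_len


def aggregate(flows: List[Dict[str, object]], condition: Tuple[str, ...],
              use_prefix: bool = True) -> Dict[str, object]:
    """Aggregate flow records (keys as in Fig. 18: Proto, SA, SAMask, DA, DAMask,
    SP, DP, Packets, octets, First, Last) under an aggregation condition, i.e.
    the set of items that are kept."""
    out = dict(flows[0])
    out["Packets"] = sum(f["Packets"] for f in flows)
    out["octets"] = sum(f["octets"] for f in flows)
    out["First"] = min(f["First"] for f in flows)       # union of the time ranges
    out["Last"] = max(f["Last"] for f in flows)
    for port in ("SP", "DP"):
        if port not in condition:
            out[port] = 0                               # deleted port: Fig. 18
    for addr, mask in (("SA", "SAMask"), ("DA", "DAMask")):
        if addr in condition:
            continue
        if use_prefix:                                  # deleted address: Fig. 19
            out[addr], out[mask] = common_prefix([f[addr] for f in flows])
        else:                                           # representative value, host mask
            out[addr], out[mask] = flows[0][addr], 32
    return out


def sample_flows() -> List[Dict[str, object]]:
    """Constructed records; B's First is chosen so the union matches C on the page."""
    a = dict(Proto=6, SA="10.0.0.1", SAMask=32, DA="192.168.0.2", DAMask=32,
             SP=40001, DP=80, Packets=10, octets=5000,
             First=134598098987, Last=134598100384)
    b = dict(Proto=6, SA="10.0.0.1", SAMask=32, DA="192.168.0.254", DAMask=32,
             SP=40002, DP=80, Packets=4, octets=1200,
             First=134598098222, Last=134598099000)
    return [a, b]
```

Note that the prefix of two addresses that share nothing is 0.0.0.0/0, which is why the page bounds the upper limit by the number of values the most-reduced condition can take: with masks driven to zero, a whole protocol collapses to one record.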
- When the number of flow information generated by the flow generation function unit increases together with the flows caused by attack traffic, and the number of flow information input from the flow generation function unit to the flow information number limiting function unit therefore increases, part of the currently stored flow information (the aggregation candidates) is aggregated. By aggregating this flow information, the number of flow information supplied to the flow transmission function unit per fixed time is limited to a certain number or less, and therefore the number of flow information sent by the flow transmission function unit onto the measurement network per fixed time is also limited to a predetermined number or less. In this way, only a bounded number of flow information is sent onto the measurement network even when the number of flows increases, which addresses the communication congestion in the measurement network that occurred when UDP, which has no congestion control function, was used as the transport protocol.
- Flow information that includes information important for traffic measurement is excluded from aggregation, and only the flow information that is not important is aggregated, so the flow information that characterizes the traffic is retained.
- the flow information restriction device (node) of the present embodiment described above is an example of the present invention.
- Each of the flow generation function unit, the flow information number limiting function unit, and the flow transmission function unit can be realized by having a control device constituting the computer system execute a program stored in a storage device.
- The program may be provided on a disk-type recording medium such as a CD-ROM or DVD, or by downloading the necessary program over the Internet.
- The flow generation condition and aggregation condition may include items other than those described, as long as they include information based on header information, or may omit some of the items described.
- Information based on header information includes information judged from header information even if it is not included in the header itself.
- routing control information is also included in the information based on header information.
- the header information is not limited to the network layer and the transport layer, but includes lower and higher protocols.
- the number of items of flow generation conditions and aggregation conditions can be set as appropriate as long as flow generation and aggregation are possible.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2007800423057A CN101536437B (zh) | 2006-11-21 | 2007-11-20 | 流信息限制装置以及方法 |
EP07832186A EP2086183B1 (en) | 2006-11-21 | 2007-11-20 | Flow information restricting apparatus and method |
US12/514,883 US8239565B2 (en) | 2006-11-21 | 2007-11-20 | Flow record restriction apparatus and the method |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2006314299 | 2006-11-21 | ||
JP2006-314299 | 2006-11-21 | ||
JP2007-199499 | 2007-07-31 | ||
JP2007199499A JP4658098B2 (ja) | 2006-11-21 | 2007-07-31 | フロー情報制限装置および方法 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2008062787A1 true WO2008062787A1 (fr) | 2008-05-29 |
Family
ID=39429717
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2007/072456 WO2008062787A1 (fr) | 2006-11-21 | 2007-11-20 | Appareil et procédé de restriction d'informations de flux |
Country Status (6)
Country | Link |
---|---|
US (1) | US8239565B2 (ja) |
EP (1) | EP2086183B1 (ja) |
JP (1) | JP4658098B2 (ja) |
KR (1) | KR100997182B1 (ja) |
CN (1) | CN101536437B (ja) |
WO (1) | WO2008062787A1 (ja) |
Families Citing this family (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9026674B1 (en) * | 2010-03-22 | 2015-05-05 | Satish K Kanna | System and method for accurately displaying communications traffic information |
KR20090099519A (ko) * | 2006-12-19 | 2009-09-22 | International Business Machines Corporation | Apparatus and method for analyzing network flows |
US9258217B2 (en) * | 2008-12-16 | 2016-02-09 | At&T Intellectual Property I, L.P. | Systems and methods for rule-based anomaly detection on IP network flow |
US8125920B2 (en) * | 2009-03-04 | 2012-02-28 | Cisco Technology, Inc. | System and method for exporting structured data in a network environment |
US8443434B1 (en) * | 2009-10-06 | 2013-05-14 | Palo Alto Networks, Inc. | High availability security device |
US8724487B1 (en) | 2010-02-15 | 2014-05-13 | Cisco Technology, Inc. | System and method for synchronized reporting in a network environment |
CN102075412B (zh) * | 2010-10-22 | 2013-06-19 | 北京神州绿盟信息安全科技股份有限公司 | Network data transmission rate control device and method |
KR101433420B1 (ko) * | 2010-11-16 | 2014-08-28 | Electronics and Telecommunications Research Institute | Flow-based data parallel processing apparatus and method |
EP2530874B1 (en) * | 2011-06-03 | 2020-04-29 | AirMagnet, Inc. | Method and apparatus for detecting network attacks using a flow based technique |
US9674207B2 (en) * | 2014-07-23 | 2017-06-06 | Cisco Technology, Inc. | Hierarchical attack detection in a network |
US10536357B2 (en) * | 2015-06-05 | 2020-01-14 | Cisco Technology, Inc. | Late data detection in data center |
US10142353B2 (en) | 2015-06-05 | 2018-11-27 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US10674394B2 (en) * | 2017-10-27 | 2020-06-02 | Futurewei Technologies, Inc. | Method and apparatus for reducing network latency |
US10999167B2 (en) * | 2018-04-13 | 2021-05-04 | At&T Intellectual Property I, L.P. | Varying data flow aggregation period relative to data value |
US11546185B2 (en) * | 2020-04-27 | 2023-01-03 | Hewlett Packard Enterprise Development Lp | Multicast route summarization |
WO2023105647A1 (ja) * | 2021-12-07 | 2023-06-15 | Nippon Telegraph and Telephone Corporation | Flow information collection system, flow information collection method, and flow information collection program |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2003244321A (ja) * | 2002-02-15 | 2003-08-29 | Nippon Telegr & Teleph Corp <Ntt> | Traffic data generation device |
JP2005210756A (ja) * | 2005-04-08 | 2005-08-04 | Hitachi Ltd | Network monitoring method |
JP2006050442A (ja) * | 2004-08-06 | 2006-02-16 | Nippon Telegr & Teleph Corp <Ntt> | Traffic monitoring method and system |
Family Cites Families (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7466703B1 (en) * | 1998-05-01 | 2008-12-16 | Alcatel-Lucent Usa Inc. | Scalable high speed router apparatus |
US6570875B1 (en) * | 1998-10-13 | 2003-05-27 | Intel Corporation | Automatic filtering and creation of virtual LANs among a plurality of switch ports |
US6671258B1 (en) * | 2000-02-01 | 2003-12-30 | Alcatel Canada Inc. | Dynamic buffering system having integrated random early detection |
JP3994614B2 (ja) * | 2000-03-13 | 2007-10-24 | Hitachi, Ltd. | Packet switch, network monitoring system, and network monitoring method |
US6836466B1 (en) * | 2000-05-26 | 2004-12-28 | Telcordia Technologies, Inc. | Method and system for measuring IP performance metrics |
WO2002013486A2 (en) * | 2000-08-07 | 2002-02-14 | Xacct Technologies Limited | System and method for processing network accounting information |
US20020032793A1 (en) * | 2000-09-08 | 2002-03-14 | The Regents Of The University Of Michigan | Method and system for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic |
US7039013B2 (en) * | 2001-12-31 | 2006-05-02 | Nokia Corporation | Packet flow control method and device |
US7286482B2 (en) * | 2002-11-29 | 2007-10-23 | Alcatel Lucent | Decentralized SLS monitoring in a differentiated service environment |
US7701863B2 (en) * | 2002-12-12 | 2010-04-20 | Alcatel Lucent | Decentralized SLS monitoring for throughput in a differentiated service environment |
JP2005010756A (ja) | 2003-05-23 | 2005-01-13 | Olympus Corp | Optical system |
US7453806B2 (en) * | 2003-06-26 | 2008-11-18 | International Business Machines Corporation | Dynamic data packet flow control for packet switching node |
US7385924B1 (en) * | 2003-09-30 | 2008-06-10 | Packeteer, Inc. | Enhanced flow data records including traffic type data |
US7515591B1 (en) * | 2004-08-31 | 2009-04-07 | Adtran, Inc. | Primary channel bank-resident mechanism for scheduling downstream data transmissions to ports of multiple channel banks |
US7738375B1 (en) * | 2005-08-19 | 2010-06-15 | Juniper Networks, Inc. | Shared shaping of network traffic |
US20070140282A1 (en) * | 2005-12-21 | 2007-06-21 | Sridhar Lakshmanamurthy | Managing on-chip queues in switched fabric networks |
2007
- 2007-07-31 JP JP2007199499A patent/JP4658098B2/ja active Active
- 2007-11-20 EP EP07832186A patent/EP2086183B1/en not_active Not-in-force
- 2007-11-20 US US12/514,883 patent/US8239565B2/en active Active
- 2007-11-20 WO PCT/JP2007/072456 patent/WO2008062787A1/ja active Application Filing
- 2007-11-20 CN CN2007800423057A patent/CN101536437B/zh not_active Expired - Fee Related
- 2007-11-20 KR KR1020097009813A patent/KR100997182B1/ko active IP Right Grant
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2003244321A (ja) * | 2002-02-15 | 2003-08-29 | Nippon Telegr & Teleph Corp <Ntt> | Traffic data generation device |
JP2006050442A (ja) * | 2004-08-06 | 2006-02-16 | Nippon Telegr & Teleph Corp <Ntt> | Traffic monitoring method and system |
JP2005210756A (ja) * | 2005-04-08 | 2005-08-04 | Hitachi Ltd | Network monitoring method |
Non-Patent Citations (1)
Title |
---|
See also references of EP2086183A4 * |
Also Published As
Publication number | Publication date |
---|---|
JP4658098B2 (ja) | 2011-03-23 |
EP2086183A4 (en) | 2010-01-06 |
US8239565B2 (en) | 2012-08-07 |
JP2008154204A (ja) | 2008-07-03 |
CN101536437B (zh) | 2012-02-01 |
CN101536437A (zh) | 2009-09-16 |
KR20090079945A (ko) | 2009-07-22 |
EP2086183B1 (en) | 2013-01-30 |
KR100997182B1 (ko) | 2010-11-29 |
EP2086183A1 (en) | 2009-08-05 |
US20100070647A1 (en) | 2010-03-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP4658098B2 (ja) | | Flow information restricting apparatus and method |
JP5958570B2 (ja) | | Network system, controller, switch, and traffic monitoring method |
EP3304853B1 (en) | | Detection of malware and malicious applications |
US7580356B1 (en) | | Method and system for dynamically capturing flow traffic data |
US7639613B1 (en) | | Adaptive, flow-based network traffic measurement and monitoring system |
US7706296B2 (en) | | Lightweight packet-drop detection for ad hoc networks |
US10075371B2 (en) | | Communication system, control apparatus, packet handling operation setting method, and program |
JP4267633B2 (ja) | | Network system and traffic information aggregation device |
JP5050781B2 (ja) | | Malware detection device, monitoring device, malware detection program, and malware detection method |
JP2007336512A (ja) | | Statistical information collection system and statistical information collection device |
CN102498694A (zh) | | Communication system, forwarding node, path management server, communication method, and program |
JP2006352831A (ja) | | Network control device and control method thereof |
JP2011146920A (ja) | | Topology tree creation device, program, and method |
JP5017440B2 (ja) | | Network control device and control method thereof |
US7266088B1 (en) | | Method of monitoring and formatting computer network data |
JP4938042B2 (ja) | | Flow information transmitting device, intermediate device, flow information transmitting method, and program |
JP2018029303A (ja) | | Notification system and notification method |
JP4489714B2 (ja) | | Packet aggregation method, device, and program |
JP2012151689A (ja) | | Traffic information collection device, network control device, and traffic information collection method |
Lan et al. | | Passive overall packet loss estimation at the border of an ISP |
JP4871330B2 (ja) | | Flow determination method, communication device, and program |
Henke et al. | | Evaluation of header field entropy for hash-based packet selection |
JP2005117213A (ja) | | Routing table and route search method |
JP2009130686A (ja) | | Flow determination method, communication device, and program |
WO2021052554A1 (en) | | Network node for supporting performance evaluation using a performance bitmap |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 200780042305.7; Country of ref document: CN |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 07832186; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 1020097009813; Country of ref document: KR |
| WWE | Wipo information: entry into national phase | Ref document number: 12514883; Country of ref document: US. Ref document number: 2007832186; Country of ref document: EP |
| NENP | Non-entry into the national phase | Ref country code: DE |