JP2002164899A - Network monitoring method and its equipment - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a network monitoring method and its equipment for finding and taking countermeasure against disguise of a device. SOLUTION: The network monitoring equipment of the invention is provided with a topology memory part 6 which stores topological information of the network, a response time memory part 7 which stores obtained response time after execution of a response inspection command, and a decision part 8 which decides the consistency between the topological information stored in the topology memory part 6 and the response time stored in the response time memory part 7, and it finds and takes a countermeasure against disguise of a device in a network like IEEE1394 by which such topology can be obtained.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a network monitoring method and apparatus for enhancing network security, and more particularly to a network monitoring method and apparatus for enhancing security in a bus network represented by IEEE1394.

[0002]

2. Description of the Related Art Due to its simple configuration and high performance, IEEE 1394 is expected as a means for connecting various devices such as a home LAN in the future. 100Mbp
It has a hot-line connection function that can add or delete devices while the network is running by automatically recognizing the connection of devices and a transfer method suitable for multimedia data transfer called Isochronous, a transfer speed of s or more It is possible to configure a tree-type network and use it for a wide range of applications.

It is conceivable to configure a surveillance system using a camera as one of the applications. This is because a large amount of data such as video can be transmitted due to a high transfer rate.

The conventional surveillance system requires as many analog output cameras as necessary for surveillance, and the same number of A / D conversion mechanisms as video capture boards and the like, and also requires a connection between the cameras and the video capture boards. One cable was required, and it was necessary to route the same number of cables as the number of cameras.

On the other hand, in the case of a surveillance system using IEEE 1394, it is only necessary to connect at least one personal computer for receiving and recording as a surveillance device to the number of IEEE 1394 compliant digital output cameras required for surveillance. By configuring this network, it became possible to configure a monitoring system with a small number of cables.

[0006]

However, such a conventional IEEE 1394 is a bus type network,
The transmitted packet basically reaches all nodes on the bus. As a result, there is a problem that the packet may be sniffed by a device that does not need to receive the packet.

Further, since it is assumed that the packet reaches all the nodes on the bus, there is no mechanism for specifying the node that sent the packet other than checking the description of the source ID on the packet. There is a problem that the description of the source ID is false.

When constructing a monitoring system using IEEE 1394, it is desirable that important packets such as control commands and highly confidential information are guaranteed to be devices that the sending node and the receiving node can trust.

However, the above problem hinders the identification of a device involved in packet transmission / reception, and allows the device to be spoofed, thus lowering the security level of the monitoring system.

The present invention has been made to solve such a problem, and provides a method and an apparatus for detecting and taking measures against impersonation of a device.

[0011]

A network monitoring method according to the present invention is characterized in that topology information of a network is stored, and a bus state, a change in a bus state, or a packet inconsistent with the stored topology information is detected. I have. As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Further, the network monitoring method of the present invention comprises:
Storing the topology information of the network, executing the response inspection command, storing the obtained response time, determining the consistency between the stored topology information and the stored response time, It is characterized by finding contradictory cases. As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Further, the network monitoring method of the present invention comprises:
Storing the topology information of the network, identifying the port that received the packet, identifying the source ID of the received packet, and comparing the stored topology information with the combination of the identified port and the identified source ID. It is characterized by judging consistency and finding a case where there is a contradiction in the network topology. As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Further, the network monitoring method of the present invention comprises:
The topology information of the network is stored, the response check command is executed, the obtained response time is stored, and the state of the network bus is changed from the grant state to the data state.
measuring the time to change to the prefix state, identifying the source ID of the received packet, and combining the stored topology information, the stored response time, the measured time, and the identified source ID. It is characterized by judging the consistency with the network and finding the case where there is a contradiction in the network topology. As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Further, the network monitoring method of the present invention
The topology information of the network is stored, the response check command is executed, the obtained response time is stored, and the state of the network bus is changed from the data end state to the data end state.
measuring the time to change to the quest state, identifying the source ID of the received packet, storing the stored topology information, the measured time, and the identified source ID
It is characterized by judging the consistency with the combination of and finding a case where there is a contradiction in the network topology.
As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Further, the network monitoring method of the present invention comprises:
It stores the network topology information, executes the response check command, stores the obtained response time, measures the time until the bus state changes from the data end state to the data prefix state, and determines the source of the received packet. Identifying the ID and identifying the consistency between the stored topology information and the combination of the measured time and the identified source ID, thereby finding a case in which there is a contradiction in the network topology. And As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Further, the network monitoring method of the present invention comprises:
Network topology information is stored, and when packets are received consecutively, the source ID of each received packet and the reception order are identified, and the stored topology information, the source ID of the received packet, It is characterized in that the consistency of the reception order is determined, and a case in which there is a contradiction in the network topology is found. This allows
Of the devices existing on the bus, it is possible to determine a device that is impersonating and a candidate for a device that is performing impersonation.

Also, the network monitoring method of the present invention
Network topology information is stored, and when an ACK and a data packet are continuously received, the source ID of each received packet and the reception order are identified, and the stored topology information and the received packet It is characterized in that the consistency between the source ID and the receiving order is determined, and a case where there is a contradiction in the network topology is found. As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Further, the network monitoring method of the present invention
It stores the topology information of the network, executes the response check command, stores the obtained response time, measures the time until the bus state changes from the data end state to the data prefix state, and measures the time of the received ACK packet. Identifying the source node, determining the consistency between the stored topology information, the combination of the measured time and the source node of the identified ACK packet, and finding a case inconsistent with the network topology. Features. As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Further, the above network monitoring method identifies the source ID of the received packet, and if the identified source ID indicates a bus other than the local bus, checks the routing table of the bridge, and It is characterized in that a case where the ID and the routing table are inconsistent is found. As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Further, the above-mentioned network monitoring method is characterized in that collection of information used for determination is started with a bus reset as a trigger. As a result, it is possible to determine a device candidate that is impersonating a device and is performing impersonation with a small number of times of information collection.

Further, in the above network monitoring method, when an inconsistency is found, the packet may be discarded. Further, when a contradiction is found, the packet may be destroyed. Alternatively, when a contradiction is found, a bus reset may be generated. As a result, when spoofing has been performed, it is possible to increase the possibility that the transaction is prevented from being completed.

In the above-described network monitoring method, a warning may be issued when an inconsistency is found. As a result, the possibility of impersonation can be notified to an upper layer or another device, and the other device or the user can be alerted.

Further, in the above network monitoring method, when inconsistency is found, the port may be disconnected. As a result, it is possible to forcibly remove the impersonating device candidate from the bus.

Further, the network monitoring device of the present invention includes a topology storage unit for storing network topology information, and a detection unit for detecting a bus state, a change in bus state, or a packet inconsistent with the stored topology information. It is characterized by having. With this configuration, of the devices existing on the bus, it is possible to determine a device that is impersonating and a candidate for a device that is performing impersonation.

Further, the network monitoring device of the present invention
A topology storage unit for storing network topology information, a response time storage unit for executing a response inspection command and storing an obtained response time, a topology information stored in the topology storage unit, and the response time storage. And a judgment unit for judging the consistency with the response time stored in the unit, and finding a case inconsistent with the network topology. With this configuration, of the devices existing on the bus, it is possible to determine a device that is impersonating and a candidate for a device that is performing impersonation.

Further, the network monitoring device of the present invention comprises:
In a network monitoring device including a repeater having at least one port, the repeater stores a topology storage unit that stores network topology information, a port identification unit that identifies a port that has received a packet, and a source ID of the received packet. A source identification unit to be identified; a topology information stored in the topology storage unit; and a determination unit that determines consistency between a combination of a port identified by the port identification unit and a source ID identified by the source identification unit. And finds a case where there is a contradiction in the network topology. As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Further, the network monitoring apparatus of the present invention
In a network monitoring device including a bridge having a plurality of portals, the bridge stores a routing storage unit that stores routing information, a portal identification unit that identifies a portal that has received a packet, and a source that identifies a source ID of the received packet. An identification unit; a determination unit configured to determine consistency between the routing information stored in the routing storage unit and a combination of the portal identified by the portal identification unit and the source ID identified by the source identification unit. In addition, the present invention is characterized in that a case where there is a contradiction in the network topology is found. As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Also, the network monitoring device of the present invention
A network monitoring device including a repeater having at least one port, wherein the repeater stores topology information of a network, and a response time storage unit that stores a response time obtained by executing a response inspection command. And the bus status changes from the grant status to dat
a time measurement unit for measuring a time until the state changes to a prefix state, a source identification unit for identifying a source ID of a received packet, topology information stored in the topology storage unit, and a response time stored in the response time storage unit. Response time, and a determination unit that determines the consistency between the time measured by the time measurement unit and the combination of the source ID identified by the source identification unit, and finds a case where the network topology is inconsistent. It is characterized by: As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Further, the network monitoring device of the present invention
A network monitoring device including a repeater having at least one port, wherein the repeater stores topology information of a network, and a response time storage unit that stores a response time obtained by executing a response inspection command. A time measuring unit for measuring a time until the state of the bus changes from the data end state to the request state, a source identification unit for identifying a source ID of a received packet, and topology information stored in the topology storage unit. A response time stored in the response time storage unit;
A judgment unit for judging the consistency of the information of the combination of the time measured by the time measurement unit and the source ID identified by the source identification unit; and I have. As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Further, the network monitoring apparatus of the present invention
A network monitoring device including a repeater having at least one port, wherein the repeater stores topology information of a network, and a response time storage unit that stores a response time obtained by executing a response inspection command. A time measurement unit for measuring a time required for the bus state to change from the data end state to the data prefix state; a source identification unit for identifying a source ID of a received packet; and topology information stored in the topology storage unit. A response time stored in the response time storage unit, and a determination unit that determines consistency between a combination of the time measured by the time measurement unit and the source ID identified by the source identification unit, It is characterized by finding cases where there is a contradiction in the network topology. As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Further, the network monitoring apparatus of the present invention
In a network monitoring device that includes a repeater having at least one port, the repeater stores a topology storage unit that stores network topology information, and when a series of packets is received, a source ID of each packet and a reception order thereof. A network comprising: a source order identification unit for identifying; a topology information stored in the topology storage unit; and a determination unit for determining consistency between the source ID identified by the source order identification unit and its reception order. It is characterized by finding cases where there are contradictory topologies. As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Further, the network monitoring apparatus of the present invention
In a network monitoring device that includes a repeater having at least one port, the repeater receives a ACK and a series of data packets, and stores a source ID of each packet, An ACK source order identification unit for identifying a reception order; a topology information stored in the topology storage unit; and a determination unit for determining consistency between the source ID identified by the ACK source identification unit and the reception order. It is characterized by discovering a case where there is a contradiction in the network topology. As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

Further, the network monitoring device of the present invention
A network monitoring device including a repeater having at least one port, wherein the repeater stores topology information of a network, and a response time storage unit that stores a response time obtained by executing a response inspection command. A time measurement unit for measuring a time required for the bus state to change from the data end state to the data prefix state; a source identification unit for identifying a source node of a received ACK packet; and a topology stored in the topology storage unit. Information, a response time stored in the response time storage unit, and a determination unit that determines consistency between a combination of the time measured by the time measurement unit and the combination of the source node of the ACK packet identified by the source identification unit. And finds cases where there is a contradiction in the network topology. . As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

[0035] The network monitoring device includes a source identification unit for identifying a source ID of the packet, a routing table confirmation unit for confirming a routing table of the bridge, a source ID identified by the source identification unit,
A judgment unit for judging the consistency of the bridge confirmed by the routing table confirmation unit with the routing table, and finding a case where there is a contradiction in the network topology. As a result, of the devices existing on the bus, it is possible to determine a candidate for a device that is impersonating and a device that is performing impersonation.

The above network monitoring apparatus is characterized in that the collection of information used by the determination section is started by a bus reset as a trigger. As a result, it is possible to determine a candidate for a device that is an impersonated device and that is performing the spoofing by a small number of times of information collection.

In the above network monitoring apparatus, a packet discard processing unit for discarding the packet when an inconsistency is found may be provided. Further, a packet destruction processing unit which destroys the packet when an inconsistency is found may be provided. Alternatively, a bus reset generation processing unit that generates a bus reset when contradiction is found may be provided. As a result, when spoofing has been performed, it is possible to increase the possibility that the transaction is prevented from being completed.

The above-described network monitoring device may include a warning generation processing unit that generates a warning when contradiction is found. As a result, the possibility of impersonation can be notified to an upper layer or another device, and the other device or the user can be alerted.

In the above-described network monitoring apparatus, a port connection control processing unit for disconnecting a port when an inconsistency is found may be provided. As a result, it is possible to forcibly remove the impersonating device candidate from the bus.

Further, in the repeat method of the present invention, the topology information of the network is stored, the destination ID of the packet is identified, and the state of the port is determined based on the combination information of the topology information and the destination ID. , And a port for repeating the packet and a port for repeating the dummy information. As a result, when spoofing or eavesdropping has been performed, it is possible to increase the possibility of preventing the completion of the transaction.

In the above-mentioned repeat method, the collection of the information may be started with a bus reset as a trigger. As a result, when spoofing or eavesdropping has been performed, the possibility of hindering the completion of the transaction can be increased with a small number of times of information collection.

Further, the repeater device of the present invention comprises a topology storage unit for storing network topology information, a destination identification unit for identifying a destination ID of a packet, the topology information stored in the topology storage unit, and Based on the combination information of the destination ID identified by the destination identification unit,
It is characterized by comprising a port control unit that determines a port state and determines a port that repeats the packet and a port that repeats dummy information. As a result, when spoofing or eavesdropping has been performed, it is possible to increase the possibility of preventing the completion of the transaction.

Further, in the above repeater device, the information collection is started by a bus reset as a trigger. As a result, when spoofing or eavesdropping has been performed, the possibility of hindering the completion of the transaction can be increased with a small number of times of information collection.

The network protection method according to the present invention is characterized in that upon receiving a warning from the network monitoring method, the contents of the warning and the state at the time of the warning are notified to the user. As a result, it is possible to promptly indicate to the user the possibility that spoofing is being performed.

Further, the network protection method of the present invention
Upon receiving an alert from the above network monitoring method,
The contents of the warning and the state at the time of the warning are notified to the user via a public line. As a result, it is possible to promptly show the possibility of impersonation to a remote user.

Further, the network protection method of the present invention
Upon receiving an alert from the above network monitoring method,
The contents of the warning and the state at the time of the warning are recorded. As a result, it is possible to preserve the proof of impersonation and the situation at that time.

Also, the network protection method of the present invention
Upon receiving an alert from the above network monitoring method,
It is characterized by recording the behavior of any or all devices related to the warning, or recording the status of the devices. As a result, the unauthorized device can be continuously monitored.

Further, the network protection method of the present invention
Upon receiving an alert from the above network monitoring method,
It is characterized in that access from any or all of the devices related to the warning, a service request is rejected until a set condition is satisfied, or the request is changed to a set one. As a result, the service provided to the unauthorized device can be made different from the normal service.

Also, the network protection method of the present invention
Upon receiving an alert from the above network monitoring method,
The method is characterized in that routing of packets from any or all of the devices related to the warning is stopped until the set conditions are satisfied, or changed to the set conditions. As a result, the handling of the communication of the unauthorized device can be made different from normal.

Further, the network protection method of the present invention
Upon receiving an alert from the above network monitoring method,
It is characterized in that device authentication is performed on the related device or redo. As a result, when a device suspected of fraud is found, it is possible to confirm the unauthorized device and the normal device.

Further, the network protection method of the present invention comprises:
Upon receiving an alert from the above network monitoring method,
It is characterized by encrypting data or regenerating an encryption key. As a result, when a device suspected of being fraudulent is found, security can be tightened.

The network device according to the present invention includes a warning receiving unit for receiving a warning from the network monitoring device, an information collecting unit for collecting a state at the time of occurrence of the warning, and a display unit for notifying a user of the collected information. And notifies the user of the content of the warning and the state of the warning at the time of the warning. This will prompt the user
It can be shown that spoofing is being performed.

Further, the network device of the present invention includes a warning receiving unit for receiving a warning from the network monitoring device, an information collecting unit for collecting a state at the time of occurrence of the warning, and a public line communication unit connected to the public line. At the time of a warning, and notifies the user of the content of the warning and the state at the time of the warning via a public line. As a result, it is possible to promptly show the possibility of impersonation to a remote user.

Further, the network device of the present invention comprises a warning receiving unit for receiving a warning from the network monitoring device, an information collecting unit for collecting a state at the time of occurrence of the warning, and a storage unit for recording information. When a warning is issued, the contents of the warning and the state at the time of the occurrence of the warning are recorded. As a result, it is possible to preserve the proof of impersonation and the situation at that time.

Further, the network device of the present invention includes a warning receiving unit for receiving a warning from the network monitoring device, an information collecting unit for collecting the behavior or state of a device related to the warning, and a storage unit for recording information. And recording the behavior of any or all of the devices related to the warning, or recording the status of the devices. As a result, the unauthorized device can be continuously monitored.

Further, the network device of the present invention includes a warning receiving unit for receiving a warning from the network monitoring device, a service processing unit for providing a service to another device, and a service control unit for permitting the provision of the service according to conditions. And rejects access from any or all of the devices related to the alert, denies the service request until the set conditions are satisfied, or changes the service request to the set one. As a result, the service provided to the unauthorized device can be made different from the normal service.

Further, the network device of the present invention comprises: a warning receiving unit for receiving a warning from the network monitoring device; a routing unit for routing a packet;
A routing controller configured to perform routing setting, wherein the routing of packets from any or all of the devices related to the warning is stopped until the set condition is satisfied, or the condition is changed to the set condition. And As a result, the handling of the communication of the unauthorized device can be made different from normal.

Further, the network device of the present invention includes a warning receiving unit for receiving a warning from the network monitoring device and a device authentication unit having a device authentication function, and performs device authentication on related devices. Or start over. As a result, when a device suspected of fraud is found, it is possible to confirm the unauthorized device and the normal device.

Also, the network device of the present invention includes a warning receiving unit for receiving a warning from the network monitoring device, and an encryption unit for encrypting data, and performs encryption of data or an encryption key. Is re-created. As a result, when a device suspected of being fraudulent is found, security can be tightened.

[0060]

Embodiments of the present invention will be described below with reference to the drawings. In all drawings,
Similar components are indicated using the same reference signs and symbols. (First Embodiment)

As shown in FIG. 1, the network monitoring device 1 according to the first embodiment of the present invention includes a transmitting / receiving unit 5, a topology storage unit 6, a response time storage unit 7, a judgment unit 8, And a processing unit 9. In the present embodiment, the transmitting / receiving unit 5 has three ports of the port P0, the port P1, and the port P2, but is not limited to this. The ports P0 to P2 are connected to the bus 10, respectively.

The topology storage section 6 collects and stores network topology information via the transmission / reception section 5. The response time storage unit 7 executes a ping, which is a response inspection command, to a node on the network via the transmission / reception unit 5, and responds to the ping between the network monitoring device 1 and the other nodes (hereinafter, referred to as “ping time”). "). The ping may be performed in any order. The determination unit 8 compares the topology information stored in the topology storage unit 6 with the ping time information stored in the response time storage unit 7 to determine whether there is any contradiction. When the determining unit 8 determines that the contradiction exists, the various processing units 9
It performs various processes described below.

Collection and Ping of Topology Information
May be performed at set time intervals, or may be performed when conditions such as when the traffic volume is equal to or less than a threshold are set and the conditions are satisfied. It is preferable to carry out each time a bus reset occurs, in order to reduce the number of times of information collection while avoiding insufficient information.

The operation of the network monitoring device 1 thus configured will be described below.

First, network topology information is collected via the transmission / reception unit 5 and stored in the topology storage unit 6. Next, the response time storage unit 7 pings the nodes on the network via the transmission / reception unit 5, and the pin between the network monitoring device 1 and the other nodes.
The g time is stored. The determination unit 8 compares the topology information stored in the topology storage unit 6 with the ping time information stored in the response time storage unit 7 to determine whether there is any contradiction. When it is determined that there is a contradiction, various processing is performed by the various processing units 9.

Using the network shown in FIG. 2 as an example, a determination method by the determination unit 8 of the network monitoring device 1 according to the present embodiment will be described below. As shown in FIG. 1, the network includes nodes 201 to 210 and a network monitoring device 1. Ping of node 201 with ID = 0
The time should be longer than the ping time of node 203 with ID = 2, the difference is (PHY delay + cable delay)
Should be equal to If this condition is not met,
The determination unit 8 determines that there is an inconsistency between the topology information stored in the topology information storage unit 6 and the ping time information. That is, the node 201 with ID = 0 or the node 203 with ID = 2 is considered to be “spoofed by another node”. By performing this for the entire network, nodes on the network can be distinguished from normal nodes and unauthorized nodes. Hereinafter, the “illegal node” indicates any or all of the “node impersonating” and the “node impersonating”.

Also, for example, the p of the node 203 with ID = 2
When the ping time is equal to the ping time of the node 205 with the ID = 5, the node 205 with the ID = 5 has the ID = 2
It can be understood that there is a possibility that the node 203 is performing spoofing.

As described above, the network monitoring device 1 according to the first embodiment of the present invention includes the transmission / reception unit 5 and the topology storage unit 6 for storing the network topology information collected via the transmission / reception unit 5. And execute ping,
A response time storage unit 7 for storing the obtained ping time;
The topology information stored in the topology storage unit 6 is compared with the ping time information stored in the response time storage unit 7,
Since there are provided a judgment unit 8 for judging whether or not an inconsistency exists and various processing units 9, a spoofed node and a candidate for a spoofing node are selected from the nodes on the network. Can be found.

The processing performed by the various processing units 9 is as follows.

The various processing units 9 may include a packet discard processing unit (not shown) for discarding a packet when the discrepancy is found in the judgment unit 8. The packet discard processing unit of the various processing units 9 controls the transmission / reception unit 5 so as to discard packets transmitted from an unauthorized node. Discarding a packet means that the received packet is not passed to the upper layer, and that the received packet is not repeated as it is, and a dummy or a partially harmless packet is transmitted instead of the repeat.

Further, the packet discard processing unit of the various processing units 9 may cause an unauthorized node to discard all transmitted packets. This can prevent an upper layer of the network monitoring device 1 from receiving a packet from a node suspected of being illegal. Further, it is possible to prevent a node existing downstream of the network monitoring device 1 from receiving a packet from a node suspected of being fraudulent.

Alternatively, the various processing units 9 may include a packet destruction processing unit (not shown) that destroys a packet when an inconsistency is found in the judgment unit 8. The packet destruction processing unit of the various processing units 9 controls the transmission / reception unit 5 so as to destroy a packet transmitted from an unauthorized node. Destruction of a packet indicates that the received packet is not passed to the upper layer and that the bus is driven regardless of whether the packet exists on the bus. Here, the driving state is a state that collides with the packet data state. For example, IDOL, TX_DATA_END, T
X_DATA_PREFIX, TX_REQUEST,
And BUS_RESET. This can prevent an upper layer of the network monitoring device 1 from receiving a packet from a node suspected of being illegal. Further, it is possible to prevent a node on the network from receiving a packet from a suspected fraudulent node.

Alternatively, the various processing units 9 may include a bus reset generation processing unit (not shown) for generating a bus reset when a contradiction is found in the judgment unit 8. The bus reset generation processing unit of the various processing units 9 controls the transmission / reception unit 5 to generate a bus reset. This can prevent an upper layer of the network monitoring device 1 from receiving a packet from a node suspected of being illegal. In addition, it is possible to prevent a node on the network from receiving a packet from a node suspected of being fraudulent.

Alternatively, the various processing units 9 may have a warning generation processing unit (not shown) that generates a warning when the discrimination unit 8 finds inconsistency. The warning generated by the warning generation processing unit of the various processing units 9 may be output to the upper layer of the network monitoring device 1 or may be output to another node on the network via the transmission / reception unit 5. The spoofed node may be warned in terms of reporting spoofing. This allows the upper layer of the network monitoring device 1 to know that there is a node suspected of being fraudulent. Also, a node on the network can know that there is a node suspected of being fraudulent. Further, it is possible to know that a node on the network has been spoofed.

Alternatively, the various processing units 9 may include a port connection control processing unit (not shown) that disconnects a port when a contradiction is found in the judgment unit 8. The port connection control processing unit of the various processing units 9 controls the transmission / reception unit 5 so as not to use the port. The port whose use is stopped at this time is the port connected to the unauthorized node.

In the example of FIG. 2, if the impersonating node 205 is ID = 5, the port P
By stopping the function of the node 1, the node 205 of ID = 5
Can be excluded from the bus. As a result, a node suspected of fraud can be excluded from the bus.

As described above, when the various processing units 9 find inconsistencies, by discarding or destroying the packets and the like transmitted by spoofing, it is possible to prevent the completion of the transaction due to spoofing, and furthermore, the spoofing is possible It is possible to warn another device or a user by alerting the user of the nature. In addition, when the various processing units 9 find inconsistencies, they can prevent spoofing by disconnecting the spoofing device and not participating in the bus. (Second embodiment)

FIG. 3 is a flowchart showing a network monitoring method according to the second embodiment of the present invention. As shown in the figure, in step S101, network topology information is obtained. In step S102, ping is performed on a node on the network, and a ping time is acquired. In step S103, the topology information acquired in step S101 is compared with the ping time acquired in step S102, and it is determined whether there is any contradiction. If there is no inconsistency, the process proceeds to step S104 and waits for the occurrence of a bus reset. If there is an inconsistency, the process proceeds to step S105, and various processes described below are performed. After the various processes in step S105 are completed, the process proceeds to step S104. If a bus reset is detected in step S104,
It returns to step S101.

The method of determination in step S103 of the network monitoring method according to the present embodiment will be described by taking the network shown in FIG. 2 as an example. As shown in FIG. 1, the network includes nodes 201 to 210 and a network monitoring device 1. Pin of node 201 with ID = 0
The g time should be longer than the ping time of node 203 with ID = 2, and the difference should be equal to (PHY delay + Cable delay). If this condition is not satisfied, in step S103, the topology information acquired in step S101 and the ping acquired in step S102
It is determined that inconsistency exists between the time information. That is, node 201 with ID = 0 or node 2 with ID = 2
03 is considered "spoofed by another node". By performing this for the entire network, the nodes on the network can be distinguished from normal nodes and unauthorized nodes.

Further, for example, p of the node 203 with ID = 2
If the ping time is equal to the ping time of the node 205 with ID = 5, the node 205 with ID = 5 becomes
It can be seen that there is a possibility that the second node 203 is impersonating.

As described above, the network monitoring method according to the second embodiment of the present invention stores the topology information of the network, executes the ping, stores the obtained ping time, and stores the stored topology information. And the stored pi
Since the consistency with the ng time is determined, a spoofed node and a candidate for a spoofing node can be found from the nodes on the network.

The various processes performed in step S105 are as follows.

If an inconsistency is found in step S103, the packet sent from the unauthorized node may be discarded in step S105. Discarding a packet means that the received packet is not passed to the upper layer, and that the received packet is not repeated as it is, and a dummy or a partially harmless packet is transmitted instead of the repeat.

In step S105, an illegal node may be made to discard all transmitted packets. This can prevent an upper layer of the network monitoring device 1 from receiving a packet from a node suspected of being illegal. Further, it is possible to prevent a node existing downstream from the network monitoring device 1 from receiving a packet from a node suspected of being fraudulent.

Alternatively, if an inconsistency is found in step S103, the packet sent from the unauthorized node may be destroyed in step S105. Destruction of a packet indicates that the received packet is not passed to the upper layer and that the bus is driven regardless of whether the packet exists on the bus. This can prevent an upper layer of the network monitoring device 1 from receiving a packet from a node suspected of being illegal. Further, it is possible to prevent a node on the network from receiving a packet from a node suspected of being fraudulent.

Alternatively, if a contradiction is found in step S103, a bus reset may be generated in step S105. This can prevent an upper layer of the network monitoring device 1 from receiving a packet from a node suspected of being illegal. Further, it is possible to prevent a node on the network from receiving a packet from a node suspected of being fraudulent.

Alternatively, if an inconsistency is found in step S103, a warning may be issued in step S105. Warnings may be issued to higher layers,
It may be sent to another node on the network. The spoofing node may be warned in that it reports spoofing. This allows the upper layer of the network monitoring device 1 to know that there is a node suspected of being fraudulent. Also, a node on the network can know that there is a node suspected of being fraudulent. In addition, it is possible to know that a node on the network has been spoofed.

Alternatively, if a contradiction is found in step S103, the port may be disconnected and the use of the port stopped in step S105. The port whose use is stopped at this time is the port connected to the unauthorized node.

In the example of FIG. 2, if the impersonating node 205 is ID = 5, the port P
By stopping the function of the node 1, the node 205 of ID = 5
Can be excluded from the bus. As a result, a node suspected of fraud can be excluded from the bus.

As described above, when an inconsistency is found in step S103, in the various processes in step S105, the spoofed packet or the like is discarded or destroyed, so that the completion of the transaction due to the spoofing can be prevented. By warning the possibility of impersonation, it is possible to call attention to another device or a user. In addition, when the various processing units 9 find inconsistencies, they can prevent spoofing by disconnecting the spoofing device and not participating in the bus. (Third embodiment)

FIG. 4 is a schematic block diagram of a network monitoring device 21 according to the third embodiment of the present invention. This is different from the first embodiment in that a source identification unit 11 is provided instead of the response time storage unit 7. First
The same reference numerals are given to the same components as those of the embodiment, and the detailed description is omitted.

When a packet is received via the transmission / reception unit 5, the source identification unit 11 identifies the source ID of the packet and the port that received the packet.

The operation of the network monitoring device 21 according to the present embodiment will be described below.

First, the topology information of the network is collected via the transmission / reception unit 5 and stored in the topology storage unit 6. Next, the source identification unit 11 receives the packet, and identifies the source ID of the packet and the port that received the packet. The determination unit 8 compares the topology information stored in the topology storage unit 6 with the source ID of the packet identified by the source identification unit 11 and the port that received the packet, and determines whether there is any contradiction. When it is determined that a contradiction exists, the various processing units 9
Various processes similar to those of the first embodiment are performed. As a result, the same effects as in the first embodiment can be obtained in this embodiment.

The above-mentioned collection of topology information may be performed at set time intervals, or may be performed when a condition such as a case where the traffic volume is equal to or less than a threshold is set and the condition is satisfied. It is preferable to carry out each time a bus reset occurs, in order to reduce the number of times of information collection while avoiding insufficient information.

[0096] Taking the network shown in Fig. 2 as an example, a method of determination by the determination unit 8 of the network monitoring device 21 of the present embodiment will be described below. As shown in the figure, this network includes nodes 201 to 210 and a network monitoring device 21. A packet transmitted from the node 201 whose source ID is ID = 0 must be received via the port P0 due to the network topology.
When this is received via a port other than the port P0, it is considered that the node 201 with ID = 0 is impersonated as another node.

As described above, the network monitoring device 21 according to the second embodiment of the present invention includes the transmission / reception unit 5 and the topology storage unit 6 for storing the topology information of the network collected via the transmission / reception unit 5. When a packet is received via the transmission / reception unit 5, the source identification unit 11 identifies the source ID of the packet and the port that received the packet.
And the ping time information stored in the response time storage unit 7 by comparing the topology information stored in the topology storage unit 6 with the ping time information stored in the response time storage unit 7, and various processing units 9. , It is possible to find, from among the nodes on the network, the spoofed node and the port to which the spoofing node is connected. (Fourth embodiment)

FIG. 5 is a flowchart showing a network monitoring method according to the fourth embodiment of the present invention. This is different from the second embodiment in that steps S102 and S102
Steps S111 to S1 instead of 103
13 is mainly different.

As shown in the figure, in step S101, network topology information is obtained. Next, in step S104, the process waits for the occurrence of a bus reset. In step S104, if a bus reset is detected, the process returns to step S101; otherwise, the process proceeds to step S111. In step S111, reception of a packet is awaited. If no packet is received in step S111, the process proceeds to step S10.
Returning to step S4, if a packet has been received, step S11
Proceed to 2.

In step S112, the port receiving the packet and the source ID of the packet are identified. Next, in step S113, the topology information acquired in step S101 is compared with the source ID of the packet identified in step S112 and the port that has received the packet, and it is determined whether or not there is any inconsistency. If there is an inconsistency, the process proceeds to step S105, and various processes are performed. The various processes in step S105 are the same as the various processes in step S105 in the above-described second embodiment shown in FIG. As a result, the same effects as in the second embodiment can be obtained in the present embodiment. If no inconsistency exists, the process returns to step S104. After the various processes of step S105 are completed, the process returns to step S104.

The method of determination in step S113 of the network monitoring method according to the present embodiment will be described using the network shown in FIG. 2 as an example. As shown in the figure, this network includes nodes 201 to 210 and a network monitoring device 21. A packet transmitted from the node 201 whose source ID is ID = 0 must be received via the port P0 due to the network topology.
When this is received via a port other than the port P0, it is considered that the node 201 with ID = 0 is impersonated as another node.

As described above, the network monitoring method according to the fourth embodiment of the present invention stores network topology information, identifies a port that has received a packet, identifies a source ID of a received packet, Since the consistency between the stored topology information and the identified stored combination of the port and the source ID is determined, the nodes on the network are the spoofed node and the impersonating node. Can be found with the port that is connected. (Fifth embodiment)

FIG. 6 is a schematic block diagram of a network monitoring device 31 according to a fifth embodiment of the present invention. This is different from the first embodiment in that a source identification unit 11 and a time measurement unit 12 are further provided. The same components as those in the above embodiment are denoted by the same reference numerals, and detailed description thereof will be omitted.

The time measuring section 12 measures the time when the state on the bus changes via the transmitting / receiving section 5. The measured time will be described later.

The operation of the network monitoring device 31 according to the present embodiment will be described below.

First, network topology information is collected via the transmission / reception unit 5 and stored in the topology storage unit 6. Next, the response time storage unit 7 pings a node on the network via the transmission / reception unit 5, and pi between the network monitoring device 31 and the other nodes.
ng time is stored. Here, the order of performing pings may be any order.

Next, the packet is received by the source identification unit 11, and the source ID of the packet and the port that received the packet are identified. Furthermore, the time when the state on the bus changes via the transmission / reception unit 5 is measured by the time measurement unit 12. The determination unit 8 measures the topology information stored in the topology storage unit 6, the ping time information stored in the response time storage unit 7, the source ID information identified by the source identification unit 11, and the time measurement unit 12. The measured bus state time measurement information is compared to determine whether there is any inconsistency. When it is determined that there is a contradiction, the various processing units 9 perform various processes similar to those in the first embodiment. As a result, the first embodiment is also used in this embodiment.
The same effect as that of the embodiment can be obtained.

Collection of the above topology information and ping
May be performed at set time intervals, or may be performed when a condition such as a case where the traffic volume is equal to or less than a threshold is set and the condition is satisfied. It is preferable to perform it every time a bus reset occurs, in order to reduce the number of times of collecting information while avoiding insufficient information.

The method of determination by the determination unit 8 of the network monitoring device 31 according to the present embodiment will be described below using the network shown in FIG. 2 as an example. As shown in the figure, this network includes nodes 201 to 210 and a network monitoring device 31.

When the node 201 with ID = 0 transmits a packet, the following procedure is performed. First, it informs that it wants to obtain the right to use the bus to transmit the packet by driving the upstream bus state to the request state. Next, the root node (in this case, the node 210 with ID = 10) drives the bus state of the path to the node 201 with ID = 0 to the grant state. The node 201 of ID = 0, which has detected the grant state, switches the bus to dat
Drive to a prefix state and start sending packets. At this time, when viewed from the network monitoring device 31, the data state is changed after the bus state changes to the grant state.
By the time the state changes to the aprefix state, approximately the time of the following equation (1) should elapse.

PHY delay × 4 + cable delay × 4 + ping time Expression (1)

If the time between grant and dataprefix immediately before receiving the packet with the source ID = 0 is different from the value of the above equation (1), the packet is not transmitted by the node 201 with the ID = 0. it is conceivable that.

In addition, grant-data p
If the time between refixes is the following equation (2), this value matches the value when the node 203 with ID = 2 transmits a packet.
It is considered that the node 201 is impersonating 0.

PHY delay × 2 + cable delay × 2 + ping time Expression (2) The time measured by the time measuring unit 12 is grant-dat.
In addition to the time between a prefixes, data end-r
time between requests, data end-data p
Time between refixes or data end-ACK
The time between data prefixes can be considered.

In addition, these cases are based on the assumption that the root node is normal. In consideration of the possibility that the root node is an incorrect node, request-gr
ant time, request-data pref
The time between ix is also a source of judgment. Therefore, the time measuring unit 1
2 is the time between request and grant or re
The time between quest-data prefixes may be measured, whereby the same effect can be obtained even when the root node is an incorrect node.

As described above, the network monitoring apparatus 31 according to the fifth embodiment of the present invention comprises a transmitting / receiving unit 5 and a topology storage unit 6 for storing network topology information collected via the transmitting / receiving unit 5. Response time storage unit 7 for executing ping and storing the obtained ping time
When a packet is received via the transmission / reception unit 5, the source ID of the packet and the source identification unit 11 for identifying the port that received the packet, and the time when the state on the bus changes via the transmission / reception unit 5 The time measurement unit 12 to be measured, the topology information stored in the topology storage unit 6, the ping time information stored in the response time storage unit 7, the source ID identified by the source identification unit 11, the time measurement unit 12, Is provided with a judgment unit 8 for comparing the time measured in the step S1 to judge whether there is any inconsistency and various processing units 9.
From among the nodes on the network, a spoofed node and a candidate for a spoofing node can be found. (Sixth embodiment)

FIG. 7 is a flowchart showing a network monitoring method according to the sixth embodiment of the present invention. This is mainly different from the second embodiment in that steps S121 to S123 are provided instead of step S103.

As shown in the figure, in step S101, network topology information is obtained. Next, in step S102, ping is executed for the nodes on the network, and a ping time is acquired. Next, in step S104, the process waits for the occurrence of a bus reset. If no bus reset is detected in step S104, the process returns to step S101. If a bus reset is detected, the process proceeds to step S121.

In step S121, the change time of the bus state is measured. The time measured here will be described later. Next, in step S122, the port receiving the packet and the source ID of the packet are identified. Next, in step S123, the topology information obtained in step S101, the response time obtained in step S102, the bus state change time information measured in step S121, and the source ID information of the packet identified in step S122 are compared. , To determine if a contradiction exists. If a contradiction exists, various processes are performed in step S105. Various processes in step S105 include:
Since this is the same as the various processes in step S105 in the second embodiment shown in FIG. 3, detailed description will be omitted. As a result, the same effects as in the second embodiment can be obtained in the present embodiment. If no inconsistency exists, the process returns to step S104. Step S105
After the various processes are completed, the process returns to step S104.

The method of determination in step S123 of the network monitoring method according to the present embodiment will be described using the network shown in FIG. 2 as an example. As shown in the figure, this network includes nodes 201 to 210 and a network monitoring device 31.

When the node 201 with ID = 0 transmits a packet, the following procedure is performed. First, it is notified that the right to use the bus to transmit the packet is desired by driving the upstream bus state to the request state. Next, the root node (in this case, the node 210 with ID = 10) drives the bus state of the path to the node 201 with ID = 0 to the grant state. The node 201 of ID = 0 detecting the grant state sets the bus to data
Drive to the prefix state and start sending packets. At this time, when viewed from the network monitoring device 31, the data is changed after the bus state changes to the grant state.
Until the state changes to the prefix state, approximately the time of the following equation (3) should elapse.

PHY delay × 4 + cable delay × 4 + ping time Expression (3)

If the time between grant and dataprefix immediately before receiving the packet with the source ID = 0 is different from the value of the above equation (3), the packet is not transmitted by the node 201 with the ID = 0. it is conceivable that.

Also, grant-data p at that time is used.
If the inter-refix time is the following equation (4), this value matches the value when the node 203 with ID = 2 transmits a packet.
Is presumed to be the node 201 of.

PHY delay × 2 + cable delay × 2 + ping time Expression (4)

The time measured in step S121 is gr
In addition to the time between ant and data prefix, data
a time between end and request, data end
-Data Prefix time or data
The time between dataprefix of end-ACK can be considered.

In addition, these are the cases where the root node is normal beforehand. Considering the possibility that the root node is an invalid node, request-gr
ant time, request-data pref
The time between ix is also a source of judgment. Therefore, step S1
In 21, the time between request and grant or
The inter-request-data-prefix time may be measured, whereby the same effect can be obtained even when the root node is an incorrect node.

As described above, the network monitoring method according to the sixth embodiment of the present invention stores network topology information, executes ping, stores the obtained ping time, and receives a packet. Identify the port, identify the source ID of the received packet, measure the time at which the state on the bus has changed, and store the stored topology information, the stored ping time, and the identified stored source I
Since the consistency between D and the measured time is determined, a spoofed node and a candidate for a spoofing node can be found from the nodes on the network. (Seventh embodiment)

FIG. 8 is a schematic block diagram of a network monitoring device 41 according to a seventh embodiment of the present invention. This is different from the first embodiment in that a source order identification unit 13 is provided instead of the response time storage unit 7.
The same components as those in the first embodiment are denoted by the same reference numerals, and detailed description thereof will be omitted.

The source order identification unit 13 identifies the source ID of a received packet and the order of reception when a continuous packet is received.

The operation of the network monitoring device 41 according to the present embodiment will be described below.

First, network topology information is collected via the transmission / reception unit 5 and stored in the topology storage unit 6. Next, when a continuous packet is received by the source order identification unit 13, the source ID of the continuous packet and the reception order are identified. The determination unit 8 compares the topology information stored in the topology storage unit 6 with the source ID of the packet identified by the source order identification unit 13 and its reception order, and determines whether there is any contradiction. When it is determined that there is a contradiction, the various processing units 9 perform various processes similar to those in the first embodiment. As a result, the same effects as in the first embodiment can be obtained in this embodiment.

The above-mentioned collection of topology information may be performed at every set time, or may be performed when a condition such as a case where the traffic volume is equal to or less than a threshold is set and the condition is satisfied. It is preferable to carry out each time a bus reset occurs, in order to reduce the number of times of information collection while avoiding insufficient information.

The method of determination by the determination unit 8 of the network monitoring device 41 according to the present embodiment will be described below using the network shown in FIG. 2 as an example. As shown in the figure, this network includes nodes 201 to 210 and a network monitoring device 41. Node 206 with ID = 6 and ID
When a continuous packet is transmitted from the node 207 having the ID = 7 and the node 209 having the ID = 9, the order of the packets is as follows: the node 206 having the ID = 6 and the node 20 having the ID = 7.
7, node 209 with ID = 9. If a continuous packet in any other order is observed, a contradiction exists.

If the contradictory order is the node 207 with ID = 7, the node 209 with ID = 9, and the node 206 with ID = 6, the node 207 with ID = 7
It can be seen that the order of the nodes 209 with ID = 9 is correct, but the order of the nodes 206 with ID = 6 is unnatural.

From this, it is understood that there is a possibility that the node 206 with ID = 6 may be spoofed, and from the topology information, the node performing spoofing may be ID = 9.
It can be understood that there is a possibility that the node is a node located at a position closer to the root than the node 206 of FIG.

As described above, the network monitoring apparatus 41 according to the seventh embodiment of the present invention comprises a transmitting / receiving unit 5 and a topology storage unit 6 for storing network topology information collected via the transmitting / receiving unit 5. When receiving successive packets, the source order identification unit 13 identifies the source ID of the received packets and the order in which they are received, the topology information stored in the topology storage unit 6, and the source order identification unit 13. The source ID of the received packet is compared with the order in which the packets are received, and a determination unit 8 that determines whether there is any inconsistency and various processing units 9 are provided. Node and a candidate for a spoofing node can be found. (Eighth embodiment)

FIG. 9 is a flowchart showing a network monitoring method according to the eighth embodiment of the present invention. This is different from the second embodiment in that steps S102 and S102
Steps S131 through S1 instead of 103
The main difference is that 33 is provided.

As shown in the figure, in step S101, network topology information is obtained. Next, in step S104, the process waits for the occurrence of a bus reset. In step S104, if a bus reset is detected, the process returns to step S101; otherwise, the process proceeds to step S131. In step S131, reception of a continuous packet is awaited. Step S131
If no packet is received in step S
Returning to 104, if a packet has been received, step S
Go to 132.

In step S132, the order in which packets were received and the source ID of the packets are identified. Next, in step S133, the topology information acquired in step S101 is compared with the source ID of the packet identified in step S132 and the order in which the packets were received, and it is determined whether there is any contradiction. If a contradiction exists, various processes are performed in step S105. Step S1
The various processes in 05 are the same as the various processes in step S105 in the above-described second embodiment shown in FIG. As a result, the same effects as in the second embodiment can be obtained in the present embodiment. If there is no inconsistency, step S104
Return to After the various processes of step S105 are completed,
It returns to step S104.

The method of determination in step S133 of the network monitoring method according to the present embodiment will be described using the network shown in FIG. 2 as an example. As shown in the figure, this network includes nodes 201 to 210 and a network monitoring device 41. Node 206 with ID = 6 and ID
When a continuous packet is transmitted from the node 207 having the ID = 7 and the node 209 having the ID = 9, the order of the packets is as follows: the node 206 having the ID = 6 and the node 20 having the ID = 7.
7, node 209 with ID = 9. If a continuous packet in any other order is observed, a contradiction exists.

If the inconsistent order is the node 207 with ID = 7, the node 209 with ID = 9, and the node 206 with ID = 6, the node 207 with ID = 7
It can be seen that the order of the nodes 209 with ID = 9 is correct, but the order of the nodes 206 with ID = 6 is unnatural.

From this, it is understood that there is a possibility that the node 206 with ID = 6 may have been spoofed.
It can be understood that there is a possibility that the node is a node located at a position closer to the root than the node 206 of FIG.

As described above, the network monitoring method according to the eighth embodiment of the present invention stores the topology information of the network, and when a continuous packet is received, the source ID of the received packet and the reception order. And the stored topology information and the source I of the identified packet
Since the consistency between D and its reception order is determined, a spoofed node and a candidate for a spoofing node can be found from the nodes on the network. (Ninth embodiment)

FIG. 10 is a schematic block diagram of a network monitoring device 51 according to a ninth embodiment of the present invention. This is different from the first embodiment in that an ACK source identification unit 14 is provided instead of the response time storage unit 7. The same components as those in the first embodiment are denoted by the same reference numerals,
Detailed description is omitted.

The ACK source identification unit 14 identifies the ACK, the source ID of the packet following the ACK, and the order of reception when the ACK is received.

The operation of the network monitoring device 51 according to the present embodiment will be described below.

First, the topology information of the network is collected via the transmission / reception unit 5 and stored in the topology storage unit 6. Next, the ACK source order identification unit 14
A packet continuous to K is received, and the ACK, the source ID of the packet following the ACK, and the reception order are identified. The determination unit 8 compares the topology information stored in the topology storage unit 6, the ACK identified by the ACK source order identification unit 14, the source ID of the packet, and the reception order to determine whether there is any contradiction. Is done. When it is determined that there is a contradiction, the various processing units 9 perform various processes similar to those in the first embodiment. As a result, the same effects as in the first embodiment can be obtained in this embodiment.

The above-mentioned collection of the topology information may be performed at every set time, or may be performed when a condition such as a case where the traffic volume is equal to or less than a threshold is set and the condition is satisfied. It is preferable to carry out each time a bus reset occurs, in order to reduce the number of times of information collection while avoiding insufficient information.

The method of determination by the determination unit 8 of the network monitoring device 51 according to the present embodiment will be described below, taking the network shown in FIG. 2 as an example. As shown in the figure, this network includes nodes 201 to 210 and a network monitoring device 51.

A sent from node 207 with ID = 7
Packets can be consecutively transmitted to CK because ID =
9 and only node 210 with ID = 10. Packets with other source IDs are ID = 7
If the ACK of the node 207 is continued, there is a contradiction. ACK of node 207 with ID = 7
In the case where packets having the source ID of the node 206 having the ID = 6 are continuous, it is understood that the node 206 having the ID = 6 may be spoofed. Also, it can be understood that the impersonating node may be the node 209 with ID = 9 or the node 210 with ID = 10.

As described above, the network monitoring apparatus 51 according to the ninth embodiment of the present invention includes a transmitting / receiving unit 5 and a topology storage unit 6 for storing network topology information collected via the transmitting / receiving unit 5. ACK source identification unit 14 for identifying the ACK, the source ID of the packet following the ACK, and the order in which the ACK is received, the topology information stored in topology storage unit 6, and the ACK source Since it includes a determination unit 8 for comparing the source ID of the packet identified by the identification unit 14 and the order of reception thereof and determining whether or not there is any inconsistency, and various processing units 9, each of the nodes on the network has From among them, it is possible to find a spoofed node and a candidate for a spoofing node. (Tenth embodiment)

FIG. 11 is a flowchart showing a network monitoring method according to the tenth embodiment of the present invention. This is mainly different from the second embodiment in that steps S141 to S143 are provided instead of steps S102 and S103.

As shown in the figure, in step S101, network topology information is obtained. Next, in step S104, the process waits for the occurrence of a bus reset. In step S104, if a bus reset is detected, the process returns to step S101; otherwise, the process proceeds to step S141. In step S141, reception of a packet consecutive to ACK is awaited. In step S141, if a packet has not been received, the process returns to step S104, and if a packet has been received, the process proceeds to step S142.

In step S142, ACK and the source ID of the packet are identified. Next, step S143
In, the topology information acquired in step S101 is compared with the ACK identified in step S142 and the source ID of the packet, and it is determined whether or not a contradiction exists.
If there is an inconsistency, the process proceeds to step S105, and various processes are performed. The various processes in step S105 are described in FIG.
Step S1 in the second embodiment shown in FIG.
Since the various processes are the same as those of the process 05, detailed description is omitted. As a result, the same effects as in the second embodiment can be obtained in the present embodiment. If no inconsistency exists, the process returns to step S104. After the various processes of step S105 are completed, the process returns to step S104.

The method of determination in step S143 of the network monitoring method according to the present embodiment will be described using the network shown in FIG. 2 as an example. As shown in the figure, this network includes nodes 201 to 210 and a network monitoring device 51.

A sent from node 207 with ID = 7
A packet can be continuously transmitted to CK because ID = 9 on the topology.
And the node 210 with ID = 10. Packets with other source IDs are ID = 7
If the ACK of the node 207 is continued, there is a contradiction. ACK of node 207 with ID = 7
In the case where packets having the source ID of the node 206 having the ID = 6 are continuous, it is understood that the node 206 having the ID = 6 may be spoofed. Also, it can be understood that the impersonating node may be the node 209 with ID = 9 or the node 210 with ID = 10.

As described above, the network monitoring method according to the tenth embodiment of the present invention stores the topology information of the network and, when receiving a packet continuous to the ACK, receives the received ACK and the packet continuous to the ACK. The source ID of the packet and its reception order are identified, and the consistency between the stored topology information, the identified ACK, the source ID of the packet, and the reception order is determined. Node and a candidate for a spoofing node can be found. (Eleventh embodiment)

FIG. 12 is a schematic block diagram of a network monitoring device 61 according to the eleventh embodiment of the present invention. This is different from the fifth embodiment shown in FIG. 6 in that a routing table check unit 15 is further provided. The same components as those in the above embodiment are denoted by the same reference numerals,
Detailed description is omitted.

The routing table checking unit 15 is connected to the judging unit 8 and the transmitting / receiving unit 5. The judging unit 8 judges that there is no inconsistency, and the source ID obtained through the judging unit 8 is a virtual node ID. If there is, a routing table of a network relay device such as a bridge is acquired.

The operation of the network monitoring device 61 according to the present embodiment will be described below.

First, the topology information of the network is collected via the transmission / reception unit 5 and stored in the topology storage unit 6. Next, the response time storage unit 7 pings a node on the network via the transmission / reception unit 5, and pi between the network monitoring device 61 and the other nodes.
ng time is stored. Here, the order of performing pings may be any order.

Next, the packet is received by the source identification unit 11, and the source ID of the packet and the port that received the packet are identified. Furthermore, the time when the state on the bus changes via the transmission / reception unit 5 is measured by the time measurement unit 12. The determination unit 8 measures the topology information stored in the topology storage unit 6, the ping time information stored in the response time storage unit 7, the source ID information identified by the source identification unit 11, and the time measurement unit 12. The measured bus state time measurement information is compared to determine whether there is any inconsistency. When it is determined that there is a contradiction, the various processing units 9 perform various processes similar to those in the first embodiment. As a result, the first embodiment is also used in this embodiment.
The same effect as that of the embodiment can be obtained.

Collection of the above topology information and ping
May be performed at set time intervals, or may be performed when a condition such as a case where the traffic volume is equal to or less than a threshold is set and the condition is satisfied. It is preferable to perform it every time a bus reset occurs, in order to reduce the number of times of collecting information while avoiding insufficient information.

If the source ID is a virtual node ID, the node that transmitted the packet is a network relay device such as a bridge or a router. If it is determined that there is no inconsistency and the source ID is the virtual node ID, the routing table check unit 15 acquires the routing table of the network relay device. Thereafter, the determination unit 8 compares the source ID information of the source identification unit 11 with the routing table information of the routing table check unit 15 to determine whether or not there is any inconsistency. If it is determined that inconsistency exists, various processing units 9
Performs the processing. By caching the routing table, it is not necessary to go to obtain the routing table every time.

As described above, the network monitoring apparatus 61 according to the eleventh embodiment of the present invention includes the transmission / reception unit 5 and the topology storage unit 6 for storing the topology information of the network collected via the transmission / reception unit 5. Response time storage unit 7 for executing ping and storing the obtained ping time
When a packet is received via the transmission / reception unit 5, the source ID of the packet and the source identification unit 11 for identifying the port that received the packet, and the time when the state on the bus changes via the transmission / reception unit 5 The time measurement unit 12 to be measured, the topology information stored in the topology storage unit 6, the ping time information stored in the response time storage unit 7, the source ID identified by the source identification unit 11, the time measurement unit 12, Is compared with the time measured in step (a) to determine whether or not there is any inconsistency. The determination unit 8 determines that there is no inconsistency, and the source ID obtained through the determination unit 8 is a virtual ID. If the node ID is a node ID, the network device includes a routing table check unit 15 for acquiring a routing table of a network relay device such as a bridge, and various processing units 9. From the node above it can be found and a node that is spoofed, a candidate for doing impersonation node. (Twelfth embodiment)

FIG. 13 is a flowchart showing a network monitoring method according to the twelfth embodiment of the present invention. This is different from the sixth embodiment shown in FIG. 7 in that steps S151 to S153 are further provided.

As shown in the figure, in step S101, network topology information is obtained. Next, in step S102, ping is executed for the nodes on the network, and a ping time is acquired. Next, in step S104, the process waits for the occurrence of a bus reset. If no bus reset is detected in step S104, the process returns to step S101. If a bus reset is detected, the process proceeds to step S121.

At step S121, the change time of the bus state is measured. Next, in step S122,
Identify the port that received the packet and the source ID of the packet. Next, in step S123, step S
The topology information acquired in step S101, the response time acquired in step S102, the change time information of the bus state measured in step S121, and the source ID information of the packet identified in step S122 are compared, and there is any inconsistency. Judge whether or not. If there is no inconsistency, the process proceeds to step S151, and it is determined whether the source node is a bridge. If it is not a bridge, the process returns to step S104; if it is a bridge, it returns to step S104.
At 152, a routing table is obtained. The routing table is compared with the source ID of the packet to determine whether or not there is any inconsistency. If a contradiction exists, various processes are performed in step S105. The various processes in step S105 are the same as the various processes in step S105 in the above-described second embodiment shown in FIG. As a result, the same effects as in the second embodiment can be obtained in the present embodiment.
On the other hand, if there is no inconsistency, step S104
Return to After the various processes of step S105 are completed,
It returns to step S104.

Here, a bridge refers to a device having a routing table and a packet relay function. By caching the routing table, it is not necessary to go to obtain the routing table every time.

As described above, the network monitoring method according to the twelfth embodiment of the present invention stores the topology information of the network, executes the ping, and obtains the obtained ping.
Storing the time, identifying the port that received the packet, identifying the source ID of the received packet, measuring the time at which the state on the bus changed, storing the topology information, the stored ping time, Determine the consistency between the identified stored source ID and the measured time, and if the identified source ID indicates a bus other than the local bus, check the routing table of the bridge;
Since a case where the source ID and the routing table conflict is found, a spoofed node and a candidate for a spoofing node can be found from the nodes on the network. (Thirteenth embodiment)

FIG. 14 is a schematic block diagram showing a repeater device 71 according to a thirteenth embodiment of the present invention. As shown in the figure, the repeater device 71 of the present embodiment includes a transmitting / receiving unit 5, a topology storage unit 6, a destination identification unit 16, and a port control unit 17. The same components as those in the first embodiment are denoted by the same reference numerals, and detailed description thereof will be omitted.

The destination identifying section 16 identifies the destination ID of the packet when the transmitting / receiving section 5 receives the packet. Port control unit 17
Is to judge the state of the port from the topology information stored in the topology storage unit 6 and the destination ID information identified by the destination identification unit 16 and to control the port related to packet repeat.

Hereinafter, the repeater device 71 of this embodiment will be described.
Will be described.

First, the topology information of the network is collected via the transmission / reception unit 5 and stored in the topology storage unit 6. Next, when the transmission / reception unit 5 receives the packet, the destination identification unit 16 identifies the destination ID of the packet. Next, the port control unit 17 stores the topology information of the network stored in the topology storage unit 6 and the destination identification unit 1.
The status of the port is determined from the destination ID information identified in 6 and the port related to the packet repeat is controlled. The port control method will be described later.

The above-mentioned collection of topology information may be performed at every set time, or may be performed when a condition such as a case where the traffic volume is equal to or less than a threshold is set and the condition is satisfied. It is preferable to carry out each time a bus reset occurs, in order to reduce the number of times of information collection while avoiding insufficient information.

A method of port control in the port control unit 17 of the repeater device 71 according to the present embodiment will be described below using the network shown in FIG. 2 as an example. As shown in the figure, this network includes nodes 201 to 210 and a repeater device 71.

If the destination ID of the packet is 3, this packet can play the role of a packet if it is repeated only to the port P2 to which the node 204 with ID = 3. Port, port P0 and port P1 do not need to be repeated.

However, some data needs to be driven to indicate that it is occupying the bus. Therefore, the port control unit 17 controls the ports as follows.

The port P2 repeats the packet as usual. The port that received the packet does not repeat as usual. The port P0 and the port P1 repeat a dummy having the same size as the packet. The dummy may be a packet in which an important part such as the data payload of the packet is rewritten, or a harmless packet prepared in advance, and data prefix may be continuously output instead of the packet.

As described above, the repeater device according to the thirteenth embodiment of the present invention comprises a transmitting / receiving unit 5, a topology storing unit 6 for storing network topology information collected via the transmitting / receiving unit 5, When the transmission / reception unit 5 receives the packet, the destination identification unit 16 for identifying the destination ID of the packet, the topology information stored in the topology storage unit 6, and the destination ID identified by the destination identification unit 16 From the information
A port control unit 17 for judging the state of the port and controlling the port related to packet repeat,
It is possible to prevent the packet contents from flowing to nodes other than the nodes on the path between the source node and the destination node, and it is possible to reduce the possibility of eavesdropping on the packet contents. (14th embodiment)

FIG. 15 is a flowchart showing a repeat method according to the fourteenth embodiment of the present invention. As shown in the figure, in step S101, network topology information is obtained. In step S104, the process waits for a bus reset to occur. If a bus reset is detected in step S104, step S101
The process returns to step S161 if not detected.
In step S161, reception of a packet is awaited. In step S161, if a packet has not been received, the process returns to step S104, and if a packet has been received, the process proceeds to step S162. Step S162
In, the repeat of the port is controlled as described later.

The method of port control in step S162 of the network monitoring method according to the present embodiment will be described using the network shown in FIG. 2 as an example. As shown in the figure, this network includes nodes 201 to 210 and a repeater device 71.

If the destination ID of the packet is 3, if this packet is repeated only to the port P2 to which the node 204 of ID = 3 is connected, it can fulfill the role of the packet. Port, port P0 and port P1 do not need to be repeated.

However, some data needs to be driven to indicate that it is occupying the bus. Therefore, the port control unit 17 controls the ports as follows.

The port P2 repeats the packet as usual. The port that received the packet does not repeat as usual. The port P0 and the port P1 repeat a dummy having the same size as the packet. The dummy may be a rewritten portion of the packet, such as the data payload, which is considered important, or a harmless packet prepared in advance.
a prefix may be continuously output.

As described above, in the repeat method according to the fourteenth embodiment of the present invention, the topology information of the network is stored, the destination ID of the packet is identified, and the stored topology information and the identified destination are stored. Since the port status is determined from the nation ID information and the port related to the packet repeat is controlled, it is possible to prevent the packet contents from flowing to nodes other than the nodes on the route between the source node and the destination node. That is, the possibility that the packet contents are eavesdropped can be reduced. (Fifteenth embodiment)

The network device (not shown) of the fifteenth embodiment of the present invention receives warnings from the various processing units 9 of the network monitoring devices 1, 21, 31, 41, 51 and 61 of the above embodiments. Warning receiver (not shown)
And an information collection unit (not shown) that collects the status when a warning occurs
And a display unit (not shown) for notifying the user of the collected information.

The contents displayed here include the grounds for warning, time, network topology, system diagram, ID of incorrect node, name, location on topology, location on system,
ID of the node that issued the warning, name, topological location,
The position on the system, the contents of the packet with the warning, the contents of the currently flowing packet, and the contents of the processing performed other than the warning can be considered. As a result, the presence of an unauthorized device can be indicated to the user. (Sixteenth embodiment)

In the network protection method according to the sixteenth embodiment of the present invention, when a warning generated in various processes in step S105 of the network monitoring method according to the above embodiment is received, the contents of the warning and the Is displayed to notify the user of the status.

The contents displayed here include the grounds for warning, time, network topology, system diagram, ID of incorrect node, name, location on topology, location on system,
ID of the node that issued the warning, name, topological location,
The position on the system, the contents of the packet with the warning, the contents of the currently flowing packet, and the contents of the processing performed other than the warning can be considered. As a result, the presence of an unauthorized device can be indicated to the user. (Seventeenth embodiment)

The network device (not shown) according to the seventeenth embodiment of the present invention receives warnings from the various processing units 9 of the network monitoring devices 1, 21, 31, 41, 51 and 61 according to the above embodiments. Warning receiver (not shown)
And an information collection unit (not shown) that collects the status when a warning occurs
And a public line communication unit (not shown) connected to the public line
And

[0193] The network device according to the present embodiment includes a network monitoring device 1, 21, 31,
When a warning is received from any one of the various processing units 41, 51 and 61, the contents of the warning are transmitted to the public line.

Telephone, mobile phone, PH using telephone line
An abnormality may be notified by connecting to S, a pager, or the like. Also, necessary information may be converted into a voice message, and the information may be notified by telephone, mobile phone, PHS, or the like. Further, the image may be converted into a code and displayed on a mobile phone, a PHS, a pager, or the like, and the image may be transmitted as a fax signal.

[0195] Further, necessary information may be transmitted using the Internet, using an electronic mail, an always-on application, a push distribution application, a Web server, or the like. As a result, the presence of an unauthorized device can be indicated to a remote user. (Eighteenth Embodiment)

According to the network protection method of the eighteenth embodiment of the present invention, when a warning generated in various processes in step S105 of the network monitoring method of the above embodiment is received, the content of the warning is sent to a public line. Transmit.

Telephone, cellular phone, PH using telephone line
An abnormality may be notified by connecting to S, a pager, or the like. Also, necessary information may be converted into a voice message, and the information may be notified by telephone, mobile phone, PHS, or the like. Further, the image may be converted into a code and displayed on a mobile phone, a PHS, a pager, or the like, and the image may be transmitted as a fax signal.

[0198] Further, necessary information may be transmitted using the Internet by using an electronic mail, an always-on type application, a push distribution type application, a Web server, or the like. As a result, the presence of an unauthorized device can be indicated to a remote user. (Nineteenth Embodiment)

The network device (not shown) of the nineteenth embodiment of the present invention receives warnings from the various processing units 9 of the network monitoring devices 1, 21, 31, 41, 51 and 61 of the above embodiments. Warning receiver (not shown)
And an information collection unit (not shown) that collects the status when a warning occurs
And a storage unit (not shown) for recording information.

[0200] The network device according to the present embodiment includes a network monitoring device 1, 21, 31,
When a warning is received from any one of the various processing units 41, 51, and 61, information such as the content of the warning and the state at the time of the warning is recorded.

The information recorded here includes the grounds for the warning, the time, the network topology, the system diagram, the ID of the invalid node, the name, the position on the topology, the position on the system,
ID of the node that issued the warning, name, topological location,
The position on the system, the contents of the packet with the warning, the contents of the currently flowing packet, the contents of processing performed other than the warning, and the like can be considered. As a result, the presence of an unauthorized device can be recorded and referenced later. (Twentieth embodiment)

[0202] In the network protection method according to the twentieth embodiment of the present invention, information is recorded when a warning generated in various processes in step S105 of the network monitoring method according to the above embodiment is received.

The information recorded here includes the grounds for warning, time, network topology, system diagram, ID of incorrect node, name, location on topology, location on system,
ID of the node that issued the warning, name, topological location,
The position on the system, the contents of the packet with the warning, the contents of the currently flowing packet, the contents of processing performed other than the warning, and the like can be considered. As a result, the presence of an unauthorized device can be recorded and referenced later. (Twenty-first embodiment)

The network device (not shown) according to the twenty-first embodiment of the present invention receives warnings from the various processing units 9 of the network monitoring devices 1, 21, 31, 41, 51 and 61 according to the above-described embodiments. Warning receiver (not shown)
And an information collecting unit (not shown) for collecting the behavior or state of the device related to the warning, and a storage unit (not shown) for recording information.

[0205] The network device according to the present embodiment includes a network monitoring device 1, 21, 31,
When a warning is received from any of the various processing units 41, 51, and 61, the behavior of any or all of the devices related to the warning is recorded, or the state of the device is recorded. The record registers an unauthorized device as a blacklist and monitors the devices on the blacklist.

Here, as the monitoring content, a packet related to the device may be monitored and recorded, or a register of the device may be obtained and recorded at regular intervals or every bus reset. In addition, the blacklist may be deleted from the list if no fraud has been found for a certain period of time, or may be deleted from the list after device authentication is performed and it is confirmed that the blacklist is normal. Alternatively, it may be deleted from the list after confirming that it has been deleted from the network. Instead of erasing from the list, a sleep state may be set, or the monitoring level may be changed. As a result, the presence and behavior of an unauthorized device can be recorded, referenced later, and an unauthorized behavior can be found. (Twenty-second embodiment)

In the network protection method according to the twenty-second embodiment of the present invention, when a warning generated in various processes in step S105 of the network monitoring method according to the above-described embodiment is received, any one of Alternatively, record the behavior of all devices, or record the status of devices. The record registers an unauthorized device as a blacklist and monitors the devices on the blacklist.

Here, as the monitoring contents, a packet related to the device may be monitored and recorded, or a register of the device may be obtained and recorded at regular intervals or every bus reset. In addition, the blacklist may be deleted from the list if no fraud has been found for a certain period of time, or may be deleted from the list after device authentication is performed and it is confirmed that the blacklist is normal. Alternatively, it may be deleted from the list after confirming that it has been deleted from the network. Instead of erasing from the list, a sleep state may be set, or the monitoring level may be changed. As a result, the presence and behavior of an unauthorized device can be recorded, referenced later, and an unauthorized behavior can be found. (Twenty-third embodiment)

The network device (not shown) according to the twenty-third embodiment of the present invention receives warnings from the various processing units 9 of the network monitoring devices 1, 21, 31, 41, 51 and 61 according to the above-described embodiments. Warning receiver (not shown)
A service processing unit for providing a service to another device; and a service control unit for permitting the provision of the service according to a condition.

[0210] The network device according to the present embodiment includes a network monitoring device 1, 21, 31,
When a warning is received from any one of the various processing units 41, 51, and 61, the service is stopped. Here, stopping the service means accessing from any or all of the devices related to the warning, rejecting the service request until the set condition is satisfied, or changing the service request to the set one.

[0211] To stop the service, the connection established with the unauthorized device may be disconnected, access from the unauthorized device may not be permitted, and the packet from the unauthorized device may not be permitted. May not be received. Alternatively, the service may be changed instead of stopping the service. The service change may be, for example, limiting the access level, limiting the service content, or preparing and supplying a service dedicated to an unauthorized device. As a result, the service provided to the unauthorized device can be limited, and the damage caused by the unauthorized device can be limited. (Twenty-fourth embodiment)

[0212] In the network protection method according to the twenty-fourth embodiment of the present invention, the service is stopped when a warning generated in various processes in step S105 of the network monitoring method according to the above-described embodiment is received.

Here, the suspension of the service means that access from any or all of the devices related to the warning, rejection of the service request until the set condition is satisfied, or change to the set one.

[0214] To stop the service, the connection established with the unauthorized device may be disconnected, access from the unauthorized device may not be permitted, and the packet from the unauthorized device may not be permitted. May not be received. Alternatively, the service may be changed instead of stopping the service. The service change may be, for example, limiting the access level, limiting the service content, or preparing and supplying a service dedicated to an unauthorized device. As a result, the service provided to the unauthorized device can be limited, and the damage caused by the unauthorized device can be limited. (Twenty-fifth embodiment)

The network device (not shown) according to the twenty-fifth embodiment of the present invention receives warnings from the various processing units 9 of the network monitoring devices 1, 21, 31, 41, 51 and 61 according to the above-described embodiments. Warning receiver (not shown)
And a routing unit (not shown) for routing packets, and a routing control unit (not shown) for performing routing settings.

[0216] The network device according to the present embodiment is connected to the network monitoring devices 1, 21, 31,.
When a warning is received from any of the various processing units 9 of 41, 51, and 61, the routing of packets from any or all of the devices related to the warning is stopped or set until the set condition is satisfied. Change the conditions.

As an example, the routing related to the unauthorized device is stopped. Alternatively, instead of stopping, a packet that should normally be routed to an unauthorized device may be routed to a device monitoring the unauthorized device. Further, a packet transmitted from an unauthorized device may be similarly routed to a device monitoring the unauthorized device. Alternatively, the above packet may be routed to a route for an unauthorized node different from a normal routing route, or a packet related to an unauthorized node may not be allowed to enter a specific area.

As a result, the routing of a packet from an unauthorized device can be controlled, and recording can be easily performed, or damage caused by an unauthorized device can be limited. (Twenty-sixth embodiment)

In the network protection method according to the twenty-sixth embodiment of the present invention, when a warning generated in various processes in step S105 of the network monitoring method according to the above-described embodiment is received, a device related to the warning is monitored. Stop the routing of packets from any or all until the set condition is satisfied, or change to the set condition.

[0220] As an example, the routing related to the unauthorized device is stopped. Alternatively, instead of stopping, a packet that should normally be routed to an unauthorized device may be routed to a device monitoring the unauthorized device. Further, a packet transmitted from an unauthorized device may be similarly routed to a device monitoring the unauthorized device. Alternatively, the above packet may be routed to a route for an unauthorized node different from a normal routing route, or a packet related to an unauthorized node may not be allowed to enter a specific area.

Thus, the routing of a packet from an unauthorized device can be controlled, and recording can be performed easily, or damage caused by an unauthorized device can be limited. (Twenty-seventh embodiment)

The network device (not shown) of the twenty-seventh embodiment of the present invention receives warnings from the various processing units 9 of the network monitoring devices 1, 21, 31, 41, 51 and 61 of the above-described embodiments. Warning receiver (not shown)
And a device authentication unit having a device authentication function.

[0223] The network device according to the present embodiment includes a network monitoring device 1, 21, 31,
When a warning is received from any of the various processing units 9 of 41, 51, and 61, device authentication is performed for the related device.
Or start over.

The device authentication may be performed on an unauthorized device in order to confirm the validity of the unauthorized device, or may be performed on devices other than the unauthorized device in order to confirm the influence of the unauthorized device. May be.

As a result, the state of the unauthorized device can be grasped, or the influence of the unauthorized device can be grasped. (Twenty-eighth embodiment)

The network protection method according to the twenty-eighth embodiment of the present invention performs device authentication when a warning generated in various processes in step S105 of the network monitoring method according to the above-described embodiment is received, or Perform device authentication again.

The device authentication may be performed on an unauthorized device to confirm the validity of the unauthorized device, or may be performed on a device other than the unauthorized device to check the influence of the unauthorized device. May be.

As a result, the state of the unauthorized device can be grasped, or the influence of the unauthorized device can be grasped. (Twenty-ninth embodiment)

The network device (not shown) of the twenty-ninth embodiment of the present invention receives warnings from the various processing units 9 of the network monitoring devices 1, 21, 31, 41, 51 and 61 of the above-described embodiments. Warning receiver (not shown)
And an encryption unit for encrypting data.

[0230] The network device according to the present embodiment includes a network monitoring device 1, 21, 31,
When a warning is received from any of the various processing units 9 of 41, 51 and 61, data encryption is performed or an encryption key is re-created.

As a result, it is possible to prevent an unauthorized device from eavesdropping on a packet and prevent spoofing. (Thirtieth embodiment)

The network protection method according to the thirtieth embodiment of the present invention encrypts communication when receiving a warning generated in various processes in step S105 of the network monitoring method according to the above embodiment. Or try to recreate the encryption key.

As a result, it is possible to prevent an unauthorized device from eavesdropping on a packet and prevent spoofing.

[0234]

As described above, the present invention stores network topology information and detects a bus state, a change in the bus state, or a packet inconsistent with the stored topology information so that the network state information is present on the bus. It is possible to provide a network monitoring method having an excellent effect that it is possible to detect a possibility that a device performing the process is impersonating another device.

Further, the present invention comprises a topology storage unit for storing network topology information, and a detection unit for detecting a bus state, a change in bus state, or a packet inconsistent with the stored topology information. An object of the present invention is to provide a network monitoring device having an excellent effect that it is possible to detect a possibility that a device existing on a bus is trying to impersonate another device.

[Brief description of the drawings]

FIG. 1 is a schematic block diagram illustrating a configuration of a network monitoring device according to a first embodiment of this invention.

FIG. 2 is a block diagram showing an example of a network configuration for explaining the behavior of the embodiment;

FIG. 3 is a flowchart illustrating a network monitoring method according to a second embodiment of this invention;

FIG. 4 is a schematic block diagram showing a configuration of a network monitoring device according to a third embodiment of the present invention.

FIG. 5 is a flowchart illustrating a network monitoring method according to a fourth embodiment of the present invention.

FIG. 6 is a schematic block diagram illustrating a configuration of a network monitoring device according to a fifth embodiment of the present invention.

FIG. 7 is a flowchart illustrating a network monitoring method according to a sixth embodiment of the present invention;

FIG. 8 is a schematic block diagram illustrating a configuration of a network monitoring device according to a seventh embodiment of the present invention.

FIG. 9 is a flowchart illustrating a network monitoring method according to an eighth embodiment of the present invention;

FIG. 10 is a schematic block diagram illustrating a configuration of a network monitoring device according to a ninth embodiment of the present invention.

FIG. 11 is a flowchart illustrating a network monitoring method according to a tenth embodiment of the present invention.

FIG. 12 is a schematic block diagram illustrating a configuration of a network monitoring device according to an eleventh embodiment of the present invention.

FIG. 13 is a flowchart illustrating a network monitoring method according to a twelfth embodiment of the present invention.

FIG. 14 is a schematic block diagram illustrating a configuration of a repeater device according to a thirteenth embodiment of the present invention.

FIG. 15 is a flowchart showing a repeat method according to a fourteenth embodiment of the present invention.

[Explanation of symbols]

1, 21, 31, 41, 51, 61 Network monitoring device 5 Transmission / reception unit 6 Topology storage unit 7 Response time storage unit 8 Judgment unit 9 Various processing units 10 Bus P0, P1, P2 port 11 Source identification unit 12 Time measurement unit 13 Source order identification unit 14 ACK source order identification unit 15 Routing table check unit 16 Destination identification unit 17 Port control unit 71 Repeater device

 ──────────────────────────────────────────────────続 き Continued on the front page F term (reference) 5K030 GA15 HA08 HB06 HB28 HB29 KA07 LA02 MA06 MC04 MC06 MC09 5K033 AA08 CB04 CC01 DA13 DB20 EA05 5K035 EE03 EE05 GG01 MM02 MM06

Claims (55)

[Claims] 1. A network monitoring method, comprising storing topology information of a network, and detecting a bus state, a change in bus state, or a packet inconsistent with the stored topology information. 2. Storing topology information of a network, executing a response check command, storing an obtained response time, and determining consistency between the stored topology information and the stored response time. A network monitoring method for finding a case inconsistent with the network topology. 3. Storing network topology information, identifying a port that received the packet, identifying a source ID of the received packet, storing the topology information, the identified port, and the identified source. A network monitoring method characterized by determining consistency with a combination of IDs and finding a case inconsistent in a network topology. 4. A method for storing topology information of a network, executing a response check command and storing an obtained response time, and a time until the state of the network bus changes from a grant state to a data prefix state. Measuring the source ID of the received packet, the stored topology information, the stored response time, the measured time and the identified source ID.
A network monitoring method characterized by determining consistency with a combination of the above and finding a case where there is a contradiction in a network topology. 5. A network for storing topology information of a network, executing a response check command, storing an obtained response time, and a time until the state of the network bus changes from a data end state to a request state. Is determined, the source ID of the received packet is identified, and the stored topology information is determined to be consistent with the combination of the measured time and the identified source ID. A network monitoring method characterized by discovering. 6. Storing topology information of the network, executing a response check command, storing the obtained response time, and changing the bus state from the data end state to the data pr state.
measuring the time to change to the efix state, identifying the source ID of the received packet, and determining consistency between the stored topology information and the combination of the measured time and the identified source ID. A network monitoring method characterized by discovering a case where the network topology is inconsistent. 7. When network topology information is stored, and when packets are continuously received, the source ID of each received packet and the reception order thereof are identified, and the stored topology information and the received A network monitoring method comprising: determining consistency between a source ID of a packet and the reception order; and finding a case inconsistent in a network topology. 8. When topology information of a network is stored, and when an ACK and a data packet are continuously received, a source ID of each received packet and a reception order thereof are identified, and the stored topology information is A network monitoring method, comprising: determining a match between a source ID of the received packet and the reception order, and finding a case inconsistent in a network topology. 9. Storing topology information of a network, executing a response check command, storing an obtained response time, and changing a bus state from a data end state to a data pr state.
measuring the time to change to the efix state, identifying the source node of the received ACK packet, matching the stored topology information with the combination of the measured time and the source node of the identified ACK packet A network monitoring method characterized by judging the nature and finding a case where the network topology is inconsistent. 10. When the identified source ID indicates a bus other than a local bus, check a routing table of a bridge and find a case where the source ID and the routing table are inconsistent. The network monitoring method according to any one of claims 3 to 8, wherein: 11. When a source ID of a received packet is identified, and when the identified source ID indicates a bus other than a local bus, a routing table of a bridge is confirmed. 10. The network monitoring method according to claim 9, wherein a case is found in which the two are inconsistent. 12. The network monitoring method according to claim 2, wherein collection of information used for determination is started with a bus reset as a trigger. 13. The network monitoring method according to claim 2, wherein said packet is discarded when an inconsistency is found. 14. The network monitoring method according to claim 2, wherein said packet is destroyed when an inconsistency is found. 15. The system according to claim 2, wherein when an inconsistency is found, a bus reset is generated.
The network monitoring method according to any one of the above. 16. The network monitoring method according to claim 2, wherein a warning is issued when an inconsistency is found. 17. The network monitoring method according to claim 2, wherein a port is disconnected when an inconsistency is found. 18. A network comprising: a topology storage unit that stores topology information of a network; and a detection unit that detects a bus state, a change in a bus state, or a packet inconsistent with the stored topology information. Monitoring device. 19. A topology storage unit for storing network topology information, a response time storage unit for executing a response inspection command and storing an obtained response time, and a topology information stored in the topology storage unit. A determination unit for determining consistency with the response time stored in the response time storage unit, and discovering a case where there is a contradiction in the network topology. 20. A network monitoring apparatus including a repeater having at least one port, wherein the repeater stores topology information of a network, a port identification unit that identifies a port that has received a packet, Consistency between a source identification unit that identifies a source ID of a packet, topology information stored in the topology storage unit, and a combination of a port identified by the port identification unit and a source ID identified by the source identification unit A network monitoring device, comprising: a determination unit configured to determine whether the network topology is inconsistent. 21. A network monitoring apparatus including a bridge having a plurality of portals, wherein the bridge stores a routing storage unit that stores routing information, a portal identification unit that identifies a portal that has received a packet, and a source of the received packet. Determining a consistency between a source identification unit for identifying an ID, routing information stored in the routing storage unit, and a combination of a portal identified by the portal identification unit and a source ID identified by the source identification unit; A network monitoring device comprising: a determination unit; and detecting a case inconsistent in a network topology. 22. A network monitoring device including a repeater having at least one port, wherein the repeater stores a topology storage unit for storing network topology information, and stores a response time obtained by executing a response inspection command. Response time storage unit that changes the bus state from the grant state to the data
a time measuring unit that measures a time until the state changes to the x state; a source identifying unit that identifies a source ID of a received packet; topology information stored in the topology storage unit; and a response time storage unit that is stored in the response time storage unit. A response time, a determination unit for determining the consistency between the time measured by the time measurement unit and the combination of the source ID identified by the source identification unit, and finding a case inconsistent in a network topology. A network monitoring device characterized by the above-mentioned. 23. A network monitoring device including a repeater having at least one port, wherein the repeater stores a topology storage unit for storing network topology information, and stores a response time obtained by executing a response inspection command. The response time storage unit that changes the bus state from the data end state to the request state
A time measuring unit for measuring a time until the state changes, a source identifying unit for identifying a source ID of a received packet, topology information stored in the topology storage unit, and a response stored in the response time storage unit A time, a judgment unit for judging the consistency of information of a combination of the time measured by the time measurement unit and the source ID identified by the source identification unit, and finding a case inconsistent in a network topology. A network monitoring device characterized by the above-mentioned. 24. A network monitoring apparatus including a repeater having at least one port, wherein the repeater stores a topology storage unit for storing network topology information, and stores a response time obtained by executing a response inspection command. Response time storage unit, and the bus state changes from the data end state to the data pr state
a time measuring unit that measures a time until the state changes to an efix state; a source identifying unit that identifies a source ID of a received packet; topology information stored in the topology storage unit; and a response time stored in the response time storage unit. A response time, and a determination unit that determines the consistency between the time measured by the time measurement unit and the combination of the source ID identified by the source identification unit. Characteristic network monitoring device. 25. A network monitoring device including a repeater having at least one port, wherein the repeater stores a topology storage unit for storing network topology information, and a source ID of each packet when a series of packets is received. And a source order identification unit for identifying the reception order, and topology information stored in the topology storage unit, and a determination unit for determining consistency between the source ID identified by the source order identification unit and the reception order. A network monitoring device, comprising: detecting a case inconsistent with a network topology. 26. A network monitoring apparatus including a repeater having at least one port, wherein the repeater receives a ACK and a series of data packets when the repeater receives a series of ACKs and data packets. An ACK source order identification unit for identifying the source ID and the reception order thereof, the topology information stored in the topology storage unit, and the consistency between the source ID identified by the ACK source identification unit and the reception order. A network monitoring device, comprising: a determination unit configured to detect a contradiction in a network topology. 27. A network monitoring device including a repeater having at least one port, wherein the repeater stores a topology storage unit for storing network topology information, and stores a response time obtained by executing a response inspection command. Response time storage unit, and the bus state changes from the data end state to the data pr state
a time measurement unit that measures a time until the state changes to the efix state; a source identification unit that identifies a source node of a received ACK packet; topology information stored in the topology storage unit; and a response time storage unit that is stored in the response time storage unit. Response time, the time measured by the time measurement unit, and the AC identified by the source identification unit.
A network monitoring device, comprising: a determination unit configured to determine consistency between a combination of the source nodes of the K packets and a network topology. 28. A routing table checking unit for checking a routing table of a bridge; a source ID identified by the source identifying unit; and consistency between the routing table of the bridge identified by the routing table checking unit. 27. The network monitoring apparatus according to claim 20, further comprising: a determination unit configured to detect a contradiction in a network topology. 29. A source identification unit for identifying a source ID of a packet, a routing table confirmation unit for confirming a routing table of a bridge, a source ID identified by the source identification unit, and a confirmation by the routing table confirmation unit. 28. The network monitoring device according to claim 27, further comprising: a determination unit configured to determine consistency of the bridge with the routing table, and to detect a case where the bridge is inconsistent in a network topology. 30. The network monitoring apparatus according to claim 19, wherein a collection of information used by said determination unit is started with a bus reset as a trigger. 31. The network monitoring apparatus according to claim 19, further comprising a packet discard processing unit that discards the packet when an inconsistency is found. 32. The network monitoring apparatus according to claim 19, further comprising a packet destruction processing unit that destroys the packet when an inconsistency is found. 33. The network monitoring apparatus according to claim 19, further comprising a bus reset generation processing unit that generates a bus reset when a contradiction is found. 34. The apparatus according to claim 1, further comprising a warning generation processing unit that generates a warning when an inconsistency is found.
The network monitoring device according to any one of claims 9 to 30. 35. The network monitoring device according to claim 19, further comprising a port connection control processing unit that disconnects a port when a contradiction is found. 36. A port for storing network topology information, identifying a destination ID of a packet, determining a port state based on a combination of the topology information and the destination ID, and repeating the packet. And a port for repeating dummy information. 37. The repeat method according to claim 36, wherein the information collection is started with a bus reset as a trigger. 38. A topology storage unit for storing topology information of a network, a destination identification unit for identifying a destination ID of a packet, and topology information stored in the topology storage unit and identified by the destination identification unit. A repeater device comprising: a port controller that determines a port state based on the combination information of the destination IDs and determines a port that repeats the packet and a port that repeats the dummy information. . 39. The repeater according to claim 38, wherein the information collection is started by a bus reset as a trigger. 40. A network protection method comprising: receiving a warning from the network monitoring method according to claim 16; and notifying a user of the content of the warning and a state at the time of the warning. 41. A network protection method comprising: receiving a warning from the network monitoring method according to claim 16; and notifying a user of the content of the warning and a state at the time of the warning via a public line. Method. 42. A network protection method comprising: receiving a warning from the network monitoring method according to claim 16; and recording a content of the warning and a state at the time of the warning. 43. Receiving a warning from the network monitoring method according to claim 16, recording the behavior of any or all devices related to the warning, or recording the status of the device. How to protect your network. 44. Receiving the warning from the network monitoring method according to claim 16, denying access and service requests from any or all of the devices related to the warning until a set condition is satisfied. Or a network protection method characterized by changing to a set one. 45. Upon receiving the warning from the network monitoring method according to claim 16, routing of packets from any or all of the devices related to the warning is stopped until a set condition is satisfied. Or a network protection method characterized by changing to set conditions. 46. A network protection method comprising: receiving a warning from the network monitoring method according to claim 16; 47. A network protection method comprising: receiving a warning from the network monitoring method according to claim 16; encrypting data; or recreating an encryption key. 48. A warning receiving unit that receives a warning from the network monitoring device according to claim 34, an information collecting unit that collects a state at the time of occurrence of the warning, and a display unit that notifies a user of the collected information. A network device for notifying a user of a content of a warning at the time of a warning and a state at the time of occurrence of the warning. 49. A warning receiving unit for receiving a warning from the network monitoring apparatus according to claim 34, an information collecting unit for collecting a state at the time of occurrence of the warning, and a public line communication unit connected to a public line. A network device for notifying the user of the content of the warning and the state of the warning at the time of the warning via a public line. 50. A warning receiving unit that receives a warning from the network monitoring device according to claim 34, an information collecting unit that collects a state at the time of occurrence of the warning, and a storage unit that records information. A network device for recording contents of a warning and a state at the time of the warning. 51. A warning receiving unit for receiving a warning from the network monitoring device according to claim 34, an information collecting unit for collecting a behavior or a state of a device related to the warning, and a storage unit for recording information. And recording the behavior of any or all of the devices related to the warning, or recording the status of the devices. 52. A warning receiving unit for receiving a warning from the network monitoring device according to claim 34, a service processing unit for providing a service to another device, and a service control unit for permitting the provision of the service according to a condition. A network device, comprising: rejecting access from any or all of devices related to a warning, a service request until a set condition is satisfied, or changing the service request to a set one. 53. An alarm receiving section for receiving an alarm from the network monitoring apparatus according to claim 34, a routing section for performing packet routing, and a routing control section for performing routing setting. A network device, which stops the routing of packets from any or all of the devices until a set condition is satisfied or changes the route to a set condition. 54. A warning receiving unit for receiving a warning from the network monitoring device according to claim 34, and a device authentication unit having a device authentication function, wherein device authentication is performed on a related device, or A network device characterized by redoing. 55. An alarm receiving unit for receiving an alarm from the network monitoring apparatus according to claim 34, and an encryption unit for encrypting data, wherein the encryption unit performs data encryption or re-encrypts an encryption key. A network device characterized by being created.