JP2004064694A - Load distribution method for packet collection in communication network, and its device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a load distribution method for packet collection in a communication network and its device capable of collecting and analyzing one of packets through the TCP (transmission control protocol) by only one packet collecting and analyzing device without generating errors in packets to be collected when performing load distribution, and without using the other packet collecting and analyzing device. <P>SOLUTION: Rules 211 to 21n for each identifying the packet are configured in the packet collecting and analyzing devices 201 to 20n, respectively. Each of the rules to be configured in respective devices has exclusive content, and each of the packets flowing through the network 13 is set to be matching any one of the rules. Each of the packets can be thus collected and analyzed by any one of the packet collecting and analyzing devices 201 to 20n without fail. <P>COPYRIGHT: (C)2004,JPO

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention relates to a load distribution method and apparatus for packet collection in a communication network. More specifically, according to the present invention, a single packet collection / analysis device can prevent a packet to be collected at the time of load distribution from being missed, and a series of packets by TCP without straddling a plurality of packets. The present invention relates to a load distribution method and apparatus for packet collection in a communication network.
[0002]
[Prior art]
As a means for grasping the communication status in a communication network such as the Internet, a method of collecting and analyzing packets flowing in the network is widely used. Traditionally, this method has been used to examine traffic in the network, but in recent years, as the number of unauthorized intrusions via the Internet has increased, fraudulent intrusions have been detected by analyzing the collected packets in detail, A network intrusion detection system NIDS (Network Intrusion Detection System) for notifying users has been used.
[0003]
On the other hand, the speed of networks is increasing year by year, and networks of the order of Gb (gigabit) / s are often used in backbone networks. In such a high-speed network, it is very difficult to collect and analyze all packets flowing through the network due to the problem of the processing capability of the packet collection and analysis system.
[0004]
When measuring high-speed network traffic, actual traffic can be estimated from the analysis result by thinning out received packets at a fixed rate and performing collection analysis. However, the network intrusion detection system NIDS does not By thinning out the packets, an unauthorized intrusion may be overlooked. In a series of communication by TCP (Transmission Control Protocol), the communication is restored from a plurality of packets used in the communication, and the illegal intrusion is restored. It is necessary to receive and analyze all packets even in a high-speed network because it detects whether the communication is appropriate.
[0005]
In a high-speed network, as a solution to collect and analyze all packets using a packet collection and analysis device with insufficient processing capacity, connect multiple packet collection and analysis devices to the network and distribute the load of the packet collection and analysis process. There is a way to do that. According to this method, any one of a plurality of packet collection / analysis devices may process a packet flowing through the network, so that the number of packets processed per − can be reduced.
[0006]
In connection with the above load distribution, Japanese Patent Application Laid-Open No. 2000-293496 discloses that (1) distribute the load of a server providing various services on a network, and (2) efficiently distribute various services on a network. In order to achieve the purpose of providing, the following means are disclosed.
[0007]
A first means is an apparatus for distributing the load of the service providing server in a network in which a service providing site in which a plurality of service providing servers of the same type are registered provides service information in response to a request from a terminal, A load distribution processing unit for detecting a load state of the service providing server; and a database for storing each IP address of the service providing server in association with a domain name of the service providing site. When the provision request is received, based on the load status of each service providing server detected by the load distribution processing unit, the IP address notifying means for notifying the terminal of the IP address of the service providing server with a lighter load to the terminal. is there.
[0008]
The second means is that, in the first means, the load distribution processing unit and the IP address notifying means are provided on a router to which each service providing server is connected, and when the connection of the service providing server to the router is detected. Automatically assigning an IP address to each service providing server, and then notifying the IP address to an IP address notifying unit, wherein the IP address notifying unit is notified by the IP address notifying unit. This is a means for registering an IP address in the database.
[0009]
Japanese Patent Application Laid-Open No. 2001-344227 discloses that a plurality of resource information distributed in a network are hierarchically monitored, a resource information database is distributed, and a plurality of resource information distributed in the network are distributed. The following means are disclosed for the purpose of reducing the monitoring traffic when monitoring the traffic.
[0010]
A hierarchical resource monitoring system that collects information on a plurality of resources distributed in a network, comprising a central management station, and a plurality of distributed management stations connected to the central management station via a network. A plurality of management nodes, a resource information database is connected, resource information collection means for collecting resource information from the management nodes according to set management items, and storing the resource information in the resource information database; A resource information transfer unit for transferring information, wherein the central management station is connected to a management configuration database, acquires a management item for each station from the management configuration database, transfers the management item to another station, The resources of the own station The information management means includes a general management configuration control means for setting management items, and the distributed management station includes a distributed management configuration control means for setting the management items transferred from the general management configuration control means to the resource information collection means. Like that. Further, the resource information transfer means requests and obtains resource information from another station, and when receiving a request for resource information from another station, searches the resource information database to retrieve the requested resource information from the other station. Transfer to the station. The distributed management station is connected to a management item definition file, and the distributed management configuration control means stores the management items transferred from the general management configuration control means in the management item definition file. Further, when the management item in the distributed management station is changed, the distributed management configuration control means notifies the general management configuration control means of the change, and the general management configuration control means manages the notified change content in the management. It is stored in the configuration database. In addition, the resource information transfer unit may limit management nodes, limit resource types, limit resource collection periods, monthly average, weekly average, or daily average in response to a request for resource information from another station. To obtain and transfer resource information.
[0011]
Japanese Patent Application Laid-Open No. 2002-91936 discloses a dynamic load control system capable of realizing appropriate load distribution even when access concentration to a server suddenly occurs and maintaining the entire server system at high performance. The following means are provided for the purpose of realizing a load distribution apparatus and method for realizing load distribution.
[0012]
1) means for analyzing a packet header of a service request packet from a client in a load distribution device, and estimating, as a load evaluation value, a magnitude of a processing load executed by a server based on the request content of the service request packet; Provided are means for holding, as a load state value, the cumulative value of the load evaluation values of the service request packets distributed in the past fixed time for each server, and means for determining the server to which the service request is distributed based on the load state value. .
[0013]
2) In the load distribution device, at least one of the type of the requested service, the size of the requested content data, and the execution program for generating the requested content data from the packet header of the service request packet from the client. And means for estimating the magnitude of the processing load executed by the server as a load evaluation value based on the information.
[0014]
3) means for making an access request for all services and all content data that can be provided by the server to each server before the server system is operated or in the spare system in order to realize the load estimation of 2) above; Means for measuring a response time to the request, means for measuring a CPU load when each server executes processing based on the request, and a service request based on the response time, the CPU load, and the size of the response data. A means is provided for generating data for obtaining a load evaluation value indicating a magnitude of a load applied to each server by the data.
[0015]
[Problems to be solved by the invention]
The prior art has the problems described below.
[0016]
None of the means and methods disclosed above satisfy the following conditions necessary for load distribution of packet collection.
[0017]
The first condition is that it is necessary to prevent a packet to be collected from being missed during load distribution. If each packet collection / analysis device simply collects the packets by thinning them out, packets will be missed. Furthermore, since it may occur that a plurality of packet collection / analysis devices perform double collection, a plurality of packet collection / analysis devices must be configured to exclusively collect packets by some method.
The second condition is that when a series of communication is realized by a plurality of packets such as TCP, those packets need to be processed by one packet collection / analysis device. If a series of TCP communication is collected across a plurality of packet collection / analysis devices, communication cannot be restored, and processing such as detection of unauthorized intrusion becomes difficult.
[0018]
The present invention has been made in view of the above-described problems in the related art, and an object thereof is to provide a load distribution method of a packet collection analysis process that satisfies the above two conditions, that is, a load distribution method. Provided is a packet collection load distribution method and apparatus in a communication network in which a packet to be collected does not drop and a series of packets by TCP can be collected by one packet collection and analysis device without straddling a plurality of packets. Is to do.
[0019]
[Means for Solving the Problems]
According to a first aspect of the present invention, there is provided a load distribution method for collecting packets in a communication network, wherein a packet flowing on the network is collected by a packet collection / analysis device in which a rule is set and analyzed based on the rule. It is characterized by the following.
[0020]
Therefore, according to the load distribution method of packet collection in the communication network of the first invention of the present application described above, a packet to be collected at the time of load distribution does not drop, and a series of packets by TCP extends over a plurality of packets. And it is possible to collect the data with one packet collection analyzer.
[0021]
The load balancing method for packet collection in the communication network according to the second invention of the present application that solves the above-mentioned problem is a load balancing method for packet collection in the communication network according to the first invention of the present application, wherein the packet is a packet of the packet. According to another aspect of the present invention, only one of the packet collection / analysis devices is collected and analyzed based on the identifier information and the rule.
[0022]
Therefore, according to the load distribution method of packet collection in the communication network of the second invention of the present application described above, the packets to be collected at the time of load distribution do not drop, and the packets are not redundantly collected. .
[0023]
In order to solve the above-mentioned problem, a load distribution method for packet collection in a communication network according to the third invention of the present application is a method for distributing load for packet collection in a communication network according to the first invention of the present application, wherein According to the information and the rules, a plurality of packets used in one TCP connection are all collected and analyzed by one specific packet collection and analysis device.
[0024]
Therefore, according to the load distribution method of packet collection in the communication network of the third invention of the present application, a series of packets by TCP can be collected by one packet collection and analysis device without straddling a plurality of packets. .
[0025]
In order to solve the above problem, the load distribution method of packet collection in the communication network according to the fourth invention of the present application is a method according to the load distribution method of packet collection in the communication network of the first to third inventions of the present application. The device is a network intrusion detection system.
[0026]
Therefore, according to the load distribution method of packet collection in the communication network of the fourth invention of the present application, by analyzing the collected packets, it is possible to detect unauthorized intrusion into the network.
[0027]
In order to solve the above problems, the load distribution method of packet collection in the communication network of the fifth invention of the present application is a load distribution method of packet collection in the communication network of the fourth invention of the present application, wherein the network intrusion detection system comprises: It comprises a packet receiving section, a rule, a rule discriminating section, and an unauthorized intrusion detecting section.
[0028]
Therefore, according to the load distribution method of packet collection in the communication network of the fifth invention of the present application, the collected packets can be determined according to the rules, and only the packets that match the rules can be detected by the unauthorized intrusion detecting unit. Become.
[0029]
The load balancing method of packet collection in the communication network of the sixth invention of the present application that solves the above-mentioned problem is the load balancing method of packet collection in the communication network of the first to third and fifth inventions of the present application. The rule is characterized by being set by a source IP address and a destination IP address.
[0030]
Therefore, according to the load distribution method for packet collection in the communication network of the sixth invention of the present application described above, a packet to be collected at the time of load distribution does not drop, and a series of packets by TCP extends over a plurality of packets. And it is possible to collect the data with one packet collection analyzer.
[0031]
The load balancing method of packet collection in the communication network of the seventh invention of the present application that solves the above-mentioned problem is the load balancing method of packet collection in the communication network of the first to third and fifth inventions of the present application. The rule is characterized by being set by a source IP address, a destination IP address, a source port, and a destination port.
[0032]
Therefore, according to the load distribution method of packet collection in the communication network of the seventh invention of the present application, in a network in which communication is concentrated on a specific host, the load of the communication of the specific host is distributed to collect the packet. Analysis can be performed.
[0033]
In order to solve the above problem, the load distribution method of packet collection in the communication network according to the eighth invention of the present application is the load distribution method of packet collection in the communication network of the first invention of the present application. The apparatus is characterized in that a rule discriminating apparatus is installed in front of the packet collection and analysis apparatus independently of the apparatus and performs rule discrimination.
[0034]
Therefore, according to the load distribution method of packet collection in the communication network of the eighth invention of the present application, it is possible to perform packet collection and analysis processing without significantly changing the configuration of an existing packet collection and analysis system. Become.
[0035]
According to a ninth aspect of the present invention, there is provided a packet collection and load analyzing apparatus for collecting and analyzing packets flowing through a network, the packet collection and analysis apparatus being connected to a network. The device is a network intrusion detection system.
[0036]
Therefore, according to the load distribution apparatus for packet collection in the communication network of the ninth invention of the present application, it is possible to collect and analyze packets flowing on the network by the network intrusion detection system.
[0037]
The load balancing device for packet collection in the communication network of the tenth invention of the present application that solves the above problem is a load balancing device for packet collection in the communication network of the ninth invention of the present application, wherein the network intrusion detection system comprises: A packet receiving unit, a rule determining unit, an unauthorized intrusion detecting unit, and a rule, wherein the packet received by the packet receiving unit is determined by the rule determining unit based on the identifier information of the packet and the rule. When the packet matches the rule, the packet is passed to the unauthorized intrusion detection unit, and when the packet does not match the rule, the packet is discarded.
[0038]
Therefore, according to the load distribution device for packet collection in the communication network of the tenth invention of the present application, the packet to be collected at the time of load distribution does not drop, and a series of packets by TCP extends over a plurality of units. And it can be collected by one network intrusion detection system.
[0039]
The load balancing device for packet collection in the communication network of the eleventh invention of the present application which solves the above-mentioned problem is a load balancing device for packet collection in the communication network of the ninth invention of the present application, wherein the rule The IP address and the destination IP address, or the source IP address, the destination IP address, the source port, and the destination port are set.
[0040]
Therefore, according to the packet distribution load distribution device in the eleventh communication network of the present application, in a network in which communication is concentrated on a specific host, the communication of the specific host is load-balanced and the existing packet is distributed. The packet collection / analysis process can be performed without significantly changing the configuration of the collection / analysis system.
[0041]
A program for causing a computer to execute the load distribution method of packet collection in a communication network according to the twelfth invention of the present application is a program for collecting packets flowing on a network by a packet collection / analysis device in which rules are set, and based on the rules Since the load distribution method of packet collection in the communication network to be analyzed in the communication network can be executed, the load distribution method of packet collection in the communication network of the present invention can be efficiently executed by a computer.
[0042]
A computer-readable recording medium having recorded thereon a program for executing the load distribution method of packet collection in a communication network according to the thirteenth aspect of the present invention by a computer is provided. A program for executing a load distribution method of packet collection in a communication network, which is collected by an apparatus and analyzed based on the rule, can be read by a computer and efficiently executed by the computer.
[0043]
BEST MODE FOR CARRYING OUT THE INVENTION
An embodiment of the present invention will be described. The load distribution method for packet collection in a communication network according to the present invention is included in a packet in a communication packet collection operation in a network traffic measurement system or a network intrusion detection system used in a communication network using a packet such as the Internet. Using the identifier information, the packets are grouped according to a predetermined rule, and a plurality of devices that collect only the packets of different groups are installed. An object of the present invention is to provide a method for collecting packets without dropping packets even in a network.
[0044]
FIG. 1 is a schematic configuration diagram showing an embodiment of a method and an apparatus for load distribution of packet collection in a communication network according to the present invention. The Internet 11 and the internal network 12 are connected by a network 13 via a router 101 and a router 102.
[0045]
The collection of packets flowing through the network 13 is performed by a plurality of packet collection analyzers 201 to 20n. Rules 211 to 21n used at the time of packet collection are set in advance in the packet collection and analysis devices 201 to 20n. Rules 211 to 21n are used for grouping communication packets, and packets are always classified into any one of rules 211 to 21n according to identifiers recorded in the packets. Are appropriately set so as to be classified into the same group.
[0046]
The packet collection / analysis devices 201 to 20n once receive a packet flowing through the network 13, and check whether the received packet satisfies the rules 211 to 21n set in the packet collection / analysis device. If the rule is satisfied, the received packet is collected and analyzed. If the rule is not satisfied, the received packet is discarded.
[0047]
Since the received packet is set so as to always satisfy any one of the rules 211 to 21n, the received packet is always collected and analyzed by any one of the packet collection and analysis devices 201 to 20n. Become one. As a result, the load of the packet collection process can be distributed.
[0048]
【Example】
FIG. 2 is a schematic configuration diagram showing a first embodiment of a load distribution method for packet collection in a communication network according to the present invention. The first embodiment is a configuration example in which IP (Internet Protocol) packets flowing over a network 13 connecting the Internet 11 and an internal network 12 are collected to detect unauthorized intrusion from the Internet. 13, a router 102 connecting the network 13 and the internal network 12, and a network intrusion detection system 201'-20n 'for collecting packets flowing through the network 13 and detecting unauthorized intrusion. Have been. The network intrusion detection systems 201 'to 20n' are connected to the network 13 so that all packets flowing between the router 101 and the router 102 can be received.
[0049]
FIG. 3 is a schematic internal configuration diagram of the network intrusion detection systems 201 ′ to 20n ′ alone. The packet receiving unit 22n receives the packet flowing through the network 13, and then passes the received packet to the rule determining unit 23n. The rule determining unit 23n receives the received packet from the packet receiving unit 22n, determines whether the identifier included in the received packet satisfies the rule 21n, and passes only the packet that satisfies the rule to the unauthorized intrusion detecting unit 24n. The unauthorized intrusion detecting unit 24n analyzes the packet received from the rule determining unit 23n and detects an unauthorized intrusion. The unauthorized intrusion detection unit 24n has the same configuration as the conventional network intrusion detection system.
[0050]
Next, the overall operation of this embodiment will be described in detail with reference to FIGS. First, in FIG. 2, when communication between the Internet 11 and the internal network 12 occurs, a packet flows to the network 13 via the router 101 and the router 102, and the packet data is transmitted to the network intrusion detection systems 201 'to 20n'. Are received at all of. The network intrusion detection systems 201 'to 20n' have the same configuration except for the contents of the set rules 211 to 21n. Hereinafter, the operation of the network intrusion detection system 20n 'will be described with reference to FIG. .
[0051]
In FIG. 3, the packet data received by the network intrusion detection system 20n 'is first input to the packet receiving unit 22n, and the packet data is passed as it is to the rule determining unit 23n. Upon receiving the packet data from the packet receiving unit 22n, the rule determining unit 23n refers to the rule 21n to determine whether the identifier included in the packet data matches the rule set in the rule 21n. . A plurality of rules (sub-rules) can be set in the rule 21n. When a plurality of sub-rules are set, the rule discriminating unit 23n sets the packet data in one of the plurality of sub-rules. Determine whether the identifiers match.
[0052]
The rule determining unit 23n performs a rule determination, passes the packet data to the unauthorized intrusion detecting unit 24n only when the packet data matches the rule set in the rule 21n, and discards the packet data when the packet data does not match the rule. I do. The processing for the packet data received in this way is terminated. The unauthorized intrusion detection unit 24n receives only packet data that matches the rule from the rule determination unit 23n, and detects whether or not an unauthorized intrusion has been performed using the received packet data.
[0053]
FIG. 4 is an explanatory diagram of a setting example of the rules 211 to 21n. Referring to FIG. 4, rules 211 to 21n set in network intrusion detection systems 201 'to 20n' will be described in detail. In order to properly distribute the load of the intrusion detection processing by a plurality of network intrusion detection systems, packets flowing through the network 13 must be processed by any one of the network intrusion detection systems 201 'to 20n'. Must. Also, in the case of communication using TCP (Transmission Control Protocol), a connection is generated between communication hosts and communication is performed by a plurality of packets. When intrusion detection is performed, a packet of communication by one connection is used. Therefore, when performing load distribution for intrusion detection processing of communication by TCP, packets used by one TCP connection need to be collectively processed by one network intrusion detection system. . Therefore, it is necessary to satisfy the following conditions when setting rules.
[0054]
(1) The identifier of the received packet must match any one of the rules 211 to 21n.
(2) The identifiers of a plurality of packets used in one TCP connection must match the same rule.
[0055]
The setting examples of the rules 211 to 21n shown in FIG. 4 satisfy the above conditions. In this setting example, an IP address is used as an identifier, and grouping is performed according to a range of addresses used in the internal network. One rule is further composed of two sub-rules a and b. Using the two sub-rules a and b, the internal network address is classified into the same rule regardless of whether it is a source address or a destination address. In this embodiment, an IP packet is used as an identifier of a packet. However, any identifier may be used as long as communication can be appropriately classified.
[0056]
Next, the operation of the first embodiment will be further described using a specific example. FIG. 5 is a schematic configuration diagram illustrating a specific example according to the first embodiment. In this specific example, the internal network 12 has a network address of 11.11.10.0, 11.11.11.0, 11.11.12.0, 11.11.13.0 and a netmask of It is assumed that the network is composed of four networks of 255.255.255.0 and these networks are connected to the router 102.
[0057]
It is also assumed that four network intrusion detection systems 201 'to 204' are installed, and the rule 211 in FIG. 6 is set in the network intrusion detection system 201 '. Similarly, it is assumed that the rule 212 is set in the network intrusion detection system 202 ', the rule 213 is set in the network intrusion detection system 203', and the rule 214 is set in the network intrusion detection system 214 '.
[0058]
A case will be described where the packets of the IP addresses shown in FIG. First, when the packet of the number 1 flows through the network 13, the packet data is received by all of the network intrusion detection systems 201 'to 204'. That is, the packet of the number 1 is received by the network intrusion detection systems 201 ′ to 204 ′, and the rule determination is performed in each network intrusion detection system as described below. That is, the packet data is received by the packet receiving units 221 to 224 in the network intrusion detection system, passed to the rule determining units 231 to 234, and then compared with the rules 211 to 214 by the rule determining unit. The rule that the address matches is compared.
[0059]
From FIG. 6, it can be seen that the packet of number 1 in FIG. 7 matches the sub-rule a of the rule 211. Therefore, only the rule discriminating unit 231 passes the packet data to the unauthorized intrusion detecting unit 241, and the rule discriminating units 232 to 234 discard the packet data. By the above operation, the packet of No. 1 in FIG. 7 is processed by the network intrusion detection system 201 ′.
[0060]
Similarly, since the packets No. 4, No. 7, and No. 9 in FIG. 7 have the same source and destination IP addresses as the No. 1 packet, they match the sub-rule a of the rule 211 and are the same as the No. 1 packet. Is processed by the network intrusion detection system 201 '. The packets of No. 2 and No. 5 and No. 8 have the same source and destination IP addresses and match the sub-rule b of the rule 211, so that they are processed by the network intrusion detection system 201 ′. Although the relationship between the source and destination of the IP addresses of the packets Nos. 1, 4, 7, and 9 and the IP addresses of the packets Nos. 2, 5, and 8 are reversed, both match the rule 211. Therefore, it is processed by the network intrusion detection system 201 '.
[0061]
Since the packet of the number 3 matches the sub-rule a of the rule 213, it is processed by the network intrusion detection system 203 '. The packet with the number 6 matches the sub-rule b of the rule 214 and is processed by the network intrusion detection system 204 ′. Since the packet of the number 10 matches the sub-rule b of the rule 213, it is processed by the network intrusion detection system 203 '.
[0062]
As described above, the network intrusion detection system that performs packet processing based on the address of the internal network is uniquely determined, and the intrusion detection processing is distributed.
[0063]
As described above, according to the embodiment, the following first, second, and third effects are exhibited.
[0064]
The first effect is that the processing of collecting and analyzing packets is load-balanced among a plurality of packet collecting and analyzing apparatuses, so that even in a high-speed network, all packets flowing through the network can be targeted without dropping packets. Collected analysis can be performed.
[0065]
The reason is that, regarding the rules for setting packets to be analyzed in the packet collection and analysis device, the rules to be set in each device have exclusive contents, and the packets flowing through the network must be one of the set rules. This is because it is set so that one packet is always matched, and the packet is always analyzed by any one of the plurality of packet collection / analysis devices.
[0066]
The second effect is that the load of the packet collection / analysis processing can be distributed without significantly changing the configuration of the existing packet collection / analysis system.
[0067]
The reason is that load distribution is realized by selecting packet data to be processed according to the present invention before inputting the packet data into the existing packet collection and analysis system. For example, referring to FIG. 3, the existing packet collection / analysis system corresponds to the unauthorized intrusion detecting unit 24n in FIG. Has become. Therefore, an existing network intrusion system can be applied to the intrusion detection unit 24n.
[0068]
A third effect is that when performing packet collection / analysis processing, the load can be distributed without synchronizing processes or exchanging information between a plurality of devices that perform packet collection / analysis.
[0069]
The reason for this is that in each packet collection / analysis device, processing load distribution is realized by selecting packets using rules set in advance to be exclusive among the devices.
[0070]
Next, a second embodiment of the present invention will be described in detail with reference to the drawings. FIG. 8 is a schematic configuration diagram showing a second embodiment of the load distribution method for packet collection in the communication network of the present invention.
[0071]
Referring to FIG. 8, in the second embodiment, a packet collection / analysis device that does not have a rule in the packet collection / analysis device and has no rule set is connected to the network 13 via the rule determination units 301 to 30n. Is different from the first embodiment. In the second embodiment, the packet receiving unit 22n, the rule discriminating unit 23n, and the rule 21n of FIG. 3 are extracted as a rule discriminating device. The present invention realizes load distribution using the existing packet collection and analyzing device. It is an example.
[0072]
The operation of the second embodiment is almost the same as the operation of the first embodiment. The unauthorized intrusion detecting unit 24n in FIG. 3 corresponds to the packet collection / analysis device 20n in the second embodiment, and in the first embodiment of FIGS. In the second embodiment, the output of the rule determination unit 23n is output from the rule determination devices 301 to 30n and is passed to the packet collection / analysis devices 201 to 20n. The effect achieved is exactly the same as in the first embodiment, since the internal configuration is only slightly different.
[0073]
Next, a third embodiment of the present invention will be described in detail with reference to the drawings. FIG. 9 is an explanatory diagram of a rule setting example according to the third embodiment of the load distribution method of packet collection in the communication network of the present invention.
[0074]
In the third embodiment, an example of how to set rules to perform load distribution in a network in which communication is concentrated on a specific host by performing load distribution on five devices, and an example of the rule setting Is shown. In the third embodiment, a rule is set using a port number used in TCPP and UDP (User Datagram Protocol) communication in addition to an IP address in order to collect and collect communication to a specific host. ing.
[0075]
Of the five rules, TCP and UDP communications of the host 11.11.10.1 where communication concentrates on the rules 211 to 214 are set to match, and other communications are set to match the rule 215. are doing. When communication concentrates on a specific host, communication usually concentrates on a specific port number of a specific host (for example, port number 80 in the case of a WWW server). Rules are set by combining destination ports (or by combining destination IP addresses and source ports).
[0076]
In the case of TCP communication, since a series of communications is desirably processed by the same packet collection and analysis device, the series of communications must match the same rule, but the port number is not changed in the series of TCP communications Therefore, in rules 211 to 214, packets used in a series of communications match the same rule. With this setting, it is possible to perform packet collection and analysis by distributing the load of the communication of a specific host.
[0077]
【The invention's effect】
According to the load distribution method of packet collection in the communication network of the present invention, rules for discriminating packets are set in the packet collection / analysis device, rules set for each device have exclusive contents, and flow through the network. Since the packet is set so as to always match any one of the set rules, the following excellent effects are exhibited.
(1) Even in a high-speed network, collection and analysis of all packets flowing through the network can be performed without dropping packets.
(2) A single packet collection / analysis device can collect a series of packets by TCP without straddling a plurality of packets.
(3) The load of packet collection and analysis processing can be distributed without significantly changing the configuration of an existing packet collection and analysis system.
(4) When performing the packet collection / analysis processing, the load can be distributed without synchronizing the processing and exchanging information between a plurality of devices that perform the packet collection / analysis.
[Brief description of the drawings]
FIG. 1 is a schematic configuration diagram illustrating an embodiment of a load distribution method for packet collection in a communication network according to the present invention.
FIG. 2 is a schematic configuration diagram showing a first embodiment of a load distribution method of packet collection in a communication network according to the present invention.
FIG. 3 is a schematic internal configuration diagram of the network intrusion detection system of FIG. 2;
FIG. 4 is an explanatory diagram of a rule setting example according to a first embodiment of a packet collection load distribution method in a communication network of the present invention.
FIG. 5 is a schematic configuration diagram illustrating a specific example according to the first embodiment of the load distribution method of packet collection in the communication network of the present invention.
FIG. 6 is an explanatory diagram of an example of setting rules according to the specific example of FIG. 5;
FIG. 7 is an explanatory diagram of an IP address according to the specific example of FIG. 5;
FIG. 8 is a schematic configuration diagram showing a second embodiment of the load distribution method of packet collection in the communication network of the present invention.
FIG. 9 is an explanatory diagram of a rule setting example according to a third embodiment of the packet collection load distribution method in the communication network of the present invention.
[Explanation of symbols]
11 Internet
12 Internal network
13 Network
101, 102 router
201, 202,... 20n packet collection / analysis device
201 ', 202', ... 20n 'Network intrusion detection system
211, 212,... 21n rule
221, 222,... 22n packet receiving unit
231, 232,... 23n rule discriminator
241, 242,... 24n Intrusion detection section
.., 30n rule discriminating apparatus
IP Internet Protocol
TCP Transmission Control Protocol
UDP User Datagram Protocol
WWW World Wide Web

Claims (13)

A load distribution method for packet collection in a communication network, characterized in that packets flowing on a network are collected by a packet collection / analysis device in which rules are set and analyzed based on the rules. 2. The load distribution method for packet collection in a communication network according to claim 1, wherein the packet is collected and analyzed by only one of the packet collection and analysis devices based on the identifier information of the packet and the rule. . 2. The communication network according to claim 1, wherein a plurality of packets used in one TCP connection are all collected and analyzed by one specific packet collection analyzer based on the packet identifier information and the rule. 3. Load distribution method of packet collection in the server. 4. The load distribution method for packet collection in a communication network according to claim 1, wherein the packet collection and analysis device is a network intrusion detection system. The method according to claim 4, wherein the network intrusion detection system comprises a packet receiving unit, a rule, a rule discriminating unit, and an unauthorized intrusion detecting unit. 6. The load distribution method for packet collection in a communication network according to claim 1, wherein the rule is set by a source IP address and a destination IP address. . 6. The communication according to claim 1, wherein the rule is set by a source IP address, a destination IP address, a source port, and a destination port. A load distribution method for packet collection in a network. 2. The packet collection in a communication network according to claim 1, wherein the rule is set as a rule discriminator independent of the packet collection and analysis apparatus, and the rule is set in front of the packet collection and analysis apparatus. Load balancing method. A packet collection / analysis device for connecting to a network and collecting / analyzing packets flowing on the network, wherein the packet collection / analysis device is a network intrusion detection system, wherein the load distribution device for packet collection in a communication network. The network intrusion detection system includes a packet reception unit, a rule determination unit, an unauthorized intrusion detection unit, and a rule, and the packet received by the packet reception unit is based on the packet identifier information and the rule. It is determined by the rule determination unit, and when the packet matches the rule, the packet is passed to the intrusion detection unit, and when the packet does not match the rule, the packet is discarded. The load distribution device for packet collection in the communication network according to claim 9. 10. The rule according to claim 9, wherein the rule is set by a source IP address and a destination IP address, or the source IP address, the destination IP address, a source port, and a destination port. A load distribution apparatus for packet collection in the communication network according to claim 10. A program for causing a computer to execute a load distribution method of packet collection in a communication network in which packets flowing on a network are collected by a packet collection / analysis device in which rules are set and analyzed based on the rules. A computer-readable program recording a program for executing a load distribution method of packet collection in a communication network in which a packet flowing on a network is collected by a packet collection / analysis device in which a rule is set and analyzed based on the rule. recoding media.

Images