JP2005210518A - Originating source tracking information providing device, and originating source tracking device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an originating source tracking information providing device which can offer necessary information when an originating source of communication packet is tracked, and an originating source tracking device which trackes the originating source on the basis of the information. <P>SOLUTION: The originating source tracking information providing device 10 comprises an input part 111 which takes in communication packets from a communication network; a tracking information creator 114 which creates a tracking information message which includes a device identification information which identifies the originating source tracking information providing device 10 and back link information, and is sent to a destination of the communication packet at a predetermined probability of a probability event generator 113; a tracking information adder 116 which creates a tracking information message further added front link information, when a tracking information message detector 112 detects the tracking information message from the communication network, and a router device passage detector 115 detects the passage of the router device, and a transmitter 117 which transmits the tracking information message to the communication network. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a source tracking information providing apparatus that can provide information necessary for tracking the source of a communication packet. The present invention also provides a transmission source that tracks a transmission source based on information from a transmission source tracking information providing apparatus that can track the transmission source of a communication packet even when the transmission source of the communication packet spoofs its own address information. It relates to a tracking device.

  In recent years, communication such as an open network represented by the Internet has spread due to the development of communication technology. Along with such a situation, a device connected to a network is likely to be subject to a service denial attack such as a so-called DoS (Denial of Service) attack or a DDoS (Distributed Dos) attack that sends a large number of IP packets. This denial-of-service attack not only paralyzes the provision of services by saturating the processing of the victim device, but also consumes resources of the entire network and has a large impact on the entire network. Yes.

  As one of such measures, a technique for identifying the source of the IP packet used for the attack, so-called IP traceback technique, is known. As a typical example of this IP traceback technique, there is an ICMP traceback (Internet Control Message Protocol Traceback) proposed by an ICMP traceback working group of Internet Engineering Task Force (IETF). In this ICMP traceback, the router device on the midway route selects the IP packet to be tracked with a constant probability of about 1 / 20,000, generates the tracking information for this IP packet, and the tracking information is sent to the IP packet as an ICMP message. The destination device displays this tracking information.

  As a technique for improving the ICMP traceback, there is a technique described in Patent Document 1. The technique described in Patent Document 1 is configured such that the router device that has received the tracking request message returns address information of the router device on the attack device side from the router device to which the attack IP packet is transmitted. The source tracking device tracks the source by sequentially transmitting a tracking request message to each router device so as to approach the attacking device.

In addition, the router device that has received the tracking instruction supplements the electronic data having the characteristic information of the tracking instruction, and transmits the identifier of the data link layer in the router device immediately before the supplemented electronic data to the management system, thereby managing There is a technology that tracks the source of electronic data by analyzing the identifier of the data link layer and tracing the path that the electronic data has passed from the receiving side to the transmitting side (adjacent node tracking process). For example, it is disclosed in Patent Document 2. Further, Patent Document 3 discloses a technique obtained by improving the technique of Patent Document 2 in which this adjacent node tracking process is omitted in a management network in which address management and account management are performed and security is highly reliable.
JP 2003-264553 A JP 2000-124952 A JP 2000-341315 A

  By the way, in the conventional IP traceback technique, since the router apparatus executes a predetermined process for tracing the transmission source, there is a possibility that the original routing process of the router apparatus may be lowered. In particular, in an open network, there are router devices that do not have sufficient processing capability because of the presence of router devices with various performances. In such router devices, predetermined processing for tracking the source is overloaded. There was a problem.

  The present invention has been made in view of the above-described circumstances, and an object of the present invention is to provide a transmission source tracking information providing apparatus that can provide information necessary for tracking the transmission source of a communication packet. Then, an object of the present invention is to provide a transmission source tracking device that tracks a transmission source based on information from the transmission source tracking information providing device.

  In order to achieve the above-described object, a source tracking apparatus according to the present invention is connected to a transmission path connecting router apparatuses, and receives a communication packet from the transmission path, and receives the packet by the packet collection means. The tracking message detecting means for determining whether the received communication packet includes an identifier indicating that it is a tracking information message for tracking the source of the communication packet, and the tracking message detecting means If it is determined that it is not included, it includes an identifier indicating that it is a tracking information message with respect to the communication packet with a predetermined probability, and addresses of router devices connected to both ends of the transmission path. The tracking message creating means for storing the backward link information consisting of If it is determined that the communication packet has passed through the router device, and if it is determined that it has passed, the communication packet is copied and the copied packet is copied. A tracking message adding means for storing forward link information including addresses of router devices connected to both ends of the transmission path in a communication packet, and output from the tracking message adding means or the tracking message creating means Packet transmission means for transmitting a communication packet on the transmission path is provided.

  In the above-described source tracking information providing apparatus, the tracking message creating means includes an identifier indicating that the tracking information message is included, and a backward link including addresses of router devices connected to both ends of the transmission path. When information is stored, information on the time when the tracking information message is generated is further stored.

  Further, in the above-described source tracking information providing device, when the router device is a nut router device having a nut function, the tracking message creating means includes an identifier indicating a tracking information message, and the transmission path When the back link information including the addresses of the router devices connected to both ends is stored, information on the nut function is further stored.

  Further, in the above-described source tracking information providing device, the tracking message creating means includes an identifier indicating that it is a tracking information message when the router device forms a virtual private network, and the transmission When the back link information including the addresses of the router devices connected to both ends of the path is stored, information regarding the virtual private network is further stored.

  In the transmission source tracking information providing apparatus described above, the tracking message creating means is configured to change the predetermined probability.

  Further, in the above-described source tracking information providing device, when the tracking message creating unit and / or the tracking message adding unit stores each link information in a communication packet, the source tracking information providing device further includes: Information for specifying that the device is a legitimate source tracking information providing device is stored.

  Further, the source tracking device according to the present invention is connected to a transmission path that connects between router devices, and a packet collection unit that captures a communication packet from the transmission channel, and a communication packet that is captured by the packet collection unit It is determined whether or not an identifier indicating that it is a tracking information message for tracking the source of the packet is included, and if it is determined that the identifier is included, it is further determined whether or not it is within a predetermined period. A tracking message detection unit; a storage unit for storing the communication packet as a tracking information message when the tracking message detection unit determines that the communication message is within the predetermined period; and From the tracking information message included in the means, arrange records in which the backward link information and the forward link information match in order And a source tracking means for tracking more sources, and identifies the source from tracking information message transmitted from the above source tracking information providing apparatus.

  In the source tracking information providing apparatus having such a configuration, the packet collecting means is connected on the transmission line connecting the router apparatuses, the communication packet is taken in from the transmission line, and the tracking message detecting means is taken in by the packet collecting means. It is determined whether the communication packet includes an identifier indicating that it is a tracking information message for tracking the source of the communication packet, and the tracking message generating means includes the identifier by the tracking message detecting means. If it is determined that the communication packet is not included, the communication packet includes an identifier indicating that it is a tracking information message, and addresses of router devices connected to both ends of the transmission path with a predetermined probability. The backward link information is stored, while the tracking message adding means is provided by the tracking message detecting means, When it is determined that the identifier is included, it is further determined whether the communication packet has passed through the router device. If it is determined that the packet has passed, the communication packet is copied, The duplicated communication packet stores forward link information including addresses of router devices connected to both ends of the transmission path, and the packet transmitting means adds the tracking message adding means or the tracking message creating The communication packet output from the means is transmitted on the transmission path. For this reason, the device that has received these tracking information messages follows the communication path of the communication packet based on the identification information, the backward link information, and the forward link information of the source tracking information providing device accommodated in these tracking information messages. And the source can be identified. Therefore, since the source tracking information providing device provides information for tracking the source of the communication packet, the source tracking information providing device according to the present invention can reduce the load on the router device. The device can be made almost dedicated to the routing process.

  Further, in the source tracking device that identifies the source from the tracking information message transmitted from the source tracking information providing device having such a configuration, the packet collecting means is connected on the transmission path connecting the router devices, An identifier indicating that the packet is a tracking information message for capturing a communication packet from the transmission path, the tracking message detecting unit capturing the communication packet from the packet collecting unit, and tracking the source of the communication packet in the communication packet. If it is determined that the identifier is included, it is further determined whether or not it is within a predetermined period, and the storage means detects that the tracking message detection means is within the predetermined period. When it is determined, the communication packet that is the tracking information message is stored. Then, after the end of the predetermined period, the transmission source tracking unit tracks the transmission source by sequentially arranging records in which the rear link information and the front link information match from the tracking information message included in the storage unit. Therefore, the source tracking device can identify the source from the tracking information message transmitted from the source tracking information providing device.

Embodiments according to the present invention will be described below with reference to the drawings. In addition, the structure which attached | subjected the same code | symbol in each figure shows that it is the same structure, The description is abbreviate | omitted.
(Configuration of the embodiment)
The source tracking information providing apparatus according to the present embodiment is configured such that when one terminal device connected to a communication network transmits a communication packet to another terminal device, the other terminal device tracks the communication path of the communication packet. The device provides tracking information for specifying the source (one terminal device) of the communication packet.

  FIG. 1 is a diagram illustrating a communication network to which a source tracking information providing apparatus according to an embodiment is applied. FIG. 2 is a diagram illustrating a configuration of the source tracking information providing apparatus according to the embodiment.

  In FIG. 1, terminal devices 2, 3, and 1 are connected to a communication network 1 that includes one or a plurality of router devices 11 (11-a to 11-1) and a transmission path 15 that connects the router devices 11. A plurality of source tracking information providing devices 10 (10-a to 10-n) are connected.

  The router device 11 is a device that connects different communication networks (sub-communication networks) to each other and performs routing of a communication packet (selection of a communication path). For example, an IP packet router device that is an example of the router device 11 performs routing by referring to a routing table that registers route information based on a destination IP address included in a header of an IP packet (an example of a communication packet). . In FIG. 1, the router device 11 is indicated by “R”, and Ra11-a to R111-l are described. Further, in the figure, a sub-communication network under the router device 11 configured by including a transmission path, a hub (concentrator), a terminal device, and the like is omitted. Further, the router device 11 may be a device (so-called gateway device) further provided with a gateway function for converting a communication protocol. The transmission path 15 is a wired or wireless path for transmitting communication packets. When the router devices 11 are connected to each other via the transmission path 15, the sub-communication networks are connected to each other, and the communication network 1 is configured.

  The terminal devices 2 and 3 are devices having a communication function for transmitting and receiving communication packets via the communication network 1, for example, a computer terminal, a mobile communication terminal, a game terminal, and a PDA (Personal Digital Assistants) having a communication function. ) Etc. In this embodiment, for convenience of explanation, it is assumed that the terminal device 2 transmits a communication packet to the terminal device 3, and the terminal device 2 accesses the terminal device 3 illegally, that is, destroys the operation of the terminal device 3 due to a so-called computer virus. Further, it is assumed that an attack such as a denial of service attack on the terminal device 3 is performed, and in particular, the terminal device 2 is performing an attack by spoofing the transmission source address of the communication packet. Hereinafter, the terminal device 2 that performs the attack is referred to as the attack-side terminal device 2, and the terminal device 3 that is subjected to the attack is referred to as the victim-side terminal device 3.

  The source tracking information providing device 10 is connected to the transmission path 15 via a hub 16 (concentrator) that branches one communication packet into a plurality of communication packets, and attacks by tracking the communication path of the communication packet. This is a device that provides tracking information for identifying the physical position of the terminal device 2 in the communication network 1 to the victim terminal device 3. In FIG. 1, the source tracking information providing device 10 is indicated by “X”, Xa10-a to Rn11-n are described, and the hub 16 is indicated by “●”, and the source tracking information providing device is indicated. The same number as 10 is listed.

  In FIG. 2, the source tracking information providing apparatus 10 includes a central processing unit 101, an auxiliary storage unit 102, a communication interface 103, and an internal storage unit 104, and an input unit 105 and a display unit indicated by broken lines as necessary. 106 and / or an external storage unit 107.

  The central processing unit 101 is constituted by, for example, a microprocessor or the like, and functionally takes in a communication packet from the transmission path 15 via the communication interface 103 and the hub 16, and corresponds to an example of a packet collecting unit. ), A tracking information message detection unit 112 (corresponding to an example of a tracking message detection unit) that determines whether or not the captured communication packet is a tracking information message, and a probability event generation unit 113 that generates an event with a predetermined probability. A tracking information generation unit 114 that generates a tracking information message for the communication packet notified from the tracking information message detection unit 112 with a predetermined probability (this unit and the probability event generation unit 113 correspond to an example of a tracking message creation unit. ), The tracking information message notified from the tracking information message detection unit 112 The router device passage detection unit 115 for determining whether or not the router device 11 has been passed, the tracking information message notified from the router device passage detection unit 115 is copied (copied), and the attached information is added to the copied tracking information message. From the tracking information addition unit 116 (this unit and the router device passage detection unit 115 correspond to an example of a tracking message addition unit) and the tracking information message and the tracking information addition unit 116 notified from the tracking information generation unit 114 A transmission unit 117 (corresponding to an example of a packet transmission unit) that transmits the notified tracking information message to the transmission path 15 via the communication interface 103 and the hub 16 is provided, and the auxiliary storage unit 102 and the communication interface are provided according to the control program. 103 and the internal storage unit 104 are controlled.

  The auxiliary storage unit 102 is a device that stores information such as a non-volatile storage element such as a ROM (Read Only Memory) and an EEPROM (Electrically Erasable Programmable Read Only Memory) and a hard disk, for example. Information necessary for the execution of each program, such as each program such as a control program for operating the program, link information (back link information and forward link information described later), and the like are stored. The communication interface 103 is connected to the communication network 1 by being connected to the transmission path 15 via the hub 16 and is a device for transmitting and receiving communication packets. The internal storage unit 104 is a so-called working memory that reads a control program executed by the central processing unit 101 from the auxiliary storage unit 102 and temporarily stores each data during execution of the control program, for example, a volatile storage element. An example is a RAM (Random Access Memory). The central processing unit 101, the auxiliary storage unit 102, the communication interface 103, and the internal storage unit 104 are connected to the bus 108 so that data can be exchanged with each other.

  The input unit 105 is a device that inputs various commands and various data such as a start instruction of the transmission source tracking information providing device 10 and an operation status display instruction to the transmission source tracking information providing device 10. A mouse or a touch panel. The display unit 106 is a device that displays commands, data, and the like input from the input unit 105, such as a CRT display, LCD, organic EL display, or plasma display. The external storage unit 107 stores data with a storage medium such as a flexible disk, a CD-ROM (Compact Disc Read Only Memory), a CD-R (Compact Disc Recordable), and a DVD-R (Digital Versatile Disc Recordable). An apparatus that performs reading and / or writing, such as a flexible disk drive, a CD-ROM drive, a CD-R drive, and a DVD-R drive.

  In addition, when information such as each program and each data stored in the auxiliary storage unit 102 is not stored, a server computer (not shown) that manages these information is connected via the communication network 1 and the communication interface 103. The information may be downloaded, or the information may be installed in the auxiliary storage unit 102 via the external storage unit 107 from the recording medium on which the information is recorded.

Next, the operation of this embodiment will be described.
(Operation of the embodiment)
FIG. 3 is a flowchart illustrating the operation of the source tracking information providing apparatus according to the embodiment. FIG. 4 is a diagram showing the format of the tracking information message. 4A shows the format of the tracking information message by the tracking information generation unit, and FIG. 4B shows the format of the tracking information message by the tracking information adding unit.

  The communication packet propagating through the transmission path 15 is branched by the hub 16, one of the branched communication packets is taken into the source tracking information providing apparatus 10, and the other communication packet is propagated through the transmission path 15 as it is. To do. The communication packet captured by the source tracking information providing apparatus 10 is converted into a signal format that can be handled by the central processing unit 101 by the communication interface 103.

  In FIG. 3, the capturing unit 111 of the central processing unit 101 captures a communication packet from the communication interface 103 and notifies the tracking information message detecting unit 112 of the communication packet (S11). The tracking information message detection unit 112 determines whether or not the notified communication packet is a tracking information message by referring to an identifier indicating that the communication packet described later is a tracking information message (S12).

  As a result of the determination, when the communication packet is a tracking information message (Yes), the tracking information message detection unit 112 notifies the router device passage detection unit 115 of the communication packet (tracking information message). On the other hand, if the result of the determination is that the communication packet is not a tracking information message (No), the tracking information message detection unit 112 notifies the tracking information generation unit 114 of the communication packet.

  The tracking information generation unit 114 determines whether an event (probability event) is notified from the probability event generation unit 113 (S13).

  Here, for example, when the transmission source tracking information providing apparatus 10 is activated, the probability event generating unit 113 generates a probability event with a predetermined probability and notifies the tracking information generating unit 114 of the occurrence of the probability event. Predetermined probabilities are arbitrary, but when attack monitoring is strengthened, the occurrence of probability events such as one-thousandth or one-thousandth, for example, is set to a relatively high probability, thereby mitigating attack monitoring. In this case, for example, the occurrence of a probability event such as 1 / 20,000 or 1 / 30,000 is set to a relatively low probability. Therefore, the probability event generation unit 113 may be configured not only to fix the predetermined probability but also to change the predetermined probability. Here, for the occurrence of a probability event, for example, an event occurrence value for generating a probability event is determined by generating a numerical value within a predetermined probability range with a random number, and the tracking information generation unit 114 is notified of the communication packet. The number of communication packets may be counted every time, and a probability event may be generated when the counted value reaches the event occurrence value.

  More specifically, when the predetermined probability is 1 / 20,000, a numerical value is generated by a random number in a range from 1 to 20000, and the generated numerical value (for example, 756) is determined as an event occurrence value. A probability event is generated when the counted number of communication packets reaches 756. Then, the event occurrence value is redetermined and the count value is cleared (count value = 0). The event occurrence value may be determined only once when the source tracking information providing apparatus 10 is activated, or may be determined again after a predetermined period has elapsed. In these cases, the communication packet count is continued until 20000 is reached even after the occurrence of the probability event.

  As a result of the determination in the process S13, if the probability event has not been notified (No), the tracking information generation unit 114 discards the notified communication packet and returns the process to the process S11. On the other hand, when the probability information is notified (Yes), the tracking information generation unit 114 generates a tracking information message and notifies the transmission unit 119 of the generated tracking information message (S14). By operating in this way, the source tracking information providing device 10 generates a tracking information message with a predetermined probability for a communication packet propagating through the transmission path 15.

  As shown in FIG. 4A, the tracking information message 30 generated by the tracking information generation unit 114 is a tracking information such as a transmission destination address, a transmission source address, or a TTL (Time To Live). A header portion 301 for accommodating header information necessary for transmitting an information message, a time stamp portion 302 for accommodating a time (time stamp) at which the tracking information message is generated, and a communication network of the source tracking information providing device 10 1 includes a rear link information unit 303 that stores rear link information, which is information related to a physical position, and an auxiliary information unit 305 that stores auxiliary information.

  As the transmission destination address stored in the header section 301, the transmission destination address of the communication packet notified from the tracking information message detection unit 112 is duplicated. The tracking information message generated thereby is transmitted to the same destination as the communication packet. The source address stored in the header section 301 is the address of the source tracking information providing apparatus 10 that generates the tracking information message (an example of apparatus identification information), and the TTL stored in the header section 301 is an initial value. For example, 255. For example, when the communication packet is an IP packet, the header portion 301 is an IP header, and the transmission destination address and the transmission source address are IP addresses.

  The time of the time stamp is acquired from a clock (not shown), and this clock may be configured by hardware such as a counter circuit, or may be functionally configured by the central processing unit 101 by software. .

  The backward link information is, for example, a pair of identifiers of the router device 11 at both ends of the transmission path 15 to which the source tracking information providing device 10 is connected. As the identifier of the router device 11, for example, a MAC address (Media Access Control Address), an IP address (Internet Protocol Address), an ID, or the like can be used. The back link information may be configured to be stored in the auxiliary storage unit 102 by the user when the source tracking information providing apparatus 10 is connected to the communication network 1, for example, and for example, SNMP (Simple Network Management Protocol) The transmission source tracking information providing apparatus 10 may automatically acquire the information using a communication protocol such as), and store the information in the auxiliary storage unit 102. Further, for example, when information indicating the physical position of the source tracking information providing device 10 in the communication network 1 is separately created as a map or table, the backward link information is the source tracking information providing device 10. (For example, MAC address, IP address, ID, etc.).

  The attached information unit 305 is a payload that stores arbitrary information. For example, the tracking information message is not intended for tracking communication packets (that is, not a tracking information message storing communication packet tracking information). Information indicating that the message is a tracking information message generated for purposes other than tracking such as testing (sample packet information), an identifier of the source tracking information providing apparatus 10, encryption / authentication information, and an electronic signature. The identifier, encryption / authentication information, and electronic signature of the source tracking information providing device 10 are used alone or in combination to confirm that the tracking information message is transmitted from the legitimate source tracking information providing device 10. Used for. By using in this way, the victim terminal device 3 that has received the tracking information message, even if the terminal device connected to the communication network 1 spoofs the source tracking information providing device 10 and transmits the tracking information message, It can be recognized that the tracking information message is from the true source tracking information providing apparatus 10.

  Then, an identifier indicating that it is a tracking information message (tracking information message identifier) is accommodated in the tracking information message. The tracking information message identifier is accommodated in the header part 301 or the attached information part 305, for example. Such a tracking information message 30 is formed using an arbitrary communication protocol such as IP (Internet Protocol), ICMP (Internet Control Message Protocol), TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and the like. In this embodiment, ICMP may be used, and in this case, the tracking information message identifier may be configured to be represented by Type.

  Returning to FIG. 3, when the tracking information message is notified from the tracking information message detection unit 115 when the communication packet of process S <b> 12 is a tracking information message (Yes), the router device passage detection unit 115 is notified. It is determined whether or not the tracking information message has passed through the router device 11, that is, whether or not it has been routed by the router device 11 (S21). As a result of the determination, if it has not passed through the router device 11 (No), the router device passage detection unit 115 discards the tracking information message and returns the process to step S11. On the other hand, as a result of the determination, when the router device 11 is passed (Yes), the router device passage detection unit 115 notifies the tracking information adding unit 116 of the tracking information message.

  The determination as to whether or not the tracking information message has passed through the router device 11 is made based on the passage information indicating the passage of the router device 11. The passage information is configured to determine that the passage information has passed through the router device 11 when, for example, TTL is used and indicates a value reduced by at least 1 from the initial value of TTL (255 in the above example). The TTL is the number of router devices on the path that can be used from the transmission source device to the transmission destination device. As a rule, when the router device routes a communication packet, the TTL is decremented by one. Here, for example, one or more times may be decremented in a line having a low communication speed such as a WAN (Wide Area Network). In addition, the router device 11 that has received the communication packet with TTL = 1 discards the communication packet and transmits an ICMP Time Exceeded Message (type 11 / code 0) to the transmission source device. When the transmission source apparatus receives this message, it can recognize that the communication packet is discarded.

  In the present embodiment, the configuration is such that the tracking information message passes through the router device 11 when the TTL does not match the initial value. For example, the source tracking information providing device 10 sets the tracking information message 30 to the tracking information message 30. When generating, the TTL of the header section 301 is also stored in the attached information section 305, and the source tracking information providing apparatus 10 that has received the tracking information message 30 compares the TTL of the header section 301 with the TTL of the attached information section 305. In the case of mismatch, the router device 11 may be determined to have passed. With this configuration, it is not necessary to uniformly define the TTLs of all the source tracking information providing devices 10, and it is possible to effectively suppress the tracking information message from being transmitted through the communication network 1. In the present embodiment, TTL is used as the passage information. However, the present invention is not limited to this, and the passage information determines, for example, the number of hops and the route indicating the number of router devices 10 that have passed on the route. A metric or the like that is a weight as a judgment material at the time may be used. Further, instead of using the existing TTL, the number of hops, or the metric, for example, when a predetermined time (for example, 500 ms or 1 s) has passed since the time stamp of the time stamp unit 302, the router device 11 is passed. A time stamp may be used for the passage information by configuring it to be determined. Further, for example, the transmission source tracking information providing apparatus 10 sets “0”, and the router apparatus 11 stores a flag (passage flag) for resetting it to “1” in the header section 301 or the attached information section 305. By configuring, a passage flag may be used for passage information.

  The tracking information adding unit 116 duplicates the notified tracking information message (S22), and the tracking information adding unit 116 is a forward link that is information regarding the physical location of the source tracking information providing apparatus 10 in the communication network 1. The information is added to the duplicated tracking information message, and the tracking information message with the forward link information added is notified to the transmission unit (S23). The forward link information is the same as the backward link information described above.

  In the tracking information message 31 to which the forward link information is added by the tracking information adding unit 116, the forward link information is added to the tracking information message 30 shown in FIG. 4 (A). Therefore, as shown in FIG. 4 (B), The header part 301, the time stamp part 302, the back link information part 303, the front link information part 304 which accommodates front link information, and the attached information part 305 are comprised. Here, in the attached information unit 305, not only the identifier of the source tracking information providing device 10 that first generated the tracking information message 30, but also the identifier of the source tracking information providing device 10 to which the forward link information is added, the encryption / Authentication information and electronic signatures are also included.

  Then, the transmission unit 117 transfers the tracking information message 30 generated by the tracking information generation unit 114 and the tracking information message 31 added with the forward link information by the tracking information addition unit 116 to the communication interface 103 so as to be transmitted to the transmission path 15. (S15).

  The communication interface 103 converts the tracking information messages 30 and 31 into the signal format of the transmission path 15 and transmits the tracking information message to the transmission path 15 via the hub 16.

  In this way, the source tracking information providing apparatus 10 operates to generate the tracking information message 30 for the communication packet with a predetermined probability among the communication packets transmitted through the transmission path 15, and to the generated tracking information message 30. Send to the destination in the corresponding communication packet. Then, when the source tracking information providing device 10 finds the tracking information message 30 in the communication packet transmitted through the transmission path 15, the forward link information is displayed when the found tracking information message 30 passes through the router device 11. In addition, the added tracking information message 31 is returned to the transmission line 15 again. That is, the forward link information is added to the tracking information message 30 generated by the other source tracking information providing apparatus 10 and returned to the transmission path 15 again.

  For this reason, when the attacking terminal device 2 starts attacking the victim terminal device 3, the tracking information message 30 is generated according to a predetermined probability for the communication packet used for the attack, and the tracking information message 30 and the forward A tracking information message 31 with link information added is transmitted to the victim terminal device 3. The victim-side terminal device 3 determines the overlap between the forward link information and the backward link information based on the forward link information and the backward link information of the tracking information message 30 and the tracking information message 31, for example. By sequentially tracing the source tracking information providing device 10 to the attacking terminal device 2, the source tracking information providing device 10 closest to the attacking terminal device 2 is specified, and the specified source tracking information providing device 10 is connected. The router device 11 to be identified is specified. As a result, the source of the communication packet used for the attack, that is, the sub communication network to which the attacking terminal device 2 is connected is specified, and the physical position of the attacking terminal device 2 in the communication network 1 is specified.

  As described above, since the transmission source tracking information providing apparatus 10 provides information for specifying the transmission source and the transmission source is specified by the victim terminal apparatus 3, the load on the router apparatus 11 can be reduced. it can. The router device 11 can make the resource substantially dedicated to the routing process. Even when the router device 11 does not have a processing function for specifying a transmission source, the communication network 1 can be used without changing the router device 11 and in a state where the communication network 1 is operated. Can be provided with a function of specifying the transmission source.

  Here, since the attack is usually performed in a relatively short time, the collection period of the tracking information messages 30 and 31 is important. That is, if tracking information messages 30, 31 such as 100 or 1000 are transmitted within one hour, half day, or one day, there is a high possibility of an attack, but in January, half year, or year For example, when 100 or 1000 tracking information messages 30 and 31 are transmitted, there is a high possibility that the message is not an attack. For this reason, the victim terminal device 3 only needs to receive the tracking information messages 30 and 31 for a relatively short time to identify the source. In such a configuration, the time stamps of the tracking information messages 30 and 31 are not necessarily required. Alternatively, for example, referring to the time stamp, the source may be specified using the tracking information messages 30 and 31 transmitted in a relatively short time. The time stamp is information necessary for searching for a tracking information message generated within a certain period when a transmission source is specified. Further, for example, the victim terminal device 3 may be further provided with a so-called intrusion detection system, and the tracking information messages 30 and 31 may be collected based on the detection result from the intrusion detection system to identify the transmission source. Alternatively, the victim terminal device 3 is further provided with an intrusion detection system, collecting the tracking information messages 30, 31, and filtering the collected tracking information messages 30, 31 based on the detection result of the detection system, May be specified. The Intrusion Detection System (IDS) is a system that detects and detects characteristic patterns and signs of attacks, and detects abnormalities in network IDS and terminal devices that detect traffic patterns on the network. A host / IDS to be detected is known.

  In the above-described embodiment, the source is traced by the victim terminal device 3, but is connected to the communication network 1 via a hub (not shown) as indicated by a broken line in FIG. A collector device 20 (corresponding to an example of a source tracking device) that tracks the source of communication packets is provided, the collector device 20 acquires the tracking information messages 30, 31, and the collector device 20 determines the source. It may be configured to track. The source tracking information providing apparatus 10 and the collector apparatus 20 are configured to constitute a source tracking system that can track the source of communication packets. Although the victim terminal device 3 is subjected to an attack, a relatively large load is applied to the resources. However, by providing such a collector device 20, the load on the source tracking process is reduced from the victim terminal device 3. Can be opened.

  FIG. 5 is a diagram illustrating a configuration of the collector device according to the embodiment. FIG. 6 is a flowchart illustrating the operation of the collector device according to the embodiment. FIG. 7 is a diagram for explaining an example of specifying a transmission source. FIG. 7A shows an example of a link list, and FIG. 7B shows a specified communication path.

  First, the configuration of the collector device 20 will be described. In FIG. 5, the collector device 20 is a device that acquires the tracking information messages 30 and 31 from the communication network 1 and tracks the source of the communication packet based on the information accommodated in the tracking information messages 30 and 31. , A central processing unit 201, an auxiliary storage unit 202, a communication interface 203, an internal storage unit 204, and a display unit 206, and an input unit 205 and / or an external storage unit 207 indicated by broken lines as necessary.

  The central processing unit 201 is constituted by, for example, a microprocessor or the like, and functionally takes in a communication packet from the transmission path via the communication interface 203 and the hub (corresponding to an example of a packet collecting unit). Based on the tracking information message detection unit 212 (corresponding to an example of tracking message detection means) for determining whether or not the captured communication packet is the tracking information message 30 or 31, and the information of the tracking information message 30 or 31. And a transmission source tracking unit 213 (corresponding to an example of a transmission source tracking unit) for tracking the transmission source of the communication packet, and according to the control program, the auxiliary storage unit 202, the communication interface 203, the internal storage unit 204, and the display unit 206. To control.

  In this embodiment, the transmission source tracking unit 213 is a link source creation router that identifies a link list creation unit 2131 that creates a link list and a router device to which a terminal device that is a transmission source of communication packets is connected based on the link list. And a device detection unit 2132. The link list is created based on the information contained in the tracking information messages 30 and 31, and at least the source information, the backward link information, the forward link information, and the tracking information message 30 according to the tracking information messages 30 and 31, 11 is a table showing a correspondence relationship with transmission destination information in a communication packet corresponding to No. 31. FIG.

  The auxiliary storage unit 202 is a device that stores information such as a non-volatile storage element such as a ROM or an EEPROM and a hard disk. For example, the auxiliary storage unit 202 executes each program such as a control program for operating the collector device 20 and each program. Necessary information is stored. Further, as will be described later, the auxiliary storage unit 202 also stores tracking information messages (corresponding to an example of storage means). The communication interface 203, internal storage unit 204, display unit 206, input unit 205, and external storage unit 207 are the same as the communication interface 103, internal storage unit 104, display unit 106, input unit 105, and external storage unit 107, respectively. Since there is, explanation is omitted. The central processing unit 201, auxiliary storage unit 202, communication interface 203, internal storage unit 204 and display unit 206, and, if necessary, the input unit 205 and / or the external storage unit 207 exchange data with each other. Are connected to the bus 208 respectively.

  Next, the operation of the collector device 20 will be described. The communication packet propagating through the transmission path is branched at the hub, one of the branched communication packets is taken into the collector device 20, and the other communication packet propagates through the transmission path as it is. The communication packet captured by the collector device 20 is converted into a signal format that can be handled by the central processing unit 201 by the communication interface 203.

  In FIG. 6, the capturing unit 211 of the central processing unit 201 captures a communication packet from the communication interface 203 and notifies the tracking information message detecting unit 212 of the communication packet (S31). The tracking information message detection unit 212 determines whether the notified communication packet is the tracking information message 30 or 31 by referring to an identifier indicating that the communication packet is a tracking information message (S32).

  As a result of the determination, if the communication packet is not the tracking information message 30 or 31 (No), the tracking information message detection unit 212 discards the communication packet and returns the process to step S31. On the other hand, as a result of the determination, if the communication packet is the tracking information message 30 or 31 (Yes), the tracking information message detection unit 212 determines whether or not it is within a predetermined period.

  The determination as to whether or not the time is within the predetermined period includes, for example, a timer unit that measures a predetermined time and interrupts and inputs the start and end of the time measurement to the tracking information message detection unit 212. This is done by judging whether it is in the middle or not. The timer unit may be configured by hardware such as a capacitor, a switching element, or a counter circuit, for example, and is functionally configured by software in the central processing unit 201 as indicated by the broken line in FIG. 5 as the timer unit 214. May be. Further, for example, the determination as to whether or not the time is within a predetermined period may be made based on the time stamp stored in the time stamp portion 302 of the tracking information messages 30 and 31. Since the predetermined period is for determining whether or not the communication packet is an attack, it is one hour, half a day, one day, or the like, similar to the above-described collection period.

  As a result of the determination, if it is not within the predetermined period (No), the tracking information message detection unit 212 discards the communication packet and returns the process to the process S31. On the other hand, if the result of the determination is that it is within the predetermined period (Yes), the tracking information message detection unit 212 stores and acquires the tracking information messages 30 and 31 in the auxiliary storage unit 202, and acquires the tracking information message 30, 31 is notified to the source tracking unit 213 (S35).

  The link list creation unit 2131 of the transmission source tracking unit 213 creates and updates a link list from the information stored in the acquired tracking information messages 30 and 31 (S36).

  Next, the tracking information message detection unit 212 determines whether or not the predetermined period has ended (S37). As a result of the determination, if the predetermined period has not ended (No), the tracking information message detection unit 212 returns the process to step S31. As a result, the tracking information messages 30 and 31 are captured only within a predetermined period, stored in the auxiliary storage unit 202, and registered in the link list.

  On the other hand, if the predetermined period has expired as a result of the determination (Yes), the tracking information message detection unit 212 notifies the transmission source tracking unit 213 of the end of collection of the tracking information messages 30 and 31.

  Then, the transmission source connection router device detection unit 2132 of the transmission source tracking unit 213 identifies a communication path from the victim terminal device 3 to the transmission source (attack terminal device 2) based on the created link list, and transmits the transmission source. Is detected (S38).

  By operating the collector device 20 in this way, for example, a link list 40 shown in FIG. 7A is created. The link list 40 in this embodiment registers an index field 401 for registering an index representing each record of the link list 40 and a communication address of the source tracking information providing apparatus 10 that has transmitted the tracking information messages 30 and 31. A source communication address field 402, a destination communication address field 403 for registering the destination communication address of the tracking information messages 30 and 31, and a passage information field 404 for registering the passage information of the tracking information messages 30 and 31. And the router device communication address field 405 for registering the communication address of the router device 11 between the back link information and the front link information, and the back for registering the back link information accommodated in the tracking information messages 30 and 31. Link information field 406 and The forward link information field 407 for registering the forward link information accommodated in the tracking information messages 30 and 31, the time stamp field 408 for registering the time stamp accommodated in the tracking information messages 30 and 31, and the acquired tracking information Each field is configured with a sampling tracking information message data field 409 for registering information stored in the attached information section 305 of the messages 30 and 31, and an index is assigned to each acquired tracking information message 30 and 31. A record is created.

  The index may be any symbol string different from each other as long as each record is distinguished. In the present embodiment, the index is, for example, a serial number. The communication address is, for example, an IP address when a transmission source is specified in the IP layer. The passage information is, for example, the TTL described above.

  In the process S36 described above, when the tracking information messages 30 and 31 are acquired, the link list creation unit 2131 creates a new record with a serial number index. Next, the link list creation unit 2131 registers the attached index in the index field 401. Next, the link list creation unit 2131 extracts the source communication address, the destination communication address, and the passage information (assumed to be contained in the header unit 301) from the header portion 301 of the tracking information messages 30 and 31. The transmission destination communication address field 402, the transmission destination communication address field 403, and the passage information field 404 are registered. Next, the link list creation unit 2131 receives the backward link information, the forward link information, the time stamp and the backward link information unit 303, the forward link information unit 304, the time stamp unit 302 and the attached information unit 305 of the tracking information messages 30 and 31. The attached information is extracted and registered in the backward link information field 406, the forward link information field 407, the time stamp field 408, and the sampling tracking information message data field 409, respectively. When the tracking information messages 30 and 31 do not contain the forward link information, that is, when the acquired tracking information messages 30 and 31 are the tracking information message 30, the forward link information field 407 is blank. Become.

  Then, the link list creation unit 2131 extracts the communication address of the router device 11 on the downstream side in the communication of the transmission source tracking information providing device 10 of the transmission source from the back link information and registers it in the router device communication address field 405. As described above, the back link information and the front link information are, for example, a pair of identifiers of the router device 11 at both ends of the transmission line 15 to which the source tracking information providing device 10 is connected. Link list creating unit 2131, if it is stipulated that the identifier of upstream router device 11 and the identifier of downstream router device 11 in communication are accommodated in rear link information unit 303 in this order, link list creating unit 2131 The communication address of the router device 11 can be recognized.

  First, the source connection router device detection unit 2132 receives the attack from the link list 40 created in this way, and the communication address of the victim terminal device 3 that wants to track the source of this attack is the destination communication address field. The record registered in 403 is extracted. Next, the source connection router device detection unit 2132 sequentially arranges records in which the back link information and the front link information match between the records, so that the communication packet is transferred from the attacking terminal device 2 to the victim terminal device 3. It is possible to trace the source tracking information providing apparatus 10 on the communication path up to. Then, the farthest source tracking information providing device 10 on the communication path from the victim terminal device 3 can be specified, and the router device 11 connected to the downstream side of the farthest source tracking information providing device 10 can be specified. For this reason, it is specified that the attacking terminal device 2 is in the sub-communication network under the router device 11, and the physical position of the attacking terminal device 2 in the communication network 1 can be specified.

  In the example illustrated in FIG. 7A, the backward link information that matches the forward link information registered in the forward link information field 407 in the record with the index = “1” = “the communication address pair of R2 and R3” is the backward. Since the record registered in the link information field 407 is a record with index = “2”, the communication address registered in the source communication address field 402 in the record with index = “1” = “IP_X3”. Is followed by the source tracking information providing device 10 of communication address = “IP_X4” registered in the source communication address field 402 in the record of index = “2”. .

  Similarly, when the degree of overlap between the forward link information and the backward link information is analyzed, the source tracking information providing device with the communication address = “IP_X4” is determined from the record with the index = “2” and the record with the index = “k”. 10 is followed by the source tracking information providing apparatus 10 having the communication address = “IP_X5”. From the record with index = “k” and the record with index = “n”, the source tracking information providing device 10 with communication address = “IP_X6” is sent to the source tracking information providing device 10 with communication address = “IP_X5”. Continue. On the other hand, from the record with index = “3” and the record with index = “1”, the source tracking information providing device with communication address = “IP_X3” is sent to the source tracking information providing device 10 with communication address = “IP_X2”. 10 continues.

  The forward link information field 407 in the record with index = “0” is blank, the backward link information in the backward link information field 406 in the record with index = “0”, and the backward link information field 406 in the record with index = “3”. Since the backward link information matches, the source tracking information providing device 10 with the communication address = “IP_X1” is positioned in front of the source tracking information providing device 10 with the communication address = “IP_X2”.

  The forward link information field 407 in the record with index = “n−1” is blank, the forward link information in the forward link information field 407 in the record with index = “n”, and the backward link in the record with index = “n−1”. The back link information in the information field 406 matches, the source communication address in the source communication address field 402 in the record with index = “n”, and the source communication address field 402 in the record with index = “n−1”. Since the source communication address matches, the victim terminal device 3 is located immediately after the source tracking information providing device 10 with the communication address = “IP_X6”.

  Therefore, as shown in FIG. 7B, the communication path of the communication packet is the source tracking information providing device 10 (“X6” in the figure) with the communication address = “IP_X6”, and the communication address = “IP_X5”. Source tracking information providing apparatus 10 (“X5” in the figure), communication address = “IP_X4” source tracking information providing apparatus 10 (“X4” in the figure), communication address = “IP_X3” Source tracking information providing apparatus 10 (“X3” in the figure), source address tracking information providing apparatus 10 (“X2” in the figure) of communication address = “IP_X2”, and transmission of communication address = “IP_X1” It can be seen that this is the source tracking information providing apparatus 10 ("X1" in the figure). Then, the attacking terminal device 2 exists in the sub-communication network of the downstream router device 11 (“R0” in the figure) to which the source tracking information providing device 10 with the farthest communication address = “IP_X1” is connected. Thus, the physical position of the attacking terminal device 2 on the communication network 1 is known.

  Further, since the communication address of the router device 11 is also known in the link list 40 in the present embodiment, the communication packet is obtained as shown in FIG. B), the router apparatus 11 (“R6” in the figure) with the communication address = “IP_R6”, the router apparatus 11 (“R5” in the figure) with the communication address = “IP_R5”, and the communication address, as shown in FIG. = "IP_R4" router device 11 ("R4" in the figure), communication address = "IP_R3" router device 11 ("R3" in the figure), communication address = "IP_R2" router device 11 (same as above) “R2” in the figure), router device 11 with communication address = “IP_R1” (“R1” in the figure), and router device 11 with communication address = “IP_R0” (in the figure). It can be seen that the came is transmitted through the communication path of "R0").

  Furthermore, when the collector device 20 exists in the vicinity of the victim terminal device 3, the records may be arranged in consideration of the value of the passing information when following the communication path. When the passing information is, for example, TTL, the smaller the value, the more router devices 11 have been passed, and the source tracking information providing device located far from the collector device 20, that is, the victim terminal device 3. This is because the tracking information messages 30 and 31 are sent from 10.

  In the above description, the collector device 20 is configured to acquire the tracking information messages 30 and 31 transmitted from the communication network 1 to the victim terminal device 3, but the source tracking information providing device 10 is configured to acquire the tracking information message. 30 and 31 may be transmitted to the collector device 20 instead of the victim terminal device 3. With this configuration, the victim terminal device 3 does not need to receive the tracking information messages 30 and 31 when under attack, and thus the load on the victim terminal device 3 is further reduced. In this case, since the address of the collector device 20 is accommodated in the transmission destination address of the header section 301, in order to make the collector device 20 recognize which terminal device the tracking information messages 30 and 31 are for. The tracking information generation unit 114 of the transmission source tracking information providing device 10 accommodates the transmission destination information (address of the victim terminal device 3) in the communication packet corresponding to the generated tracking information message 30 in, for example, the attached information unit 305. To be further included in the tracking information message 30.

  Further, in the above description, the source tracking information providing device 10 transmits the tracking information messages 30 and 31 to the victim terminal device 3 via the communication network 1, and the collector device 20 includes the tracking information messages 30 and 31. Is collected from the communication network 1, but a tracking device for tracking the source of the communication packet is provided based on the information of the tracking information messages 30 and 31, and the source tracking information providing device 10 and the tracking device are connected. A dedicated communication line or communication network may be provided, and the tracking information messages 30 and 31 may be transmitted from the source tracking information providing apparatus 10 to the tracking apparatus through the dedicated communication line or communication network.

  Furthermore, in the above description, the tracking information message 30 is generated with the predetermined probability set in the source tracking information providing apparatus 10, and the collector apparatus 20 acquires the tracking information messages 30 and 31. Depending on the value, the load on the collector device 20 may become relatively large, or the monitoring level of the communication network 1 may be changed. Thus, a communication packet (probability change message) for changing the predetermined probability may be transmitted from the collector device 20 to the source tracking information providing device 10 to change the predetermined probability. In this case, the source tracking information providing apparatus 10 is further provided with a probability changing unit that changes the predetermined probability of the probability event generating unit 113. The predetermined probabilities of all the source tracking information providing devices 10 may be changed all at once by broadcasting the probability changing message, and the probability changing message is transmitted to the desired source tracking information providing device 10. Accordingly, the predetermined probability of the source tracking information providing apparatus 10 may be individually changed.

  On the other hand, some router apparatuses 11 constituting the communication network 1 may have a NAT function (including a Network Address Translation function, a nut function, and a NAPT (Network Address Port Translation) function). The nut function converts private addresses and global addresses to each other (also converts port numbers to each other if necessary), and terminal devices to which only private addresses are assigned can transparently access the Internet. It is a mechanism to do so. In the static nut function that converts private addresses and global addresses one-on-one, it is necessary to prepare as many global addresses as there are private addresses, but there is no space when converting private addresses to global addresses. In the dynamic nut function that is converted into the global address, the number of global addresses can be reduced as compared with the number of private addresses, and the global addresses can be saved.

  FIG. 8 is a diagram illustrating a communication network including a nut router device having a nut function to which the source tracking information providing device according to the embodiment is applied. FIG. 9 is a diagram showing a format of a tracking information message including nut information. FIG. 9A shows the format of the tracking information message by the tracking information generating unit, and FIG. 9B shows the format of the tracking information message by the tracking information adding unit.

  For example, as shown in FIG. 8, the router devices c11-c and Rg11-g in the communication network 1 shown in FIG. 1 are the nut router devices 12 (NAT-Ra12-a, NAT-Rb12-b) and the communication network 1 ′. Is configured.

  As can be seen from the nut function, since the private address is used in the sub communication network of the router device 11 and the private address is converted into the global address, the same private address may be used in different sub communication networks. It may be difficult to identify the source. Therefore, the nut router device detection unit 118 is arranged in the center as shown by a broken line in FIG. 2 so that the transmission source tracking information providing device 10 according to the present invention can be applied to the communication network 1 ′ including the nut router device 12. The processing unit 101 is further provided, and the tracking information generation unit 114 is configured to generate a tracking information message including nut information. The nut information includes the type of the nut / router device 12 (aside from the static nut / router device and the dynamic nut / router device), the IP address and the NAPT function before and after NAT conversion in the nut / router device 12. Is the port number.

  For example, when the source tracking information providing apparatus 10 is connected to the transmission path 15, the nut router apparatus detection unit 118 inquires whether the router apparatus connected to the transmission path 15 is the nut router apparatus 12. (Nut router detection message) is transmitted, and when a message indicating that it is the nut / router device 12 is received, a message (nut information request message) requesting the nut / router device 12 for the nut information is further transmitted. Then, the message containing the nut information is received, the nut information is stored in the auxiliary storage unit 102, and the tracking information generation unit 114 is notified to add the nut information and generate the tracking information message. For example, SNMP is used to acquire such nut information.

  When receiving the notification from the nut router device detection unit 118, the tracking information generation unit 114 generates a tracking information message including nut information when generating the tracking information message. For example, as shown in FIG. 9A, the tracking information message 32 including nut information is further configured to further include a nut information unit 306 that accommodates nut information in the tracking information message 30 shown in FIG. 4A. . That is, the tracking information message 32 includes a header portion 301, a time stamp portion 302, a backward link information portion 303, a nut information portion 306, and an attached information portion 305.

  Then, since the tracking information adding unit 116 adds the forward link information to the tracking information message 32 including such nut information, as shown in FIG. In the tracking information message 33 to which information is added, forward link information is added to the tracking information message 32 shown in FIG. 9A, and a header portion 301, a time stamp portion 302, a backward link information portion 303, and a forward link are added. An information unit 304, a nut information unit 306, and an attached information unit 305 are provided.

  Even when the communication network is the communication network 1 ′ including the nut router device 12, the victim terminal device 3 can receive the tracking information messages 32 and 33 including the nut information, so refer to the nut information. Thus, the inconsistency of the tracking result can be solved and the transmission source can be specified. For example, when the source is specified up to the sub-communication network of the nut router device, the same global address may be assigned to different private addresses because the private address is assigned in the sub-communication network. As a result, duplication of addresses may occur in the tracking result, and the tracking result may be inconsistent. Even in such a case, the source can be specified by referring to the nut information.

  In addition, a virtual private network (VPN, virtual private network, virtual private network, hereinafter abbreviated as “VPN”) is formed in the router device 11 constituting the communication network 1. There may be. VPN is a mechanism that uses a public communication network such as the Internet like a dedicated line. The VPN is mainly composed of a function for converting the header of a communication packet for VPN communication and a function for encrypting the communication packet.

  FIG. 10 is a diagram illustrating a communication network including a VPN and a communication path of a communication packet to which the source tracking information providing apparatus according to the embodiment is applied. 10A shows a communication network including a VPN to which the source tracking information providing apparatus according to the embodiment is applied, FIG. 10B shows an actual communication path of a communication packet, and FIG. C) shows a virtual communication path of a communication packet by VPN. FIG. 11 is a diagram illustrating a format of a tracking information message including VPN information. FIG. 11A shows the format of the tracking information message by the tracking information generation unit, and FIG. 11B shows the format of the tracking information message by the tracking information adding unit.

  For example, as shown in FIG. 10, a VPN 13 is formed between router devices f11-f and Rj11-j in the communication network 1 shown in FIG.

  When the source tracking information providing apparatus 10 according to the present invention is applied to the communication network 1 ″ including the VPN 13, as shown by a broken line in FIG. 2, the central processing unit 101 further includes a VPN router apparatus detecting unit 119. And the tracking information generator 114 is configured to generate a tracking information message including VPN information, including the IP address before and after the encapsulation of the VPN, and the session or tunnel ID number.

  For example, when the source tracking information providing apparatus 10 is connected to the transmission path 15, the VPN router apparatus detection unit 119 determines whether or not the router apparatus 11 connected to the transmission path 15 is a router apparatus 11 that forms a VPN. When a message indicating that a VPN is formed is received, a VPN type such as SSL, IPsec, and MPLS, and VPN information are requested to the router 11. Message (VPN information request message) is received, a message containing the VPN type and VPN information is received, the VPN type and VPN information are stored in the auxiliary storage unit 102, and the tracking information generation unit 114 is also provided with VPN information. To generate a tracking information message. For obtaining such VPN information, for example, SNMP is used.

  Upon receiving the notification from the VPN router device detection unit 119, the tracking information generation unit 114 generates a tracking information message including VPN information when generating the tracking information message. For example, as shown in FIG. 11A, the tracking information message 34 including VPN information is configured to further include a VPN information unit 307 for accommodating VPN information in the tracking information message 30 shown in FIG. 4A. . That is, the tracking information message 34 includes a header part 301, a time stamp part 302, a backward link information part 303, a VPN information part 307, and an attached information part 305.

  The tracking information adding unit 116 adds the forward link information to the tracking information message 34 including such VPN information. Therefore, as shown in FIG. In the tracking information message 35 to which information is added, forward link information is added to the tracking information message 34 shown in FIG. 11A, and a header portion 301, a time stamp portion 302, a backward link information portion 303, and a forward link are added. An information unit 304, a VPN information unit 307, and an attached information unit 305 are provided.

  When the communication network is a communication network 1 ″ including VPN, the VPN communication path (in FIG. 10A, from the router device f11-f to the router device j11-d via the router device c11-c and the router d11-d). transmission source tracking information providing device 10 (communication route to j) (in FIG. 10A, in the source tracking information providing device c11-c, transmission source tracking information providing device d11-d, and transmission source tracking information providing device j11- In j), the tracking information generation unit 114 transmits the tracking information message generated with a predetermined probability to the router device 11 (in FIG. 10A, the router device f11-f or the router device j11-j) that forms the VPN. In addition, since the source tracking information providing device 10 in the VPN communication path is encapsulated and encrypted, the tracking information message detecting unit 112 includes The trace information message cannot be detected, and depending on the VPN setting, for example, the WEB does not use the VPN depending on the type of communication, such as WEB via VPN but e-mail not via VPN. Therefore, even if the transmission sources are the same, the result of apparently changing the communication path results in inconsistencies in the tracking results.

  However, since the victim terminal device 3 can receive the tracking information messages 34 and 35 including the VPN information, the router devices 11 forming the VPN can be recognized by referring to the VPN information. It looks as if router devices 11 forming a VPN are directly connected by a transmission line. Therefore, as shown in FIG. 10 (B), the actual communication path is routed from the router device b11-b to the router device f11-f, the router device c11-c, the router device d11-d, and the router device j11-j. Even if it is k11-k, the communication path from the router apparatus b11-b to the router apparatus k11-k via the router apparatus f11-f and the router apparatus j11-j as shown in FIG. Can be regarded as a source of transmission. Further, since the analysis of the actual communication path in the VPN (in FIG. 10, the analysis from the router device f11-f to the router device j11-j via the router device c11-c and the router device d11-d) is omitted. The communication path to the transmission source can be identified earlier.

It is a figure which shows the communication network to which the transmission source tracking information provision apparatus which concerns on embodiment was applied. It is a figure which shows the structure of the transmission source tracking information provision apparatus which concerns on embodiment. It is a figure which shows the flowchart which shows operation | movement of the transmission source tracking information provision apparatus which concerns on embodiment. It is a figure which shows the format of a tracking information message. It is a figure which shows the structure of the collector apparatus which concerns on embodiment. It is a figure which shows the flowchart which shows operation | movement of the collector apparatus which concerns on embodiment. It is a figure for demonstrating an example which identifies a transmission source. It is a figure which shows the communication network containing the nut router apparatus provided with the nut function to which the transmission source tracking information providing apparatus according to the embodiment is applied. It is a figure which shows the format of the tracking information message containing nut information. It is a figure which shows the communication path | route of the communication network containing VPN, and the communication packet to which the transmission source tracking information provision apparatus which concerns on embodiment was applied. It is a figure which shows the format of the tracking information message containing VPN information.

Explanation of symbols

10 Source Tracking Information Providing Device 11 Router Device 12 Nut / Router Device 13 VPN
16 Hub 20 Collector device 30, 31, 32, 33, 34, 35 Tracking information message 101, 201 Central processing unit 102, 202 Auxiliary storage unit 103, 203 Communication interface 104, 204 Internal storage unit 111, 211 Acquisition unit 112, 212 Tracking Information Message Detection Unit 113 Probability Event Generation Unit 114 Tracking Information Generation Unit 115 Router Device Passage Detection Unit 116 Tracking Information Addition Unit 117 Transmission Unit 118 Nut Router Device Detection Unit 119 VPN Router Device Detection Unit 213 Source Tracking Unit 214 Timer Unit 301 Header section 302 Time stamp section 303 Back link information section 304 Forward link information section 305 Attached information section 306 Nut information section 307 VPN information section 2131 Link list generation section 2132 Source connection router apparatus detection section

Claims (7)

Packet collection means connected to the transmission line connecting the router devices and capturing communication packets from the transmission line;
A tracking message detecting means for determining whether the communication packet captured by the packet collecting means includes an identifier indicating that it is a tracking information message for tracking the source of the communication packet;
When it is determined by the tracking message detecting means that the identifier is not included, an identifier indicating that the communication packet is a tracking information message with respect to the communication packet, and both ends of the transmission path Tracking message creation means for storing back link information comprising the address of each connected router device;
When it is determined by the tracking message detection means that the identifier is included, it is further determined whether the communication packet has passed through the router device. A tracking message adding means for duplicating a communication packet and storing forward link information including addresses of router devices connected to both ends of the transmission path in the duplicated communication packet;
A source tracking information providing apparatus comprising: a tracking message adding unit or a packet transmitting unit that transmits a communication packet output from the tracking message generating unit on the transmission path.   The tracking message creating means further stores the tracking information message when storing backward link information including an identifier indicating that it is a tracking information message and addresses of router devices connected to both ends of the transmission path. 2. The source tracking information providing apparatus according to claim 1, wherein information on the time at which the message is generated is stored.   In the case where the router device is a nut router device having a nut function, the tracking message creating means includes an identifier indicating that it is a tracking information message, and an address of each router device connected to both ends of the transmission path. 2. The source tracking information providing apparatus according to claim 1, further comprising: storing information relating to the nut function when storing the rear link information including the information.   When the router device forms a virtual private network, the tracking message creating means includes an identifier indicating that it is a tracking information message, and the address of each router device connected to both ends of the transmission path 2. The source tracking information providing apparatus according to claim 1, further comprising: storing information related to the virtual private network when storing the backward link information comprising:   2. The source tracking information providing apparatus according to claim 1, wherein the tracking message creating means is configured to change the predetermined probability.   The tracking message creating means and / or the tracking message adding means, when storing each link information in a communication packet, further confirms that the source tracking information providing device is a regular source tracking information providing device. 2. The source tracking information providing apparatus according to claim 1, wherein information for specifying is stored. Packet collection means connected to the transmission line connecting the router devices and capturing communication packets from the transmission line;
It is determined whether the communication packet captured by the packet collecting means includes an identifier indicating that it is a tracking information message for tracking the source of the communication packet, and it is determined that the identifier is included. A tracking message detecting means for determining whether or not it is within a predetermined period,
Storage means for storing the communication packet that is a tracking information message when the tracking message detection means determines that it is within the predetermined period;
After the end of the predetermined period, from the tracking information message included in the storage means, comprising a source tracking means for tracking the source by sequentially arranging records in which the backward link information and the forward link information match,
A source tracking apparatus, wherein a source is specified from a tracking information message transmitted from the source tracking information providing apparatus according to claim 1.

Images