JP2006148686A - Communication monitoring system - Google Patents

Communication monitoring system

Info

Publication number
JP2006148686A
Authority
JP
Japan
Prior art keywords
unit
feature information
feature
monitoring system
communication monitoring
Prior art date
Legal status
Granted
Application number
JP2004337676A
Other languages
Japanese (ja)
Other versions
JP3957712B2 (en)
Inventor
Nobuyuki Nakamura
信之 中村
Original Assignee
Oki Electric Ind Co Ltd
沖電気工業株式会社

Abstract

PROBLEM TO BE SOLVED: To provide a communication monitoring system having high reliability and capable of being obtained at a low cost.

SOLUTION: A traffic measuring unit 120 is designed to measure the traffic of a network interface unit 110 by a measuring cycle determined by an analysis segment designating unit 140. A statistics calculating unit 150 is designed to perform a statistics process of header information analyzed by a packet analyzing unit 130 in every measuring cycle. A feature information holding unit 160 is designed to create and hold the feature information including output data of the traffic measuring unit 120 and the statistics calculating unit 150 as feature items in every measuring cycle. A data base unit 170 is designed to sequentially accumulate old feature information. An abnormality detecting unit 180 is designed to read the feature information existing within a range of similarity with new feature information in predetermined feature items whenever the new feature information is created, to statistically calculate a normal range about other feature items among the read feature information, and to detect the abnormality by comparing the new feature information with the other feature items.

COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a communication monitoring system for detecting fraud and abnormality on a network.

  In recent years, problems of fraud (attack, intrusion, etc.) by hackers have become prominent in communication networks such as the Internet. A network intrusion detection system (NIDS) is known as one technique for dealing with such a problem. The network intrusion detection system is a system that detects fraud by comparing a predetermined determination rule with a network state.

  The intrusion detection algorithms used by network intrusion detection systems are roughly classified into the fraud detection method and the anomaly detection method. The fraud detection method analyzes in advance the features that appear in the network state when fraud is performed and encodes them as rules, and determines that fraud is being performed when the network state matches such a rule. The anomaly detection method, on the other hand, analyzes the features that appear in the network state in normal times (when no fraud or the like occurs) and encodes them as rules, and determines that fraud is being performed when the network state no longer matches the rule.

  Comparing these detection methods, the anomaly detection method is superior in that it can cope with unknown fraud. However, it has the drawbacks that its algorithms are complicated and its false alarm rate is high.

On the other hand, the following Non-Patent Document 1 proposes a technique for creating an abnormality detection rule using a learning device called SVM (Support Vector Machines). According to this technique, it is possible to reduce the false alarm rate without complicating the algorithm by statistically learning information obtained from header information and creating an abnormality detection rule.
Takaro Miyamoto and three others, "Abnormality detection from network traffic using SVM", IEICE Transactions, IEICE, April 2004, Vol. J87-B, No. 4, pp. 593-598

However, the technique of Non-Patent Document 1 has the following drawbacks.
(1) Although the technique of Non-Patent Document 1 can detect the normality / abnormality of the network, it has a drawback that the system administrator cannot determine the cause of the abnormality. For this reason, in a system that employs the technique of Non-Patent Document 1, it is necessary to perform manual analysis in order to elucidate the cause of the abnormality, which requires a great deal of cost and time.
(2) With the technique of Non-Patent Document 1, even if it is possible to detect that an abnormality has occurred in the network, it is not possible to determine whether such an abnormality is an abnormality of the entire network or a local abnormality. For this reason, it is difficult to take a quick measure for recovering the normal state when the occurrence of abnormality is detected.
(3) In the technique of Non-Patent Document 1, since traffic data is continuously accumulated for each network device (for example, a probe device), each network device requires a huge amount of disk resources. Furthermore, since writing this data to disk consumes computer resources, inconveniences such as dropped communication packets may occur.
(4) In the technique of Non-Patent Document 1, since the learning function is used, it is necessary to learn the traffic tendency at the place where the network device is installed in advance, and therefore the work load until the start of operation is large.
(5) In the technique of Non-Patent Document 1, learning data is stored for each network device. Since this learning data is generally handled as confidential information, measures against leakage must be taken for each network device, which increases cost.
(6) Since the learning function is used in the technique of Non-Patent Document 1, it is difficult to keep the false alarm rate low when learning data is small in a small-scale system or the like.

  An object of the present invention is to provide a communication monitoring system that is highly reliable and can be realized at low cost.

  A communication monitoring system according to the present invention includes: a traffic measurement unit that measures the traffic of communication packets passing through a network device at a predetermined measurement cycle; a statistical calculation unit that performs statistical processing, for each measurement cycle, on one or more types of header information read from the communication packets; a feature information holding unit that, for each measurement cycle, creates and holds feature information having a plurality of feature items including the measurement result of the traffic measurement unit and the calculation result of the statistical calculation unit; a database unit that reads and stores the old feature information from the feature information holding unit every time the feature information holding unit creates new feature information; and an abnormality detection unit that, every time the feature information holding unit creates new feature information, reads from the database unit the feature information whose predetermined one or more feature items are within the same range as those of the new feature information, statistically calculates a normal range for the other feature items from the read feature information, and determines the occurrence of an abnormality by comparing the other feature items of the new feature information with the normal range.

  According to the present invention, feature information including a plurality of feature items is sequentially accumulated in the database unit, and normality / abnormality is determined by the abnormality detection unit from the correlation between these feature items. Therefore, a highly reliable communication monitoring system can be provided at low cost.

  Embodiments of the present invention will be described below with reference to the drawings. In the drawings, the size, shape, and arrangement relationship of each component are shown only schematically to the extent that the present invention can be understood, and the numerical conditions described below are merely examples.

First Embodiment

  Hereinafter, an embodiment of a communication monitoring system according to the present invention will be described with reference to FIGS. 1 and 2, taking the case where the present invention is applied to a probe device as an example. The probe device is a device that monitors communication traffic, and is installed at an interface portion that connects networks.

  FIG. 1 is a block diagram schematically showing a main configuration of the probe apparatus according to this embodiment.

  As shown in FIG. 1, the probe apparatus 100 of this embodiment includes a network interface unit 110, a traffic measurement unit 120, a packet analysis unit 130, an analysis delimiter designating unit 140, a statistical calculation unit 150, a feature information holding unit 160, a database unit 170, and an abnormality detection unit 180.

  The network interface unit 110 is disposed on a transmission line 193 connecting the two networks 191 and 192, and relays IP packets transmitted on the transmission line 193. That is, all IP packets transmitted between these networks 191 and 192 pass through the network interface unit 110.

  The traffic measurement unit 120 measures the number of IP packets that pass through the network interface unit 110 and the throughput for each measurement period specified by the analysis delimiter designating unit 140. In addition, the traffic measurement unit 120 records the start / end date and time of each measurement cycle based on the measurement cycle information received from the analysis delimiter designating unit 140 and sends it to the feature information holding unit 160.

  The packet analysis unit 130 analyzes the IP packet that has passed through the network interface unit 110 to determine the type and port number (described later) of the IP packet, and sends the IP packet to the statistical calculation unit 150.

  The analysis delimiter designating unit 140 controls the measurement period of the traffic measurement unit 120 and the packet analysis unit 130. As the measurement cycle, for example, a time cycle or a cycle of the total number of packets can be employed.

  The statistical calculation unit 150 receives the analysis result from the packet analysis unit 130 and performs statistical processing for each measurement period.

  The feature information holding unit 160 receives measurement results and date / time information from the traffic measurement unit 120 and receives processing results from the statistical calculation unit 150. Then, the feature information holding unit 160 creates and holds feature information having these pieces of information (hereinafter referred to as “feature items”) for each measurement cycle (see FIG. 2 described later). Further, each time new feature information is created, the feature information holding unit 160 sends the old feature information created immediately before to the database unit 170 and sends an update notification signal to the abnormality detection unit 180.

  The database unit 170 stores all feature information received from the feature information holding unit 160.

  Each time the feature information held in the feature information holding unit 160 is updated, the abnormality detection unit 180 determines normality / abnormality using that feature information and the past feature information accumulated in the database unit 170 (described later).

  FIG. 2 is a table showing an example of feature information created by the feature information holding unit 160.

  As shown in FIG. 2, the feature information of this embodiment includes the following feature items: "date and time", "total number of packets", "throughput", "number of TCP packets", "number of UDP packets", "number of ICMP packets", "TCP window size", "TCP port number", "source TCP port number", "destination TCP port number", "UDP port number", "source UDP port number", "destination UDP port number", "TCP flag", "TCP flag set", "ICMP type code", "IP-TOS", "IP-TTL", and "IP protocol".

  “Date / time” is the start / end date / time of the measurement cycle related to the feature information. The example of FIG. 2 indicates that the feature information is related to the IP packet that has passed through the network interface unit 110 for 5 minutes from 0:00 to 0:05 on September 10, 2004. This feature item is acquired from the traffic measurement unit 120.

  The “total number of packets” is the total number of IP packets that have passed through the network interface unit 110 within the measurement period. This feature item is measured by the packet analysis unit 130.

  “Throughput” is an effective communication speed of the probe apparatus 100 and defines the amount of information that can be processed within a unit time in the application layer. This feature item is measured by the traffic measurement unit 120.

  The “number of TCP packets” is the total number of TCP packets (packets using TCP (Transmission Control Protocol) as a transport layer protocol) among IP packets that have passed through the network interface unit 110 within the measurement period. The number of TCP packets is counted by the packet analysis unit 130 every measurement period.

  The “number of UDP packets” is the total number of UDP packets (packets that use User Datagram Protocol (UDP) as a transport layer protocol) among IP packets that have passed through the network interface unit 110 within the measurement period. This feature item is also counted by the packet analysis unit 130 every measurement cycle.

  “Number of ICMP packets” is the total number of ICMP packets (packets using Internet Control Message Protocol (ICMP)) among IP packets that have passed through the network interface unit 110 within the measurement period. This feature item is also counted by the packet analysis unit 130 every measurement cycle.

  “TCP window size” is one piece of information stored in the TCP header, and is a value indicating the amount of data that can be received at one time by the communication terminal apparatus. The TCP window size is read from all the passing TCP packets by the packet analysis unit 130. Then, the statistical calculation unit 150 counts the number of TCP packets of each window size value, and lists the top three window size values having the largest count number.

  The “TCP port number” is one piece of information stored in the TCP header, and is a port number used in TCP (an auxiliary address provided below the IP address in order to identify an application). The TCP header stores a source port number and a destination port number. In this embodiment, these are collectively referred to as a TCP port number. The TCP port number is read from all passing TCP packets by the packet analysis unit 130. Then, the statistical calculation unit 150 counts the number of TCP packets of each TCP port number, and lists the top five TCP port numbers with the largest number of counts.

  The “transmission source TCP port number” is a port number for identifying the application of the probe device that has transmitted the TCP packet among the above-described TCP port numbers. The source TCP port number is read from all the passing TCP packets by the packet analysis unit 130. Then, the statistical calculation unit 150 counts up the number of TCP packets for each port number.

  The “destination TCP port number” is a port number for specifying an application of the communication terminal device that receives the TCP packet among the above TCP port numbers. The destination TCP port number is read from all passing TCP packets by the packet analysis unit 130. Then, the statistical calculation unit 150 counts up the number of TCP packets for each port number.

  The “UDP port number” is one of information stored in the UDP header and is a port number used in UDP. In this embodiment, the transmission source port number and the destination port number are collectively referred to as a UDP port number. The UDP port number is read from all the passing UDP packets by the packet analysis unit 130. Then, the statistical calculation unit 150 counts the number of UDP packets for each UDP port number, and lists the top five UDP port numbers with the largest number of counts.

  The “transmission source UDP port number” is a port number for specifying the application of the probe device that has transmitted the UDP packet among the above-mentioned UDP port numbers. The source UDP port number is read from all the passing UDP packets by the packet analysis unit 130. Then, the statistical calculation unit 150 counts up the number of UDP packets for each port number.

  The “destination UDP port number” is a port number for specifying an application of the communication terminal device that receives the UDP packet among the above-described UDP port numbers. The destination UDP port number is read from all passing UDP packets by the packet analysis unit 130. Then, the statistical calculation unit 150 counts up the number of UDP packets for each port number.

  The "TCP flag" is the bit value of each flag stored in the flag area (1 byte) of the TCP header. This flag area stores a 2-bit reserved field, a URG flag, an ACK flag, a PUSH flag, an RST flag, a SYN flag, and a FIN flag (U, A, P, R, S, F of feature item N in FIG. 2). For each of the six flags other than the reserved field, the packet analysis unit 130 counts the number of TCP packets in which that flag is set ('1').

  The "TCP flag set" is information indicating the combination of flags that are set among the six TCP flags described above. The packet analysis unit 130 reads the value of each TCP flag from the headers of all passing TCP packets and counts the number of TCP packets for each flag combination. For example, when one TCP packet arrives whose ACK flag and SYN flag are '1' and whose other flags are '0', the count for 'ACK + SYN' increases by one. The statistical calculation unit 150 lists the three most frequently read flag combinations.

  The “ICMP type code” is one of information stored in the header of the ICMP packet, and is a type (major classification) and a code (minor classification) indicating a message for network control. For example, when the type code is 8.0, an echo request message is indicated. The packet analysis unit 130 reads the type and code from the headers of all passing ICMP packets, and counts the number of ICMP packets for each type code. Then, the statistical calculation unit 150 lists the top three types / codes having the largest count number.

  “IP-TOS” is 8-bit information stored in a TOS (Type Of Service) area of the IP header, and indicates the routing priority of the IP packet. The packet analysis unit 130 reads IP-TOS from all passing IP packets, and counts the number of IP packets for each IP-TOS value. Then, the statistical calculation unit 150 lists the top three IP-TOS values with the largest number of counts.

  “IP-TTL” is 8-bit information stored in a TTL (Time To Live) area of the IP header, and indicates the lifetime of the IP packet. The packet analysis unit 130 reads IP-TTL from all the passing IP packets and counts the number of IP packets for each IP-TTL value. Then, the statistical calculation unit 150 lists the top three IP-TTL values with the largest number of counts.

  “IP protocol” is information indicating a protocol belonging to a layer higher than IP (network layer), and includes the above-described TCP, UDP, ICMP, and the like. The packet analysis unit 130 determines the IP protocol of all the passing IP packets and counts the number of detections of each IP protocol. Then, the statistical calculation unit 150 lists the top three IP protocols with the largest number of counts.

  Note that the feature items in FIG. 2 are merely examples, and only some of these feature items may be employed, or other feature items may be used. For example, instead of the number of TCP packets, the number of UDP packets, and the number of ICMP packets, the number of TCP packets / total number of packets, the number of UDP packets / total number of packets, and the number of ICMP packets / total number of packets may be used.

  In addition, when the IP packet is a fragment packet, only the top IP packet of the fragment packet may be counted.
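The following is an added example (not code from the patent or its assignee) of how the feature items A to S described above can be assembled for one measurement cycle from constructed packet header records: the packet analysis unit's per-protocol and per-flag counts, the statistical calculation unit's top-three / top-five listings, and the fragment rule. The `Header` record, the field names, the tie-breaking by value in `top_n`, and the sample headers are all assumptions of this example; throughput is passed in because the text measures it separately in the traffic measurement unit.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Flag order used when naming a flag combination. The 2 reserved bits of the
# 1-byte flag area are ignored, as in the embodiment.
TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


@dataclass
class Header:
    """Header fields the probe reads from one IP packet (constructed records)."""
    proto: str                      # "TCP", "UDP" or "ICMP"
    ttl: int                        # IP-TTL
    tos: int                        # IP-TOS
    src_port: Optional[int] = None  # TCP/UDP source port
    dst_port: Optional[int] = None  # TCP/UDP destination port
    window: Optional[int] = None    # TCP window size
    flags: frozenset = frozenset()  # subset of TCP_FLAGS that are set ('1')
    icmp_type_code: str = ""        # e.g. "8.0" = echo request
    frag_offset: int = 0            # non-zero for a non-first fragment


def top_n(counter, n):
    """Values with the n largest counts. Ties are broken by value so the
    listing is deterministic (the text does not specify tie handling)."""
    return [v for v, _ in sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]]


def flag_set_name(flags):
    """Canonical name of a flag combination, e.g. {'SYN', 'ACK'} -> 'ACK+SYN'."""
    return "+".join(f for f in TCP_FLAGS if f in flags)


def build_feature_info(headers, start, end, throughput):
    """Create the feature information for one measurement cycle.

    `throughput` comes from the traffic measurement unit; everything else is
    derived from the headers (packet analysis unit) and ranked into top-N
    lists (statistical calculation unit)."""
    # Only the first fragment of a fragmented datagram is counted.
    pkts = [h for h in headers if h.frag_offset == 0]
    tcp = [h for h in pkts if h.proto == "TCP"]
    udp = [h for h in pkts if h.proto == "UDP"]
    icmp = [h for h in pkts if h.proto == "ICMP"]

    flag_counts = {f: sum(1 for h in tcp if f in h.flags) for f in TCP_FLAGS}
    return {
        "date_time": (start, end),
        "total_packets": len(pkts),
        "throughput": throughput,
        "tcp_packets": len(tcp),
        "udp_packets": len(udp),
        "icmp_packets": len(icmp),
        "tcp_window_top3": top_n(Counter(h.window for h in tcp), 3),
        # "TCP port number" covers source and destination ports together.
        "tcp_port_top5": top_n(Counter([h.src_port for h in tcp] + [h.dst_port for h in tcp]), 5),
        "tcp_src_port_counts": dict(Counter(h.src_port for h in tcp)),
        "tcp_dst_port_counts": dict(Counter(h.dst_port for h in tcp)),
        "udp_port_top5": top_n(Counter([h.src_port for h in udp] + [h.dst_port for h in udp]), 5),
        "udp_src_port_counts": dict(Counter(h.src_port for h in udp)),
        "udp_dst_port_counts": dict(Counter(h.dst_port for h in udp)),
        "tcp_flag_counts": flag_counts,
        "tcp_flag_set_top3": top_n(Counter(flag_set_name(h.flags) for h in tcp), 3),
        "icmp_type_code_top3": top_n(Counter(h.icmp_type_code for h in icmp), 3),
        "ip_tos_top3": top_n(Counter(h.tos for h in pkts), 3),
        "ip_ttl_top3": top_n(Counter(h.ttl for h in pkts), 3),
        "ip_protocol_top3": top_n(Counter(h.proto for h in pkts), 3),
    }


# Constructed headers for one 5-minute cycle: an HTTP and an HTTPS handshake,
# a DNS query/response, an ICMP echo request/reply and one non-first fragment.
SAMPLE_HEADERS = [
    Header("TCP", 64, 0, 40001, 80, 65535, frozenset({"SYN"})),
    Header("TCP", 64, 0, 80, 40001, 65535, frozenset({"SYN", "ACK"})),
    Header("TCP", 64, 0, 40001, 80, 65535, frozenset({"ACK"})),
    Header("TCP", 128, 0, 40002, 443, 8192, frozenset({"SYN"})),
    Header("TCP", 128, 0, 443, 40002, 8192, frozenset({"SYN", "ACK"})),
    Header("TCP", 64, 0, 40001, 80, 65535, frozenset({"ACK", "PSH"})),
    Header("UDP", 64, 0, 53000, 53),
    Header("UDP", 64, 0, 53, 53000),
    Header("ICMP", 64, 0, icmp_type_code="8.0"),
    Header("ICMP", 64, 0, icmp_type_code="0.0"),
    Header("UDP", 64, 0, 53000, 53, frag_offset=1480),  # not counted
]

if __name__ == "__main__":
    info = build_feature_info(SAMPLE_HEADERS, "2004-09-10 00:00", "2004-09-10 00:05", 1.0e6)
    for item, value in info.items():
        print(f"{item}: {value}")
```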

  Next, the overall operation of the probe apparatus 100 of this embodiment will be described.

  The network interface unit 110 acquires header information of IP packets as needed in order to analyze traffic on a network (not shown). The acquired IP packet header is sent to the packet analysis unit 130.

  The traffic measurement unit 120 measures the throughput by constantly monitoring the network interface unit 110 (see feature item C in FIG. 2). Further, as described above, the traffic measurement unit 120 records and holds the start / end date and time of each measurement cycle (see the feature item A in FIG. 2). These feature items A and C are created for each measurement cycle and sent to the feature information holding unit 160.

  The packet analysis unit 130 analyzes the IP packet header received from the network interface unit 110, thereby determining the type of packet or port, counting, and the like. The result of this analysis process is sent to the statistical calculation unit 150.

  The statistical calculation unit 150 performs the above-described listing based on the analysis result received from the packet analysis unit 130, and creates feature items B and D to S (see FIG. 2). These feature items B and D to S are sent to the feature information holding unit 160.

  The feature information holding unit 160 creates feature information by listing the feature items A to S corresponding to the same measurement cycle. The created feature information is held in the feature information holding unit 160 until the feature information corresponding to the next measurement cycle is created. When new feature information (that is, feature information corresponding to the next measurement cycle) is created, the feature information holding unit 160 sends the old feature information held inside to the database unit 170 and replaces it with the new feature information. Then, the feature information holding unit 160 sends a signal indicating that the feature information has been updated to the abnormality detection unit 180.

  The database unit 170 stores all feature information received from the feature information holding unit 160.

  The abnormality detection unit 180 reads the new feature information from the feature information holding unit 160 every time the feature information is updated. Then, the abnormality detection unit 180 determines a range of identity for one or more predetermined feature items of the feature information. For example, when the range of identity is determined for throughput, it can be set to within ±10% of the throughput value. When the range of identity is determined for the TCP window size, it may be defined so that only feature information whose top-three size values and their ranks completely match is treated as identical, or so that feature information whose three size values match is treated as identical even when their ranks differ.

  Subsequently, the abnormality detection unit 180 reads all the feature information whose feature items are within the same range from the database unit 170. Then, the abnormality detection unit 180 statistically calculates a normal range for each feature item excluding the feature item for which the “identity range” is determined from the read feature information. For example, the standard deviation of the number of TCP packets included in the read feature information can be calculated, and the normal range can be within three times the standard deviation. For example, regarding the TCP window size, a case where two or more of the top three lists match can be set as the normal range. In order to perform accurate abnormality detection, it is desirable to determine a normal range determination method for each feature item in accordance with the traffic environment of the probe device.

  The abnormality detection unit 180 compares each feature item of the feature information read from the feature information holding unit 160 (excluding the feature item for which the range of identity is determined) with the corresponding normal range, and determines whether the network is normal or abnormal according to the comparison result. For example, when the count values of TCP port 135 and ICMP are very large (see feature items H and S in FIG. 2), there is a high possibility that the network is under the attack called 'MS Blaster'. In this determination, the network may be judged abnormal if even one feature item is not within its normal range, or only if a predetermined number or more of feature items are not within their normal ranges. Furthermore, the network may be judged abnormal if at least one of certain specific feature items is not within its normal range, while for the other feature items it is judged abnormal only when a predetermined number of items are not within their normal ranges.

  If the network is determined to be normal, the abnormality detection unit 180 ends the detection operation and waits for the next update of the feature information in the feature information holding unit 160. If the network is determined to be abnormal, the abnormality detection unit 180 notifies the user or operator of the occurrence of the abnormality and of the feature items that are not within the normal range.
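The detection procedure just described (range of identity on throughput, normal range of mean ± 3 standard deviations for numeric items, "two or more of the top three match" for list items, and the combined decision rule with specific and ordinary feature items) as an added example, not code from the patent. The record layout, the past feature information, the reading of the top-three rule as "the new list shares at least two values with the most frequent past values", and the `min_count` / `critical_items` parameters are assumptions of this example.

```python
import statistics
from collections import Counter


def within_identity(new, old, item="throughput", tolerance=0.10):
    """Range of identity: `old` matches `new` if the chosen feature item lies
    within ±tolerance (10%) of the new value, as in the throughput example."""
    return abs(old[item] - new[item]) <= tolerance * abs(new[item])


def normal_range(values, k=3.0):
    """Normal range of a numeric item: mean ± k standard deviations (k = 3)."""
    mean = statistics.mean(values)
    sd = statistics.pstdev(values) if len(values) > 1 else 0.0
    return mean - k * sd, mean + k * sd


def reference_top3(lists):
    """Three most frequent values across the past top-3 lists (ties by value)."""
    c = Counter(v for lst in lists for v in lst)
    return [v for v, _ in sorted(c.items(), key=lambda kv: (-kv[1], kv[0]))[:3]]


def detect(new, db, numeric_items, list_items, critical_items, min_count=2,
           identity_item="throughput"):
    """Abnormality detection for one newly created feature information record.

    Decision rule (the combined variant in the text): any critical item out
    of its normal range -> abnormal; otherwise abnormal only if at least
    `min_count` of the other items are out of range."""
    similar = [r for r in db if within_identity(new, r, identity_item)]
    if not similar:
        return {"verdict": "insufficient data", "abnormal_items": [], "ranges": {}}

    abnormal, ranges = [], {}
    for item in numeric_items:
        lo, hi = normal_range([r[item] for r in similar])
        ranges[item] = (lo, hi)
        if not lo <= new[item] <= hi:
            abnormal.append(item)
    for item in list_items:
        # Assumed reading of "two or more of the top three lists match":
        # the new top-3 list must share at least two values with the reference.
        ref = reference_top3([r[item] for r in similar])
        ranges[item] = ref
        if len(set(new[item]) & set(ref)) < 2:
            abnormal.append(item)

    if any(i in critical_items for i in abnormal):
        verdict = "abnormal"
    elif len([i for i in abnormal if i not in critical_items]) >= min_count:
        verdict = "abnormal"
    else:
        verdict = "normal"
    return {"verdict": verdict, "abnormal_items": abnormal, "ranges": ranges}


# Constructed past feature information (database unit). Four records sit near
# 1.0e6 bit/s; the last two come from busier / quieter cycles and fall outside
# the ±10% throughput identity range, so they are never used for comparison.
PAST_DB = [
    {"throughput": 0.98e6, "tcp_packets": 600, "icmp_packets": 4, "tcp_window_top3": [65535, 8192, 16384]},
    {"throughput": 1.01e6, "tcp_packets": 620, "icmp_packets": 6, "tcp_window_top3": [65535, 16384, 8192]},
    {"throughput": 1.03e6, "tcp_packets": 590, "icmp_packets": 5, "tcp_window_top3": [65535, 8192, 29200]},
    {"throughput": 0.95e6, "tcp_packets": 610, "icmp_packets": 5, "tcp_window_top3": [65535, 8192, 16384]},
    {"throughput": 3.00e6, "tcp_packets": 2000, "icmp_packets": 50, "tcp_window_top3": [65535, 8192, 16384]},
    {"throughput": 0.50e6, "tcp_packets": 300, "icmp_packets": 2, "tcp_window_top3": [8192, 65535, 1024]},
]

NUMERIC = ["tcp_packets", "icmp_packets"]
LISTS = ["tcp_window_top3"]
CRITICAL = {"icmp_packets"}  # one out-of-range critical item is enough


def check(new):
    """Run detection for a new record against the constructed database."""
    return detect(new, PAST_DB, NUMERIC, LISTS, CRITICAL)


if __name__ == "__main__":
    quiet = {"throughput": 1.00e6, "tcp_packets": 630, "icmp_packets": 5, "tcp_window_top3": [65535, 8192, 1024]}
    flood = {"throughput": 1.00e6, "tcp_packets": 630, "icmp_packets": 200, "tcp_window_top3": [65535, 8192, 1024]}
    for name, rec in (("quiet", quiet), ("flood", flood)):
        print(name, check(rec))
```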

  As described above, in the communication monitoring system according to this embodiment, each feature item of newly acquired feature information is statistically compared with the corresponding past feature items to determine normality / abnormality, so highly reliable communication monitoring can be performed with this configuration.

  Further, according to the communication monitoring system according to this embodiment, it is possible to easily identify a feature item that is not within the normal range, so that the cause of the abnormality can be easily clarified.

  In addition, since the communication monitoring system according to this embodiment does not need a learning function, even when a false detection occurs, the fact that it is a false detection and its cause can be identified easily. Therefore, countermeasures such as improving the normal range determination method are easy to take.

Second Embodiment

  Next, a second embodiment of the communication monitoring system according to the present invention will be described with reference to FIGS.

  This embodiment is an example in which a communication monitoring system is constructed so that a plurality of probe devices can share feature information.

  FIG. 3 is a conceptual diagram schematically showing the overall configuration of the communication monitoring system according to this embodiment.

  As shown in FIG. 3, the communication monitoring system 300 according to this embodiment includes a plurality of probe devices 321, 322, 323 (three in the example of FIG. 3) installed on the transmission paths 193 at the interface portions of the networks 311 to 314.

  FIG. 4 is a block diagram schematically showing a main configuration of the probe device 321. In FIG. 4, the constituent elements having the same reference numerals as those in FIG. 1 are the same as those in FIG. 1. The internal configurations of the probe devices 322 and 323 are the same as that of the probe device 321. FIG. 5 is a conceptual diagram showing an example of feature information created by a feature information holding unit 421 (described later).

  In FIG. 4, the feature information holding unit 401 creates feature information as in the first embodiment, and adds a probe ID as shown in FIG. 5 to this feature information. The probe ID is ID (Identity Data) for distinguishing feature information acquired by the probe device 321 from information acquired by the other probe devices 322 and 323. The feature information holding unit 401 creates and holds feature information as shown in FIG. 5 for each measurement period. Each time new feature information is created, the feature information holding unit 401 sends the old feature information created immediately before to the database unit 170 and sends an update notification signal to the abnormality detection unit 403.

  Other probe devices that share feature information with the probe device 321 (in this embodiment, the probe devices 322 and 323) are registered in the distributed database control unit 402. The distributed database control unit 402 requests feature information not stored in the database unit 170 from the other probe devices 322 and 323, and stores the feature information transmitted from the probe devices 322 and 323 in the database unit 170. For example, when the range of throughput identity has been obtained from the feature information held in the feature information holding unit 401 but the corresponding feature information does not exist in the database unit 170 (or does not reach a predetermined number), the distributed database control unit 402 acquires feature information from the other probe devices 322 and 323. Furthermore, in accordance with requests from the other probe devices 322 and 323, the distributed database control unit 402 sends the feature information stored in the database unit 170 to those probe devices.

  Each time the feature information in the feature information holding unit 401 is updated, the abnormality detection unit 403 determines normality / abnormality using that feature information and the past feature information stored in the database unit 170. At this time, the abnormality detection unit 403 can identify, from the probe ID described above, the probe device that created each piece of feature information, and can perform the statistical calculation of the "normal range" giving the feature information created by its own probe device 321 a larger weight than the feature information created by the other probe devices 322 and 323. Then, the abnormality detection unit 403 determines whether the network is normal / abnormal as in the first embodiment.

  In addition, when an abnormality is detected, the abnormality detection unit 403 acquires the normal / abnormal determination results from the other probe devices 322 and 323. Based on this acquired information, the abnormality detection unit 403 determines whether the abnormality is a local abnormality that has occurred only around the probe device 321 or an abnormality that has occurred over a wide area of the network. This determination result is notified to the user or operator together with the fact that an abnormality has occurred.
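The second embodiment's additions, as an added example that is not the patent's own code: records tagged with a probe ID, fetching matching records from peer probes only when the local database holds fewer than a predetermined number, a normal range computed with the probe's own records weighted more heavily than its peers', and the local / wide-area decision from the peers' verdicts. The probe IDs, the weight of 2 for own records, `min_count`, the peer databases and the record layout are all assumptions of this example.

```python
import math


def within_identity(new, old, item="throughput", tolerance=0.10):
    """Same ±10% throughput identity range as in the first embodiment."""
    return abs(old[item] - new[item]) <= tolerance * abs(new[item])


def gather_similar(new, local_db, peer_dbs, min_count):
    """Distributed database control: use local records, and pull matching
    records from the registered peer probes only if fewer than `min_count`
    matching records are held locally. Returns (records, peers asked)."""
    similar = [r for r in local_db if within_identity(new, r)]
    fetched_from = []
    if len(similar) < min_count:
        for peer_id, db in peer_dbs.items():
            fetched_from.append(peer_id)
            similar += [r for r in db if within_identity(new, r)]
    return similar, fetched_from


def weighted_normal_range(records, item, own_id, own_weight=2.0, k=3.0):
    """Weighted mean ± k·sd: records carrying the probe's own ID get
    `own_weight`, records from other probes get weight 1 (assumed weights)."""
    w = [own_weight if r["probe_id"] == own_id else 1.0 for r in records]
    x = [r[item] for r in records]
    mean = sum(wi * xi for wi, xi in zip(w, x)) / sum(w)
    var = sum(wi * (xi - mean) ** 2 for wi, xi in zip(w, x)) / sum(w)
    sd = math.sqrt(var)
    return mean - k * sd, mean + k * sd, mean, sd


def abnormality_scope(own_abnormal, peer_verdicts):
    """Local abnormality if only this probe sees it; wide-area if a peer
    reports abnormal too; 'normal' if this probe saw nothing."""
    if not own_abnormal:
        return "normal"
    if any(v == "abnormal" for v in peer_verdicts.values()):
        return "wide-area"
    return "local"


# Constructed databases. Probe "321" holds only two records near 1.0e6 bit/s,
# so it must ask its registered peers "322" and "323" for more.
OWN_ID = "321"
LOCAL_DB = [
    {"probe_id": "321", "throughput": 1.00e6, "tcp_packets": 600},
    {"probe_id": "321", "throughput": 1.02e6, "tcp_packets": 620},
    {"probe_id": "321", "throughput": 3.00e6, "tcp_packets": 2000},
]
PEER_DBS = {
    "322": [{"probe_id": "322", "throughput": 0.97e6, "tcp_packets": 700}],
    "323": [{"probe_id": "323", "throughput": 1.05e6, "tcp_packets": 580},
            {"probe_id": "323", "throughput": 0.40e6, "tcp_packets": 250}],
}


def evaluate(new, peer_verdicts, min_count=4):
    """Full second-embodiment pass for one new record of probe 321."""
    similar, fetched = gather_similar(new, LOCAL_DB, PEER_DBS, min_count)
    lo, hi, mean, sd = weighted_normal_range(similar, "tcp_packets", OWN_ID)
    own_abnormal = not lo <= new["tcp_packets"] <= hi
    return {"records": len(similar), "fetched_from": fetched, "mean": mean,
            "sd": sd, "scope": abnormality_scope(own_abnormal, peer_verdicts)}


if __name__ == "__main__":
    new = {"probe_id": "321", "throughput": 1.00e6, "tcp_packets": 900}
    print(evaluate(new, {"322": "normal", "323": "normal"}))
    print(evaluate(new, {"322": "abnormal", "323": "normal"}))
```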

  Since the configuration and operation of the other components are the same as those in the first embodiment described above, description thereof is omitted.

  According to the communication monitoring system of this embodiment, as in the first embodiment, highly reliable network intrusion detection can be performed with a simple configuration, the cause of an abnormality can be elucidated easily, and a false detection and its cause can likewise be identified easily.

  In addition, because feature information can be shared among a plurality of probe devices, highly reliable abnormality detection can be expected even when the amount of feature information stored in the database unit 170 is small. The work load at the start of operation of the communication monitoring system is therefore small, and high reliability is easily ensured even in a small-scale system.

Third Embodiment Next, a third embodiment of the communication monitoring system according to the present invention will be described with reference to FIGS.

  This embodiment is an example of a communication monitoring system in which a database unit of a plurality of probe devices is shared.

  FIG. 6 is a conceptual diagram schematically showing the overall configuration of the communication monitoring system according to this embodiment. In FIG. 6, components denoted by the same reference numerals as those in FIG. 3 are the same as those in FIG. 3.

  As shown in FIG. 6, the communication monitoring system 600 according to this embodiment includes probe devices 611 to 613 and a communication monitoring server device 621.

  FIG. 7 is a block diagram schematically showing a main configuration of the probe device 611. In FIG. 7, the constituent elements having the same reference numerals as those in FIG. 1 are the same as those in FIG. The internal configurations of the probe devices 612 and 613 are the same as the internal configuration of the probe device 611, respectively.

  As shown in FIG. 7, the probe device 611 does not include a database unit, and includes a data transmission unit 701, a statistical information inquiry unit 702, and an abnormality detection unit 703.

  Each time the feature information holding unit 401 creates new feature information, the data transmission unit 701 receives old feature information created immediately before and sends it to the communication monitoring server device 621 (see FIG. 6).

  The statistical information inquiry unit 702 sends an information transmission request to the communication monitoring server device 621 in accordance with the request from the abnormality detection unit 703. Further, the statistical information inquiry unit 702 receives the feature information sent from the communication monitoring server device 621 in response to this request, and provides it to the abnormality detection unit 703.

  Each time the feature information holding unit 401 updates the feature information, the abnormality detection unit 703 calculates the identity range and determines, for each feature item other than those for which the "identity range" was determined, whether the item lies within the "normal range". In this respect it is the same as the abnormality detection unit 180 of the first embodiment. It differs from the abnormality detection unit 180 of the first embodiment in that it does not perform the statistical processing that obtains the "normal range". As described later, the statistical processing for the "normal range" is performed by the statistical information analysis unit 850 in the communication monitoring server device 621 (see FIG. 8).

  FIG. 8 is a block diagram schematically showing the main configuration of the communication monitoring server device 621. As illustrated in FIG. 8, the communication monitoring server device 621 includes a network interface unit 810, a data receiving unit 820, a database unit 830, a statistical information response unit 840, and a statistical information analysis unit 850.

  The network interface unit 810 transmits and receives IP packets to and from the network 311.

  The data receiving unit 820 receives the feature information transmitted from the probe devices 611 to 613 and writes it in the database unit 830.

  The database unit 830 accumulates all the feature information received from the data receiving unit 820.

  The statistical information response unit 840 receives the information transmission request transmitted from the probe devices 611 to 613 and sends it to the statistical information analysis unit 850. Further, the statistical information response unit 840 transmits the information (statistic processing result) received from the statistical information analysis unit 850 to the probe device that has issued the information transmission request.

  The statistical analysis unit 850 reads feature information corresponding to the information transmission request received from the statistical information response unit 840 from the database unit 830, performs statistical processing (described later), and sends the processing result to the statistical information response unit 840.

  Next, the overall operation of the communication monitoring system according to this embodiment will be described taking communication monitoring of the probe device 611 as an example.

  As in the first embodiment, the traffic measurement unit 120 of the probe device 611 measures the throughput of the IP packets passing through the network interface unit 110 and creates date/time information, and the packet analysis unit 130 analyzes the headers of the IP packets. The statistical calculation unit 150 compiles the counts from the analysis result of the packet analysis unit 130. In the same manner as in the first embodiment, the feature information holding unit 401 creates and holds feature information from the feature items A to S created in this way.

  When the feature information is updated, the feature information holding unit 401 sends the old feature information held therein to the data transmission unit 701 and sends a signal indicating this update to the abnormality detection unit 703.

  The data transmission unit 701 transmits the feature information received from the feature information holding unit 401 to the communication monitoring server device 621 via the network interface unit 110.

  The data receiving unit 820 of the communication monitoring server device 621 writes the feature information received via the network interface unit 810 in the database unit 830.

  Meanwhile, every time the feature information holding unit 401 updates the feature information, the abnormality detection unit 703 of the probe device 611 reads the new feature information from the feature information holding unit 401 and determines the identity range for the predetermined feature item of that feature information, as in the first embodiment. It then requests from the statistical information inquiry unit 702 the feature information whose feature item lies within that identity range.

  The statistical information inquiry unit 702 sends an information transmission request regarding the relevant feature information to the communication monitoring server device 621.

  The statistical information response unit 840 in the communication monitoring server device 621 receives this information transmission request and sends it to the statistical information analysis unit 850.

  The statistical information analysis unit 850 reads from the database unit 830 all the feature information corresponding to the information transmission request. From this feature information it statistically calculates the "normal range" for each feature item other than those for which the "identity range" was determined, in the same manner as the abnormality detection unit 180 of the first embodiment, and sends the result of the statistical processing to the statistical information response unit 840. Because this statistical analysis is performed in the communication monitoring server device 621 rather than in the probe device 611, only the statistical result, not the matching feature information itself, travels between the probe device 611 and the communication monitoring server device 621, which reduces the amount of communication data between them.

  The statistical information response unit 840 transmits the statistical processing result to the probe device 611.

  The statistical information inquiry unit 702 of the probe device 611 receives the statistical processing result and sends it to the abnormality detection unit 703.

  The abnormality detection unit 703 compares each feature item of the feature information read from the feature information holding unit 401 (excluding the feature item for which the identity range was determined) with the "normal range" in the received statistical processing result, and determines from the comparison whether the network is normal or abnormal. If it determines that the network is normal, the abnormality detection unit 703 ends the detection operation. If it determines that the network is abnormal, it notifies the user or operator that an abnormality has occurred and reports the feature items that are not within the normal range.
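The probe/server exchange described in the steps above, as an added example in Python that is not the patent's own code. The server side plays the database unit 830 and the statistical information response/analysis units 840 and 850; the probe side plays the statistical information inquiry unit 702 and the abnormality detection unit 703. The message layout, the feature item names, the ±10 % identity tolerance, the use of mean ± 2·standard deviation as the normal range, and the sample records from three probes are all assumptions made for the example; the size comparison at the end makes the data-volume argument of the text concrete.

```python
# Added example, not the patent's own code: the probe/server exchange of the
# third embodiment. The probe device only fixes the identity range and compares;
# the server holds the database and answers with per-item statistics rather than
# the matching records. Message layout, feature items, the ±10 % tolerance and
# k = 2 are assumptions.
import json
import statistics

CHECK_ITEMS = ("total_packets", "tcp_packets", "udp_packets", "icmp_packets")


class MonitoringServer:
    """Communication monitoring server device: database unit 830 plus the
    statistical information response/analysis units 840/850."""

    def __init__(self):
        self.db = []

    def receive(self, record):
        """Data receiving unit 820: store every record a probe sends."""
        self.db.append(record)

    def matching(self, request):
        """Records whose throughput lies in the requested identity range."""
        lo, hi = request["throughput_range"]
        return [r for r in self.db if lo <= r["throughput_mbps"] <= hi]

    def answer(self, request):
        """Statistical information analysis unit 850: mean and population
        standard deviation per requested item over the matching records."""
        rows = self.matching(request)
        if len(rows) < 2:
            return {"n": len(rows), "stats": {}}   # too little data for a normal range
        stats = {}
        for item in request["items"]:
            values = [r[item] for r in rows]
            stats[item] = {"mean": statistics.fmean(values), "sd": statistics.pstdev(values)}
        return {"n": len(rows), "stats": stats}


def probe_request(new, tol=0.10):
    """Statistical information inquiry unit 702: identity range = throughput ±tol."""
    t = new["throughput_mbps"]
    return {"throughput_range": [t * (1 - tol), t * (1 + tol)], "items": list(CHECK_ITEMS)}


def probe_judge(new, reply, k=2.0):
    """Abnormality detection unit 703: compare each item with mean ± k * sd."""
    out_of_range = {}
    for item, s in reply["stats"].items():
        lo, hi = s["mean"] - k * s["sd"], s["mean"] + k * s["sd"]
        if not lo <= new[item] <= hi:
            out_of_range[item] = (new[item], round(lo, 1), round(hi, 1))
    return out_of_range


def run(server, new):
    """One detection cycle; also returns the byte sizes of the two alternatives:
    shipping the matching records to the probe vs. shipping only the statistics."""
    request = probe_request(new)
    reply = server.answer(request)
    raw_bytes = len(json.dumps(server.matching(request)).encode())
    reply_bytes = len(json.dumps(reply).encode())
    return probe_judge(new, reply), raw_bytes, reply_bytes


# Constructed records from three probes (p611..p613) as the server would have
# accumulated them; the p613 record at 19 Mbps lies outside the identity range.
SAMPLE_DB = [
    {"probe_id": "p611", "throughput_mbps": 38.0, "total_packets": 9850, "tcp_packets": 9000, "udp_packets": 800, "icmp_packets": 50},
    {"probe_id": "p612", "throughput_mbps": 37.5, "total_packets": 9960, "tcp_packets": 9100, "udp_packets": 810, "icmp_packets": 50},
    {"probe_id": "p613", "throughput_mbps": 38.4, "total_packets": 9740, "tcp_packets": 8900, "udp_packets": 790, "icmp_packets": 50},
    {"probe_id": "p611", "throughput_mbps": 39.0, "total_packets": 9910, "tcp_packets": 9050, "udp_packets": 805, "icmp_packets": 55},
    {"probe_id": "p612", "throughput_mbps": 37.0, "total_packets": 9795, "tcp_packets": 8950, "udp_packets": 800, "icmp_packets": 45},
    {"probe_id": "p613", "throughput_mbps": 19.0, "total_packets": 4900, "tcp_packets": 4500, "udp_packets": 380, "icmp_packets": 20},
]
# Constructed new feature information from p611 with an ICMP count well above normal.
NEW = {"probe_id": "p611", "throughput_mbps": 38.2, "total_packets": 9900, "tcp_packets": 9000, "udp_packets": 805, "icmp_packets": 95}


def build_server(records=SAMPLE_DB):
    server = MonitoringServer()
    for r in records:
        server.receive(r)
    return server


if __name__ == "__main__":
    verdict, raw, compact = run(build_server(), NEW)
    print("out of range:", verdict)
    print(f"records on the wire: {raw} bytes, statistics only: {compact} bytes")
```

Because records from all three probes are pooled on the server, five records match the identity range even though only two came from the querying probe itself, which is the sharing benefit the text describes. The reply is also several times smaller than the matching records would be, and that gap grows linearly with the size of the database.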

  According to the communication monitoring system of this embodiment, as in the first embodiment, highly reliable network intrusion detection can be performed with a simple configuration, the cause of an abnormality can be elucidated easily, and a false detection and its cause can likewise be identified easily.

  In addition, as in the second embodiment, feature information can be shared among a plurality of probe devices, so highly reliable abnormality detection can be expected even when the amount of feature information accumulated in the database unit 830 is small. The work load at the start of operation of the communication monitoring system is therefore small, and high reliability is easily ensured even in a small-scale system.

  In addition, since it is not necessary to provide a hard disk for each probe device, it is possible to reduce the size and cost of the device.

Fourth Embodiment Next, a fourth embodiment of the communication monitoring system according to the present invention will be described with reference to FIGS.

  This embodiment is another example of a communication monitoring system in which a database unit of a plurality of probe devices is shared.

  The overall configuration of the communication monitoring system according to this embodiment is the same as that in the case of the third embodiment described above (see FIG. 6), and thus the description thereof is omitted.

  FIG. 9 is a block diagram schematically showing the main configuration of the probe apparatus 900 according to this embodiment. In FIG. 9, components having the same reference numerals as those in FIG. 7 are the same as those in FIG. 7. As shown in FIG. 9, the probe apparatus 900 of this embodiment includes neither an abnormality detection unit nor a statistical information inquiry unit.

  In FIG. 9, every time the feature information holding unit 401 creates new feature information, the data transmission unit 901 receives from the feature information holding unit 401 the old feature information created immediately before, together with an update notification signal, and sends them to the communication monitoring server apparatus 1000 (see FIG. 10).

  FIG. 10 is a block diagram schematically showing the main configuration of the communication monitoring server apparatus 1000 according to this embodiment. In FIG. 10, the components given the same reference numerals as those in FIG. 8 are the same as those in FIG. As shown in FIG. 10, the communication monitoring server apparatus 1000 includes a data receiving unit 1001 and an abnormality detecting unit 1002.

  The data reception unit 1001 passes the feature information and the update notification signal received from a probe device to the abnormality detection unit 1002, and writes the feature information to the database unit 830 after the abnormality detection processing has completed.

  Each time the feature information is updated, the abnormality detection unit 1002 calculates the "identity range" and the "normal range", and uses the "normal range" to determine whether the network is normal or abnormal.

  Next, the overall operation of the communication monitoring system according to this embodiment will be described.

  As in the third embodiment, the traffic measurement unit 120 of the probe apparatus 900 measures the throughput of the IP packets passing through the network interface unit 110 and creates date/time information, and the packet analysis unit 130 analyzes the headers of the IP packets. The statistical calculation unit 150 compiles the counts from the analysis result of the packet analysis unit 130. In the same manner as in the third embodiment, the feature information holding unit 401 creates and holds feature information from the feature items A to S created in this way.

  When the feature information is updated, the feature information holding unit 401 sends the old feature information and the update notification signal held therein to the data transmission unit 901.

  The data transmission unit 901 transmits the feature information and the update notification signal received from the feature information holding unit 401 to the communication monitoring server apparatus 1000 via the network interface unit 110.

  The data receiving unit 1001 of the communication monitoring server apparatus 1000 sends the received feature information and update notification signal to the abnormality detecting unit 1002.

  Each time it receives new feature information and an update notification signal, the abnormality detection unit 1002 determines the identity range for the predetermined feature item of the new feature information, as in the first embodiment, and reads from the database unit 830 all feature information whose feature item lies within that identity range. From this feature information, the abnormality detection unit 1002 statistically calculates the "normal range" for each feature item other than those for which the "identity range" was determined. It then compares each feature item of the new feature information (excluding the feature item for which the identity range was determined) with the "normal range" to determine whether the network is normal or abnormal. If it determines that the network is normal, the abnormality detection unit 1002 ends the detection operation. If it determines that the network is abnormal, it notifies the user or operator that an abnormality has occurred and reports the feature items that are not within the normal range.

  Thereafter, the feature information is written in the database unit 830.

  According to the communication monitoring system of this embodiment, as in the first to third embodiments, highly reliable network intrusion detection can be performed with a simple configuration, the cause of an abnormality can be clarified easily, and a false detection and its cause can likewise be identified easily. As in the second embodiment, feature information can be shared among a plurality of probe devices, so highly reliable abnormality detection can be expected even when the amount of feature information stored in the database unit 830 is small; the work load at the start of operation is therefore small, and high reliability is easily ensured even in a small-scale system. Furthermore, as in the third embodiment, no hard disk needs to be provided in each probe device, so the size and price of the device can be reduced.

  In this embodiment, all management of feature information and all normal/abnormal determination are performed in the communication monitoring server apparatus 1000, and the probe apparatus 900 only creates new feature information. Countermeasures against leakage of confidential information therefore need to be applied only to the communication monitoring server apparatus 1000, which reduces the security cost. The feature information itself still travels across the network from each probe apparatus 900 to the server, so that path remains within the scope of those countermeasures.

  Furthermore, since the communication monitoring server apparatus 1000 performs the normal/abnormal determination for the plurality of probe apparatuses 900, the extent of an abnormality (whether it affects the entire network or is local) can be determined immediately, without using the monitoring network. Therefore, if the communication monitoring server apparatus 1000 is installed in a NOC (Network Operation Center) or SOC (Security Operation Center), measures to restore the network to its normal state can be taken quickly even if the monitoring network goes down.

Fifth Embodiment Next, a communication monitoring system according to a fifth embodiment of the present invention will be described with reference to FIG.

  This embodiment is an example of a communication monitoring system in which abnormality detection accuracy is improved by processing / shaping feature information stored in a database unit.

  FIG. 11 is a block diagram schematically showing the main configuration of the probe apparatus 1100 according to this embodiment. In FIG. 11, the components given the same reference numerals as those in FIG. 1 are the same as those in FIG. As shown in FIG. 11, the probe device 1100 of this embodiment includes a data filter unit 1101 and a data matching unit 1102.

  The data filter unit 1101 receives the feature items B and D to S from the statistical calculation unit 150 and processes feature items containing unique data, that is, feature items containing a value whose appearance rate is below a predetermined threshold. For example, when the ratios of the first and second values in the top-three list of TCP window sizes sum to more than 99% and the ratio of the third value is less than 1%, the data filter unit 1101 treats the third value as an error and changes it to "undefined". The data filter unit 1101 then returns the processed feature items to the statistical calculation unit 150. When the third and subsequent values of a top-three list account for less than 1%, specifying the third value is in most cases meaningless; deleting such unique data therefore improves the reliability of abnormality detection.

  The data matching unit 1102 removes part of the "identity range" condition output by the abnormality detection unit 180, reads from the database unit 170 all feature information that matches the remaining condition, and shapes the feature information read from the database unit 170 using the removed "identity range" condition. For example, suppose the "identity range" condition output by the abnormality detection unit 180 consists of condition A, "throughput is 38 Mbps ± 10 percent", and condition B, "the top three TCP window sizes are 33304, 33298 and 32148". The data matching unit 1102 drops condition A and reads from the database unit 170 the feature information that satisfies only condition B. Of the feature information read, records that also satisfy condition A are sent to the abnormality detection unit 180 unchanged. Records that satisfy condition B but not condition A have each feature item shaped so as to satisfy condition A before being sent to the abnormality detection unit 180. For example, when a record that satisfies condition B but has a throughput of 19 Mbps is read, the data matching unit 1102 doubles (= 38 Mbps / 19 Mbps) the total number of packets, the number of TCP packets, the number of UDP packets and the number of ICMP packets in that record and sends the result to the abnormality detection unit 180. This increases the number of feature information records available for abnormality detection and thus improves its reliability.
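The data filter unit 1101 and the data matching unit 1102 described in the two paragraphs above, as an added example in Python that is not the patent's own code. The filter is written for any position in the top-N list rather than only the third entry, which is the generalisation claim 7 states. The representation of the top-three list as (value, share) pairs, the 99 %/1 % thresholds, the ±10 % identity tolerance, the feature item names and the sample records are all assumptions made for the example.

```python
# Added example, not the patent's own code: the data filter unit 1101 and the
# data matching unit 1102 of the fifth embodiment. The top-three list layout
# ((value, share) pairs), the 99 %/1 % thresholds, the ±10 % identity tolerance
# and the feature item names are assumptions.

COUNT_ITEMS = ("total_packets", "tcp_packets", "udp_packets", "icmp_packets")


def filter_top_list(top_list, minor=0.01, major=0.99):
    """Data filter unit 1101, generalised to any position in the list: an entry
    whose share is below `minor` while the remaining entries together exceed
    `major` is treated as an error and replaced by "undefined"."""
    filtered = []
    for i, (value, share) in enumerate(top_list):
        rest = sum(s for j, (_, s) in enumerate(top_list) if j != i)
        if share < minor and rest > major:
            filtered.append(("undefined", share))
        else:
            filtered.append((value, share))
    return filtered


def window_values(record):
    return [v for v, _ in record["tcp_window_top3"]]


def within_throughput(record, target, tol=0.10):
    """Condition A: throughput within ±tol of the target (38 Mbps in the text)."""
    return abs(record["throughput_mbps"] - target) <= tol * target


def adapt_records(db, target_throughput, top3_values, tol=0.10):
    """Data matching unit 1102: drop condition A from the query, keep only
    condition B (top-three window sizes), and scale the packet counts of records
    that satisfy B but not A by target/actual throughput so that they satisfy A."""
    rows = []
    for record in db:
        if window_values(record) != list(top3_values):
            continue                                  # fails condition B: unusable
        if within_throughput(record, target_throughput, tol):
            rows.append(dict(record, shaped=False))   # already satisfies A
            continue
        factor = target_throughput / record["throughput_mbps"]
        shaped = dict(record, shaped=True, throughput_mbps=target_throughput)
        for item in COUNT_ITEMS:
            shaped[item] = round(record[item] * factor)
        rows.append(shaped)
    return rows


# Constructed top-three list with a third value whose share is below 1 %.
SAMPLE_TOP3 = [(33304, 0.70), (33298, 0.295), (32148, 0.005)]

# Constructed database records: one satisfies A and B, one satisfies only B
# (19 Mbps, to be doubled), one has different window sizes and is unusable.
SAMPLE_DB = [
    {"throughput_mbps": 38.0, "total_packets": 9900, "tcp_packets": 9000, "udp_packets": 800, "icmp_packets": 50,
     "tcp_window_top3": [(33304, 0.70), (33298, 0.28), (32148, 0.02)]},
    {"throughput_mbps": 19.0, "total_packets": 4950, "tcp_packets": 4500, "udp_packets": 400, "icmp_packets": 25,
     "tcp_window_top3": [(33304, 0.68), (33298, 0.30), (32148, 0.02)]},
    {"throughput_mbps": 38.5, "total_packets": 9950, "tcp_packets": 9050, "udp_packets": 820, "icmp_packets": 52,
     "tcp_window_top3": [(65535, 0.50), (8192, 0.30), (1024, 0.20)]},
]

if __name__ == "__main__":
    print(filter_top_list(SAMPLE_TOP3))
    for row in adapt_records(SAMPLE_DB, 38.0, (33304, 33298, 32148)):
        print(row["shaped"], row["throughput_mbps"], row["tcp_packets"])
```

The scaling step only makes sense for absolute counts: it assumes the protocol mix is independent of throughput, and ratio-type feature items (such as the per-protocol share of claim 8) must be left unscaled. Shaped records are synthetic, so it is worth keeping the `shaped` flag and either capping their share of the records used for the "normal range" or reporting it alongside any alert.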

  Since the configuration and operation of the other components are the same as those in the first embodiment described above, description thereof is omitted.

  According to the communication monitoring system of this embodiment, as in the first embodiment, highly reliable network intrusion detection can be performed with a simple configuration, the cause of an abnormality can be elucidated easily, and a false detection and its cause can likewise be identified easily.

  Further, according to the communication monitoring system of this embodiment, feature items containing unique data are processed by the data filter unit 1101, so the reliability of the feature information can be improved.

  In addition, according to the communication monitoring system of this embodiment, feature information that does not match some of the "identity range" conditions can still be used, because the data matching unit 1102 shapes its feature items. Highly reliable abnormality detection can therefore be expected even when the amount of feature information stored in the database unit 170 is small, the work load at the start of operation of the communication monitoring system is small, and high reliability is easily ensured even in a small-scale system.

Brief description of the drawings

FIG. 1 is a block diagram schematically showing the main configuration of the probe device according to the first embodiment.
FIG. 2 is a table showing an example of the feature information according to the first embodiment.
FIG. 3 is a conceptual diagram schematically showing the overall configuration of the communication monitoring system according to the second embodiment.
FIG. 4 is a block diagram schematically showing the main configuration of the probe device according to the second embodiment.
FIG. 5 is a table showing an example of the feature information according to the second embodiment.
FIG. 6 is a conceptual diagram schematically showing the overall configuration of the communication monitoring system according to the third embodiment.
FIG. 7 is a block diagram schematically showing the main configuration of the probe device according to the third embodiment.
FIG. 8 is a block diagram schematically showing the main configuration of the communication monitoring server device according to the third embodiment.
FIG. 9 is a block diagram schematically showing the main configuration of the probe device according to the fourth embodiment.
FIG. 10 is a block diagram schematically showing the main configuration of the communication monitoring server device according to the fourth embodiment.
FIG. 11 is a block diagram schematically showing the main configuration of the probe device according to the fifth embodiment.

Explanation of symbols

100, 321, 322, 323, 611, 612, 613 Probe device
110, 810 Network interface unit
120 Traffic measurement unit
130 Packet analysis unit
140 Analysis delimitation designation unit
150 Statistical calculation unit
160, 401 Feature information holding unit
170, 830 Database unit
180, 403, 703, 1002 Abnormality detection unit
191, 192, 311, 312, 313, 314 Network
193 Transmission path
402 Distributed database control unit
621, 1000 Communication monitoring server device
701, 901 Data transmission unit
702 Statistical information inquiry unit
820, 1001 Data reception unit
840 Statistical information response unit
850 Statistical information analysis unit

Claims (12)

  1. A traffic measurement unit that measures the traffic of communication packets passing through a network device at a predetermined measurement cycle;
    a statistical calculation unit that statistically processes one or more types of header information read from the communication packets in each measurement cycle;
    a feature information holding unit that creates and holds feature information having a plurality of feature items, including the measurement result of the traffic measurement unit and the calculation result of the statistical calculation unit;
    a database unit that, each time the feature information holding unit creates new feature information, reads the old feature information from the feature information holding unit and stores it; and
    an abnormality detection unit that, each time the feature information holding unit creates new feature information, reads from the database unit the feature information whose one or more predetermined feature items lie within the same range as those of the new feature information, statistically calculates a normal range for the other feature items of the read feature information, and determines the occurrence of an abnormality by comparing the other feature items of the new feature information with the normal range;
    a communication monitoring system comprising the above.
  2. The communication monitoring system according to claim 1, wherein the traffic measurement unit, the statistical calculation unit, the feature information holding unit, the database unit and the abnormality detection unit are provided in the network device that performs intrusion detection.
  3. The communication monitoring system according to claim 2, wherein the network device further comprises a database control unit that transmits feature information read from its own database unit to another network device and stores feature information received from the other network device in its own database unit.
  4. The traffic measurement unit, the statistical calculation unit, the feature information holding unit and the abnormality detection unit are each provided in a plurality of network devices that perform intrusion detection,
    the database unit is provided in a server device communicatively connected to the plurality of network devices, and
    the server device stores the feature information received from the network devices in the database unit and, in response to a request from a network device, transmits to that network device the feature information whose feature items lie within the same range,
    in the communication monitoring system according to claim 1.
  5. The traffic measurement unit, the statistical calculation unit and the feature information holding unit are each provided in a plurality of network devices that perform intrusion detection,
    the database unit and the abnormality detection unit are provided in a server device communicatively connected to the plurality of network devices, and
    the server device accumulates the feature information received from the network devices in the database unit and causes the abnormality detection unit to determine whether an abnormality has occurred using the feature information in the database unit,
    in the communication monitoring system according to claim 1.
  6. The communication monitoring system according to claim 1, wherein the statistical processing is a process of listing a predetermined number of values of the predetermined header information in descending order of the number of appearances.
  7. The communication monitoring system according to claim 6, wherein, among the predetermined number of listed header information values, a header information value whose appearance rate is smaller by a predetermined threshold than the appearance rates of the other header information values is deleted from the result of the statistical processing.
  8. The communication monitoring system according to claim 1, wherein the feature items further include one or more of the total number of packets, the number of packets of a predetermined protocol, and the ratio of the number of packets of the predetermined protocol to the total number of packets.
  9. The communication monitoring system according to claim 1, wherein, when the communication packet is a fragment packet, only the first communication packet of the fragment is counted.
  10. The communication monitoring system according to claim 1, wherein the identity range is defined by the ratio between the value of a feature item included in the new feature information and the value of the same feature item in the feature information being judged.
  11. The communication monitoring system according to claim 1, wherein the normal range is defined by the standard deviation of the other feature items.
  12. The communication monitoring system according to claim 1, wherein the abnormality detection unit multiplies the feature items of the feature information read from the database unit by the ratio between the traffic measurement result of the new feature information and the traffic measurement result of the read feature information, and calculates the normal range using the other feature items after the multiplication.
JP2004337676A 2004-11-22 2004-11-22 Communication monitoring system Active JP3957712B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2004337676A JP3957712B2 (en) 2004-11-22 2004-11-22 Communication monitoring system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2004337676A JP3957712B2 (en) 2004-11-22 2004-11-22 Communication monitoring system

Publications (2)

Publication Number Publication Date
JP2006148686A true JP2006148686A (en) 2006-06-08
JP3957712B2 JP3957712B2 (en) 2007-08-15

Family

ID=36627837

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2004337676A Active JP3957712B2 (en) 2004-11-22 2004-11-22 Communication monitoring system

Country Status (1)

Country Link
JP (1) JP3957712B2 (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008252427A (en) * 2007-03-30 2008-10-16 Kyushu Univ Detection unit, detection method, communication control method, history space data generation method, and program enabling computer to execute the same methods
WO2009021122A2 (en) * 2007-08-07 2009-02-12 Net Optics, Inc. Methods and arrangement for utilization rate display
JP2009212770A (en) * 2008-03-04 2009-09-17 Oki Electric Ind Co Ltd Statistical processing method and device, and program of statistical processing method
US7760859B2 (en) 2005-03-07 2010-07-20 Net Optics, Inc. Intelligent communications network tap port aggregator
US7773529B2 (en) 2007-12-27 2010-08-10 Net Optic, Inc. Director device and methods thereof
US7898984B2 (en) 2007-08-07 2011-03-01 Net Optics, Inc. Enhanced communication network tap port aggregator arrangement and methods thereof
US7903657B2 (en) 2007-02-01 2011-03-08 Oki Electric Industry Co., Ltd. Method for classifying applications and detecting network abnormality by statistical information of packets and apparatus therefor
US8094576B2 (en) 2007-08-07 2012-01-10 Net Optic, Inc. Integrated switch tap arrangement with visual display arrangement and methods thereof
US8320242B2 (en) 2004-12-24 2012-11-27 Net Optics, Inc. Active response communications network tap
US8320399B2 (en) 2010-02-26 2012-11-27 Net Optics, Inc. Add-on module and methods thereof
JP2012531146A (en) * 2009-06-25 2012-12-06 テレフオンアクチーボラゲット エル エム エリクソン(パブル) Estimating TCP throughput as a user
JP2013073266A (en) * 2011-09-26 2013-04-22 Oki Electric Ind Co Ltd Information processing device and program
US8737197B2 (en) 2010-02-26 2014-05-27 Net Optic, Inc. Sequential heartbeat packet arrangement and methods thereof
US8902735B2 (en) 2010-02-28 2014-12-02 Net Optics, Inc. Gigabits zero-delay tap and methods thereof
US9019863B2 (en) 2010-02-26 2015-04-28 Net Optics, Inc. Ibypass high density device and methods thereof
US9419882B2 (en) 2011-07-27 2016-08-16 Oki Electric Industry Co., Ltd. Network analyzing system, as well as network analyzing apparatus and network analyzing program, as well as data processing module and data processing program
JP2016154396A (en) * 2016-06-03 2016-08-25 エヌ・ティ・ティ・コミュニケーションズ株式会社 Attack detection device, attack detection method, and attack detection program
US9749261B2 (en) 2010-02-28 2017-08-29 Ixia Arrangements and methods for minimizing delay in high-speed taps
US9813448B2 (en) 2010-02-26 2017-11-07 Ixia Secured network arrangement and methods thereof
US9998213B2 (en) 2016-07-29 2018-06-12 Keysight Technologies Singapore (Holdings) Pte. Ltd. Network tap with battery-assisted and programmable failover

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8320242B2 (en) 2004-12-24 2012-11-27 Net Optics, Inc. Active response communications network tap
US8654932B2 (en) 2005-03-07 2014-02-18 Net Optics, Inc. Intelligent communications network tap port aggregator and methods thereof
US7760859B2 (en) 2005-03-07 2010-07-20 Net Optics, Inc. Intelligent communications network tap port aggregator
US7903657B2 (en) 2007-02-01 2011-03-08 Oki Electric Industry Co., Ltd. Method for classifying applications and detecting network abnormality by statistical information of packets and apparatus therefor
JP2008252427A (en) * 2007-03-30 2008-10-16 Kyushu Univ Detection unit, detection method, communication control method, history space data generation method, and program enabling computer to execute the same methods
US8094576B2 (en) 2007-08-07 2012-01-10 Net Optic, Inc. Integrated switch tap arrangement with visual display arrangement and methods thereof
WO2009021122A2 (en) * 2007-08-07 2009-02-12 Net Optics, Inc. Methods and arrangement for utilization rate display
WO2009021122A3 (en) * 2007-08-07 2009-04-16 Dennis Angelo Ramirez Carpio Methods and arrangement for utilization rate display
US9712419B2 (en) 2007-08-07 2017-07-18 Ixia Integrated switch tap arrangement and methods thereof
US7898984B2 (en) 2007-08-07 2011-03-01 Net Optics, Inc. Enhanced communication network tap port aggregator arrangement and methods thereof
US7903576B2 (en) 2007-08-07 2011-03-08 Net Optics, Inc. Methods and arrangement for utilization rate display
US8582472B2 (en) 2007-08-07 2013-11-12 Net Optics, Inc. Arrangement for an enhanced communication network tap port aggregator and methods thereof
US8432827B2 (en) 2007-08-07 2013-04-30 Net Optics, Inc. Arrangement for utilization rate display and methods thereof
US8018856B2 (en) 2007-12-27 2011-09-13 Net Optic, Inc. Director device with visual display arrangement and methods thereof
US7773529B2 (en) 2007-12-27 2010-08-10 Net Optic, Inc. Director device and methods thereof
JP4513878B2 (en) * 2008-03-04 2010-07-28 沖電気工業株式会社 Statistical processing method and apparatus, and statistical processing method program
JP2009212770A (en) * 2008-03-04 2009-09-17 Oki Electric Ind Co Ltd Statistical processing method and device, and program of statistical processing method
JP2012531146A (en) * 2009-06-25 2012-12-06 テレフオンアクチーボラゲット エル エム エリクソン(パブル) Estimating TCP throughput as a user
US8737197B2 (en) 2010-02-26 2014-05-27 Net Optic, Inc. Sequential heartbeat packet arrangement and methods thereof
US9019863B2 (en) 2010-02-26 2015-04-28 Net Optics, Inc. Ibypass high density device and methods thereof
US9306959B2 (en) 2010-02-26 2016-04-05 Ixia Dual bypass module and methods thereof
US8320399B2 (en) 2010-02-26 2012-11-27 Net Optics, Inc. Add-on module and methods thereof
US9813448B2 (en) 2010-02-26 2017-11-07 Ixia Secured network arrangement and methods thereof
US8902735B2 (en) 2010-02-28 2014-12-02 Net Optics, Inc. Gigabits zero-delay tap and methods thereof
US9749261B2 (en) 2010-02-28 2017-08-29 Ixia Arrangements and methods for minimizing delay in high-speed taps
US9419882B2 (en) 2011-07-27 2016-08-16 Oki Electric Industry Co., Ltd. Network analyzing system, as well as network analyzing apparatus and network analyzing program, as well as data processing module and data processing program
JP2013073266A (en) * 2011-09-26 2013-04-22 Oki Electric Ind Co Ltd Information processing device and program
JP2016154396A (en) * 2016-06-03 2016-08-25 エヌ・ティ・ティ・コミュニケーションズ株式会社 Attack detection device, attack detection method, and attack detection program
US9998213B2 (en) 2016-07-29 2018-06-12 Keysight Technologies Singapore (Holdings) Pte. Ltd. Network tap with battery-assisted and programmable failover

Also Published As

Publication number Publication date
JP3957712B2 (en) 2007-08-15

Similar Documents

Publication Publication Date Title
Strayer et al. Botnet detection based on network behavior
US7512980B2 (en) Packet sampling flow-based detection of network intrusions
US9973430B2 (en) Method and apparatus for deep packet inspection for network intrusion detection
US8056115B2 (en) System, method and program product for identifying network-attack profiles and blocking network intrusions
US20060212942A1 (en) Semantically-aware network intrusion signature generator
US6415321B1 (en) Domain mapping method and system
CA2417817C (en) System and method of detecting events
US20050182950A1 (en) Network security system and method
US8483056B2 (en) Analysis apparatus and method for abnormal network traffic
US20030084321A1 (en) Node and mobile device for a mobile telecommunications network providing intrusion detection
US7565693B2 (en) Network intrusion detection and prevention system and method thereof
US10284594B2 (en) Detecting and preventing flooding attacks in a network environment
JP4619254B2 (en) IDS event analysis and warning system
JP4774357B2 (en) Statistical information collection system and statistical information collection device
US8358592B2 (en) Network controller and control method with flow analysis and control function
US20150229661A1 (en) Method and system for confident anomaly detection in computer network traffic
US20100162350A1 (en) Security system of managing irc and http botnets, and method therefor
US20070204060A1 (en) Network control apparatus and network control method
EP1999890B1 (en) Automated network congestion and trouble locator and corrector
US7752663B2 (en) Log analysis system, method and apparatus
US9444701B2 (en) Identifying remote machine operating system
JP2007525856A (en) A specific system that identifies and identifies network problems
US20030097439A1 (en) Systems and methods for identifying anomalies in network data streams
US20040133672A1 (en) Network security monitoring system
US7234166B2 (en) Event sequence detection

Legal Events

Date Code Title Description

A977 Report on retrieval
  Free format text: JAPANESE INTERMEDIATE CODE: A971007
  Effective date: 20070313

TRDD Decision of grant or rejection written

A01 Written decision to grant a patent or to grant a registration (utility model)
  Free format text: JAPANESE INTERMEDIATE CODE: A01
  Effective date: 20070508

A61 First payment of annual fees (during grant procedure)
  Free format text: JAPANESE INTERMEDIATE CODE: A61
  Effective date: 20070508

R150 Certificate of patent (=grant) or registration of utility model
  Free format text: JAPANESE INTERMEDIATE CODE: R150

FPAY Renewal fee payment (prs date is renewal date of database)
  Free format text: PAYMENT UNTIL: 20100518
  Year of fee payment: 3

FPAY Renewal fee payment (prs date is renewal date of database)
  Free format text: PAYMENT UNTIL: 20110518
  Year of fee payment: 4

FPAY Renewal fee payment (prs date is renewal date of database)
  Free format text: PAYMENT UNTIL: 20120518
  Year of fee payment: 5

FPAY Renewal fee payment (prs date is renewal date of database)
  Free format text: PAYMENT UNTIL: 20130518
  Year of fee payment: 6

FPAY Renewal fee payment (prs date is renewal date of database)
  Free format text: PAYMENT UNTIL: 20140518
  Year of fee payment: 7