JP2006197103A - Detection packet generating device, packet passing time evaluating device, and packet loss evaluating device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an evaluating device that accurately and easily evaluate an IPS device in the actual environment of a user without influencing the user's actual environment and specifies a loss packet due to the IPS device. <P>SOLUTION: The evaluating device is provided with an attack packet generation section 105 which generates an attack packet that an IPS 400 to be evaluated is made to detect, an up insertion control section 111 which inputs a background traffic up 115a bound for a specified network and the attack packet generated by the attack packet generation section 105 and outputs them as a mixed packet, and an up distribution section 109 which inputs the mixed packet outputted by the up insertion control section 111, generates a duplicate packet as a duplicate of the mixed packet on the basis of the mixed packet and outputs the duplicate packet to the IPS 400 to be evaluated, and deletes the attack packet included in the mixed packet and outputs the resulting mixed packet as the background traffic up 115a toward the specified network. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention evaluates quality (performance and attack detection) in a device (Intrusion Detection and Prevention System device, hereinafter referred to as IPS) that detects and blocks unauthorized intrusion by examining packets in the network. It relates to the technology to be performed.

  As a conventional method for evaluating the quality of IPS, a test environment is generally constructed by using a device that generates a pseudo network load (hereinafter referred to as a pseudo load device).

FIG. 18 illustrates a conventional IPS evaluation test environment. As shown in the figure, the IPS evaluation test environment includes a pseudo load device 1, an evaluation target IPS2, an IPS management terminal 3, an attack terminal 4,
It is composed of a hub 5 and a test network 6.

  An evaluation method using this IPS evaluation test environment will be described. First, a pseudo packet is transmitted from one end of the pseudo load device 1 to the evaluation target IPS 2 at a fixed packet length and a constant interval, and is received at the other end. As a result, a background load is generated in the test network 6, and an attack packet is transmitted from the attack terminal 4 to the test network 6 via the hub 5. As described above, it is verified whether the evaluation target IPS2 can normally detect the attack packet.

  Further, Patent Document 1 below describes a technique for generating a highly bursty traffic with pseudo packets and measuring the packet loss and delay of an evaluation target network. Therefore, an evaluation method for arranging and evaluating IPS as shown in FIG.

  The evaluation method of FIG. 19 is based on the IP network 11, the performance measuring device 12 according to Patent Document 1, the routers 13 a and 13 b, the evaluation target IPS 14, the IPS management terminal 15, the attack terminal 16, the hub 17, Composed. As in FIG. 18, the test packet is transmitted from one end of the conventional performance measuring apparatus 12 between the routers 13a and 13b in the IP network 11 and received at the other end. However, the test packets used in this conventional technique are transmitted to the IPS introduction planned network 18 with different packet lengths and different packet intervals. As a result, an attack packet is inserted from the attack terminal 16 via the hub 17 in a state where a load is applied to the IPS introduction planned network 18 to verify whether the evaluation target IPS 14 normally detects. According to this technique, the evaluation target IPS 14 can be verified in a state where the background load is not constant.

  Further, according to this conventional technique, it is possible to measure the packet delay and verify the packet loss of the network to which the evaluation target IPS 14 is connected by the pseudo packet.

  In the packet loss verification according to this conventional technique, the packet loss is detected by comparing the number of packets transmitted from the performance measuring apparatus 12 to the IPS introduction planned network 18 with the number of packets received from the IPS introduction planned network 18. Further, in order to identify the lost packet, the IP address, fragment ID, and fragment offset of each packet are stored at the time of transmission and at the time of reception, respectively.

The buffer capacity required in this conventional packet loss verification will be described. Information of the IP header is used as a packet identifier to identify a lost packet. This requires 32 bits for the source IP address and destination IP address, 16 bits for the fragment ID, 13 bits for the fragment offset, and a total of 93 bits of information per packet. When packet loss verification is performed using a short packet in the full bandwidth of 1G Ethernet (registered trademark), a buffer capacity of about 3.7 Gbytes is required for both transmission packets and reception packets.
JP2003-244237

  Since the performance of the IPS greatly depends on the background load, it is necessary to evaluate it in the user's actual environment. However, the conventional technology has a problem in that it cannot be accurately and easily evaluated whether or not sufficient quality is satisfied in the actual user environment where IPS is introduced. In the case of the conventional example of FIG. 18, the transfer packet length and transfer interval are completely different from the actual environment of the user. Also, in the case of the conventional example of FIG. 19, verification with traffic having strong burstiness can be realized, but since it is verification by a pseudo packet, it is not verification in the actual user environment. Further, in the test environment of FIG. 19 using this prior art, the packet loss may occur in the evaluation target IPS by arranging the IPS in the actual user environment, which affects the user who uses the network. May come out.

  In packet loss verification, the buffer capacity required for the prior art of FIG. 19 increases as the verification time increases. In addition, IPS has a strong tendency to cause packet loss depending on an IP upper protocol and application, and this information is effective information for considering introduction of IPS. For this reason, it is desirable to be able to identify even the information of the upper IP protocol when a packet is lost. However, storing the information of the IP upper layer in addition to the identifier by the IP header as in the prior art of FIG. 19 requires more buffer capacity.

  Further, as shown in FIGS. 18 and 19, if a hub is used when inserting an attack packet into the network, the attack packet may not be inserted due to network traffic.

  An object of the present invention is to provide an apparatus that accurately and easily evaluates an IPS in a user's real environment and identifies a lost packet by the IPS without affecting the user's real environment.

The detection packet generation device of the present invention includes:
In a detection packet generation device that generates a packet for detection by a packet detection device that detects a predetermined packet as a detection target,
A detection packet generator for generating a detection packet for causing the packet detection device to detect;
Input the packet traffic indicating the flow of a plurality of packets toward a predetermined network and the detection packet generated by the detection packet generator, and input the plurality of packets included in the input packet traffic A mixing unit that mixes the packets and outputs them as mixed packets;
The mixed packet output by the mixing unit is input, a duplicate packet that is a duplicate of the mixed packet is generated based on the input mixed packet, and the mixed packet and the duplicate packet are set as output targets. Any one of them is output as an output packet toward the packet detection device, the output packet not output as the output packet is set as a residual packet, the detection packet included in the residual packet is deleted, and the detection packet is deleted And a duplicating unit that outputs the remaining packet to the predetermined network.

  Since the detection packet generation apparatus of the present invention includes a mixing unit that mixes packet traffic and detection packets and a replication unit that replicates the mixed packets, an IPS that detects a predetermined packet is evaluated in a user's actual environment. can do.

Embodiment 1 FIG.
The first embodiment will be described with reference to FIGS. FIG. 1 is a diagram for explaining the configuration of the IPS verification system according to the first embodiment. As shown in the figure, the IPS verification system includes an IPS evaluation apparatus 101, an IP network 200, routers 300a and 300b, an evaluation target IPS 400, an IPS management terminal 500, and an IPS introduction planned network 600. The IPS evaluation apparatus 101 is connected inline to the IPS introduction planned network 600, and the evaluation target IPS 400 is connected to the evaluation target IPS 400 using the actual traffic (packet traffic) between the routers 300a and 300b. Perform verification.

  FIG. 2 is a diagram showing an internal configuration of the IPS evaluation apparatus 101 according to the first embodiment. As shown in the figure, the IPS evaluation apparatus 101 includes the following processing units. That is, the IPS evaluation apparatus 101 includes an input unit 102, a delay measurement unit 103, a loss detection unit 104, an attack packet generation unit 105, a trigger packet generation unit 106, a first measurement packet distribution unit 107, a second measurement packet distribution unit 108, An uplink distribution unit 109, a downlink distribution unit 110, an uplink insertion control unit 111, a downlink insertion control unit 112, an uplink filter unit 113, a downlink filter unit 114, and an output unit 116 are provided. Further, as shown in the figure, the background traffic 115 includes a background traffic up 115a and a background traffic down 115b. Further, the upstream distribution unit 109 outputs the evaluation traffic 117 in the upstream direction (the first measurement packet distribution unit 107 direction), and the downstream distribution unit 110 the evaluation traffic 117 in the downstream direction (the second measurement packet distribution unit 108 direction). Is output.

  In the IPS evaluation apparatus 101 connected to the IPS introduction planned network 600, the background traffic 115 is the user's real network. The IPS evaluation apparatus 101 is configured to be able to evaluate IPS by bidirectional communication in full-duplex communication such as Ethernet (registered trademark). The background traffic 115 is branched from the network by the upstream distribution unit 109 and the downstream distribution unit 110. The uplink distribution unit 109 transmits a copy of the packet of the background traffic uplink 115a to the evaluation traffic 117 side. The downlink distribution unit 110 transmits a copy of the packet of the background traffic downlink 115b to the evaluation traffic 117 side. By copying in this way, the evaluation traffic 117 can realize the same communication state as the background traffic 115. The evaluation target IPS 400 is evaluated using the copied evaluation traffic 117.

  The IPS evaluation apparatus 101 performs attack packet detection verification, packet delay measurement, and packet loss verification of the evaluation target IPS 400. That is, the IPS evaluation apparatus 101 has functions of a detection packet generation apparatus, a packet transit time evaluation apparatus, and a packet loss evaluation apparatus. As will be described later, the IPS evaluation apparatus 101 will be described as a detection packet generation apparatus, a packet transit time evaluation apparatus, and a packet loss evaluation apparatus, respectively.

Before explaining the operation of the IPS evaluation apparatus 101, the process until the input unit 102 notifies the processing unit such as the attack packet generation unit 105 and the upstream filter unit 113 of the information received from the IPS management terminal 500, FIG. And it demonstrates along FIGS. 4-6.
(1) First, the type of verification performed by the IPS evaluation apparatus 101 is one of three types: (a) attack packet detection verification, (b) packet delay measurement, or (c) packet loss verification (S1). The verification type is instructed by the IPS management terminal 500.
(2) A flow when the verification type in FIG. 3 is attack packet detection verification will be described with reference to FIG. FIG. 4 shows a case where the verification direction is uplink. As shown in FIG. 4, the IPS management terminal 500 notifies the input unit 102 of “verification type instruction”, “attack packet information”, and “verification direction”. The “attack packet information” is the IP address of the attack packet, information on the upper protocol, and the like, and the input unit 102 notifies the attack packet generation unit 105 of the “attack packet information” (S2).
(3) If the verification direction instruction is the upward direction (S3), the input unit 102 notifies the attack packet generation unit 105 of this (S4), and additionally uploads the “attack packet information”. The filter unit 113 is notified (S5).
(4) If the verification direction instruction is the downlink direction (S3), the input unit 102 notifies the attack packet generation unit 105 of this (S6) and sends the “attack packet information” to the downlink filter unit 114. Notification is made (S7).
(5) Thereafter, an instruction to start attack packet detection verification is sent to each processing unit (S8), and verification is started.

Next, a flow when the verification type in FIG. 3 is packet delay measurement will be described with reference to FIG. FIG. 5 shows a case where the verification direction is uplink. When the verification type is packet delay measurement, the input unit 102 is notified from the IPS management terminal 500 that the verification type is packet delay measurement, trigger packet information, and the verification direction.
(1) In the case of packet delay measurement, the input unit 102 receives notification of the IP address of the trigger packet and information on the upper protocol as “trigger packet information”. The input unit 102 notifies the “trigger packet information” to the delay measurement unit 103 and the trigger packet generation unit 106 (S9).
(2) If the verification direction instruction is the uplink direction (S10), this is notified to the delay measurement unit 103, the trigger packet generation unit 106, the first measurement packet distribution unit 107, and the second measurement packet distribution unit 108. In addition, the “trigger packet information” is notified to the upstream filter unit 113 (S12).
(3) When the verification direction is in the down direction (S10), this is sent to the delay measurement unit 103 (S13), the trigger packet generation unit 106, the first measurement packet distribution unit 107, and the second measurement packet distribution unit 108. In addition, the “trigger packet information” is notified to the downstream filter unit 114 (S14).
(4) Thereafter, the input unit 102 notifies each processing unit of a packet delay measurement start instruction (S15), and starts verification.

Next, a flow when the verification type in FIG. 3 is packet loss verification will be described with reference to FIG. FIG. 6 shows a case where the verification direction is uplink. When the verification type is packet loss verification, the input unit 102 is notified from the IPS management terminal 500 that the verification type is packet loss verification and the verification direction.
(1) In the case of packet loss verification, the input unit 102 notifies the packet loss verification time information to the loss detection unit 104 (S16).
(2) If the verification direction instruction is the uplink direction (S17), this is notified to the loss detection unit 104, the first measurement packet distribution unit 107, and the second measurement packet distribution unit 108 (S18).
(3) If the verification direction instruction is the downlink direction (S17), this is notified to the loss detection unit 104, the first measurement packet distribution unit 107, and the second measurement packet distribution unit 108 (S19).
(4) Thereafter, the input unit 102 notifies each processing unit of a packet loss verification start instruction (S20), and starts verification.

  In the above cases (a) attack packet detection verification, (b) packet delay measurement, and (c) packet loss verification, the input unit 102 in FIG. 2 receives information notification from the IPS management terminal 500 and receives notification. This is a flow until the information is notified to each processing unit.

  Next, taking the case of the upstream direction as an example, each of (a) attack packet detection verification, (b) packet delay measurement, and (c) packet loss verification on the evaluation target IPS 400 by the IPS evaluation apparatus 101 will be described.

First, attack packet detection verification for the evaluation target IPS 400 will be described with reference to FIGS. In the case of attack packet detection verification, the IPS evaluation apparatus 101 has a function as a detection packet generation apparatus and can be regarded as a detection packet generation apparatus. In FIG. 7, the first measurement packet distribution unit 107, the uplink distribution unit 109, and the uplink filter unit 113 constitute a duplication unit 150.
(1) The attack packet generation unit 105 (an example of a detection packet generation unit) is configured to detect an attack packet (detection packet of the detection packet) to be detected by the evaluation target IPS 400 using an IP address, a higher-level protocol, or the like specified by “attack packet information”. Example). The attack packet generation unit 105 delivers the attack packet to the uplink insertion control unit 111 according to the instruction that the verification direction is the uplink direction (S101).
(2) The uplink insertion control unit 111 inputs the background traffic uplink 115a (packet traffic), inputs the attack packet from the attack packet generation unit 105, and mixes the packet included in the background traffic uplink 115a with the attack packet. Then, the “mixed packet” is output to the upstream distribution unit 109 of the duplication unit 150 (S102).
(3) The uplink distribution unit 109 receives the “mixed packet” from the uplink insertion control unit 111 and generates a copy of the input “mixed packet” as a “duplicate packet”. Then, the upstream distribution unit 109 outputs the “duplicate packet” (output packet) to the first measurement packet distribution unit 107 as the evaluation traffic 117 (S103). Also, the “mixed packet” (residual packet) that is the copy source is output to the upstream filter unit 113. The “duplicate packet” may be output to the upstream filter unit 113 and the “mixed packet” may be output to the first measurement packet distribution unit 107. Upstream distribution section 109 may output “mixed packet” and “replicated packet”, output one to first measurement packet distribution section 107, and output the other to upstream filter section 113. It is sufficient to set in advance whether to output.
(4) In the attack packet detection verification, the first measurement packet distribution unit 107 passes the upstream packet in the evaluation traffic 117 and blocks the downstream packet (S104).
(5) The first measurement packet distribution unit 107 transmits a “duplicate packet” including the attack packet to the evaluation target IPS 400 (S105).
(6) The evaluation target IPS 400 notifies the IPS management terminal 500 of detection of the attack packet (S106). As a result, it is possible to verify whether or not the attack packet is correctly detected in the real user environment.
(7) For the input “mixed packet”, the upstream filter unit 113 blocks a packet (attack packet) in which the attack packet information notified from the input unit 102 in advance matches the IP address, the upper protocol, and the like (S107). ). As a result, attack packets included in the “mixed packet” are blocked. The upstream filter unit 113 outputs the background traffic upstream 115a in which the attack packet is deleted from the “mixed packet” (residual packet). As a result, the real user network outside the IPS evaluation apparatus 101 is not affected.

Next, packet delay measurement for the evaluation target IPS 400 will be described with reference to FIGS. 9 and 10. In the case of packet delay measurement, the IPS evaluation apparatus 101 can be regarded as a packet transit time evaluation apparatus that evaluates the transit time when a packet passes through the evaluation target IPS 400. In FIG. 9, the first measurement packet distribution unit 107, the uplink distribution unit 109, and the uplink filter unit 113 constitute a duplication unit 150.
(1) The trigger packet generation unit 106 (an example of an evaluation packet generation unit) is configured to execute a “trigger” for the delay measurement unit 103 to perform packet delay measurement using an IP address, a higher-level protocol, or the like specified by “trigger packet information”. Packet "(evaluation packet) is generated. Then, according to the instruction that the verification direction is the uplink direction, the “trigger packet” is passed to the uplink insertion control unit 111 (S201).
(2) The uplink insertion control unit 111 inputs the background traffic uplink 115a (packet traffic) and inputs the “trigger packet” from the trigger packet generation unit 106, and the packet included in the background traffic uplink 115a and the “trigger packet” Are mixed and output to the upstream distribution unit 109 of the duplication unit 150 as a “mixed packet” (S202).
(3) The uplink distribution unit 109 receives the “mixed packet” from the uplink insertion control unit 111 and generates a copy of the input “mixed packet” as the “first duplicate packet”. Then, the uplink distribution unit 109 outputs the “first duplicate packet” to the first measurement packet distribution unit 107 as the evaluation traffic 117 (S203). Further, the “mixed packet” that is the copy source is output to the upstream filter unit 113.
(4) When the first measurement packet distribution unit 107 receives the “first replication packet” from the upstream distribution unit 109, the first measurement packet distribution unit 107 generates a “second replication packet” using the “first replication packet” as a replication source, “2 duplicate packet” (second output packet) is transmitted to the delay measuring unit 103, and “first duplicate packet” (first output packet) input from the uplink distribution unit 109 is transmitted to the evaluation target IPS 400 (S204).
(5) At this time, the delay measurement unit 103 records the reception time of the trigger packet included in the “second duplicate packet” received from the first measurement packet distribution unit 107 (S205).
(6) The second measurement packet distribution unit 108 receives the “first duplicate packet” that has passed through the evaluation target IPS 400, and transmits the received “first duplicate packet” to the delay measurement unit 103 (S206).
(7) The delay measurement unit 103 records the reception time of the “trigger packet” included in the “first duplicate packet” received from the second measurement packet distribution unit 108. The delay measurement unit 103 determines whether the trigger packet transmitted by the evaluation target IPS 400 relays based on the time difference between the reception time of the trigger packet included in the “second replication packet” and the reception time of the trigger packet included in the “first replication packet”. A delay time is obtained (S207).
(8) The delay measurement unit 103 notifies the output unit 116 of the packet delay measurement result (S208), and the output unit 116 notifies the IPS management terminal 500 of this (S209).
(9) Further, the upstream filter unit 113, for the “mixed packet” input from the upstream distribution unit 109, a packet (trigger packet) in which the trigger packet information notified from the input unit 102 in advance matches the IP address, upper protocol, etc. Shut off. As a result, the trigger packet included in the “mixed packet” is blocked. The upstream filter unit 113 outputs the background traffic upstream 115a in which the trigger packet is deleted from the “mixed packet” (third output packet). As a result, the real user network outside the IPS evaluation apparatus 101 is not affected.
(10) In the above description, the upstream distribution unit 109 of the replication unit 150 generates a “first replication packet” using the mixed packet as a replication source and outputs it to the first measurement packet distribution unit 107. Then, the first measurement packet distribution unit 107 generates a “second duplicate packet” using the “first duplicate packet” as a duplication source, and outputs the “second duplicate packet” to the delay measurement unit 103. Further, the upstream distribution unit 109 outputs the “mixed packet” to the upstream filter unit 113, and the upstream filter unit 113 deletes the trigger packet included in the “mixed packet”. However, the present invention is not limited to this, and the duplicating unit 150 receives the “mixed packet” output from the uplink insertion control unit 111, and the “first duplicate packet that is a duplicate of the mixed packet based on the input“ mixed packet ”. And “second duplicate packet” may be generated. Then, the “mixed packet”, the “first duplicate packet”, and the “second duplicate packet” are output targets, and any one of these output targets is directed to the evaluation target IPS 400 (packet detection device) as the first output packet. Any one of the output targets that are not output as the first output packet is output to the delay measurement unit 103 (passage time evaluation unit) as a “second output packet”, and also as the second output packet as the first output packet The output object that is not output as a third output packet is deleted, the “trigger packet” (evaluation packet) included in the third output packet is deleted, the third output packet from which the “trigger packet” is deleted is directed to a predetermined network, What is necessary is just to output as background traffic uplink 115a.

Next, packet loss verification for the evaluation target IPS 400 will be described with reference to FIGS. 11 and 12. In the case of packet delay measurement, the IPS evaluation apparatus 101 can be regarded as a packet loss evaluation apparatus that evaluates packet loss when a packet passes through the evaluation target IPS 400 (packet detection apparatus). In FIG. 11, the first measurement packet distribution unit 107, the uplink distribution unit 109, and the uplink filter unit 113 constitute a duplication unit 150. The uplink distribution unit 109, the loss detection unit 104, the first measurement packet distribution unit 107, and the second measurement packet distribution unit 108 mainly operate in the packet loss verification.
(1) The uplink insertion control unit 111 inputs the background traffic uplink 115a (packet traffic) and passes it as it is (S301).
(2) The uplink distribution unit 109 receives the background traffic uplink 115a from the uplink insertion control unit 111, and receives a plurality of packets (hereinafter referred to as “replication source packets”) included in the input “background traffic uplink 115a”. A copy is generated as a “first duplicate packet”. Then, the uplink distribution unit 109 outputs the “first duplicate packet” to the first measurement packet distribution unit 107 as the evaluation traffic 117 and outputs the “copy source packet” to the uplink filter unit 113 (S302). .
(3) When the first measurement packet distribution unit 107 receives the “first replication packet” from the upstream distribution unit 109, the first measurement packet distribution unit 107 generates a “second replication packet” using the “first replication packet” as a replication source, The “second duplicate packet” (second output packet) is transmitted to the loss detection unit 104, and the “first duplicate packet” (first output packet) input from the uplink distribution unit 109 is transmitted to the evaluation target IPS 400 (S303). .
(4) The second measurement packet distributor 108 receives the “first duplicate packet” (first output packet) that has passed through the evaluation target IPS 400, and transmits the received “first duplicate packet” to the loss detector 104. (S304).
(6) The loss detection unit 104 receives the “first duplicate packet” from the second measurement packet distribution unit 108, and the “first duplicate packet” received from the second measurement packet distribution unit 108 and the first measurement packet distribution Based on the “second duplicate packet” received from the unit 107, the loss of the packet passing through the evaluation target IPS 400 is evaluated (S305). Specific evaluation will be described later with reference to FIG.
(7) In the above description, the upstream distribution unit 109 of the duplication unit 150 generates a “first duplication packet” using the “duplication source packet” as a duplication source, and outputs it to the first measurement packet distribution unit 107. Then, the first measurement packet distribution unit 107 generates a “second duplicate packet” using the “first duplicate packet” as a duplication source, and outputs it to the loss detection unit 104. However, the present invention is not limited to this, and the duplication unit 150 inputs the “duplication source packet” that has passed through the uplink insertion control unit 111, and is based on the inputted “duplication source packet” and is a duplicate of the duplication source packet. What is necessary is just to produce | generate "1st duplicate packet" and "2nd duplicate packet". Then, “duplication source packet”, “first duplication packet”, and “second duplication packet” are output targets, and any one of these output targets is directed to the evaluation target IPS 400 (packet detection device). Of the output target that is not output as the first output packet, is output to the loss detection unit 104 as the “second output packet”, and is not output as the first output packet or the second output packet. To the predetermined network as a third output packet and output as the background traffic up 115a.

  Next, the internal configuration of the loss detection unit 104 will be described. FIG. 13 is a diagram illustrating an internal configuration of the loss detection unit 104. As shown in the figure, the loss detection unit 104 includes an overall control unit 1041, an input unit 1042 (second output packet input unit), an input unit 1043 (first output packet input unit), and a buffer control unit 1044 (storage control unit). A packet information buffer unit 1045 (storage unit) and a timer unit 1046.

The overall control unit 1041 controls the entire inside of the loss detection unit 104. A processing flowchart of the overall control unit 1041 is shown in FIG. The operation of the overall control unit 1041 will be described with reference to FIG.
(1) When receiving the loss verification instruction from the input unit 102 of the IPS evaluation apparatus 101 (T1), the overall control unit 1041 notifies the start notification and the verification direction to each unit in the loss detection unit 104 (T2).
(2) Thereafter, the verification elapsed time is received from the timer unit 1046 (T3), and when the fixed time has elapsed (T4), the input unit 1042 is notified of the input stop (T5).
(3) Further, the verification elapsed time is received from the timer unit 1046 (T6), and when a predetermined time has elapsed (T7), an end notification is notified to each unit (T8).
(4) After that, the packet loss detection determination performed by the buffer control unit 1044 is received (T9), and when the packet loss is detected (T10), the packet loss detection is notified to the output unit 116 (T11). If not detected (T10), the output unit 116 is notified that no packet loss has been detected (T12).
(5) When the verification direction is uplink, the input unit 1042 receives the “second duplicate packet” (second output packet) before passing through the evaluation target IPS 400, and the input unit 1043 receives “ A “first duplicate packet” (first output packet) is received.
(6) The input unit 1042 and the input unit 1043 notify the buffer control unit 1044 of packet information held by each of the received “second duplicate packet” and “first duplicate packet”. Here, “packet information” means “IP header information (IP address, fragment ID, fragment offset) for identifying a packet, and when the packet loss occurs, the evaluation target IPS 400 depends on which application. IP upper protocol information for knowing whether a packet has been lost "(an example of first individual possession information, an example of second individual possession information).
(7) Further, the input unit 1042 buffers “packet information” (an example of second individual possession information) about the “second duplicate packet” before passing through the evaluation target IPS 400 in response to an input stop notification from the overall control unit 1041. The notification to the control unit 1044 is stopped. Further, the input unit 1043 stops notifying the buffer control unit 1044 of “packet information” (an example of first individual possession information) about the “first duplicate packet” after passing through the evaluation target IPS 400 by the end notification. .
(8) The buffer control unit 1044 detects packet loss due to the evaluation target IPS 400 by using the packet information of the pre-passage packet and post-passage packet information and the packet information buffer unit 1045.
(9) A processing flowchart of the buffer control unit 1044 is shown in FIG.

In FIG. 15, after receiving the start notification (U1), the buffer control unit 1044 repeats the following processing until receiving the end notification (U2).
(1) When the “second duplicate packet” before passing through the evaluation target IPS 400 is received (U3), the “packet information” is registered in the packet information buffer unit 1045 (U4).
(2) When the “first duplicate packet” after passing through the evaluation target IPS 400 is received (U3), the packet information buffer unit 1045 is searched for “packet information” of the received “first duplicate packet” (U5), and hit The entry is deleted from the packet information buffer unit 1045 (U6).
(3) After receiving the end notification, it is checked whether there is an entry remaining in the packet information buffer unit 1045 (U7), and the result is notified to the overall control unit 1041 (U8).

  In order to realize the function of the buffer control unit 1044 by mounting, the packet information buffer unit 1045 can be realized by using a CAM (Content Addressable Memory) that is a searchable buffer. A total of 93 bits of the source IP address, destination IP address, fragment ID, and fragment offset is used as a data string for search, and this is used as one entry to perform registration, search, and delete processing in the packet information buffer unit 1045. The above scheme can be realized.

  In addition to this search data string, if it has a 96-bit data storage buffer as IP upper protocol information, a buffer of about 23 million entries can be obtained by using a CAM with a capacity of 512 Mbytes. Become. This is the number of packets for which IP short packets are transferred to a 1 Gbps network for about 14 seconds.

  In the above method, since the buffer is released every time the “first duplicate packet” is received after passing through the evaluation target IPS 400, the required buffer capacity does not increase more than a certain amount even if the packet loss verification time increases. The buffer capacity required by the above method depends on the maximum number of packets carried by the evaluation target IPS 400, but it is not considered that 23 million packets are carried, and the above method can be sufficiently realized by a CAM having a 512 Mbyte capacity.

  The timer unit 1046 is for controlling the packet loss verification time, and notifies the overall control unit 1041 of the elapsed time at regular intervals from the start of verification.

  After performing the packet loss verification, the loss detection unit 104 notifies the output unit 116 of the loss verification result, and the output unit 116 notifies the IPS management terminal 500 of this.

  The above shows each verification in the uplink communication, but the downlink can be similarly implemented.

Next, the structures of the uplink insertion control unit 111 and the downlink insertion control unit 112 will be described using FIG. The structures of the uplink insertion control unit 111 and the downlink insertion control unit 112 are the same, and FIG. 16 shows the configuration of the uplink insertion control unit 111. The uplink insertion control unit 111 includes an input unit 1112, a packet buffer unit 1113, an output unit 1114, and an interrupt packet input unit 1115.
(1) The input unit 1112 temporarily stores a packet flowing in the background traffic 115 (hereinafter referred to as a user packet) in the packet buffer unit 1113.
(2) The interrupt packet input unit 1115 receives an “attack packet” or “trigger packet” (hereinafter referred to as an interrupt packet) from the attack packet generation unit 105 or the trigger packet generation unit 106 and transmits it to the output unit 1114 To do.
(3) The output unit 1114 transmits the user packet and the interrupt packet to the background traffic 115.
(4) The packet buffer unit 1113 reliably inserts the interrupt packet into the background traffic 115 even when the background traffic 115 is full bandwidth and the packet is being transferred. This is to prevent the input of the uplink insertion control unit 111 from being stopped. The data temporarily retained in the packet buffer unit 1113 is eliminated when the user packet stops flowing in the full band.

  As described above, according to the first embodiment, when considering the introduction of IPS into a real network of a certain user, it is accurately and easily verified whether or not the IPS satisfies a sufficient quality in the target network. Is possible.

  Further, even when a packet lost due to IPS is specified, the required buffer amount does not increase depending on the verification time, which is effective in reducing the buffer amount.

  Further, it is possible to reliably insert an attack packet at the time of attack packet detection verification and a trigger packet at the time of packet delay measurement into the network. Further, although the IPS introduction support system in the IP network is applicable to a network other than the IP.

  Since the IPS evaluation apparatus according to the first embodiment includes the attack packet generation unit, the insertion control unit, and the duplication unit, it is possible to evaluate the detection of the attack packet by the evaluation target IPS in a real environment.

  Since the IPS evaluation apparatus according to the first embodiment includes the trigger packet generation unit, the delay measurement unit, the insertion control unit, and the duplication unit, the delay time when the packet passes through the evaluation target IPS in the actual environment. Can be measured.

  Since the IPS evaluation apparatus according to the first embodiment includes the loss detection unit and the duplication unit, it is possible to verify the packet loss when the packet passes through the evaluation target IPS in an actual environment.

  In the loss detection unit of the first embodiment, the buffer control unit searches the packet information buffer unit and deletes the hit packet information from the packet information buffer unit. Therefore, even if the packet loss verification time increases. The buffer capacity can be kept below a certain level.

Embodiment 2. FIG.
The second embodiment will be described with reference to FIG. FIG. 17 is a diagram illustrating another example of the detection packet generation device illustrated in FIG. 7 of the first embodiment. In the example shown in FIG. 7, the “mixed packet” is duplicated. That is, since the “mixed packet” includes a packet constituting the background traffic uplink 115a and an attack packet, when the “mixed packet” is duplicated, the packet constituting the background traffic uplink 115a and the attack packet are attacked. Duplicate packets. On the other hand, in the second embodiment, the attack packet is not duplicated, and only the packet constituting the background traffic uplink 115a is duplicated. Then, the duplication unit 150 includes the attack packet in the inputted “packet constituting the background traffic uplink 115a” or “duplication of the packet constituting the background traffic uplink 115a” and transmits the attack packet to the evaluation target IPS 400. The “packet constituting the background traffic uplink 115a” or “duplicate of the packet constituting the background traffic uplink 115a” which does not include the attack packet is output as the background traffic uplink 115a. As a result, the upstream filter unit 113 required in FIG. 7 becomes unnecessary.

In FIG. 17, the IPS evaluation apparatus 101 as the detection packet generation apparatus performs the following operation.
(1) The attack packet generation unit 105 (detection packet generation unit) generates an attack packet (detection packet) for the evaluation target IPS 400 (packet detection device) to detect.
(2) The uplink distribution unit 109 of the duplication unit 150 inputs the background traffic uplink 115a (packet traffic) and the attack packet generated by the attack packet generation unit 105. Then, a duplicate packet is generated using a plurality of packets included in the input background traffic uplink 115a as a duplication source. Then, the input attack packet is mixed with any of the duplicate packets and the duplicated “duplicate packet” and output to the evaluation target IPS 400 as a “mixed packet”. Any of the plurality of packets and the “duplicate packet” that have not been performed is output as the background traffic uplink 115a toward the predetermined network. The same applies to the downhill.

  In the IPS evaluation apparatus according to the second embodiment, since the duplicating unit duplicates only the packet constituting the background traffic uplink 115a, it is not necessary to delete the attack packet.

1 is a configuration diagram of an IPS verification system in Embodiment 1. FIG. 2 is an internal configuration diagram of an IPS evaluation apparatus 101 in Embodiment 1. FIG. 4 is an information transmission flowchart from the input unit 102 to each processing unit in the first embodiment. FIG. 10 is a diagram illustrating information transmission from the input unit 102 to each processing unit in the case of attack packet detection verification in the first embodiment. FIG. 6 is a diagram illustrating information transmission from the input unit 102 to each processing unit in the case of packet delay measurement in the first embodiment. FIG. 6 is a diagram illustrating information transmission from the input unit 102 to each processing unit in the case of packet loss verification in the first exemplary embodiment. It is a block diagram at the time of seeing the IPS evaluation apparatus 101 in Embodiment 1 as a packet generation apparatus for a detection. 4 is a flowchart of an operation when the IPS evaluation apparatus 101 is viewed as a detection packet generation apparatus in the first embodiment. It is a block diagram at the time of seeing the IPS evaluation apparatus 101 in Embodiment 1 as a packet passage time measuring apparatus. 3 is a flowchart of an operation when the IPS evaluation apparatus 101 is viewed as a packet transit time measurement apparatus in the first embodiment. It is a block diagram at the time of seeing the IPS evaluation apparatus 101 in Embodiment 1 as a packet packet loss evaluation apparatus. 3 is a flowchart of an operation when the IPS evaluation apparatus 101 is viewed as a packet packet loss evaluation apparatus in the first embodiment. FIG. 3 is a diagram showing a configuration of a loss detection unit 104 in the first embodiment. 6 is an operation flowchart of the overall control unit 1041 of the loss detection unit 104 in the first embodiment. 6 is an operation flowchart of the buffer control unit 1044 of the loss detection unit 104 in the first embodiment. 3 is an internal configuration diagram of an uplink insertion control unit 111 in the IPS evaluation apparatus 101 according to Embodiment 1. FIG. FIG. 10 is a configuration diagram illustrating another example of a detection packet generation device according to the first embodiment. It is an example of a conventional general IPS verification environment. It is an example of the verification environment of IPS at the time of using the conventional technique.

Explanation of symbols

  1 pseudo load device, 2 evaluation target IPS, 3 IPS management terminal, 4 attack terminal, 5 hub, 6 test network, 11 IP network, 12 performance measurement device, 13 router, 14 evaluation target IPS, 15 IPS management terminal , 16 Attack terminal, 17 Hub, 18 IPS planned network, 101 IPS evaluation apparatus, 102 input unit, 103 delay measurement unit, 104 loss detection unit, 105 attack packet generation unit, 106 trigger packet generation unit, 107 first measurement Packet distribution unit, 108 Second measurement packet distribution unit, 109 Up distribution unit, 110 Down distribution unit, 111 Up insertion control unit, 112 Down insertion control unit, 113 Up filter unit, 114 Down filter unit, 115 Background traffic, 115a Background traffic Upstream, 115b Background traffic down, 116 output unit, 117 evaluation traffic, 200 IP network, 300a, 300b router, 400 evaluation target IPS, 500 IPS management terminal, 600 IPS planned network, 1041 overall control unit, 1042 input Unit, 1043 input unit, 1044 buffer control unit, 1045 packet information buffer unit, 1046 timer unit, 1112 input unit, 1113 packet buffer unit, 1114 output unit, 1115 interrupt packet input unit.

Claims (7)

In a detection packet generation device that generates a packet for detection by a packet detection device that detects a predetermined packet as a detection target, a detection packet generation unit that generates a detection packet for detection by the packet detection device;
Input the packet traffic indicating the flow of a plurality of packets toward a predetermined network and the detection packet generated by the detection packet generator, and input the plurality of packets included in the input packet traffic A mixing unit that mixes the packets and outputs them as mixed packets;
The mixed packet output by the mixing unit is input, a duplicate packet that is a duplicate of the mixed packet is generated based on the input mixed packet, and the mixed packet and the duplicate packet are set as output targets. Any one of them is output as an output packet toward the packet detection device, the output packet not output as the output packet is set as a residual packet, the detection packet included in the residual packet is deleted, and the detection packet is deleted And a duplicating unit that outputs the residual packet toward the predetermined network. The packet detection device includes:
Detect packets that attack the network,
The detection packet generator is
The detection packet generation device according to claim 1, wherein a packet that attacks the network is generated as the detection packet. An evaluation packet generator for generating an evaluation packet used for evaluating the passage time in a packet passage time evaluation device for evaluating a passage time when a packet passes through a packet detection device that detects a predetermined packet as a detection target; ,
A transit time evaluation unit for evaluating the transit time;
Input the packet traffic indicating the flow of a plurality of packets toward a predetermined network and the evaluation packet generated by the evaluation packet generator, and input the plurality of packets included in the input packet traffic A mixing unit that mixes the packets and outputs them as mixed packets;
The mixed packet output by the mixing unit is input, and based on the input mixed packet, a first duplicate packet and a second duplicate packet that are duplicates of the mixed packet are generated, and the mixed packet and the first duplicate packet are generated. And the second duplicate packet as an output target, any one of the output targets is output to the packet detection device as a first output packet, and any one of the output targets that is not output as the first output packet Is output to the transit time evaluation unit as the second output packet, and the output target that is not output as the first output packet or the second output packet is included in the third output packet as the third output packet. And the third output packet from which the evaluation packet has been deleted is transferred to the predetermined network. Only and a replication unit for outputting,
The transit time evaluation unit
The second output packet output from the duplicating unit and the first output packet that has passed through the packet detection device are input, and the first output that is input to the evaluation packet included in the input second output packet A packet transit time characterized by recording each input time with the evaluation packet included in the packet and evaluating a transit time of the packet passing through the packet detection device based on each recorded input time Evaluation device. In a packet loss evaluation device that evaluates the loss of the packet that passes when a packet passes through a packet detection device that detects a predetermined packet as a detection target,
A loss evaluation unit for evaluating packet loss;
A packet traffic indicating a flow of a plurality of packets toward a predetermined network is input, and a first replication packet and a second replication packet that are duplicates of the plurality of packets based on the plurality of packets included in the input packet traffic, Generating the plurality of packets, the first duplicate packet, and the second duplicate packet as output targets, and outputting any one of the output targets to the packet detection device as a first output packet, Any one of the output targets that are not output as one output packet is output as a second output packet to the loss evaluation unit, and the output target that is not output as either the first output packet or the second output packet is the third output packet. A duplicating unit that outputs the output packet toward the predetermined network;
The loss evaluation unit
Based on the input first output packet and the input second output packet, the first output packet that has passed through the packet detector and the second output packet output by the duplicating unit are input. A packet loss evaluation apparatus characterized by evaluating a loss of a packet passing through a packet detection apparatus. The loss evaluation unit
A second output packet input unit for inputting the second output packet from the duplication unit;
A first output packet input unit for inputting the first output packet that has passed through the packet detection device;
A storage unit for storing second individual possession information possessed by each packet included in the second output packet input by the second output packet input unit;
The second individual holding information corresponding to the first individual holding information is stored using the first individual holding information held by each packet included in the first output packet input by the first output packet input unit. When the second individual holding information corresponding to the first individual holding information is hit, the second individual holding information that has been hit is deleted from the storage unit and deleted from the storage unit. 5. The packet loss evaluation apparatus according to claim 4, further comprising: a storage control unit that evaluates a loss of a packet passing through the packet detection apparatus based on a deletion result of the individual possession information. The storage unit
6. The packet loss evaluation apparatus according to claim 5, further comprising a content referable memory (CAM). In a detection packet generation device that generates a packet for detection by a packet detection device that detects a predetermined packet as a detection target, a detection packet generation unit that generates a detection packet for detection by the packet detection device;
Input a packet traffic indicating a flow of a plurality of packets toward a predetermined network and the detection packet generated by the detection packet generator, and based on the plurality of packets included in the input packet traffic A duplicate packet that is a duplicate of a packet is generated, and the input detection packet is mixed with any of the plurality of packets and the duplicate packet, and is output to the packet detection device as a mixed packet. An apparatus for generating a detection packet, comprising: a duplication unit that outputs any one of the plurality of packets and the duplication packet in which no detection packet is mixed to the predetermined network.

Images