JP2007096544A - Transmission source tracking apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a transmission source tracking apparatus whereby a tracking function of an attack terminal is introduced to a whole network at a low cost and capable of performing tracking of an attack packet even on the occurrence of a fault in part of relay apparatuses. <P>SOLUTION: The transmission source tracking apparatus includes a topology map database 26 for indicating physical connection relations between relay apparatuses with a tracking function and relay apparatuses without the tracking function, generates a tracking request message including a feature of the attack packet and a reply request of a tracking information message when an IDS (Instruction Detection System) section 2 detects an attack, refers to topology map information and transmits the tracking request message to the relay apparatuses with the tracking function. A tracking request message generating section 24 refers to the topology map information on the basis of a sender address included in the tracking information message and transmits a tracking request message to the relay apparatuses with the tracking function at a sender side of the relay apparatuses for transmitting the tracking information message. A tracking information analysis section 22 merges addresses included in the tracking information messages to specify the transmission source of the attack packet. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a transmission source tracking system for specifying a transmission source of a communication packet, and relates to a transmission source tracking device for acquiring communication packet tracking information in the system.

  In recent years, with the spread of open networks represented by the Internet, attacks on terminals connected to the network have become a problem. Typical attacks include a DoS (Denial of Service) attack that sends a large number of IP (Internet Protocol) packets from a certain attacking terminal to a specific victim terminal, and a plurality of attacking terminals connected to the network. A so-called DDoS (Distributed Dos) attack is known in which a large number of IP packets are transmitted to a victim terminal as a whole by transmitting IP packets to a particular victim terminal. These denial-of-service attacks not only paralyze the service provisioning function of the victim terminal by saturating the processing of the victim terminal that is the attack target, but also place an excessive load on the entire network. Measures are required.

  One possible countermeasure is to identify the source address of attack packets sent in large quantities to the victim terminal and block communication from the terminal having that address. However, since the source address is easily misrepresented, just specifying this source address does not necessarily specify the source of the attack packet.

  Therefore, ICMP (Internet Control Message Protocol) traceback (hereinafter referred to as itrace) that can identify the attacking terminal by sequentially following the path of the attack packet has been proposed by the Internet Engineering Task Force (IETF). . In this itrace, each relay device (router) selects an IP packet that passes through the relay device with a probability of about 1 / 20,000, and tracking information such as an interface through which the selected IP packet passes is sent to the network. The attack terminal is specified by transmitting to a connected tracking device and connecting a plurality of tracking information transmitted from the relay device by this tracking device. As techniques using such itrace, those described in Patent Document 1 and Patent Document 2 below are known.

  However, in this itrace, the IP packet selection has a low probability of 1 / 20,000 so as not to burden the network. Therefore, particularly when a DDoS attack is received, there is a problem that an attack packet is not selected and a considerable time is required for tracking or tracking becomes impossible. In addition, since the relay apparatus autonomously creates tracking information, there is a problem that an IP packet to be tracked cannot be selected. Therefore, in order to solve such a problem, it is known that an active source tracking system in which the tracking device itself independently acquires tracking information is configured.

  For example, in the technique described in Patent Document 1, if a tracking terminal is prepared separately from the victim terminal and a large number of attack packets are transmitted from the attack terminal to the victim terminal via a plurality of relay devices, the tracking device Makes a request for tracking attack packets to the relay device, and each relay device sequentially sends a tracking request to the relay device on the attacking terminal side as seen from itself and sends a specific result to the tracking device. The attacking terminal is identified by sending.

Further, in the technique described in Patent Document 2, when a large number of attack packets are transmitted to the victim terminal, the tracking device requests the relay device to track the attack packet, and each relay device receives a destination address. When the attack packet directed to the victim terminal is captured, the interface through which the packet has passed is specified, and tracking information including the interface information is acquired and transmitted to the tracking device. Then, the tracking device makes a tracking request to the next relay device based on the tracking information, and identifies the attacking terminal by repeating this request.
JP 2000-124952 A JP 2003-264553 A

  As described above, in the inventions disclosed in each of these Patent Documents 1 and 2, the tracking device itself actively acquires the tracking information, so that even if the DDoS attack is received, Tracing can be performed at high speed, and it is not impossible to trace due to attack packet deselection, which is a drawback of itrace. However, in these inventions, since the characteristics of the attack packet to be tracked are determined based on the predetermined information, a packet having the same characteristics may be tracked by chance even though it is not an attack packet.

  That is, in the invention disclosed in Patent Document 1, since an IP packet including a source address or a victim terminal address is selected as a destination address to be tracked (see paragraph 0033), an attacking terminal transmits When the source address is misrepresented, it also tracks the transmission packet from the legitimate terminal of the source address, or a malicious user who tries to communicate with the address of the victim terminal as the destination address (hereinafter referred to as legitimate user) ) Will also track the terminal's transmission packets.

  On the other hand, even in the invention disclosed in Patent Document 2, in the same manner as in Patent Document 1, in addition to the problem that occurs using the source IP address and the destination IP address, information such as the type of the upper protocol is displayed. Since it is used (see paragraph 0022), an IP packet having the same characteristics is tracked by chance.

  As described above, in the inventions disclosed in the above-mentioned Patent Documents 1 and 2, there is a problem that a load is applied to the entire network by tracking IP packets that are not attack packets.

  On the other hand, the applicant of the present application uses a source search system (Japanese Patent Application No. 2004-336696 “Source tracking system and its system” for the purpose of not increasing the network load even if the process of specifying the attacking terminal is performed. Relay device)). This source search system is composed of a network composed of relay devices having a tracking function and a tracking terminal that controls source search, and connects a tracking terminal and a victim terminal to a certain relay device. deep.

  In this source search system, when an attack terminal in a network to which a plurality of relay devices are connected forges a source address toward a victim terminal and sends an attack packet, the tracking terminal detects the attack, In order to determine the true source of the attack, a tracking request is transmitted to the relay device closest to the victim terminal. In this tracking request, the feature information (destination address, protocol number, port number, etc.) obtained from the attack packet is specified, and the relay terminal that receives the tracking request monitors the passing packet and uses it as the feature information. Monitor matching packets.

  When a packet having a feature that matches the feature information of the attack packet passes, tracking information including the address of the relay apparatus upstream of the packet is transmitted to the tracking terminal. Next, when the tracking terminal receives the tracking information, the tracking terminal transmits a tracking request toward an upstream relay device included in the tracking information. By repeating this, a tracking request is made from the relay device nearest to the victim terminal to the relay device nearest to the attack terminal, and the address of the attack terminal can be specified.

  However, even with this transmission source search system, it is necessary to implement a function for creating tracking information in all relay apparatuses, so that introduction is expensive. In addition, this transmission source search system has a problem that if a failure occurs in the tracking information creation function of one relay device between the victim terminal and the attack terminal, the relay device to which the attack terminal is connected cannot be specified. .

  Therefore, the present invention has been proposed in view of the above-described circumstances, and the introduction of the attack terminal tracking function is made inexpensive throughout the network, and an attack is performed even if some relay device fails. It is an object of the present invention to provide a source tracking apparatus capable of performing packet tracking.

  The present invention is a source tracking device that tracks the source of an attack packet that is transmitted from an attacking terminal and is received by a victim terminal via a plurality of relay devices. The storage device stores the topology map information describing the physical connection relationship between the relay device having the function of creating the information message and the relay device not having the function of creating the tracking information message, and is further received by the victim terminal. Packet analysis means for detecting an attack packet from the packet characteristics, the attack packet characteristics analyzed by the packet analysis means, and transmission of the packet when the packet having the same characteristics as the attack packet is relayed Tracking information message including a pair of an original address and its own address and a pair of a destination address of the packet and its own address A tracking request message is created in a relay device having a function of creating a tracking information message among a plurality of relay devices by referring to the topology map information and a tracking request message creating means for creating a tracking request message including a request to return a response The source of the attack packet by connecting the tracking request message transmission means for transmitting the tracking request message created by the means and the address contained in the tracking information message from the relay apparatus having the function of creating the tracking information message Tracking information analysis means for identifying the tracking information message, and the tracking information message transmission means refers to the topology map information from the transmission source address included in the tracking information message, and sends the tracking information message to the transmission source side of the relay apparatus that has transmitted the tracking information message. Relay device that exists and has a function of creating a tracking information message Sending a tracking request message.

  When such a source tracking device receives a tracking information message from a relay device having a certain tracking function, it then sends a tracking request message from the source address and destination address included in the tracking information message. When determining the relay device, the tracking request message can be transmitted only to the relay device having the tracking function, with reference to the topology map information, except for the relay device that cannot transmit the tracking information message.

  The present invention is a source tracking device that tracks the source of an attack packet that is transmitted from an attacking terminal and is received by a victim terminal via a plurality of relaying devices. Creates a tracking information message by receiving topology map information describing the physical connection relationship of the device and a packet that is connected to the communication line through which the attack packet passes and is relayed by the relay device through the communication line. Packet analysis means for detecting attack packets from the characteristics of the packets received by the victim terminal, further comprising storage means for storing tracking device arrangement information describing the connection relationship between the tracking dedicated device having a function and the relay device When the packet having the same characteristics as the characteristics of the attack packet analyzed by the packet analysis means and the attack packet is detected, the packet is transmitted. Tracking request message creating means for creating a tracking request message including a request for returning a tracking information message including a pair of an address and a self address and a pair of a transmission destination address of the packet and the self address; and topology map information And a tracking request message sending means for sending the tracking request message created by the tracking request message creating means to the tracking dedicated device with reference to the tracking device arrangement information, and an attack included in the tracking information message from the tracking dedicated device A tracking information analyzing unit that identifies a source of an attack packet by connecting a source address and a destination address of a packet having the same characteristics as the packet, and the tracking information message transmitting unit is included in the tracking information message Topology map information and tracking device location information from source address See, it sends a tracking request message to the tracking-only apparatus existing source side of the track only apparatus which has transmitted the tracking information message.

  When such a source tracking device receives a tracking information message from a certain device dedicated to tracking, the source tracking device uses the source address and destination address included in the tracking information message as the next destination of the tracking request message. When the dedicated device is determined, the tracking request message can be transmitted only to the tracking dedicated device except for the relay device by referring to the tracking device arrangement information.

  According to the present invention, the connection relationship between the relay device that can transmit the tracking information message and the relay device that cannot transmit the tracking information message is stored as topology map information, and the tracking request message is sent only to the relay device that can transmit the tracking information message. Even in a network where relay devices that cannot send tracking request messages are mixed, attack packets can be tracked, and the introduction of the tracking function can be made inexpensive throughout the network. The attack packet can be traced even if a failure occurs in the relay device and the trace information message cannot be transmitted.

  Further, according to the present invention, the connection relationship of the relay device is stored as topology map information, and the connection relationship of the tracking dedicated device to the relay device is stored as the tracking device arrangement information, so that the attack packet is relayed. A tracking information message can be received from the tracking-only device when it passes the device. Therefore, attack packets can be tracked by simply inserting a dedicated tracking device without installing a relay device that can send tracking information messages, making the introduction of the tracking function inexpensive throughout the network and figurative tracking. Attack packets can be traced even if a failure occurs in some relay apparatuses that can transmit information messages and the tracking information message cannot be transmitted.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  As shown in FIG. 1, the source tracking device according to the present invention includes a victim terminal V and a plurality of relay devices R1 to R6 (hereinafter, collectively referred to as “relay device Rn”). In the source search system, it is applied to the tracking terminal M connected to the relay device R2 together with the victim terminal V. In this source search system, a large number of IP packets are sent from the attacking terminals A1 and A2 connected to certain relay devices R4 and R6 (hereinafter simply referred to simply as “attacking terminal An”) to the victim terminal V. When a DDoS (Distributed Dos) attack that disables other processing of the victim terminal V is performed, the IP packet transmitted from the attack terminals A1 and A2 to the victim terminal V passes through the relay device Rn. .

  On the other hand, the tracking terminal M uses the tracking function of the relay device Rn to identify the attacking terminals A1 and A2, but the tracking terminal M has a tracking function between the relay devices Rn having the tracking function. By storing the topology map information that defines the physical connection relationship, the attack terminals A1 and A2 can be identified even if the tracking function is not implemented in all the relay devices Rn. That is, when the tracking terminal M detects an attack from the attacking terminal A to the victim terminal V, the tracking terminal M requests the relay apparatus having the tracking function to transmit the information of the IP packet that constitutes the attack by the tracking request message. Although the tracking information message is received from the relay device having the tracking function, even if the relay device Rn having the tracking function and the relay device Rn not having the tracking function are mixed, the tracking information from the relay device Rn having the tracking function is mixed. The attack terminal An can be specified using the message. As a result, the present invention makes it possible to introduce the attack terminal tracking function inexpensively throughout the transmission source search system.

  Further, in the present invention, even if a failure occurs in a part of the relay devices having the tracking function, the attack packet can be tracked by updating the topology map information stored in the tracking terminal M. The best mode to which the present invention is applied will be described below.

  In this embodiment, a tracking function is implemented in relay devices R2, R3, R4, and R6 that are router devices (including gateway devices) among relay devices R1 to R6, and a tracking function is included in relay devices R1 and R5. Is not implemented, the victim terminal V and the tracking terminal M are connected to the relay device R2, the attack terminal A1 is connected to the relay device R4, and the attack terminal A2 is connected to the relay device R6 Will be described.

"Configuration of tracking terminal M"
A tracking terminal M is connected between the relay device R2 and the victim terminal V via a not-shown concentrator (hub, tap device, etc.), and the tracking terminal M has a port monitoring function of the concentrator. Thus, a copy packet of the IP packet transmitted / received between the relay device R2 and the victim terminal V is acquired. In this acquisition, as shown in FIG. 2, the tracking terminal M acquires the IP packet from the communication interface unit 1 which is a so-called NIC (Network Interface Card). The communication interface unit 1 is connected to an IDS (Intrusion Detection System) unit 2 that detects an attack on the victim terminal V, and a source tracking unit 3 that identifies the attack terminals A1 and A2. Send and receive.

  The tracking terminal M performs processing for monitoring the IP packet received by the victim terminal V via the relay device R2 by the IDS unit 2 and identifying the attacking terminal An by the source tracking unit 3.

  The IDS unit 2 is an IP packet related to unauthorized access by being connected to the IDS packet analyzing unit 11 that analyzes an IP packet transmitted and received between the relay device R2 and the victim terminal V, and the IDS packet analyzing unit 11 And a database for identifying this. As an example, this database includes an unauthorized access pattern database 12 storing various attack patterns such as a DDOS attack, a Syn Flood attack, a Ping of Death attack, and a port scan attack, and the attack pattern, date and time when there is an attack. And the unauthorized access statistics database 13 for storing statistical information such as the number of times. The various attack patterns stored in the unauthorized access pattern database 12 are input and registered in advance by the user of the source search system from the input unit 4 via the IDS packet analysis unit 11. . The input unit 4 corresponds to a user interface for updating information registered in the unauthorized access pattern database 12 and the unauthorized access statistics database 13 of the IDS unit 2.

  When such an IDS packet analyzer 11 detects an IP packet corresponding to an unauthorized access pattern defined in the unauthorized access pattern database 12 by the IDS packet analyzer 11, the IDS packet analyzer 11 The feature information of the IP packet constituting the access is acquired, and the source tracking unit 3 is notified that an attack to the victim terminal V by the attack terminal An has occurred. The IDS packet analysis unit 11 registers statistical information including attack pattern information, date information, and the like in which the attack has occurred in the unauthorized access statistical database 13. The statistical information stored in the unauthorized access statistical database 13 can be referred to by a user of the source search system, a user of the victim terminal V, and the like.

  When the IDS unit 2 detects an attack on the victim terminal V, the transmission source tracking unit 3 transmits a tracking request message to the relay device Rn having a tracking function, and the relay device Rn that is a response to the tracking request message The tracking information message from is received and the attacking terminal An is specified. The source tracking unit 3 includes a tracking information message detecting unit 21 that acquires a tracking information message transmitted from the relay devices R2, R3, R4, and R6 having a tracking function, and a tracking information analyzing unit that analyzes the tracking information message. 22, a link list database 23 for sequentially storing intermediate routes from the victim terminal V to the attack terminals A1, A2, a tracking request message creating unit 24 for transmitting a tracking request message to the relay device Rn, and tracking information In response to the commands from the analysis unit 22 and the IDS packet analysis unit 11 of the IDS unit 2, the tracking control unit 25 causes the tracking request message generation unit 24 to generate a tracking request message, and the physical structure of the relay device Rn in the source search system A topology map database 26 storing topology map information defining connection relations and the like.

  The topology map information stored in the topology map database 26 is referred to by the tracking control unit 25 to identify the relay device Rn that is the transmission destination of the tracking request message. As shown in FIG. 3, this topology map information is stored in the interface of the relay device Rn for each ID (R1, R2, R3, R4, R5, R6...) Of the relay device Rn constituting the source search system. , The ID of the adjacent relay device Rn, and the presence / absence of the tracking function of returning a tracking information message in response to the tracking request message from the tracking terminal M are stored. This topology map information can be updated by the user of the source search system via the input unit 4. For example, when a relay device Rn having a certain tracking function fails, the tracking function presence / absence information of the relay device Rn can be updated to “no tracking function”.

  The tracking information message detection unit 21 detects the tracking information message transmitted from the relay device Rn among the messages received by the communication interface unit 1 and passes it to the tracking information analysis unit 22. The tracking information analysis unit 22 analyzes the tracking information message received by the tracking information message detection unit 21 and stores the tracking result information of the attacking terminal An, which is the analysis result, in the link list database 23.

  The contents stored in the link list database 23 include, as shown in FIG. 4, for example, the ID of the tracking information message, the ID of the path for tracking the attack packet (tracking ID), and the tracking information message at the tracking terminal M. , The IP address of the device behind the relay device Rn that transmitted the tracking information message, the relay device Rn that transmitted the tracking information message, and the rear side of the relay device Rn (attack terminal An side) ) Back link information that is a pair of IP addresses (or MAC addresses) that identify the connection relationship with the device, the relay device Rn that transmitted the tracking information message, and the front side (transmission destination, victim terminal V side) of the relay device Rn ) A pair of IP addresses that specify the connection relationship with the device. Among these, the tracking information analysis unit 22 acquires the reception time of the tracking information message from a timer or the like (not shown), acquires the backward device IP address, the backward link information, and the forward link information from the tracking information message, and links The data is stored in the list database 23.

  In addition, the tracking information analysis unit 22 passes the rear device IP address included in the tracking information message to the tracking control unit 25. The tracking control unit 25 refers to the topology map database 26, confirms whether or not a tracking request has already been made based on the rear device IP address received from the tracking information analysis unit 22, and determines whether the relay device Rn has a tracking function. If the relay device does not have the tracking function, the IP address of the relay device Rn having the tracking function nearby is listed. Then, the tracking control unit 25 extracts the IP address of the relay device Rn to which the tracking request message is to be transmitted from the topology map database 26 and passes it to the tracking request message creating unit 24.

  In response to this, the tracking request message creation unit 24 generates a tracking request message with all IP addresses designated by the tracking control unit 25 as destination IP addresses, and causes the communication interface unit 1 to transmit the tracking request message. Here, as a parameter included in the tracking request message created by the tracking request message creating unit 24, a value set by the input unit 4 or the like is used. The parameters included in the tracking request message are, for example, a timeout time for preventing infinite circulation when the tracking request message is not received, an upper limit value of the number of times the tracking request message is retransmitted, and the like.

  In addition, although the above-mentioned tracking terminal M demonstrated the case where the IDS part 2 and the transmission source tracking part 3 were comprised by the single apparatus, even if the IDS part 2 and the transmission source tracking part 3 are provided separately, it is. good.

"Configuration of relay device"
As shown in FIG. 5, the relay device Rn having a tracking function relays IP packets to and from the communication interface unit 31 that transmits and receives IP packets to be relayed, including reception of tracking request messages and transmission of tracking information messages. Therefore, a router function unit 32 that performs a routing process and a source source tracking function unit 33 that performs an analysis process of whether or not the IP packet received by the relay device Rn matches the characteristics to be tracked are provided.

  The communication interface unit 31 includes a physical layer interface 41 that is connected to a communication line and performs processing corresponding to layer 1 of an OSI (Open Systems Interconnection) reference model, and a data link layer interface 42 that performs processing corresponding to layer 2. The router function unit 32 and the source tracking function unit 33 are connected to the latter data link layer interface 42, respectively.

  The router function unit 32 fetches a data link frame (herein referred to as a MAC frame) from the data link layer interface 42, and the destination address (IP of the network layer header corresponding to layer 3 in the OSI reference model included in the frame data) Address), a routing control unit 51 that performs relay control of an IP packet to a predetermined relay device or terminal, and a table used for the relay control, in which a transmission interface corresponding to the destination IP address is stored A routing table 52 and an ARP (Address Resolution Protocol) table 53 storing MAC (Media Access Control) addresses corresponding to IP addresses are provided.

  When a MAC frame that does not include a tracking request message is supplied from the data link layer interface 42, the router function unit 32 sets the relay device Rn or terminal that transmits from the IP address included in the MAC frame to the routing table 52 and the ARP table. 53, the communication interface unit 31 transmits the MAC frame whose MAC address is recognized and recognized.

  The source tracking function unit 33 takes in a MAC frame from the data link layer interface 42 and acquires a data link address (herein, a MAC address) included in the frame header, and an IP packet The packet analysis unit 62 determines whether the frame data matches the feature information of the IP packet to be tracked, and the feature information database 63 that stores the feature information of the IP packet to be tracked. Further, the source tracking function unit 33 creates a tracking information message based on the timer unit 64 that measures the time for which the source source tracking process is continued, and information transmitted from the timer unit 64 and the packet analysis unit 62. A source tracking control unit 65 that acquires various types of information necessary for this purpose, and a tracking information message creation unit 66 that creates a tracking information message including information on an interface through which an IP packet that matches the characteristics has passed. The details of the operation in the relay device Rn having this tracking function will be described later.

  Further, the relay device Rn that does not have the tracking function is configured to include the communication interface unit 31 and the router function unit 32 without the transmission source tracking function unit 33 in FIG.

  In the source search system configured as described above, the tracking terminal M monitors the communication between the relay device R2 and the victim terminal V, and the IDS packet analysis unit 11 refers to the unauthorized access pattern database 12, Analyze whether it corresponds to the attack pattern. When the IDS packet analysis unit 11 detects an attack pattern, the IDS packet analysis unit 11 causes the tracking request message creation unit 24 to create a tracking request message including the characteristic information of the attack packet and transmit it from the communication interface unit 1.

  On the other hand, when the relay device Rn having a tracking function receives an IP packet that matches the feature information, the relay device Rn includes a tracking including the rear device IP address, the rear link information, and the front link information illustrated in FIG. The information message is returned to the tracking terminal M, and the tracking terminal M registers the backward link information and the forward link information in the link list database 23, and refers to the topology map database 26 from the IP address of the backward side device. The relay apparatus Rn that transmits the tracking request message is determined and the tracking request message is transmitted. In this way, the tracking request message is transmitted only to the relay device Rn having the tracking function, and the process of receiving the tracking information message and updating the link list database 23 is repeated, so that any of the relay devices Rn is connected. Can be recognized as the attack terminal An.

  The characteristic information of the attack packet may be information on the protocol higher than the transport layer, including information on the IP header such as the source IP address, the destination IP address, and the type of the upper protocol, for example, TCP (Transmission Information such as destination port number of Control Protocol (UDP) and UDP (User Datagram Protocol) is used, and the feature information is configured by each or a combination thereof. Note that the addresses and the like do not necessarily have to be single, for example, there are ranges such as source IP addresses 0.0.0.0 to 255.255.255.255, destination IP addresses 133.254.181.0 to 133.254.182.0, port numbers 0 to 1024, etc. There may be.

  Next, regarding the process of identifying the attack terminal An that has attacked the victim terminal V by the tracking terminal M and the relay apparatus Rn configured as described above, the flowcharts of FIGS. 6 to 8 and the source search system of FIG. This will be described with reference to the configuration.

  First, the tracking terminal M constantly monitors the communication of the victim terminal V. Specifically, the tracking terminal M obtains an IP packet by the communication interface unit 1 and transmits the packet data to the IDS packet analysis unit 11. The packet analysis unit 11 refers to the unauthorized access pattern database 12 and analyzes whether the packet transmission pattern of the IP packet corresponds to an attack pattern for the victim terminal V. When an attack packet is transmitted from the attack terminal An to the victim terminal V and a copy packet of the attack packet is acquired by the communication interface unit 1, the IDS packet analysis unit 11 of the tracking terminal M is an attack pattern. Is detected and feature information is created (FIG. 6, step S1), and a tracking request message creation request including feature information of the attack packet is transmitted to the source tracking unit 3.

  Upon receiving the tracking request message creation request, the source tracking unit 3 refers to the topology map database 26 by the tracking control unit 25 in step S2, and first determines the relay device Rn that transmits the tracking request message. Create a to-be-requested list. This request schedule list is an ID representing a relay device Rn having a tracking function capable of transmitting an IP packet with the closest number of hops from the victim terminal V, and there may be a relay device Rn having a plurality of tracking functions. Note that the IP address of the relay device Rn nearest to the victim terminal V, that is, the relay device R2 in FIG. 1 may be registered in advance by the user via the input unit 4. The requested list indicating whether the tracking request message has been transmitted is set to an empty initialization state.

  Next, in step S <b> 3, the source tracking unit 3 creates a tracking request message storing feature information of the attack packet by the tracking request message creation unit 24, and transmits the tracking request message from the communication interface unit 1.

  In the tracking request message creation / transmission process, as shown in FIG. 7, the IP address corresponding to the ID of one relay device Rn is extracted from the request schedule list created in step S2 (step S31). The ID of the relay device Rn having the IP address is added to the requested list (step S32). This is because the same tracking request message is not transmitted twice to the same IP address.

  Next, in step S33, the tracking request message creating unit 24 uses the IP address extracted in step S31 as the destination address, information indicating that it is a tracking request, and for distinguishing each route when forming a plurality of tracking routes. A tracking request message including the tracking ID, the upper limit value of the tracking information aggregation number, the upper limit value of the tracking information acquisition number, the time for continuing the source tracking process, and the feature information is created. Here, the upper limit value of the tracking information aggregation number and the upper limit value of the tracking information acquisition number are set as the parameters of the tracking request message because the relay device Rn having the tracking function sets the communication packet related to the normal communication as a feature of the attack packet. This is because it is determined that the information corresponds to the information, and the tracking information message for specifying the normal communication packet is not transmitted.

  The tracking request message creation unit 24 stores the tracking ID and the feature information in association with each other in its own buffer (not shown) when creating the tracking request message. The creation of the message may be formed using a communication protocol such as UDP, TCP, ICMP (Internet Control Message Protocol), or SNMP (Simple Network Management Protocol). The tracking request message created in this manner is transmitted from the communication interface unit 1 to the relay device Rn (step S34).

  Next, it is determined by the communication interface unit 1 of the tracking terminal M whether or not the transmission of the tracking request message has succeeded (step S35). And the process proceeds to step S4 in FIG.

  On the other hand, if the tracking request message has been successfully transmitted, but the request schedule list is not empty, the processing of steps S31 to S35 is repeated in order to transmit the tracking request message to another relay device Rn. For example, when the IDs of the relay devices R4 and R6 are registered in the request schedule list, the processes in steps S31 to S35 are repeated for each relay device.

  If the tracking request message has not been successfully transmitted due to a failure due to a failure of the relay device or communication interruption due to an attack, the process proceeds from step S35 to step S37. In the processing after this step S37, in order to continue tracking even if some of the relay devices fail, the ID of the neighboring relay device is added to the request schedule list from the relay device that could not transmit the tracking request message ( Step S37 to Step S43).

  First, in step S37, the tracking request message creating unit 24 initializes the contents of a candidate list in which candidates for the relay device Rn, which is a transmission destination of the tracking request message stored in a memory (not shown), are listed as empty. .

  Next, the tracking request message creating unit 24 refers to the topology map information in the topology map database 26 for the relay device that failed to transmit the tracking request message, and extracts the IDs of all adjacent relay devices from the relay device. The ID is added to the candidate list (step S38).

  Next, the tracking request message creation unit 24 extracts one relay device ID from the candidate list (step S39), and if the relay device ID is registered in the requested list or the requested schedule list (step S40). It is determined whether or not the candidate list is empty, and the processes after step S39 are repeated until the candidate list becomes empty (step S43).

  If the ID of the relay device extracted from the candidate list in step S39 is not registered in either the requested list or the requested schedule list (step S40), is the tracking function implemented in the relay device based on the topology map information? It is confirmed whether or not (step S41). If the tracking function is not implemented, the ID of the relay device is added to the requested list (step S44), and the process returns to step S38. On the other hand, when the tracking function is implemented (step S41), the ID of the relay device is added to the request schedule list (step S42), and the processes after step S39 are repeated until the candidate list becomes empty in step S43.

  As a result, the tracking request message creating unit 24, when a failure occurs in a part of the relay device Rn having the tracking function and the tracking request message cannot be transmitted, the tracking function close to the relay device Rn. Can be searched for and added to the request schedule list. When the relay device Rn registered in the topology map information as the relay device Rn having the tracking function becomes unable to receive the tracking request message, the relay device Rn is deleted from the topology map information and newly The ID of the relay device Rn added to the request schedule list may be added.

  On the other hand, the relay device Rn having the tracking function to which the tracking request message is transmitted from the tracking terminal M receives the tracking request message in step S4 of FIG. At this time, the relay device Rn sends a tracking request message to the data link layer interface 42 via the physical layer interface 41, and the data link layer interface 42 extracts the MAC frame and transmits it to the packet analysis unit 62. To do. When the packet analysis unit 62 refers to the frame data of the MAC frame and detects that it is a tracking request message, the packet analysis unit 62 stores the feature information included in the tracking request message in the feature information database 63 and stores the tracking ID, The upper limit value of the tracking information aggregation number, the upper limit value of the tracking information acquisition number, and the time for continuing the transmission source tracking process are transmitted to the transmission source tracking control unit 65. Then, the transmission source tracking control unit 65 operates the timer unit 64 to start measuring time for continuing the transmission source tracking process (step S5), and the relay device Rn starts the attack terminal from the normal mode in which only routing is performed. Transition to the tracking mode for specifying An. The MAC frame extracted by the data link layer interface 42 is also transmitted to the routing control unit 51. The routing control unit 51 refers to the routing table 52 from the destination address of the packet header included in the MAC frame. Then, since it recognizes that the IP packet is addressed to itself, the relay operation is not performed.

  When shifting to this tracking mode, the packet analysis unit 62 refers to the feature information database 63 and connects each interface (the front victim terminal V or the relay device Rn and the rear attack device An side relay device Rn are connected). Frame data is monitored for each port (step S6), and when the frame data is recognized as an IP packet (attack packet) to be tracked, that fact is transmitted to the source tracking control unit 65 (step S7). ). At this time, the source tracking control unit 65 relays the header of the MAC frame including the attack packet received by the relay device Rn from the packet analysis unit 62 and the attack packet by the router function unit 32 and stores it again in the MAC frame. When this is done, the header of the MAC frame is stored in a buffer (buffer not shown). That is, the IP address of the relay device R1 can be received as the IP address of the backward device from the tracking information message transmitted from the relay device R2 regarding the attack packet, and the IP address of the victim terminal V on the front side and the IP address of the relay device R2 can be received. A set of addresses can be acquired as forward link information, and a set of IP addresses of the relay device R1 and the relay device R2 on the rear side can be acquired as back link information.

  On the other hand, if the frame data being monitored is not a tracking target, it is determined whether or not the time for continuing the source tracking process has been exceeded (step S16), and if not, steps S6 and S7 are repeated. .

  When the tracking target IP packet is detected, the source tracking control unit 65 adds 1 to the tracking information aggregation number (step S8), and when the tracking information aggregation number exceeds the upper limit (step S9), A tracking information message is created (step S10). If the upper limit value of the tracking information aggregation number is not exceeded, the tracking information message is not created (step S10), and monitoring of IP packets for each interface is continued unless time is up (step S16, S16). Step S6, Step S7). Thus, a tracking information message is created and transmitted only when an IP packet that matches the characteristics of an attack packet is detected a plurality of times (when the upper limit value is exceeded).

  Further referring to the creation of the tracking information message described above, the source tracking control unit 65 uses the IP address of the tracking terminal M, which is the source of the tracking request message, as the destination address, and from the back link information, The MAC address of a certain relay device Rn is extracted. Next, the source tracking control unit 65 refers to the ARP table 53 from the extracted MAC address, obtains the IP address of the backward relay device Rn, and determines the IP address, tracking ID, forward link, and backward link. Each information is transmitted to the tracking information message creation unit 66. At this time, the attack packet data detected by the packet analysis unit 62 may be included in order to use it as a log indicating that there was an attack or to perform detailed analysis at the tracking terminal M or the like.

  The tracking information message creation unit 66 that has received these pieces of information creates packet data that stores the information and the tracking information (step S10), and transmits the packet data to the routing control unit 60. Note that this packet data may be configured by the above-described UDP or the like. Next, the routing control unit 51 refers to the routing table 52 for the IP address of the tracking terminal M that is the destination address, obtains a corresponding interface, and sends the packet data together with the interface information to the data link layer interface 42. And send. Then, a tracking information message including the above-described information is transmitted to the tracking terminal M (step S11).

  When the tracking information message is transmitted, the tracking terminal M detects that the tracking information message is the tracking information message transmitted from the relay device Rn having the tracking function, and the tracking information message The stored various information is transferred to the tracking information analysis unit 22 (step S20). The tracking information analysis unit 22 stores in the link list database 23 the time when the fact that the tracking information message has been detected, the tracking ID, the IP address of the backward device, the backward link information, and the forward link information are stored. Then, the tracking result information as shown in FIG. 4 is created (step S21).

  Next, the tracking terminal M passes the IP address of the rear device included in the tracking information message from the tracking information analysis unit 22 to the tracking control unit 25. Then, based on the IP address, the tracking control unit 25 creates a request schedule list that is a list of relay devices Rn having a tracking function as a transmission destination of the tracking request message thereafter (step S22). If there is an ID of the relay device Rn in the schedule list, the attack packet can be traced, so the process returns to step S3 and subsequent steps, and if the ID of the relay device Rn is not in the request schedule list, the attack packet cannot be traced. Therefore, the process ends.

  As shown in FIG. 8, the tracking control unit 25 first initializes the candidate list to be stored in the memory so that the IP address is not registered (step S51). Next, the rear device IP address included in the tracking information message received in step S20 is extracted (step S52).

  Next, the tracking control unit 25 determines whether or not the rear device IP address extracted in step S52 is the IP address of the relay device Rn registered in the topology map database 26 (step S53), and the relay device Rn. If it is not the IP address, the terminal is assumed to be a terminal that may be the attacking terminal An and added to the attacking terminal list, and the process ends (step S54).

  On the other hand, if the IP address acquired in step S52 is the IP address of the relay device Rn, the ID of the relay device corresponding to the IP address is added to the candidate list (step S55). Then, the next step S56 to step S61 performs the same processing as step S38 to step S44 in FIG. 7 to determine whether each relay device Rn added to the candidate list has been requested or whether it has a tracking function. If it is a relay device Rn that has been requested or has not been added to the request schedule list and has a tracking function, the relay device Rn is newly added to the request schedule list.

  By performing such processing, even if the relay device Rn corresponding to the rear device IP address included in the tracking information message does not have the tracking function, the tracking function near the relay device Rn can be performed. The relay device Rn having the tracking request message can be the transmission destination of the tracking request message, and the tracking of the attack packet can be continued.

  When the request schedule list is created in this way, in step S3, the source tracking function unit 33 refers to the request schedule list to obtain a relay device Rn having a tracking function as a destination of the tracking request message next time, The feature information stored in its own buffer is read from the tracking ID, and the tracking request, the tracking ID, the upper limit value of the tracking information aggregation number, the upper limit value of the tracking information acquisition number, the source source tracking process, are sent to the rear side device. The tracking request message including the time to continue the process and the read characteristic information is created, and the tracking request message is transmitted to the rear side device. By repeating such processing, the tracking information is sequentially stored in the link list database 23 of the tracking terminal M shown in FIG. 2, so that the attack terminal An and the like can be specified by connecting these pieces of information. Can do.

  By the way, paying attention again to the operation flow of the relay device Rn, after the tracking information message is transmitted to the tracking terminal M (step S11), the source tracking control unit 65 of the relay device Rn sets the tracking information acquisition number to 1. In addition (step S12), if the number of acquisitions exceeds the upper limit (step S13), the tracking process is terminated in order to prevent a large amount of tracking information messages from being transmitted. At this time, the tracking information aggregation number and the tracking information acquisition number are reset (step S14). On the other hand, if the upper limit of the number of tracking information acquisitions has not been reached, the tracking information message has already been transmitted, so the tracking information aggregation number is reset (step S15), and the time for continuing the source tracking process is exceeded. (Step S16). In step S16, an IP packet is received, but it is not a tracking target IP packet (attack packet) (step S7), or the upper limit value of the tracking information aggregation number has not been reached (step S9). In addition, it is determined whether or not to continue the source tracking process (step S16).

  Then, if the time for continuing the source tracking process has not been exceeded (step S16), the source tracking control unit 65 causes the packet analysis unit 62 to continuously monitor the packet data for each interface. (Step S6). On the other hand, if the time to continue the source tracking process has been exceeded (step S16), the tracking information message creating unit 66 is not requested to create the tracking information message, and the IP of the tracking target If the characteristics of the packet (attack packet) match even once (step S17), a tracking information message is created in the same manner as in steps S10 and S11 (step S18), and the created message is sent to the tracking terminal M. (Step S19).

"Example of operation of tracking terminal M and relay device Rn"
Next, in the tracking terminal M and the relay device Rn that perform the processing as described above, as shown in FIG. 9A, the attack terminal An is composed of the attack terminal A1 and the attack terminal A2, and the attack terminal A1 The attack packet P1a is transmitted to the victim terminal V via the relay device R4, the relay device R1, and the relay device R2, and the attack packet P1b is damaged by the relay device R6, the relay device R5, and the relay device R2 from the attack terminal A2. The case where it transmits to the terminal V is demonstrated. Here, the relay devices R1 and R5 do not have the tracking function, and the relay devices R2, R3, R4, and R6 have the tracking function and perform the processing shown in FIG. Further, it is assumed that the topology map database 26 of the tracking terminal M stores the topology map information shown in FIG.

  As shown in FIG. 9A, when the attack packet P1a is transmitted from the attack terminal A1 and the attack packet P1b is transmitted from the attack terminal A2, and the attack to the victim terminal V is started, the victim terminal V1 Then, attack packets P1a and P1b are received from the attacking terminals A1 and A2, respectively. At this time, the copy packets P2a and P2b of the attack packets P1a and P1b transmitted from the relay device R2 to the victim terminal V are transmitted to the tracking terminal M.

  When the tracking terminal M receives the copy packets P2a and P2b of the attack packet, the tracking terminal M performs attack detection by the IDS packet analysis unit 11 and the unauthorized access pattern database 12 of the IDS unit 2 and succeeds in detecting the attack (step S1). A tracking request message P3 including feature information (destination, protocol number, port number, other packet data portion, etc.) is transmitted to the relay device R2 having the tracking function closest to the victim terminal V by starting the tracking operation (step) S2, step S3). The relay device R2 that has received the tracking request message starts monitoring packets (steps S4 to S6).

  Next, as shown in FIG. 9 (b), when the attack packet P4 is transmitted again from the attack terminal A1, the relay device R2 obtains the characteristic information of the attack packets P1a and P1b previously acquired by the relay packet R4. Is checked (step S7). Then, when it is found that it matches the characteristics of the attack packet P1a, the IP address of the relay device R1 that is the IP address of the rear side device, the address pair of the relay device R1 and the relay device R2 that is the back link information, A tracking information message P5 including an address pair of the victim terminal V and the relay device R2 that is forward link information is transmitted to the tracking terminal M (steps S8 to S11).

  When the tracking information message P5 is received by the tracking terminal M (step S20), the tracking information analysis unit 22 creates tracking result information of the index “1” in FIG. 4 from the tracking information message P5 and includes it in the tracking information message P5. The IP address of the relay device R1, which is the IP address of the rear side device, is taken out (step S21). However, since it can be seen from the topology map information in the topology map database 26 that the relay device R1 does not have the tracking function, the tracking control unit 25 performs relaying with the relay device R3 adjacent to the relay device R1 instead of the relay device R1. Decide to send a trace request message to device R4. At this time, the tracking terminal M creates a request schedule list by performing the processes of steps S51 to S53 and steps S55 to S61 in FIG. Then, according to the request schedule list, the tracking terminal M transmits a tracking request message P6a to the relay device R3, and transmits a tracking request message P6b to the relay device R4 (steps S23 and S3).

  Next, as shown in FIG. 9C, when the attack packet P7 is transmitted again from the attack terminal A1, the attack packet P7 is received by the relay device R4. Since the attack packet P7 matches the feature information of the attack packet P1a, the relay device R4 matches the IP address of the attack terminal A1 that is the IP address of the backward device, the attack terminal A1 that is the backward link information, and the relay device R4. A tracking information message P8 including the address pair and the address pair of the relay device R1 and the relay device R4, which is forward link information, is transmitted to the tracking terminal M (steps S7 to S11).

  When the tracking information message P8 is received by the tracking terminal M (step S20), the tracking information analysis unit 22 creates tracking result information of the index “2” in FIG. 4 from the tracking information message P8 and includes it in the tracking information message P8. The IP address of the attacking terminal A1, which is the IP address of the rear side device, is taken out (step S21). Since the IP address of the attack terminal A1 does not correspond to any of the IP addresses of the relay device Rn stored in the topology map database 26, the IP address of the attack terminal A1 is stored in the attack terminal list (step S22). S51 to step S54).

  As a result, the tracking of the attack terminal A1 is completed, and the path until the attack packet P1a is received by the victim terminal V can be confirmed by referring to the fields of the indexes 1 and 2 in the link list database 23 and connecting them.

  Also, as shown in FIG. 10A, when the attack packet P9 is transmitted again from the attack terminal A1, the relay device R2 matches the feature information of the attack packet P1b acquired previously. Therefore (step S7), the IP address of the relay device R5 that is the IP address of the rear side device, the address pair of the relay device R5 and the relay device R2 that is the back link information, the victim terminal V that is the front link information, and the relay device A tracking information message P10 including an address pair with R2 is transmitted to the tracking terminal M (steps S8 to S11).

  When the tracking information message P10 is received by the tracking terminal M (step S20), the tracking information analysis unit 22 creates tracking result information of the index “3” in FIG. 4 from the tracking information message P10 and includes it in the tracking information message P10. The IP address of the relay device R5, which is the IP address of the rear side device, is extracted (step S21), but since the relay device R5 does not have the tracking function, the tracking control unit 25 causes the relay device R5 to Instead, the tracking request message P11 is transmitted to the relay device R6 adjacent to the relay device R5 (step S51 to step S53, step S55 to step S61, step S23, step S3).

  Next, as shown in FIG. 10B, when the attack packet P12 is transmitted again from the attack terminal A2, the attack packet P12 is received by the relay device R6. Since the attack packet P12 matches the feature information of the attack packet P1b, the relay device R6 matches the IP address of the attack terminal A2 that is the IP address of the backward device, the attack terminal A1 that is the backward link information, and the relay device R6. A tracking information message P13 including the address pair and the address pair of the relay device R5 and the relay device R6, which is forward link information, is transmitted to the tracking terminal M (steps S7 to S11).

  When the tracking information message P13 is received by the tracking terminal M (step S20), the tracking information analysis unit 22 creates tracking result information of the index “1” in FIG. 4 from the tracking information message P13 and includes it in the tracking information message P13. The IP address of the attacking terminal A2, which is the IP address of the back side device, is extracted (step S21). Since the IP address of the attack terminal A1 does not correspond to any of the IP addresses of the relay device Rn stored in the topology map database 26, the IP address of the attack terminal A2 is stored in the attack terminal list (step S22). S51 to step S54).

  Thus, the tracking of the attack terminal A2 is completed, and the path until the attack packet P1b is received by the victim terminal V can be confirmed by connecting the columns of the indexes 3 and 4 in the link list database 23.

  As shown in FIG. 11, when the transmission of the tracking request message fails due to a failure of the relay device R2 having the tracking function (step S35 → NO), the tracking control unit 25 uses the topology map information in the topology map database 26. Referring to FIG. 2, attention is focused on the relay device R1 and the relay device R5 that are adjacent to the relay device R2. However, since the relay device R1 and the relay device R5 do not have the tracking function, the tracking request messages P2a, P2b, and the relay device R3, the relay device R4, and the relay device R6 having the tracking function are referred to the topology map information. P2c is transmitted (step S37 to step S44, step S36 to step S34). As a result, the tracking terminal M can receive the tracking information message from the relay devices R3, R4, R6 having the tracking function even when the relay device Rn having a part of the tracking function fails, and the attack terminal A1 , A2 can be specified.

  Although FIG. 11 illustrates that the tracking request message is transmitted from the tracking terminal M to the relay devices R3, R4, and R6 without passing through the relay device R2, a problem occurs in the source tracking function unit 33. However, when the router function unit 32 of the relay device R2 is operating, the tracking request message can be transmitted via the relay device R2.

  Further, when the source search system has a small network configuration, the tracking terminal M is registered in the topology map information with reference to the topology map information in the topology map database 26 when an attack packet is detected. The tracking request message may be broadcast to all the relay devices Rn having the tracking function.

  In step S2 of FIG. 6 for initial setting of the request schedule list, such a tracking terminal M first relays all the tracking functions registered in the topology map information in step S71 as shown in FIG. The ID of the device Rn is added to the request schedule list. Then, in step S3 in FIG. 6, a process for extracting the IP addresses of all the relay devices Rn is performed in place of step S31 in FIG. 7, and the requested list is replaced as shown in step S72 in FIG. 12 instead of step S32. Are added with the IP addresses of all the relay devices Rn to create a tracking request message. Then, as shown in FIG. 13, the tracking request messages P1a, P1b, P1c, and P1d are transmitted to the relay devices R2, R3, R4, and R6 having the tracking function, respectively (steps S32 and S33).

  Thus, in the initial setting of the request schedule list in step S2 described above, only the nearest relay device Rn is registered in the victim terminal V, but the IDs of all relay devices Rn having a tracking function are added to the request schedule list. Thus, it is possible to speed up the process of tracking attack packets by sending the tracking request message all at once. Further, when the tracking request message is transmitted all at once, it is possible to avoid unnecessary transmission of the tracking request message by adding the relay device Rn having all the tracking functions to the requested list.

  Next, another tracking terminal M to which the present invention is applied will be described. As shown in FIG. 14, the tracking terminal M is connected to a communication line between the relay devices Rn or between the relay device Rn and the terminal, monitors packets passing through the communication line, and performs the tracking function described above. A source search system having dedicated tracking devices U1, U2, U3 (hereinafter simply referred to as “tracking dedicated device Un” when collectively referred to) that implement the functions of the source tracking function unit 33 in the relay device Rn. Prepared for. That is, this source search system has a source tracking function unit 33 that returns a tracking information message in response to a tracking request message, not in the relay device Rn but in the tracking dedicated device Un.

  As shown in FIG. 15, the tracking dedicated device Un includes a communication interface unit 71, a physical layer interface 81, and a data link layer having the same functions as those of the communication interface unit 31, the physical layer interface 41, and the data link layer interface 42 described above. Interface 82, packet analysis unit 62, feature information database 63, transmission source tracking control unit 65, tracking information message creation unit 66, packet analysis unit 91 having the same functions as timer unit 64, feature information database 92, transmission A source tracking function unit 72 including a source tracking control unit 94, a tracking information message creating unit 93, and a timer unit 95 is provided.

  In the configuration of the tracking dedicated device Un shown in FIG. 15, the source link function unit 72 does not show the data link address detection unit 61 or the ARP table 53 in FIG. It is assumed that the ARP function or correspondence table for converting to an address is installed in the source tracking control unit 94.

  When receiving the tracking request message from the tracking terminal M, the tracking dedicated device Un stores the tracking ID and the feature information included in the tracking request message in the feature information database 92, and matches the feature information with the IP. When a packet is detected, a tracking information message is returned to the tracking terminal M. At this time, the source tracking control unit 94 of the tracking dedicated device Un uses the IP of the relay device Rn in front of the passing link (packet transmission source) through which the attack packet has passed as forward link information or backward link information to be included in the tracking information message. The address and the IP address of the rear (packet transmission destination) relay device Rn are acquired, and the IP address of the packet transmission source side relay device Rn is acquired as the IP address of the rear device. Then, the tracking information message creation unit 93 creates the tracking information message in which the IP address of the relay device Rn ahead of the passing link and the IP address of the relay device Rn behind are used as the back link information, and no forward link information is stored. Then, the communication interface unit 71 transmits it to the tracking terminal M.

  When such a dedicated tracking device Un is provided in the transmission source search system, the topology map database 26 of the tracking terminal M includes topology map information defining the physical connection relationship between the relay devices Rn as shown in FIG. 17 and tracking device arrangement information that defines the connection relationship of the dedicated tracking device Un to the relay device Rn as shown in FIG. In the tracking device arrangement information, the ID of the tracking dedicated device Un, the IP address of the tracking dedicated device Un, and the ID of the adjacent relay device Rn are associated with each other. The tracking device arrangement information is input in advance by the input unit 4 and stored in the topology map database 26. Note that the topology map information shown in FIG. 16 is a case where all the relay apparatuses Rn do not have a tracking function. When the tracking control unit 25 of the tracking terminal M transmits the tracking request message, the tracking dedicated device Un is also included in the request schedule list.

  In the source search system having such a tracking dedicated device Un, in addition to the tracking request message transmission processing (steps S31 to S44) of FIG. 7 in step S3 described above, as shown in FIG. Following step S37, the processes of step S81 and step S82 are performed. Further, instead of step S62 of the request schedule list creation process of FIG. 8 in step S22 described above, the processes of step S91 and step S92 of FIG. 19 are performed.

  As shown in FIG. 18, the process in step S81 is performed after the tracking request message transmission to the relay device Rn having no tracking function fails (step S35) and the candidate list is initialized (step S37). The tracking-only device Un that is not registered in the requested list is added to the requested scheduled list and the requested list. Next, in step S82, the relay device Rn in which no tracking dedicated device Un exists between the adjacent relay devices Rn is searched from the topology map information and / or tracking device arrangement information, and the ID of the relay device Rn is selected as a candidate. Add to list.

  As a result, the ID of the relay device Rn added to the candidate list in step S82 is extracted in step S39, and the ID of the relay device Rn having no tracking function is “NO” in steps S40 and S41. The ID of the relay device Rn added to the requested list and having the tracking function is added to the requested schedule list in step S42.

  After that, when the tracking terminal M receives the tracking information message, the tracking device Rn stores the relay device Rn stored in the tracking information message and the ID of the relay device Rn that does not have the tracking function added to the candidate list, from step S58 to step S61. The process proceeds and is added to the requested list. On the other hand, the relay device Rn having the tracking function is added to the request schedule list in step S59.

  In step S91, the tracking control unit 25 adds all the tracking dedicated devices Un that are not in the requested list among the tracking dedicated devices Un adjacent to the relay device Rn to the request scheduled list and the requested list from the tracking device arrangement information. Thereafter, in step S92, the tracking control unit 25 selects the topology map information and the tracking dedicated device that have no tracking dedicated device Un among the relay devices Rn adjacent to the relay device Rn added to the candidate list in step S55. A search is made from the arrangement information, and all the IDs of the searched relay device Rn are added to the candidate list. As a result, the IDs of the relay devices Rn that do not have the tracking function added to the candidate list are all added to the requested list in step S61.

  As a result, when there is a dedicated tracking device Un during the tracking of attack packets, the tracking function of the relay device Rn can be used.

  In the source search system having such a tracking-dedicated device Un, as shown in FIG. 20A, the attack packet P1 from the attack terminal A1 passes through the relay device R4, the relay device R1, and the relay device R2. If the victim terminal V receives the attack, the tracking terminal M can detect the attack. Here, all the relay devices R1 to R5 do not have a tracking function, a tracking dedicated device U1 is provided between the attack terminal A1 and the relay device R4, and between the relay device R1 and the relay device R2. A tracking dedicated device U2 is provided, and a tracking dedicated device U3 is provided between the relay device R1 and the relay device R3. The topology terminal information shown in FIG. 16 and the tracking device arrangement shown in FIG. Information is stored.

  When an attack is detected by the tracking terminal M, the relay device R2 has no tracking function, so the topology map information and the tracking device arrangement information are referred to, and the relay device is used as the tracking dedicated device Un adjacent to the relay device R2. A tracking request message P2 is transmitted to the IP address of the dedicated tracking device U2 connected to the passing link between R2 and the relay device R1. As a result, the tracking-dedicated device U2 starts monitoring the IP packet flowing through the passing link between the relay device R1 and the relay device R2.

  Next, as shown in FIG. 20 (b), when the attack packet P3 is transmitted again from the attack terminal A1, the tracking-dedicated device U2 determines that the attack packet P3 includes the characteristic information of the attack packet P1 acquired previously and Since they match, the tracking information message P4 including the IP address of the relay device R1 that is the IP address of the rear side device and the address pair of the relay device R1 and the relay device R2 that is the back link information is transmitted to the tracking terminal M.

  When the tracking information message P4 is received by the tracking terminal M, the tracking terminal M extracts the IP address of the relay device R1 as the IP address of the rear side device included in the tracking information message P4. The information does not have a tracking function. Accordingly, the tracking terminal M determines from the tracking device arrangement information to transmit a tracking request message to the tracking dedicated device U3 and the tracking dedicated device U1, and sends the tracking request messages P5a and P5b to the tracking dedicated terminals U3 and U1. Send.

  Next, as shown in FIG. 20 (c), when the attack packet P6 is transmitted again from the attacking terminal A1, the tracking apparatus U1 can detect the attack packet P6 and attack it as the IP address of the rear side device. A tracking information message P7 including the IP address of the terminal A1 can be transmitted to the tracking terminal M. Then, the tracking terminal M confirms that the IP address of the attacking terminal A1 is not included in the topology map information, and can store the IP address of the attacking terminal A1 as the attacking terminal.

  As described above, by providing the tracking dedicated device Un, even when the relay device Rn having the tracking function does not exist in the existing system, the relay device can be simply inserted between the relay devices Rn. The attack packet can be traced only by an external device without exchanging Rn. Moreover, even when the relay device Rn having the tracking function exists in the source search system, the probability that the tracking information message can be received by the tracking terminal M is increased by adding and inserting the dedicated tracking device Un. It is possible to improve the tracking accuracy of attack packets.

  The above-described embodiment is an example of the present invention. For this reason, the present invention is not limited to the above-described embodiment, and various modifications can be made depending on the design and the like as long as the technical idea according to the present invention is not deviated from this embodiment. Of course, it is possible to change.

It is a system diagram of a transmission source search system including a relay device having a tracking function. It is a block diagram which shows the structure of the tracking terminal to which this invention is applied. It is a figure which shows an example of topology map information. It is a figure which shows an example of the tracking result information produced from the several tracking information message. It is a block diagram which shows the structure of the relay apparatus which has a tracking function. It is a flowchart which shows the processing procedure of a tracking terminal and the relay apparatus which has a tracking function in the transmission source search system provided with the relay apparatus which has a tracking function. It is a flowchart which shows the process sequence of the transmission process of a tracking request message in the transmission source search system provided with the relay apparatus which has a tracking function. It is a flowchart which shows the process sequence of the preparation process of a request schedule list | wrist in the transmission source search system provided with the relay apparatus which has a tracking function. (A) is a flow chart of a packet in which an attack packet is transmitted from the attacking terminal A1 and the attacking terminal A2 and a tracking request message is transmitted from the tracking terminal M to the relay apparatus R2, and (b) is a tracking information message from the relay apparatus R2 to the tracking terminal M. Is a flow chart of a packet in which a tracking request message is transmitted from the tracking terminal M to the relay devices R3 and R4, and (c) is a packet flow in which a tracking information message that can identify the attack terminal A1 is transmitted from the relay device R4 to the tracking terminal M. It is a flowchart. (A) is a flowchart of a packet for transmitting a tracking request message P11 from the tracking terminal M to the relay device R6, and (b) is a flowchart of a packet for transmitting the tracking information message P13 from the relay device R6 to the tracking terminal M. It is a system figure for demonstrating a process when a failure generate | occur | produces in the relay apparatus which has a tracking function which comprises a transmission source search system. It is a flowchart which shows the process sequence of the process which broadcasts a tracking request message to the relay apparatus which has a tracking function from a tracking terminal. It is a system diagram which distributes a tracking request message simultaneously from a tracking terminal to a relay device having a tracking function. It is a system diagram which shows the structure of the transmission source search system which inserted the apparatus only for tracking between relay apparatuses. It is a block diagram which shows the structure of the apparatus only for tracking. It is a figure which shows the other structure of topology map information. It is a figure which shows the structure of tracking apparatus arrangement | positioning information. It is a flowchart which shows the process sequence of the transmission process of the tracking request message by a tracking terminal in the transmission source search system provided with the apparatus for tracking. It is a flowchart which shows the process sequence of the preparation process of the request plan list | wrist by a tracking terminal in the transmission source search system provided with the apparatus for tracking. (A) is a flow chart of a packet for transmitting a tracking request message to the tracking dedicated device U2, and (b) is a tracking information message P4 transmitted from the tracking dedicated device U2 to the tracking terminal M, and the tracking terminal M from the tracking dedicated device U1, U3. (C) is a flowchart of a packet in which a tracking information message that can identify the attacking terminal A1 is transmitted from the tracking-only device U1 to the tracking terminal M.

Explanation of symbols

Rn relay device An attacking terminal M tracking terminal Un tracking dedicated device V victim terminal 1 communication interface unit 2 IDS unit 3 source tracking unit 4 input unit 11 IDS packet analysis unit 12 unauthorized access pattern database 13 unauthorized access statistics database 21 tracking information message Detection unit 22 Tracking information analysis unit 23 Link list database 24 Tracking request message creation unit 25 Tracking control unit 26 Topology map database 31, 71 Communication interface unit 32 Router function unit 33, 72 Source tracking function unit 41, 81 Physical layer interface 42 , 82 Data link layer interface 51 Routing control unit 52 Routing table 53 ARP table 60 Routing control unit 61 Data link address detection unit 62, 91 Tsu DOO analyzer 63,92 characteristic information database 64,95 timer section 65,94 source tracking controller 66,93 tracking information message generator

Claims (2)

A source tracking device that tracks the source of an attack packet transmitted from an attacking terminal and received by a victim terminal via a plurality of relay devices,
From the characteristics of the packet received at the victim terminal, packet analysis means for detecting the attack packet;
When a packet having the same characteristics as the characteristics of the attack packet analyzed by the packet analysis means and the attack packet is relayed, a combination of a source address of the packet and its own address and transmission of the packet A tracking request message creating means for creating a tracking request message including a request for returning a tracking information message including a pair of a destination address and a self address;
Storage means for storing topology map information describing a physical connection relationship of a relay apparatus having a function of creating the tracking information message and a relay apparatus having no function of creating the tracking information message;
Referring to the topology map information, tracking request message transmission for transmitting the tracking request message created by the tracking request message creating means to the relay device having the function of creating the tracking information message among the plurality of relay devices. Means,
Tracking information analysis means for identifying the source of the attack packet by connecting addresses included in the tracking information message from the relay device having a function of creating the tracking information message,
The tracking information message transmission means refers to the topology map information from the transmission source address included in the tracking information message and creates the tracking information message that exists on the transmission source side of the relay apparatus that transmitted the tracking information message. A transmission source tracking device, characterized in that a tracking request message is transmitted to a relay device having a function of: A source tracking device that tracks the source of an attack packet transmitted from an attacking terminal and received by a victim terminal via a plurality of relay devices,
From the characteristics of the packet received at the victim terminal, packet analysis means for detecting the attack packet;
When a packet having the same characteristics as the characteristics of the attack packet analyzed by the packet analysis means and the attack packet is detected, a combination of the source address of the packet and its own address and transmission of the packet A tracking request message creating means for creating a tracking request message including a request for returning a tracking information message including a pair of a destination address and a self address;
The topology map information describing the physical connection relationship of the relay device and the packet connected to the communication line through which the attack packet passes and relayed by the relay device through the communication line are received, and the tracking Storage means for storing tracking device arrangement information describing a connection relationship between the dedicated tracking device having a function of creating an information message and the relay device;
A tracking request message transmitting means for referring to the topology map information and the tracking device arrangement information and transmitting the tracking request message created by the tracking request message creating means to the tracking dedicated device;
Tracking information analysis means for identifying the source of the attack packet by connecting addresses included in the tracking information message from the tracking dedicated device,
The tracking information message transmission means exists on the transmission source side of the dedicated tracking apparatus that has transmitted the tracking information message by referring to the topology map information and the tracking apparatus arrangement information from the transmission source address included in the tracking information message. A source tracking device, wherein a tracking request message is transmitted to a tracking dedicated device.

Images