JP2007104472A - Apparatus and method for acquiring statistic data - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To obtain an apparatus and method for improving memory utilization efficiency so as to immediately obtain a plurality of distribution statistic data from a section memory. <P>SOLUTION: A statistic data acquiring apparatus of the present invention comprises: a table 3b for storing, in a section memory, a combination of a transmission source device, a transmission destination device and attributes of those devices included in information of a transmission packet, as an entry and storing assignment of a counter corresponding to the entry; a table storage unit 3 for comparing information included in the transmission packet with entries in the section memory and storing, as a new entry, information of which any one of the transmission source device, the transmission destination device and the attributes is different from those of the entry; a counter unit 5 which updates a counter value if the information included in the packet to be transmitted is the same as the entry; and an information collection unit 6 which sets a mask value indicating whether to be collected or not to the information of the transmission source device, the transmission destination device and the attributes and obtains statistic data by scanning the entries in the section memory using said mask value. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  In order to grasp various accesses, intrusions, attacks, etc. on the network, it is necessary to place a device on the network and statistically grasp where and what information has entered. The present invention relates to a statistical data acquisition apparatus and method for grasping information contents on such a network.

In a system for transmitting and receiving social information, the network becomes complicated, and it is necessary to statistically grasp the information content and perform various analyzes as described above. The statistical information is a counter value that is counted for each unit under certain conditions, and certain information is obtained from the counter value for each unit.
Here, a case is considered in which the number of packets exchanged between terminals in a certain network is counted.
In an IP (Internet Protocol) network, a certain address is 32 bits. If the subnet prefix length is 24 bits, the number of terminals in the subnet is the remaining 8 bits, that is, a maximum of 256 terminals.

There is a conventional method for statistically obtaining a value by counting outgoing / incoming data as the number of packets for each address range from 0 to 255. Specifically, a memory matrix composed of 256 types of transmission source × 256 types of transmission destination is prepared, that is, a memory of 65536 sections is prepared, and the number of packets obtained in this matrix memory is set for each section. There are ways to count. This counter matrix is called a distribution counter because it indicates the distribution state of the traffic within the subnet of interest.
Further, in a session established by the TCP (Transmission Control Protocol) protocol over IP, a packet of a protocol other than TCP may flow. In abnormal communications due to attacks, such as port scans to servers, the frequency of occurrence of such packets increases, and there is an increasing demand for capturing these characteristics.
However, although the method using the distribution counter requires a lot of space capacity resources, there are actually many blanks and there is a problem in space efficiency.
Furthermore, since the transmission source and transmission destination are actually composed of a plurality of elements such as {address, port}, in order to obtain statistical data with attributes such as subdivided addresses, distribution according to the attributes It is necessary to prepare multiple counters.
For example, for the communication distribution between addresses, the 256 × 256 inter-address distribution counter shown in FIG. 9 is provided as described above. Furthermore, in order to detect a search attack for the port disclosure status of a specific address in the subnet, so-called port scan attack, a mechanism for further determining the port type is required for each counter of the inter-address distribution counter of this 65536 section. It becomes.

In order to improve the disadvantage that a large memory area of the distribution counter is required, according to Patent Document 1, “Packet Transfer Device and Statistics Collection Method with Statistics Collection Device”, the number of memories in the sections constituting the matrix As a contrivance to reduce the number, if either the source or destination is a new address, a new section is allocated, the necessary sections are increased, and a method for obtaining statistics from the number of memory counters of the section later is shown. ing.
JP-A-2005-51736

The conventional distribution counter is configured as described above, and there is a problem that the space utilization efficiency of the memory is low and it is necessary to provide a more detailed distribution counter in order to obtain different statistical information.
In addition, there is a request for acquiring statistical information for packets other than TCP flowing in the session in consideration of the session. The session is specified by the {address, port} information of the transmission source and the transmission destination. Even in the same session, header information included in packets of protocols other than TCP often does not have port information. For this reason, in the conventional apparatus arrange | positioned on a network, a session cannot be specified only from the header of a packet, but there exists a subject that statistical information is acquired as a packet which does not belong to any session. That is, the correct grasp cannot be made, leading to oversight of an attack sign.
The second conventional example disclosed in Patent Document 1 can also improve the memory utilization efficiency, but does not describe that various statistical information can be easily obtained. Further, there remains a problem that detailed information cannot be obtained for a packet having a protocol other than TCP.

The present invention has been made to solve the above-described problems, and as a statistical data acquisition device for collecting and analyzing statistical information on various accesses, intrusions, attacks, etc. on a network, the number of memory in a section is reduced. Thus, an apparatus and a method for improving the memory utilization efficiency and obtaining a plurality of distribution statistical data immediately from the memory of the section are obtained.
Furthermore, by adding an additional component, it is possible to acquire statistical information in consideration of a session even for a packet having no port information.

The statistical data acquisition apparatus according to the present invention is:
In a statistical data acquisition device that collects information included in a packet transmitted from an arbitrary transmission source device to another arbitrary transmission destination device and acquires it as statistical data,
A table for storing the transmission source device, the transmission destination device, and combinations of attributes of these devices included in the information as an entry and storing them in a section memory, and storing an assignment of a counter corresponding to the entry;
The information contained in the transmitted packet is compared with the entry stored in the section memory, and any one of the transmission source device, transmission destination device, and attribute of the information is different from the entry. A table storage unit that determines that the entry is a new entry, allocates the section memory, and instructs the table to store,
If the information included in the transmitted packet is the same as the entry stored in the table, a counter unit that updates the value of the counter assigned corresponding to the entry;
A mask value indicating whether or not to collect is set in each of the information of the transmission source device, the transmission destination device, and the attribute, and the section memory entry is scanned based on the set mask value. And an information collecting unit for obtaining statistical data based on the value of the counter,
It is equipped with.

As described above, according to the present invention, by setting the mask value, there is an effect that the apparatus scale is small and various statistical information can be easily obtained.
Furthermore, since it is determined whether the packet includes a cause header, even if different protocols flow in the same session, there is an effect that statistical information can be acquired in consideration of the session.

Embodiment 1 FIG.
A data information statistical data acquisition apparatus and method for collecting, acquiring, analyzing, and editing information on various accesses, intrusions, attacks, and the like on a network will be described.
This method pays attention to the section of the distribution counter, allocates memory to each newly communicated section, stores a plurality of attribute values in this memory, and easily obtains distribution statistics for each attribute. . Therefore, it is not necessary to secure all entries in advance in the search table of this method, and since the communication entry is dynamically created, the memory utilization efficiency is good.

First, the concept of the section memory allocation method will be described with reference to FIG.
When a certain packet is input, the {address, port} information of the transmission source device and the transmission destination device is extracted, and a search is made as to whether there is corresponding information in the table configured by the memory of the existing section.
If the corresponding information does not exist, the information is treated as a new entry, and the section memory is allocated and added at the end of the table. Here, the entry 101 and the like indicate information such as addresses 111 and 112 in the table, a mask value indicating whether the information is to be collected as statistical data, and a return value for the entry. If any of them are different, they are treated as new entries.
Here, the mask value is correctly required when acquiring distribution statistical data. When recording the frequency of packets from any source to any destination, not all data is valid. must not. Therefore, all mask values are valid when a packet is analyzed and assigned to a section. In FIG. 1B, from the time t2, the mask value is invalid at the transmission source port. Specifically, at the stage of collecting the distribution statistical data, all are set valid at the time t1, and changed at the time t2. An example is shown.
There are two types of information viewed from the return value, one is a corresponding type flag which is a 4-bit flag indicating validity / invalidity of the area, and the other is an ID (identifier) of a counter corresponding to an entry in the table. The counter ID 122 may be the order in which the entries are assigned, or may be assigned a free counter number.
If the corresponding information exists, a return value is output as a result of the table search, so the numerical value counted by the counter corresponding to the counter ID 122 included in the return value is updated. That is, the counter value advances and the statistical data value of the section only advances.

When a counter value is acquired as statistical data after observation for a predetermined period, an inquiry is made in the same manner as the table search, the counter ID 122 is obtained from the return value, and the counter value is read out.
The initial value of the return value is initialized with a value indicating “not applicable”. In this way, if there is no corresponding entry as a result of the table search, it can be known that there is no entry.
In the table search, it is only necessary to collect information on the area where the mask value is valid.

Next, the configuration of the network distribution statistical data acquisition apparatus according to the present embodiment will be described.
First, in the statistical data acquisition device search table of FIG. 1, a memory corresponding to a section (section memory) is allocated for each new entry, and thereafter, the section memory is sequentially lowered every time a new entry is generated. Go assigned.
FIG. 2 is a diagram illustrating a configuration example of the network distribution statistical data acquisition apparatus 1. This apparatus comprises a sequencer unit 2, a table storage unit 3, a section memory (table) 3b, a return value storage unit 4, a frequency counter unit 5, and a table setting value information collection unit 6 for collecting statistical data. Is done. The sequencer unit 2 that checks the source address, destination address, and attribute of the input packet further includes a search key generation unit 21 such as an address, and a counter update unit 22 that sets a counter value as a statistical value to the latest value. .
The table 3b is suitably a CAM (Content Addressable Memory). When implemented by software, a normal memory is used instead of the CAM, and the table is stored in a tree structure. And a CPU (Central
Processing Unit) or NPU (Network Process)
ing Unit) for searching and storing. The return value storage unit 4 may be an SRAM.
These components are usually composed of hardware. However, some components such as the sequencer unit 2 may be implemented by software in which a function described in an operation flow described later is incorporated in a memory (not shown) by a program, and is read and executed by a processor (not shown).

Next, the table writing operation of this network distribution statistical data acquisition apparatus will be described with reference to FIG.
Until then, the statistical data acquisition apparatus waits for packet reception in S31, and when the packet is input to the sequencer unit 2, the search key generation unit 21 searches for {address, port} information of the transmission source and transmission destination in S32. Extract as a key. In step S33, it is checked whether the same entry already exists in the table 3b by using the search key extracted from the table storage unit 5.
If the entry is a new entry as a result of the search, the table storage unit 3 assigns the new entry to the memory in S34, and the table setting value corresponding to the entry is stored in the table.
If the same entry already exists in the memory in S33 and hits, the memory hit address is input to the return value storage unit 4, the return value is extracted, and the counter update unit 22 is notified in S35. Then, the counter unit 5 advances the counter value of the counter having the corresponding counter ID in accordance with the instruction that the hit has been made.

Next, the fact that various statistical information corresponding to the distribution counter can be acquired with this configuration will be described with reference to FIG. 4 showing an operation flow in the case of acquiring statistical information, with some information examples.
In the following description of the present specification, the title 4′bxxxx represents a 4-bit binary number xxx. In addition, mask values that may be invalid are set at the stage of collection. For example, in the example of FIG. 1, after a certain point in time, for example, after the time t2 when the entry 1 is recorded, the transmission source port is not seen, that is, it is set as invalid and statistical data is obtained. Further, which mask value can be invalidated is determined, for example, by looking at the upper 4 bits of the source address.

1) Obtaining the number of packets by address Obtain the most representative address x address distribution statistics. If an entry whose correspondence type flag is 4′b11 ** (* represents don't care, that is, any numerical value) is collected, this becomes a distribution counter for each address.
In this case, the table setting value information collection unit 6 sets the specified 4′b11 ** mask value as valid for the transmission source address 111 and the transmission destination address 112 for the specified mask value of 4′b11 ** in S41. In step S42, the information collection unit 6 sequentially examines the table shown in FIG. 1 in the memory using the valid flag 4′b11 ** in the above example. In S43, the information collection unit 6 adds a counter value of the corresponding entry group to obtain a numerical value. This is repeated as long as necessary information remains in S44, and if there is no valid mask target information, the process ends.

2) Acquisition of statistics by address × port When the correspondence type flag 121 collects entries of 4′b11 * 1, this becomes address × statistic information by port.
FIG. 5 is a network configuration diagram used for explaining the statistical information. In the figure, a server 8 constitutes a network with a plurality of clients 7, and a network distribution statistical data acquisition apparatus 1 in the present embodiment is arranged on the way. The server 8 performs WEB connection at the port 80, SSL connection at the port 443, and proxy connection at the port 8080.
In this network state, the statistical information of 4′b11 * 1 indicates how many packet communications have been made from the client 7 having the specific transmission source address to the specific port of the server 8 having the specific transmission destination address, for example, the port 80. , Can be examined.

3) Statistics acquisition of port × port-specific distribution When the corresponding type flag collects 4′b ** 11 entries and obtains respective counter values, this becomes a port-specific distribution counter. The above operation is performed by the table setting value information collection unit 6 according to the flow of FIG.

Embodiment 2. FIG.
Next, a configuration in which information is identified for different protocols and a value is obtained will be described.
In FIG. 5 above, when a client 7 requests that a client 7 establish a session to a port number other than the port on which the server 8 is providing a service, and sends a TCP protocol SYN packet, the port is ICMP type = 3 (= Destination Unreachable) indicating that the service is out of service is returned. When the server 8 is a port providing service, a TCP ACK packet is transmitted from the server 8 to the client 7.
This method is used for port scanning, which is one of the attacking actions on the network. In other words, session requests are sent to the server's random port numbers one after another, and the server's service is determined based on the reaction.

In order to detect an attack such as a port scan from the statistical information, it is necessary that the TCP packet, which is a session request thrown first, and the ICMP packet thrown later are counted as the same session.
However, since ICMP does not have port information, it is regarded as another session.
On the other hand, the ICMP packet generated by the previous communication described above includes the IP header of the packet causing the generation and the subsequent 8 bytes in the packet. This internal header is called a cause header. For the cause header, the outer header is called a normal header. A typical configuration example is shown in FIG.
As is apparent from the figure, the header 62 of the TCP SYN packet 61 and the cause header 68 of the ICMP packet 66 that is the response are the same. Therefore, the header analysis by the apparatus having the configuration shown in FIG. 2 is performed for ICMP type = 3. Is performed on the internal cause header, so that the statistical information is acquired with the same entry as the TCP packet that came before that. Thus, both are recorded in the statistical information as the same session.

FIG. 7 shows a configuration of the information collecting apparatus 1b that regards information of different parts as the same as other equivalent information.
That is, in the figure, a special packet determination key generation unit 23 is provided before the search in the sequencer unit 2, and a special packet determination unit 9 that performs a search using the special key obtained here is further provided.

The operation of this component apparatus will be described with reference to FIG. 8 showing a changed part from FIG.
When an ICMP packet comes as an input of a packet, the answer is Yes in S82, and the special packet determination key generation unit 23 extracts the type value from the outer header and passes it to the special packet determination unit 9. If it is not an ICMP packet, nothing is performed and the packet is passed to the next search key generation unit 21 to perform the operation described in the first embodiment.
In step S83, the special packet determination unit 9 that has received the notification determines whether to view the normal header or the cause header outside the ICMP packet in the search table, and notifies the search key generation unit 21 of the determination. Specifically, when the type value is 3, 4, 5, or 11, the cause header 68 is included, so the special packet determination unit 9 notifies that the table search key is generated from the cause header, and otherwise Normally tells you to see the header.
Subsequent operations are the same as those in the first embodiment.
In general, the special packet determination unit 9 preferably refers to a table in consideration of application to a packet generated due to some kind of communication. That is, in the reference table, the transmission source address, the transmission destination address, and the attribute are described in the area to be referred to, and it is checked whether these are within the target range.

The special packet determination unit 9 generates a table search key from the outer header or the cause header based on the determination result, and notifies the search key generation unit 21 of the search key.
Thereafter, the search key generation unit 21 that has received the notification performs the operation described in the first embodiment.
As a result, even when different protocols flow in the same session, statistical information can be acquired in consideration of the session.
The addition of this additional component is also effective when a protocol is included in the search parameter of the search table.

Embodiment 3 FIG.
In each of the embodiments described above, the mask for designating whether or not to collect the table setting value information is only valid / invalid.
However, more detailed information can be obtained by providing the mask length in bit units instead of region units. Specifically, for example, if the address length is 16 bits and the mask of the address is 8 bits when obtaining statistical information, entry information that matches the 8 bits with the set value can be obtained.
Such a change is accompanied by an increase in the amount of processing if it is performed by executing a program as software, but can be implemented without deterioration in processing speed by realizing it by using, for example, a CAM as a hardware configuration. .

In the above statistical information collection devices 1 and 1b, the counter value is counted corresponding to each entry. However, instead of a counter associated with an entry in the search table, it is possible to associate not only a single counter but also an entry composed of a plurality of counters. Specifically, a counter for integrating the number of packet data is separately prepared as a counter corresponding to the entry, and the number of data is analyzed and counted every time there is an entry.
In this way, when the counter value is viewed later in order to obtain statistical information, the frequency counter value and the integrated data value are simultaneously obtained for the corresponding entry.

As explained above, according to this configuration, statistical information such as various accesses, intrusions, attacks, etc. on the network can be collected and analyzed, and writing is performed for each section corresponding to the new entry. A single memory group can be used for writing and reading, and a plurality of types of distribution statistics can be acquired from these single memory groups. Accordingly, there is no need to have a plurality of distribution counters of the same matrix form in a three-dimensional manner corresponding to attributes such as ports. That is, since it is sufficient to dynamically secure the memory of the section in which the entry exists, a simple device configuration with high memory utilization efficiency can be obtained, and statistical information can be easily obtained.
Furthermore, by providing a new component for determining whether or not the packet includes a cause header, statistical information can be acquired in consideration of the session even when different protocols flow in the same session.
In the above description, the configuration and operation are mainly described as hardware devices. However, as a method of storing a program having the operation flow shown in FIGS. 3 and 4 in a memory and reading and executing these programs by a general-purpose processor, Similar effects can be obtained.

It is a figure which shows the search table of the statistical data acquisition apparatus of the network distribution in Embodiment 1 of this invention. 1 is a diagram illustrating a configuration of a network distribution statistical data acquisition apparatus according to Embodiment 1. FIG. FIG. 10 is a diagram showing a table writing operation flow of the network distribution statistical data acquisition apparatus according to the first embodiment. 6 is a diagram showing a table read operation flow of the network distribution statistical data acquisition apparatus according to Embodiment 1. FIG. 2 is a network configuration diagram for explaining statistical information in Embodiment 1. FIG. It is a figure which shows the header format of the ICMP packet of TCP SYN used in Embodiment 2 of this invention, and a response. 6 is a diagram illustrating a configuration of a network distribution statistical data acquisition apparatus according to Embodiment 2. FIG. FIG. 10 is a diagram illustrating a different part of a table writing operation flow of the network distribution statistical data acquisition apparatus according to the second embodiment. It is a figure which shows the example of a distribution counter.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Statistical data acquisition apparatus, 2 Sequencer part, 3 Table storage part, 3b Table (memory), 4 Return value storage part, 5 Counter part, 6 Information collection part, 7 Client, 8
Server, 9 special packet determination unit, 21 search key generation unit, 22 counter update unit, 23 special packet determination key generation unit, 61 TCP SYN packet, 62 TCP SYN normal header, 66 ICMP, 67 ICMP normal header, 68 ICMP cause header , S32 transmission source / destination address / port extraction step, S34 memory allocation numerical value storing step for new entry, S35 counter value incrementing step for existing entry, S41 entry check corresponding to specified mask, S42 statistical information acquisition step, S82 special packet determination Step, S83 Cause header reference designation step.

Claims (6)

In a statistical data acquisition device that collects information included in a packet transmitted from an arbitrary transmission source device to another arbitrary transmission destination device and acquires it as statistical data,
A table for storing the transmission source device, the transmission destination device, and a combination of attributes of these devices included in the information as an entry and storing them in a section memory, and storing an assignment of a counter corresponding to the entry;
The information contained in the transmitted packet is compared with the entry stored in the section memory, and any one of the transmission source device, transmission destination device, and attribute of the information is different from the entry. A table storage unit that determines that the entry is a new entry, allocates the section memory, and instructs the table to store,
If the information included in the transmitted packet is the same as the entry stored in the table, a counter unit that updates the value of the counter assigned corresponding to the entry;
A mask value indicating whether or not to be collected is set in the information of the transmission source device, the transmission destination device, and the attribute, and the entry of the section memory is scanned based on the set mask value. And an information collection unit that obtains statistical data from the value of the counter. A special packet determining unit that analyzes a transmitted packet and determines whether or not the transmitted packet to be analyzed is suitable for comparison with an entry based on information in an internal header different from a normal header And
The table storage unit, when the special packet determination unit determines that the comparison by the information of the internal header is appropriate for the transmitted packet, the information of the transmission source device, the transmission destination device and the attribute in the internal header, 2. The statistical data acquisition apparatus according to claim 1, wherein the statistical data acquisition apparatus is compared with an entry stored in the section memory.   2. The statistical data acquisition apparatus according to claim 1, wherein the information collection unit sets a mask value set with an arbitrary bit configuration and obtains a counter value of an entry corresponding to the set mask value. In a statistical data acquisition method for collecting information included in a packet transmitted from an arbitrary transmission source device to another arbitrary transmission destination device and acquiring it as statistical data,
Treating the transmission source device, the transmission destination device and a combination of attributes of those devices included in the information as entries and storing them in a section memory, and storing an assignment of a counter corresponding to the entries;
The information contained in the transmitted packet is compared with the entry stored in the section memory, and any one of the transmission source device, transmission destination device, and attribute of the information is different from the entry. A comparison / storage step of determining that the entry is a new entry, allocating the section memory, and instructing storage in the section memory;
If the information contained in the transmitted packet is the same as the entry stored in the section memory, updating the value of the counter assigned corresponding to the entry;
Setting a mask value as to whether or not to be collected in the information of each of the transmission source device, the transmission destination device, and the attribute;
A statistical data acquisition method comprising: scanning the section memory entries based on the set mask value to obtain statistical data from the counter value. A special determination step of analyzing a transmitted packet and determining whether or not the transmitted packet to be analyzed is appropriate for comparison with an entry based on information of an internal header different from a normal header And
When the comparison / storage step determines that the comparison based on the information in the internal header is appropriate for the packet transmitted in the special determination step, information on the transmission source device, the transmission destination device, and the attribute in the internal header 5. The statistical data acquisition method according to claim 4, wherein the data is compared with an entry stored in the section memory. In the step of setting the mask value, the mask value set in an arbitrary bit configuration is set on the section memory corresponding to the requested information collection contents,
5. The statistical data obtaining method according to claim 4, wherein the step of obtaining statistical data obtains data based on a counter value of an entry corresponding to the set mask value.

Images