JP2007143020A - Repeater and program for repeater - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To surely discard an attack packet without enabling an attacker to know a defense pattern such as detection rules. <P>SOLUTION: A distributed data generation section generates distributed data at normal time and abnormal time regarding an input packet, a distributed data management section manages distributed data generated by the distributed data generation section, and an abnormality degree calculation section calculates an abnormality degree on the basis of the normal time distributed data and the abnormal time distributed data managed by the distributed data management section. A packet control section then judges packet passing/cutoff on the basis of the abnormality degree calculated by the abnormality degree calculation section, and a packet to be passed is output. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a relay device and a relay device program that are provided on a network and perform relay control of a packet that circulates through the network, and in particular, an attack packet can be reliably identified without an attacker knowing a defense pattern such as a detection rule. The present invention relates to a relay device and a relay device program that can be discarded.

  In recent years, network attacks that interfere with networks provided by service providers have become a problem. This network attack is, for example, a DoS attack (Denial of Service) in which a malicious attacker places a load on the network by sending a large number of packets to the network, thereby blocking the service of the network service provider. And DDoS attacks (Distributed Denial of Service) are known.

  In order to protect communication devices (such as server devices) connected to the network from these attacks, various attack defense methods have been proposed. For example, in Patent Document 1, a detection rule for detecting an attack packet is registered in a relay device such as a router that relays a packet circulating on the network, and the relay device discards the attack packet based on the detection rule. Techniques to perform are disclosed.

JP 2005-039721 A

  However, when the relay device disclosed in Patent Document 1 is used, if the above-described detection rule is known to the attacker, the attacker can start a new attack while avoiding the detection rule. . That is, since a relay device of a type that holds a detection rule has a risk that the detection rule may be leaked to an attacker, such a relay device cannot reliably discard an attack packet. Was left.

  For this reason, how to realize a relay device that can reliably discard attack packets without the attacker knowing a defense pattern such as a detection rule is a major issue.

  The present invention has been made to solve the above-described problems caused by the prior art, and is a relay device and a relay device program capable of reliably discarding attack packets without the attacker knowing the defense pattern The purpose is to provide.

  In order to solve the above-described problems and achieve the object, the invention according to claim 1 is a relay device that is provided on a network and performs relay control of a packet that circulates through the network. A distribution data generating unit that targets at least one attribute selected from the above, divides a possible value of the attribute value of the attribute into a plurality of areas, and generates distribution data for the number of packets belonging to each area; And a packet passage control means for controlling the passage / blocking of the packet based on the distribution data generated by the data generation means.

  In the invention according to claim 2, in the above invention, the normal distribution data representing the normal distribution data generated by the distribution data generating means and the abnormal distribution data representing the distribution data at the time of abnormality are compared. An abnormality degree calculating means for calculating an abnormality degree indicating the degree of abnormality for each of the areas, and the packet passing control means for each area based on the abnormality degree of the area calculated by the abnormality degree calculating means. The packet passing / blocking is controlled.

  In the invention according to claim 3, in the above invention, the packet passage control means sequentially calculates the cumulative number of packets belonging to the area included in the abnormality distribution data in descending order of the abnormality degree, and the abnormality distribution When the value obtained by subtracting the cumulative number from the total number of data packets is less than the allowable number of output packets, the packets belonging to the area and the area before the area are blocked.

  According to a fourth aspect of the present invention, in the above invention, the packet passage control means includes a normal cumulative number, which is a cumulative number of packets belonging to the area included in the normal distribution data, in the abnormal distribution data. The value obtained by dividing the cumulative number of packets that belong to the total number of packets belonging to is sequentially calculated in descending order of the degree of abnormality. If the calculated value exceeds a predetermined value, packets belonging to the area before the area are blocked. It is characterized by that.

  In the invention according to claim 5, in the above invention, the packet passage control means calculates a normal cumulative number, which is a cumulative number of packets belonging to an area included in the normal distribution data, as a total number of packets of the normal distribution data. The divided value is sequentially calculated in descending order of the degree of abnormality, and when the calculated value exceeds a predetermined value, packets belonging to the area before the area are blocked.

  In the invention according to claim 6, in the above invention, the packet passage control means sequentially calculates the cumulative number of packets belonging to the area included in the abnormality distribution data in ascending order of the abnormality degree, and the cumulative number When the number exceeds the allowable number of output packets, packets belonging to the area and the areas after the area are blocked.

  According to a seventh aspect of the present invention, in the above invention, the packet passage control means includes a normal cumulative number, which is a cumulative number of packets belonging to the area included in the normal distribution data, in the abnormal distribution data. When the value divided by the cumulative number of abnormalities, which is the cumulative number of packets belonging to, is sequentially calculated in ascending order of the degree of abnormality, and the calculated value falls below a predetermined value, packets belonging to the area and the subsequent areas It is characterized by blocking.

  In the invention according to claim 8, in the above invention, the packet passage control means calculates a normal cumulative number that is a cumulative number of packets belonging to an area included in the normal distribution data in descending order of the abnormality degree. A value obtained by dividing the distribution data by the total number of packets is sequentially calculated, and when the calculated value falls below a predetermined value, packets belonging to the area and the subsequent areas are blocked.

  In the invention according to claim 9, in the above invention, the abnormality degree calculation means belongs to the area included in the normal distribution data corresponding to the area, the number of packets belonging to the area included in the abnormality distribution data. A value obtained by dividing by the number of packets is defined as the degree of abnormality.

  According to a tenth aspect of the present invention, in the above invention, the abnormality degree calculating means belongs to an area included in the normal distribution data corresponding to the area from the number of packets belonging to the area included in the abnormality distribution data. A value obtained by subtracting the number of packets is set as the degree of abnormality.

  According to an eleventh aspect of the present invention, in the above invention, the abnormality degree calculating means belongs to an area included in the normal distribution data corresponding to the area from the number of packets belonging to the area included in the abnormality distribution data. A value obtained by dividing a value obtained by subtracting the number of packets by a standard deviation of the abnormal distribution data is used as the abnormality degree.

  In the invention according to claim 12, in the above invention, the packet passage control means uses a difference number obtained by subtracting the number of normal packets from the number of abnormal packets as the cumulative number of packets belonging to the area. The packet of the difference number is blocked among the packets belonging to the area determined to be blocked.

  According to a thirteenth aspect of the present invention, there is provided a relay device program installed in a relay device that is provided on a network and performs relay control of a packet that circulates through the network, and is selected from each attribute included in the packet A distribution data generation procedure that targets at least one attribute and divides a possible value of the attribute value of the attribute into a plurality of areas and generates distribution data for the number of packets belonging to each area; and the distribution data generation procedure And a packet passage control procedure for controlling packet passage / blocking based on the distribution data generated by the computer.

  The invention according to claim 14 compares the normal distribution data representing the normal distribution data generated by the distribution data generation procedure with the abnormal distribution data representing the distribution data at the time of abnormality. Accordingly, the computer further executes an abnormality degree calculation procedure for calculating an abnormality degree indicating the degree of abnormality for each area, and the packet passing control procedure is based on the abnormality degree of the area calculated by the abnormality degree calculation procedure. Packet passing / blocking is controlled for each area.

  According to the invention of claim 1 or 13, at least one attribute selected from each attribute included in the packet is targeted, and possible values of the attribute value of the targeted attribute are divided into a plurality of areas, Since the distribution data for the number of packets belonging to the area is generated and the packet passing / blocking is controlled based on the generated distribution data, the packet is not based on the static detection pattern but on the dynamic distribution data. By performing the blocking control, it is possible to reliably discard the attack packet without the attacker knowing the defense pattern.

  Further, according to the invention of claim 2 or 14, the degree of abnormality indicating the degree of abnormality for each area by comparing normal distribution data representing normal distribution data and abnormal distribution data representing abnormal distribution data. Since the packet passing / blocking is controlled for each area based on the calculated degree of abnormality in the area, the packet distribution is determined based on the degree of abnormality obtained by comparing the normal distribution data and the abnormal distribution data. By performing blocking control, there is an effect that attack packets can be discarded efficiently.

  According to the invention of claim 3, the cumulative number of packets belonging to the area included in the abnormal distribution data is sequentially calculated in descending order of the degree of abnormality, and a value obtained by subtracting the cumulative number from the total number of packets of the abnormal distribution data is the output packet. If it falls below the allowable number of packets, it is configured to block packets belonging to this area and areas before this area, so if the output packet exceeds the allowable number, priority is given to areas with high abnormalities. There is an effect that can be.

  According to the invention of claim 4, the normal cumulative number that is the cumulative number of packets belonging to the area included in the normal distribution data is divided by the abnormal cumulative number that is the cumulative number of packets belonging to the area included in the abnormal distribution data. If the calculated value exceeds the predetermined value, packets belonging to the area before this area are blocked, so the normal cumulative number is divided by the abnormal cumulative number. By selecting an area to be blocked based on the detected value, that is, the false detection rate, it is possible to suppress the ratio of non-attack packets belonging to the area to be blocked and being blocked together with the attack packets. There is an effect.

  Further, according to the invention of claim 5, a value obtained by dividing the normal cumulative number that is the cumulative number of packets belonging to the area included in the normal distribution data by the total number of packets of the normal distribution data is sequentially calculated in descending order of the degree of abnormality, When the calculated value exceeds the predetermined value, the packet belonging to the area before this area is blocked, so the normal cumulative number is divided by the total number of packets of the normal distribution data, that is, based on the winding rate. By selecting the block target area, it is possible to reduce the ratio of non-attack packets belonging to the block target area being blocked together with the attack packets.

  According to the invention of claim 6, when the cumulative number of packets belonging to the area included in the abnormal distribution data is sequentially calculated in ascending order of the degree of abnormality, the cumulative number exceeds the allowable number of output packets. Since the configuration is such that packets belonging to the area and the areas after this area are blocked, when the number of output packets exceeds the allowable number, an area having a high degree of abnormality can be blocked with priority.

  According to the invention of claim 7, the normal cumulative number that is the cumulative number of packets belonging to the area included in the normal distribution data is divided by the abnormal cumulative number that is the cumulative number of packets belonging to the area included in the abnormal distribution data. Since the calculated value is sequentially calculated in ascending order of the degree of abnormality, and the calculated value falls below the predetermined value, packets belonging to this area and the areas after this area are blocked, so the normal cumulative number is the abnormal cumulative By selecting the area to be blocked based on the value divided by the number, that is, the false detection rate, the ratio of blocking non-attack packets belonging to the area to be blocked together with the attack packets is suppressed. There is an effect that can be.

  Further, according to the invention of claim 8, the value obtained by dividing the normal cumulative number that is the cumulative number of packets belonging to the area included in the normal distribution data in descending order of the degree of abnormality by the total number of packets of the normal distribution data is sequentially calculated. When the calculated value falls below the predetermined value, the packet that belongs to this area and the areas after this area is blocked, so the value obtained by dividing the normal cumulative number by the total number of packets of the normal distribution data, that is, the winding By selecting the block target area based on the rate, it is possible to suppress the ratio of non-attack packets belonging to the block target area being blocked together with the attack packets.

  According to the invention of claim 9, the degree of abnormality is a value obtained by dividing the number of packets belonging to the area included in the abnormal distribution data by the number of packets belonging to the area included in the normal distribution data corresponding to this area. Therefore, by setting the value obtained by dividing the sum of the number of attack packets and the number of non-attack packets by the number of non-attack packets as the degree of abnormality, it is possible to easily discriminate an area where the ratio of attack packets is high.

  According to the invention of claim 10, the degree of abnormality is defined as a value obtained by subtracting the number of packets belonging to the area included in the normal distribution data corresponding to this area from the number of packets belonging to the area included in the abnormal distribution data. Therefore, by subtracting the number of non-attack packets from the sum of the number of attack packets and the number of non-attack packets, that is, by setting the number of attack packets as the degree of abnormality, it is possible to easily determine an area containing many attack packets. There is an effect.

  According to the eleventh aspect of the invention, a value obtained by subtracting the number of packets belonging to the area included in the normal distribution data corresponding to this area from the number of packets belonging to the area included in the abnormal distribution data is a standard for the abnormal distribution data. Since the value divided by the deviation is set as the degree of abnormality, the value obtained by dividing the number of attack packets by the standard deviation is set as the degree of abnormality, so that an area to be blocked can be appropriately selected. .

  According to the twelfth aspect of the invention, as the cumulative number of packets belonging to the area, the difference number obtained by subtracting the number of packets at the normal time from the number of packets at the time of abnormality is used, and the packet belongs to the area determined to be blocked. Since the difference number of packets among the packets is blocked, it is possible to effectively suppress an event that the non-attack packet is blocked together with the attack packet.

  Exemplary embodiments of a relay device and a program for the relay device according to the present invention will be explained below in detail with reference to the accompanying drawings.

  First, features of the relay apparatus according to the present invention will be described with reference to FIG. FIG. 1 is a diagram showing characteristics of a relay device 10 according to the present invention. As shown in FIG. 1, a relay apparatus 10 according to the present invention is provided in a network environment in which each network of an Internet 20, an ISP network 21 managed by an ISP (Internet Service Provider), and a corporate network 22 are connected. Here, the relay device 10 is a device that performs processing for relaying packets transmitted and received between the ISP network 21 and the corporate network 22. Although FIG. 1 shows the case where the relay device 10 is provided in the ISP network 21, the present invention is not limited to this, and the relay device 10 is provided between the ISP network 21 and the corporate network 22 or in the corporate network 22. It may be provided.

  In the network environment shown in FIG. 1, an attacker sends a large amount of attack packets to the corporate network 22 via the Internet 20 and the ISP network 21 in order to attack the corporate network 22. The relay apparatus 10 according to the present embodiment is used for the purpose of protecting the corporate network 22 by controlling the relay of such attack packets. The corporate network 22 is provided with an IDS (Intrusion Detection System) (not shown), and when an abnormal state such as an attack on the corporate network 22 is detected, the relay apparatus 10 is notified of such an abnormality. And

  The relay apparatus 10 shown in FIG. 1 has a function (packet statistical function) for acquiring statistics of packets to be relayed, and generates normal distribution data in the absence of an attack (see (1) in FIG. 1). ). Here, “distributed data” means that field setting values for one or more attributes (hereinafter referred to as “fields”) constituting a packet (for example, IP (Internet Protocol) packet) are divided into a plurality of areas. Thus, the data is obtained by counting the distribution of the number of packets for each area.

  Examples of the “field” include TTL (Time To Live), Protocol, transmission source address, and destination address of the IP header. And "dividing into a plurality of areas" means dividing into 0-7, 8-15, 16-23, for example, assuming that TTL takes a value of 0-255. In this embodiment, the case where each area is equally divided will be described. However, each area does not need to be equally divided, for example, each area is configured to be unequal according to the amount of packets. It is good.

  The description of the operation of the relay device 10 will be continued. When an attacker sends a large amount of attack packets to the corporate network 22 via the Internet 20 and the ISP network 21, the IDS of the corporate network 22 detects an abnormality and notifies the relay apparatus 10 (see (2) in FIG. 1). ). Receiving the abnormality notification, the relay apparatus 10 generates distribution data at the time of abnormality using the packet statistical function described above (see (3) in FIG. 1). Then, based on the comparison result between the generated abnormal time distribution data and the normal time distribution data generated in the normal time (there is no attack), packet blocking control for the corporate network 22 is performed (FIG. 1). (Refer to (4)).

  As described above, the relay apparatus 10 according to the present embodiment controls the blocking of the attack packet based on the comparison result between the “normal distribution data” and the “abnormal distribution data”, and thus provides a defense pattern to the attacker. There is no risk of being read. That is, in the type of relay device in which the attack packet detection rule is set in advance, if the set detection rule is known to the attacker, there is a risk that an attack that avoids the detection rule may be launched. On the other hand, the relay device 10 according to the present embodiment dynamically determines the packet to be blocked by comparing the packet amount at the time of abnormality and the packet amount at the normal time, so that the attacker knows the defense pattern. There is no fear. Therefore, if the relay apparatus 10 according to the present embodiment is used, the attack packet can be reliably discarded (blocked).

  Next, the internal configuration of the relay apparatus 10 according to the present embodiment will be described with reference to FIG. FIG. 2 is a block diagram illustrating a configuration of the relay device 10. As shown in the figure, the relay apparatus 10 includes an input interface unit 11, an output interface unit 12, a distribution data generation unit 13, a distribution data management unit 14, an abnormality degree calculation unit 15, and a packet control unit 16. It has. In the following description, a packet conforming to IP will be described as an IP packet, and the case where the relay apparatus 10 relays the IP packet will be described.

  The input interface unit 11 includes a communication device such as a LAN (Local Area Network) board, and accepts IP packets transferred via the ISP network 21 and IP packets transferred via the corporate network 22. It is a processing unit that performs processing for passing the received IP packet to the distribution data generation unit 13 and the packet control unit 16. Similarly to the input interface unit 11, the output interface unit 12 includes a communication device such as a LAN board. The output interface unit 12 performs processing for outputting to the ISP network 21 or the corporate network 22 an IP packet that the packet control unit 16 has decided to pass. It is a processing part to perform.

  The distribution data generation unit 13 determines, for each area, the value set in each field corresponds to one or more fields constituting the IP packet passed from the input interface unit 11. It is a processing part which produces | generates the distribution data regarding the number of packets.

  Specifically, the distribution data generation unit 13 generates distribution data (normal time distribution data 14a) at the time of non-attack (normal time) and passes it to the distribution data management unit 14, and at the time of attack (at the time of abnormality). The distribution data (abnormal distribution data 14b) is generated and passed to the distribution data management unit 14. The distribution data generation unit 13 may receive a notification that the corporate network 22 is abnormal, or a new processing unit that receives the abnormality notification is provided. A notification may be passed.

  In addition, the distribution data generation unit 13 counts how many packets belong to each area per unit time. In addition, as unit time, time, such as 1 second, can be used, for example, and it can be changed to arbitrary time according to a communication amount, an operation system, etc.

  The distribution data management unit 14 manages the normal time distribution data 14a and the abnormal time distribution data 14b passed from the distribution data generation unit 13 by using a storage device such as a nonvolatile RAM (Random Access Memory) or a magnetic disk device. A processing unit that performs processing. Here, an example of distribution data managed by the distribution data management unit 14 will be described with reference to FIG. FIG. 3 is a diagram illustrating an example of distribution data managed by the distribution data management unit 14. 3A is an example of the normal time distribution data 14a, and FIG. 3B is an example of the abnormal time distribution data 14b.

  In the graph of each distribution data (14a and 14b) shown in the figure, the horizontal axis represents the “area” described above, and the vertical axis represents the number of packets (frequency). Each graph shows a case where the TTL field is selected from the fields constituting the IP packet. As shown in FIG. 3, all packets are set in accordance with the TTL value, such as a packet in which the value set in the TTL is 0 to 7 in the area 1, a packet in the 8-15 is in the area 2, and so on. And categorize each area. Although FIG. 3 shows the case where the value of the TTL field is made to correspond to each area every eight, the present invention is not limited to this, and it may be classified every one or every arbitrary number n.

  Further, instead of focusing on a single field as in the TTL field, for example, it is possible to determine an area to which each packet belongs by focusing on a plurality of fields such as TTL and Protocol. In other words, any field may be adopted as long as it can identify that an attack is set, and attention may be paid not only to a single field but to a plurality of fields.

  The shaded area shown in FIG. 3B corresponds to the number of packets increased from the normal distribution data shown in FIG. As described above, the abnormal time distribution data shown in FIG. 3B is generated at the normal time shown in FIG. 3A generated at the same time one day ago, one week ago, or one month ago. It is shown that the number of packets is increased compared to the distribution data. As the normal time distribution data 14a used by the relay device 10, it is desirable to use distribution data when the IP packet blocking process is not performed.

  Returning to the description of FIG. 2, the abnormality degree calculation unit 15 will be described. The abnormality degree calculation unit 15 calculates “abnormality” indicating the degree of abnormality during an attack (at the time of abnormality) based on the normal time distribution data 14a and the abnormal time distribution data 14b managed by the distribution data management unit 14. Part.

であらわされる。 The degree-of-abnormality calculation unit 15 compares the number of packets at normal time (black rectangle in FIG. 3) with the number of packets at abnormal time (hatched rectangle + black rectangle in FIG. 3) for each zone. "Abnormality" is calculated. For example, if the number of normal packets is N [i] (i is an integer of 0 or more and corresponds to each area), and the abnormal packet is A [i], the degree of abnormality is

It is expressed.

  As shown in Expression (1), it is determined that the degree of abnormality is higher in an area having a larger value obtained by dividing the number of packets at the time of abnormality by the number of packets at the time of normality. Then, the abnormality degree calculation unit 15 gives priority to each area in descending or ascending order of the abnormality degree, and packets belonging to the area with higher priority are subject to packet blocking by the packet control unit 16 described later. . When N [i] is 0, the abnormality degree calculation unit 15 determines that the area having a larger A [i] has a higher abnormality degree.

  The packet control unit 16 is a processing unit that performs a process of outputting a packet determined to be a passage target to the network via the output interface unit 12 after determining whether to block / pass the packet received from the input interface unit 11. is there. Specifically, the packet control unit 16 determines whether or not each area is to be blocked based on the degree of abnormality calculated by the abnormality degree calculating unit 15, and when the packet belongs to the area to be blocked. Blocks this packet. On the other hand, if the packet does not belong to the block target area, the packet is allowed to pass.

  Note that each of the distribution data generation unit 13, the distribution data management unit 14, the abnormality degree calculation unit 15, and the packet control unit 16 described above may be a module of a program processed by a processor such as a CPU (Central Processing Unit). . Each module may be processed by one CPU, or may be distributed to a plurality of CPUs.

  Next, details of processing performed by the abnormality degree calculation unit 15 and the packet control unit 16 will be described with reference to FIG. FIG. 4 is a flowchart showing a processing procedure of packet control processing performed in the relay apparatus 10. As shown in the figure, first, the cumulative number of abnormalities representing the cumulative number of packets at the time of abnormality is initialized to 0 (step S101), and the total number of packets belonging to the abnormal distribution data 14b is calculated (step S102).

  Subsequently, the degree of abnormality (for example, number (1)) is calculated for each area (step S103), the areas are arranged from the highest degree of abnormality to the lower degree, and the area having the highest degree of abnormality is selected. (Step S104). Then, the number of abnormal packets (A [i]) in the selected area is added to the cumulative total number of abnormalities (step S105), and whether or not the value obtained by subtracting the cumulative total number of packets from the total number of packets is smaller than the allowable number of packets. Determination is made (step S106). Here, the allowable number of packets is a value determined in advance according to the speed of a line connecting the ISP network 21 and the corporate network 22, for example. Note that the number of allowable packets can be changed as appropriate according to the operation status.

  If it is determined in step S106 that the number of packets is not less than the allowable number (step S106, No), it is determined to block all IP packets in the selected area (step S107), and an area having the next highest degree of abnormality is determined. It selects as a target area (step S108) and repeats the process after step S105.

  On the other hand, if it is determined in step S106 that the number is smaller than the allowable number of packets (step S106, Yes), it is determined to block all IP packets in the selected area (step S109), and the IP packets that have not been blocked are determined. Pass (step S110) and the process is terminated. Note that if the determination in step S106 is “No”, even if the determination is “No”, that is, if the total number of packets in the distribution data at the time of abnormality is less than the allowable number of packets, the operation in step S109 is performed. All IP packets may be allowed to pass through (without blocking IP packets).

  Next, Modification 1 of the packet control process shown in FIG. 4 will be described with reference to FIG. FIG. 5 is a flowchart showing a first modification of the packet control process shown in FIG. In the first modification, the normal cumulative number obtained by accumulating the number of packets for each area of the normal time distribution data 14a is divided by the abnormal cumulative number obtained by accumulating the number of packets for each area of the abnormal time distribution data 14b. Until the value is exceeded, packets belonging to the corresponding area are to be blocked.

  As shown in FIG. 5, first, an abnormal cumulative number representing the cumulative number of packets at the time of abnormalities and a normal cumulative number representing the cumulative number of packets at the normal time are initialized to 0 (step S201). The degree (for example, number (1)) is calculated (step S202). Then, after arranging the areas from the higher degree of abnormality to the lower degree, the area having the maximum degree of abnormality is selected (step S203).

  Subsequently, the abnormal packet number (A [i]) in the selected area is added to the abnormal cumulative number (step S204), and the normal packet number (N [i]) is added to the normal cumulative number (step S205). ). Then, it is determined whether or not a value obtained by dividing the normal cumulative number by the abnormal cumulative number is larger than a predetermined allowable value (step S206).

  Here, this “value obtained by dividing the normal cumulative number by the abnormal cumulative number” is referred to as a false detection rate. If this false detection rate is 0, the normal IP packet belonging to the area to be blocked is not wrapped together with the abnormal IP packet. In addition, the greater the false detection rate, the higher the rate at which normal IP packets are attached. The predetermined allowable value is a value determined in advance according to the operation status, and can be appropriately changed according to a change in the operation status.

  If it is determined in step S206 that it is equal to or smaller than the predetermined allowable value (step S206, No), it is determined to block all IP packets in the selected area (step S207), and the area having the next highest degree of abnormality is determined. Is selected as a target area (step S208), and the processes in and after step S205 are repeated. On the other hand, if it is determined in step S206 that it is greater than the predetermined allowable value (step S206, Yes), the IP packet that has not been blocked is passed (step S209), and the process is terminated.

  Next, a second modification of the packet control process shown in FIG. 4 will be described with reference to FIG. FIG. 6 is a flowchart showing a second modification of the packet control process shown in FIG. This modification 2 is a modification in consideration of the wrapping of the IP packet at the normal time (the normal packet included in the block target area is blocked together with the abnormal packet).

  As shown in FIG. 6, first, the normal cumulative number representing the cumulative number of packets at the normal time is initialized to 0 (step S301), and the total number of packets belonging to the normal distribution data 14a is calculated (step S302).

  Subsequently, the degree of abnormality (for example, number (1)) is calculated for each area (step S303), the areas are arranged from the highest degree of abnormality to the lower degree, and the area having the highest degree of abnormality is selected. (Step S304). Then, the normal number of packets (N [i]) in the selected area is added to the normal cumulative number (step S305), and a value obtained by dividing the normal cumulative number by the total number of packets calculated in step S302 is a predetermined allowable value. It is determined whether it is larger than (step S306).

  Here, this “value obtained by dividing the normal cumulative number by the total number of packets at the normal time” is referred to as a winding rate. If this wrapping rate is 0, the normal IP packet belonging to the area to be blocked will not be wrapped and blocked together with the abnormal IP packet. In addition, the larger the wrapping rate, the higher the rate at which normal IP packets are wrapped. The predetermined allowable value is a value determined in advance according to the operation status, and can be appropriately changed according to a change in the operation status.

  If it is determined in step S306 that it is less than or equal to the predetermined allowable value (step S306, No), it is determined to block all IP packets in the selected area (step S307), and the area having the next highest degree of abnormality is determined. Is selected as a target area (step S308), and the processes in and after step S305 are repeated. On the other hand, if it is determined in step S306 that it is larger than the predetermined allowable value (step S306, Yes), the IP packet that has not been blocked is passed (step S309), and the process is terminated.

  Next, Modification 3 of the packet control process shown in FIG. 4 will be described with reference to FIG. FIG. 7 is a flowchart showing a third modification of the packet control process shown in FIG. In this modified example 3, the processing performed in FIG. 4, the modified example 1 (FIG. 5) and the modified example 2 (FIG. 6) from the region with the higher degree of abnormality toward the lower part (in descending order of the degree of abnormality) The processing procedure when performed in ascending order is shown. FIG. 7 shows the case where the processing shown in FIG. 4 is performed in ascending order of the degree of abnormality. Similarly, the processing shown in FIG. 5 or 6 can be performed in ascending order of the degree of abnormality. is there.

  As shown in FIG. 7, first, the abnormal total number representing the total number of packets at the time of abnormality is initialized to 0 (step S401), and the total number of packets belonging to the abnormal distribution data 14b is calculated (step S402).

  Subsequently, the degree of abnormality (for example, number (1)) is calculated for each area (step S403), the areas are arranged from the lowest degree of abnormality to the higher degree, and the area having the smallest degree of abnormality is selected. (Step S403). Then, the number of abnormal packets (A [i]) in the selected area is added to the cumulative cumulative number of abnormalities (step S405), and whether or not the value obtained by subtracting the cumulative cumulative number of packets from the total number of packets is larger than the allowable number of packets. Determination is made (step S406).

  If it is determined in step S406 that the number of packets is not more than the allowable number (step S406, No), it is determined that all IP packets in the selected area are allowed to pass (step S407), and the area having the next lowest degree of abnormality is selected. It selects as a target area (step S408), and repeats the process after step S405.

  On the other hand, when it is determined in step S406 that the number is larger than the allowable number of packets (step S406, Yes), it is determined to block all packets belonging to the area after the selected area (step S409), and the process is terminated. .

とあらわすこととしてもよい。 In the above description, the degree of abnormality is a value obtained by the above equation (1). However, the degree of abnormality may be calculated by a different calculation formula. That is, as in equation (1), the normal number of IP packets is N [i] (i is an integer equal to or greater than 0, corresponding to each area), and the abnormal IP packet is A [i]. Degree,

It may be expressed as:

  That is, in Equation (2), the degree of abnormality is a value obtained by subtracting the number of normal packets N [i] from the number of abnormal packets A [i]. By using Expression (2), it is possible to preferentially set an area in which the number of packets at the time of abnormality is greatly increased with reference to the normal time as a blocking target.

とあらわすこととしてもよい。 As another example of the calculation formula for calculating the degree of abnormality, there is a method using the standard deviation SD of the area i related to the distribution data for each time at the time of abnormality. That is, as in Expression (1) or Expression (2), the number of normal IP packets is N [i] (i is an integer equal to or larger than 0 and corresponds to each area), and the abnormal IP packets are A In addition to [i], the above-mentioned standard deviation is taken as SD,

It may be expressed as:

  Further, in the flowcharts shown in FIGS. 4 to 7, the case has been described in which all packets belonging to the area determined to be blocked are blocked in Step S107, Step S207, Step S307, and Step S408. However, the present invention is not limited to this, and it is also possible to block the number of packets (see the hatched rectangle in FIG. 3) that have increased during anomaly among the packets belonging to the area determined to be blocked.

  As described above, in this embodiment, the distribution data generation unit generates distribution data at normal time and abnormal time for the input packet, and the distribution data management unit generates each distribution generated by the distribution data generation unit. The data is managed, and the degree of abnormality calculation unit is configured to calculate the degree of abnormality based on the normal time distribution data and the abnormal time distribution data managed by the distribution data management unit. The packet control unit is configured to determine whether the packet has passed or blocked based on the degree of abnormality calculated by the degree of abnormality calculation unit, and to output a packet to be passed. Therefore, it is possible to reliably discard the attack packet without the attacker knowing the defense pattern such as the detection rule.

  By the way, in the above-described embodiment, the case where the distribution data at the time of abnormality is generated when the relay apparatus receives an abnormality notification from the IDS has been described. However, the present invention is not limited to this, and it is also possible to generate abnormality distribution data without using IDS (without receiving an abnormality notification). Specifically, the relay device handles the latest distribution data as abnormal distribution data, and the abnormal distribution data is generated at the same time the previous day, one week ago, one month ago, etc. The distribution data may be normal time distribution data.

  In the above-described embodiments, the relay device according to the present invention has been described in terms of functions. However, each function of the relay device is programmed in a computer such as a personal computer or a workstation, or a communication device such as a router in which a program can be installed. It can also be realized by executing.

  In other words, the various processing procedures described above can be realized by executing a program prepared in advance on a computer. These programs can be distributed via a network such as the Internet. Further, these programs can be recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD, and can be executed by being read from the recording medium by the computer.

  That is, for example, a CD-ROM storing the relay device program shown in each embodiment may be distributed, and each computer may read and execute the program stored in the CD-ROM.

  As described above, the relay device and the relay device program according to the present invention are useful for blocking an attack packet, and in particular, the attacker can reliably discard the attack packet without knowing a defense pattern such as a detection rule. Suitable if you want to. The present invention can be applied not only to the relay device but also to other communication devices such as a router, a shaper, or a switch.

It is a figure which shows the characteristic of the relay apparatus which concerns on this invention. It is a block diagram which shows the structure of a relay apparatus. It is a figure which shows an example of the distribution data which a distribution data management part manages. It is a flowchart which shows the process sequence of the packet control process performed in a relay apparatus. 6 is a flowchart illustrating a first modification of the packet control process illustrated in FIG. 4. 6 is a flowchart illustrating a second modification of the packet control process illustrated in FIG. 4. 10 is a flowchart showing a third modification of the packet control process shown in FIG. 4.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Relay apparatus 11 Input interface part 12 Output interface part 13 Distribution data generation part 14 Distribution data management part 14a Normal time distribution data 14b Abnormal time distribution data 15 Abnormality degree calculation part 16 Packet control part 20 Internet 21 ISP network 22 Corporate network

Claims (14)

A relay device that performs relay control of a packet that is provided on a network and circulates through the network,
Distribution that targets at least one attribute selected from each attribute included in the packet, divides the possible value of the attribute value of the attribute into a plurality of areas, and generates distribution data on the number of packets belonging to each area Data generation means;
And a packet passage control means for controlling the passage / blocking of packets based on the distribution data generated by the distribution data generation means. The normality data representing the distribution data at the normal time generated by the distribution data generating means is compared with the abnormal distribution data representing the distribution data at the time of abnormality to calculate the degree of abnormality indicating the degree of abnormality for each area. An abnormality degree calculating means for
The packet passage control means includes
The relay apparatus according to claim 1, wherein packet passing / blocking is controlled for each of the areas based on the degree of abnormality of the area calculated by the abnormality degree calculating unit. The packet passage control means includes
When the cumulative number of packets belonging to the area included in the abnormal distribution data is sequentially calculated in descending order of the abnormal degree, and the value obtained by subtracting the cumulative number from the total number of packets of the abnormal distribution data is less than the allowable number of output packets 3. The relay apparatus according to claim 2, wherein a packet belonging to the area and an area before the area is blocked. The packet passage control means includes
A value obtained by dividing the normal cumulative number that is the cumulative number of packets belonging to the area included in the normal distribution data by the abnormal cumulative number that is the cumulative number of packets belonging to the area included in the abnormal distribution data, in descending order of the abnormality degree. 3. The relay apparatus according to claim 2, wherein the relay apparatus sequentially calculates, and when the calculated value exceeds a predetermined value, a packet belonging to an area before the area is blocked. The packet passage control means includes
A value obtained by dividing the normal total number of packets belonging to the area included in the normal distribution data by the total number of packets of the normal distribution data is sequentially calculated in descending order of the degree of abnormality, and the calculated value exceeds a predetermined value. 3. The relay apparatus according to claim 2, wherein when the packet is received, a packet belonging to an area before the area is blocked. The packet passage control means includes
When the cumulative number of packets belonging to the area included in the abnormal distribution data is sequentially calculated in ascending order of the degree of abnormality, and the cumulative number exceeds the allowable number of output packets, The relay apparatus according to claim 2, wherein the packet belonging thereto is blocked. The packet passage control means includes
A value obtained by dividing the normal cumulative number that is the cumulative number of packets that belong to the area included in the normal distribution data by the abnormal cumulative number that is the cumulative number of packets that belong to the area included in the abnormal distribution data, in ascending order of the abnormality degree. 3. The relay apparatus according to claim 2, wherein the relay apparatus sequentially calculates, and when the calculated value falls below a predetermined value, blocks belonging to the area and the areas after the area are blocked. The packet passage control means includes
A value obtained by dividing the normal cumulative number that is the cumulative number of packets belonging to the area included in the normal distribution data in descending order of the degree of abnormality is sequentially calculated, and the calculated value falls below a predetermined value. 3. The relay apparatus according to claim 2, wherein in the case of the packet, the packet belonging to the area and the area after the area is blocked. The abnormality degree calculating means includes:
9. The abnormality level is a value obtained by dividing the number of packets belonging to an area included in the abnormal distribution data by the number of packets belonging to an area included in the normal distribution data corresponding to the area. The relay apparatus as described in any one of. The abnormality degree calculating means includes:
9. The abnormality level is a value obtained by subtracting the number of packets belonging to an area included in the normal distribution data corresponding to the area from the number of packets belonging to the area included in the abnormal distribution data. The relay apparatus as described in any one of. The abnormality degree calculating means includes:
A value obtained by dividing a value obtained by subtracting the number of packets belonging to the area included in the normal distribution data corresponding to the area from the number of packets belonging to the area included in the abnormal distribution data by the standard deviation of the abnormal distribution data. The relay device according to claim 2, wherein the relay device is a degree. The packet passage control means includes
As the cumulative number of packets belonging to the area, the difference number obtained by subtracting the normal packet number from the abnormal packet number is used, and the difference number of packets belonging to the area determined to be blocked is blocked. The relay device according to claim 1, wherein the relay device is a relay device. A relay device program installed in a relay device that is provided on a network and performs relay control of packets that flow through the network,
Distribution that targets at least one attribute selected from each attribute included in the packet, divides the possible value of the attribute value of the attribute into a plurality of areas, and generates distribution data on the number of packets belonging to each area Data generation procedure;
A relay device program that causes a computer to execute a packet passage control procedure for controlling packet passage / blocking based on distribution data generated by the distribution data generation procedure. The degree of abnormality indicating the degree of abnormality for each area is calculated by comparing the normal distribution data representing the distribution data at the normal time generated by the distribution data generation procedure with the abnormal distribution data representing the distribution data at the time of abnormality. Cause the computer to further execute the abnormality calculation procedure
The packet passing control procedure includes:
14. The relay device program according to claim 13, wherein packet passing / blocking is controlled for each of the areas based on the degree of abnormality of the area calculated by the abnormality degree calculation procedure.

Images