JP2008118242A - Method and device for detecting abnormal traffic, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an abnormal traffic detection technique capable of detecting an abnormal traffic appropriately even if performing packet sampling. <P>SOLUTION: An abnormal traffic detector 20 has a section 31 for determining the number of division groups, a group classification section 32, a time series analysis section 33, and an abnormal traffic detection section 34. The section 31 determines the number of division groups. The group classification section 32 groups an observed amount of traffic N_t into M groups according to predetermined rules, sets the amount of traffic in a jth group to N_t(j) (in this case, Σ<SB>j</SB>=<SB>1-M</SB>N_t(j)=N_t), and notifies the time series analysis section 33 of N_t(j). The time series analysis section 33 analyzes time series relating to N_t(j) in each group j and detects that an abnormal traffic has occurred in the group when a timelike change in N_t(j) is detected. The abnormal traffic detection section 34 notifies an operator of the detection of the abnormal traffic. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a technique for managing traffic in an IP network.

  As IP networks are widely used, there is an increasing demand for guaranteeing communication quality over IP networks. On the other hand, various abnormal traffic such as DDoS attacks and network scans occur, resulting in user communication quality. Inhibiting the problem is a problem. Therefore, it is necessary to monitor the network to quickly detect such abnormal traffic and take appropriate measures. On the other hand, as the scale of the network increases and the speed increases, capturing and analyzing all packets has a problem with scalability. In recent years, packet sampling has been performed at each router, and sampled flows (what is a flow? , Statistical information on the same (packets having the same source IP address, destination IP address, protocol number, source port number, destination port number) is aggregated by a network monitoring device, and wide area traffic monitoring is performed in units of flows Attention has been focused on the method of performing.

  Non-patent documents 1, 2, and 3 have been studied as methods for analyzing sample flow information. Non-Patent Document 1 proposes a method for accurately obtaining statistics of a flow having a large flow size. Non-Patent Document 2 proposes a method of estimating the total number of unflowed flows and the flow size using the number of sampled SYN packets (one of the TCP flags, meaning communication start). ing. Non-Patent Document 3 makes it possible to identify a flow having a large size or a high bandwidth occupancy rate, and to quickly identify users who generate excessive flows. However, any of these documents is a method for analyzing the flow characteristics in a steady state, and is not a technique for detecting a change in the flow characteristics due to abnormal traffic. On the other hand, Non-Patent Document 4 proposes a method for characterizing a change in a traffic pattern due to abnormal traffic, but does not consider how the packet sampling affects its performance.

C. Estan and G. Varghese, “New Directions in Traffic Measurement and Accounting”, ACM SIGCOMM2002, Aug. 2002. N. Duffield, C. Lund, and M. Thorup, “Properties and Prediction of Flow Statistics From Sampled Packet Streams”, ACM SIGCOMM Internet Measurement Conference 2002, Nov. 2002. T. Mori et al., “Identifying elephant flows through periodically sampled packets”, ACM SIGCOMM Internet Measurement Conference, 2004. A. Lakhina, M. Crovella, and C. Diot, “Mining Anomalies Using Traffic Feature Distributions”, Proc. ACM SIGCOMM 2005, September 2005. Takeda, Ota, Kato, Nemoto, “Unauthorized Access Detection and Tracking Method Using Traffic Patterns”, IEICE Transactions B, Vol. J84-B, no.8, pp.1464-1473, August 2001 . A. Gunnar, M. Johansson, and T. Telkamp, “Traffic matrix estimation on a large IP backbone A comparison on real data”, ACM SIGCOMM IMC, Oct, 2004.

  The result measured by the Internet backbone link in FIG. 1 is shown. 1A shows a case where packet sampling is not performed, that is, a sampling probability p = 1, and FIGS. 1B and 1C show cases where the sampling probability p is 0.01 and 0.001, respectively. It is time series data of the number of flows. The horizontal axis represents time, and the vertical axis represents the number of flows. Looking at FIG. 1 (a), it is possible to confirm a location where the number of flows is rapidly increasing. Detailed analysis of actual data revealed that this spike was SYN flooding that sent a large amount of TCP SYN packets from various forged source IP addresses to several destination IP addresses. However, in FIGS. 1B and 1C in which sampling is performed, spikes due to these abnormal traffics become smaller as the sampling probability p becomes smaller. This is because such an abnormal flow is hardly sampled by packet sampling. Abnormal traffic such as network scans, port scans, and worms is characterized by generating a large number of flows although the number of packets per individual flow is small. Since such an abnormal flow has a smaller number of packets per flow than the normal flow, the probability that the abnormal flow is sampled (that is, the probability that at least one packet is sampled from the flow) is normal flow as the sampling probability p decreases. Becomes smaller than the probability of being sampled. As a result, there is a problem that the abnormal flow is buried as shown in FIGS.

  In view of the above-described problems, an object of the present invention is to provide an abnormal traffic detection method, an apparatus, and a program thereof that can appropriately detect abnormal traffic even if packet sampling is performed.

  Of the inventions disclosed in this specification, the outline of typical ones will be briefly described as follows.

In the present invention, the probability of detecting abnormal traffic is increased by dividing the monitoring traffic into several groups. Here, it is assumed that the traffic is monitored for each monitoring unit (for example, for each link or between the ground), the generated traffic amount is measured at a predetermined time interval t0, and the traffic amount in the t-th measurement interval is expressed as N_t. Consider the case where abnormal traffic is detected by looking at the time variation of N_t. For example, by looking at the source IP address of each flow constituting the monitoring traffic, flows having the same IP address are mapped to the same group, and N_t is divided into N_t (j) (j = 1 to M). Here, Σ _{j = 1 to} MN_t (j) = N_t.

  Abnormal traffic such as scanning generates a large number of flows from a specific host to a large number of destination IP addresses and destination port numbers, and such abnormal flows can be aggregated into a specific group. High nature. Therefore, by grouping by source IP address, normal traffic can be distributed to each group while abnormal traffic can be aggregated into a specific group, and the ratio of the number of abnormal flows in this group to the number of normal flows Can increase the probability of abnormality detection. On the other hand, it is considered that attack traffic to a specific destination host (group) such as DDoS can be increased in detection probability by grouping by destination IP address.

In the first method of the present invention, the observed traffic volume N_t is grouped into M according to a predetermined rule, and the traffic volume in the j-th group is N_t (j) (in this case, Σ _{j = 1 to M} N_t (j) = N_t), if a time change of N_t (j) is detected by analyzing the time series related to N_t (j) in each group j, it is detected that abnormal traffic has occurred in the group It is characterized by doing.

  Note that the part of detecting abnormal traffic based on time-series temporal changes is a known technique as described in Non-Patent Document 5, for example.

  In the second method of the present invention, when the time series is analyzed in the first method, if N_t (j) exceeds a value m + α × σ obtained by multiplying the moving average m by a standard deviation σ, anomalous traffic. Is detected as occurring.

  For example, when α = 3, the probability of erroneous detection when abnormal traffic does not occur is suppressed to about 0.13% (assuming that N_t (j) follows a normal distribution). The method of setting the threshold value by adding the average deviation α times the average to the average is a known technique.

  The third method of the present invention is characterized in that any of the number of generated bytes, the number of generated packets, and the number of generated flows is used as N_t as the traffic amount observed in the first method.

  In the first method, as a rule for grouping M pieces, N_t is assigned to N_t by mapping the flows having the same IP address to the same group by looking at the source IP address of each flow constituting N_t. (J) You may divide | segment into (j = 1-M). Further, instead of grouping by source IP address, grouping may be performed by destination IP address.

  In the fourth method of the present invention, as a method of determining the number of divided groups M in the first method, when monitoring the number of flows in the third method, the number of flows before packet sampling is performed for the normal flow. Average m and variance σ ^ 2 are determined in advance by actual data analysis. Here, it is assumed that the normal flow number Y follows a normal distribution N (m, σ ^ 2) having an average m and a variance σ ^ 2, and F (y, m, σ ^ 2) = P [Y <y] (that is, The probability that Y is less than or equal to y is calculated using the normal distribution N (m, σ ^ 2)), and the number of abnormal flows d to be detected is d = argmin {d | F (md−α + σ × σ, m, σ ^ 2) Let <ε}. Note that ε is a predetermined target value for the abnormal traffic non-detection rate (0 <ε <1). Here, the average number of flows m (p) and variance σ (p) ^ 2 when packet sampling is performed with the sampling probability p is measured, and this is divided into M groups. The flow number m (p, j) is m (p, j) = m (p) / M, and the variance σ (p, j) ^ 2 is σ (p, j) ^ 2 = σ (p) ^ 2 / Calculate by M. With the above preparation, the number M of divided groups is set to M = argmin {M | F (m (p, j) + α × σ (p, j), m (p, j) + d × p, σ (p, j ) ^ 2 + d * p * (1-p)) <[epsilon]}.

  Here, the above-described method will be described. The basic idea is to determine the number of divided groups M required to find anomalous traffic that can be detected with a non-detection rate of less than ε if sampling is not performed, with a non-detection rate of less than ε after sampling. .

  First, it is necessary to determine the average m and the variance σ ^ 2 of the original number of flows before sampling. As one method, for example, there is a method in which all packet captures are temporarily obtained in advance. Another method is to estimate the original flow statistics from the sample flow statistics obtained by packet sampling. First, the average m of the original number of flows can be estimated using the method of Non-Patent Document 2, for example. Next, an estimation method of the original flow number variance σ ^ 2 will be described. Assume that sample flow information is collected by performing packet sampling with a sampling probability p0, and sample flow information is generated when sampling is performed with a probability p1, p2,... (P1, p2,... <P0) smaller than p0. For example, if p0 = 0.01 and p1 = 0.001, the sample flow obtained with p0 = 0.01 may be further thinned out with a packet sampling probability of 1/10. Next, the average m (pi) and variance σ (pi) ^ 2 of the number of sample flows for each probability pi are calculated. Thereafter, assuming that a relationship of σ ^ 2 = a × m ^ c holds between the average m and the variance σ ^ 2, the measurement result (m (pi), σ ^ 2 (pi)) (i = 0, 1, 2 ,...) Are calculated such that a and c match this relational expression. Specifically, the log of the relational expression is taken, log {σ ^ 2} = a + c × log {m}, and the value log {m (pi)} obtained by taking the log of the measurement result is used as the explanatory variables Xi, log { The relationship between Xi and Yi is linearly approximated to Y = a + cX with σ (pi) ^ 2} as the explained variable Yi, and the slope c and Y intercept a that minimize the approximation error are obtained. When a and c are obtained, the original variance σ ^ 2 is estimated by σ ^ 2 = a × m ^ c. Note that the relational expression σ ^ 2 = a × m ^ c between the average and the variance used here is based on Non-Patent Document 6, and the average m and the variance σ ^ 2 related to the traffic time series are as described above. To make use of the relationship.

  With the above preparation, the number d of abnormal flows to be detected is set to d = argmin {d | F (md−α × σ, m, σ ^ 2) <ε}. Here, F (m−d + α × σ, m, σ ^ 2) = P [Y + d <m + α × σ], that is, the detection threshold value m + α despite the addition of abnormal traffic d. The probability (that is, non-detection rate) that cannot be detected correctly below xσ. Therefore, d is defined as d = argmin {d | F (m−d + α × σ, m, σ ^ 2) <ε}, and the minimum d with a non-detection rate of less than ε is defined as abnormal traffic. .

  The traffic is divided so that such abnormal traffic d can be detected even after packet sampling, and the number M of divisions required to detect the abnormal traffic with a non-detection rate ε is M = argmin {M | F (M (p, j) + α × σ (p, j), m (p, j) + d × p, σ (p, j) ^ 2 + d × p × (1-p)) <ε} Yes. Here, it is assumed that the abnormal traffic generates an abnormal flow with the generated flow number d, and the average flow number when the flow is sampled with the probability p is d × p, and the variance is d × p × (1−p). It is said. Further, it is assumed that abnormal flows are concentrated in one group even after M division.

  Note that if M is excessively increased, the number of erroneous detections may increase rapidly even though no abnormal traffic has actually occurred, which may increase the burden on the operator. Further, if M is large, the number of data to be time-series analyzed increases accordingly, and the processing cost also increases. Therefore, M is set as small as possible within a range where the abnormal traffic non-detection rate can be made equal to or less than the target value ε. Yes.

  In the fifth method of the present invention, in the fourth method, the number of flows m (p, j) in group j when divided into M groups is m (p, j) = m (p) / Instead of M, the flow number distribution ratio w (i) (Σw (i) = 1, 0 <w (i) <1) when divided into M is determined in advance by actual data analysis. The number of flows in the group j where the number of flows is maximum (that is, the group where w (j) is maximum) is m (p, j) = m (p) × w (j), and the variance σ (p, j) ^ 2 is calculated by σ (p, j) ^ 2 = a × m (p, j) ^ c (a and c are coefficients determined in advance or determined in advance by actual data analysis). The number M of divided groups is determined by the same procedure as the method 4.

  In the fourth method, it is assumed that traffic is divided evenly, but here, the case where there is a bias in the number of normal flows after division is focused on the group with the largest number of flows. This means that if there is a large number of normal flows, there is a high probability that the abnormality will be buried, but even in such a group with a large number of normal flows, the abnormality non-detection rate can be suppressed to less than ε.

  Here, a method for determining the required flow number distribution ratio will be described. For example, all packet captures are temporarily performed in advance (or sample flow information collected in a past time period may be used), and the distribution ratio w (i) when the number of divided groups is M (I = 1 to M) is calculated, and the distribution ratio w (j) in the group j in which the number of flows is maximum is stored. Abnormality is performed for each case where M is changed, and a correspondence table of the distribution ratio w (j) in the group j in which the value of M and the number of flows at that time are maximum is prepared.

  According to the present invention, abnormal traffic can be appropriately detected even when packet sampling is performed.

  Embodiments of the present invention will be described below with reference to the drawings.

  FIG. 2 is a configuration diagram showing an example of a basic configuration of an IP network to which the present invention is applied. In FIG. 2, 20 is an abnormal traffic detection device, and 21 to 24 are routers. As shown in FIG. 2, sample flow information packet-sampled with a sampling probability p from each router 21 to 24 constituting the IP network is output to the abnormal traffic detection device 20, and the abnormal traffic detection device 20 is based on the sample flow information. Detect abnormal traffic.

  FIG. 3 is a block diagram showing a configuration example of the abnormal traffic detection apparatus according to the present invention. The traffic detection device 20 collects and analyzes information relating to flows sampled by packet sampling, measures the amount of traffic generated for each predetermined time interval t0 for each predetermined monitoring unit, and performs traffic in the t-th measurement interval. The amount is set as N_t, and abnormal traffic is detected by looking at the time variation of N_t.

As shown in FIG. 3, the abnormal traffic detection device 20 includes a divided group number determination unit 31, a group classification unit 32, a time series analysis unit 33, and an abnormal traffic detection unit 34. The outline of processing performed by each unit is as follows. The division group number determination unit 31 determines the number of division groups. The group classification unit 32 groups the observed traffic volume N_t into M according to a predetermined rule, and sets the traffic volume in the j-th group to N_t (j) (in this case, Σ _{j = 1 to M} N_t ( j) = N_t), and N_t (j) is notified to the time series analysis unit 33. The time series analysis unit 33 analyzes the time series related to N_t (j) in each group j, and detects a time-dependent change in N_t (j) and detects that abnormal traffic has occurred in the group. The abnormal traffic detection unit 34 notifies the operator that abnormal traffic has been detected upon receiving a notification from the time series analysis unit 33 that an abnormality has been detected.

  As described in the first method of the present invention, the traffic detection device 20 of the present embodiment monitors the traffic for each predetermined monitoring unit (for example, a link unit or a unit between the ground), and the third method of the present invention. The number of flows is monitored as a monitoring traffic item in the method, the number M of divided groups is determined by the fourth method, the monitoring traffic is divided into M by the source IP address, and each group is determined by the second method. Anomalous traffic is detected by analyzing the time series of traffic.

  As shown in FIG. 3, the flow information arriving from the router is determined to belong to which group by the group classification unit 32 (note that this procedure is performed for each monitoring unit). Here, as the flow information, a source IP address, a destination IP address, a protocol number, a source port number, a destination port number, a packet number, and a byte number constituting the flow are described. Here, as an example, the address prefix is checked from the source IP address, and flows having the same prefix are mapped so as to belong to the same group. As another example, an AS (autonomous system) number to which the prefix belongs may be checked from the prefix, and if the remainder obtained by dividing the AS number by M is j, it may be mapped to the group j. When the group to be mapped is determined, the fact is notified to the time series analysis unit 33. The time series analysis unit 33 prepares a counter related to the number of generated flows for each group, and upon receiving notification from the group classification unit that a flow has arrived at the group j, the flow number counter N_t (j of the group j ) Is set to N_t (j) ← N_t (j) +1. When a predetermined time interval t0 has elapsed, N_t (j) is a threshold value m (j) + α × σ (j) (m (j) is an average of N_t (j), and σ (j) is a standard deviation. On the other hand, α is compared with a predetermined coefficient), and if the threshold value is exceeded, the abnormal traffic detection unit 34 is notified of this. Thereafter, the average m (j) is updated by m (j) ← (1−γ) × m (j) + γ × N_t (j), and the difference between N_t (j) and m (j) for the past n periods The standard deviation is calculated as σ. Thereafter, N_t (j) is cleared to 0. When the abnormal traffic detection unit 34 receives notification from the time-series analysis unit 33 that abnormality has been detected, the abnormal traffic detection unit 34 notifies the operator of the group number.

On the other hand, the division group number determination unit 31 determines the division group number M according to the following procedure.
Regarding the normal flow, the average m of the number of flows before packet sampling and the variance σ ^ 2 are given. For example, it is obtained by capturing all packets temporarily in advance. Alternatively, the average m of the original number of flows is estimated from the sample flow statistics obtained by packet sampling (for example, the method of Non-Patent Document 2 is used). Next, the variance σ ^ 2 of the original number of flows is estimated by the following procedure. Assume that sample flow information is collected by performing packet sampling with a sampling probability p0, and sample flow information is generated when sampling is performed with a probability p1, p2,... (P1, p2,... <P0) smaller than p0. For example, if p0 = 0.01 and p1 = 0.001, the sample flow obtained with p0 = 0.01 may be further thinned out with a packet sampling probability of 1/10. Next, the average m (pi) and variance σ (pi) ^ 2 of the number of sample flows for each probability pi are calculated. Thereafter, assuming that a relationship of σ ^ 2 = a × m ^ c holds between the average m and the variance σ ^ 2, the measurement result (m (pi), σ ^ 2 (pi)) (i = 0, 1, 2 ,...) Are calculated such that a and c match this relational expression. Specifically, the log of the relational expression is taken, log {σ ^ 2} = a + c × log {m}, and the value log {m (pi)} obtained by taking the log of the measurement result is used as the explanatory variables Xi, log { The relationship between Xi and Yi is linearly approximated to Y = a + cX with σ (pi) ^ 2} as the explained variable Yi, and the slope c and Y intercept a that minimize the approximation error are obtained. When a and c are obtained, the original variance σ ^ 2 is estimated by σ ^ 2 = a × m ^ c. A ^ B means A to the Bth power. Here, it is assumed that the normal flow number Y follows a normal distribution N (m, σ ^ 2) having an average m and a variance σ ^ 2, and F (y, m, σ ^ 2) = P [Y <y] (that is, Y Is calculated using the normal distribution N (m, σ ^ 2)), and the number of abnormal flows d to be detected is d = argmin {d | F (md + α × σ, m, σ ^ 2) Let <ε}. Note that argmin {A | B} means the smallest value of A that satisfies the condition B. Also, ε is a predetermined target value for the abnormal traffic non-detection rate (0 <ε <1). Here, the average number of flows m (p) and variance σ (p) ^ 2 when packet sampling is performed with the sampling probability p is measured, and this is divided into M groups. The flow number m (p, j) is m (p, j) = m (p) / M, and the variance σ (p, j) ^ 2 is σ (p, j) ^ 2 = σ (p) ^ 2 / Calculate by M. With the above preparation, the number M of divided groups is set to M = argmin {M | F (m (p, j) + α × σ (p, j), m (p, j) + d × p, σ (p, j ) ^ 2 + d * p * (1-p)) <[epsilon].

  In the second embodiment, the number M of divided groups is determined by the fourth method of the present invention. In the second embodiment, as in the first embodiment, the number of flows m (p, j) in group j when divided into M groups is set to m (p, j) = m (p) / M. In addition, the flow number distribution ratio w (i) (Σw (i) = 1, 0 <w (i) <1) when divided into M is determined in advance by actual data analysis, and the number of flows is maximized after dividing into M. The number of flows m (p, j) = m (p) × w (j) in the group j (that is, the group in which w (j) is maximum) is used. Further, the variance σ (p, j) ^ 2 is calculated by σ (p, j) ^ 2 = a × m (p, j) ^ c (a and c are determined in advance or determined in advance by actual data analysis). Factor). Other points are the same as in the first embodiment.

  In the third embodiment, instead of grouping based on the source IP address as in the first embodiment, grouping is performed using the destination IP address. Alternatively, grouping may be performed using a protocol number, or grouping may be performed using a source port number or a destination port number. Further, by combining these, for example, flows having the same source IP address and protocol number pair may correspond to a common group. Other points are the same as in the first embodiment.

  In the fourth embodiment, instead of monitoring the number of flows as in the first embodiment, abnormal traffic detection is performed using the number of packets, the number of bytes, or a combination thereof. When monitoring the number of packets, when the time series analysis unit 33 receives a notification that a flow has arrived from the group j, the packet number counter Pkt_t (j) ← Pkt_t (j) + {the flow of the group j Number of packets}. In the case of monitoring the number of bytes, B_t (j) ← B_t (j) + {number of bytes of the flow} may be set. The determination of the number of divided groups M in the case of the number of packets or the number of bytes is as follows.

  In the case of the number of packets, with respect to the normal flow, the average number of arrival packets and the variance at the time interval t0 are measured or estimated in advance. Let this be the average m of all arriving packets from the normal flow before sampling and variance σ ^ 2. Here, it is assumed that the number of normal packets Y follows a normal distribution N (m, σ ^ 2) with an average m and variance σ ^ 2, and F (y, m, σ ^ 2) = P [Y <y] (that is, Y Is calculated using the normal distribution N (m, σ ^ 2)), and the number of abnormal packets d to be detected is d = argmin {d | F (md + α × σ, m, σ ^ 2) <ε. Note that ε is a predetermined target value for the abnormal traffic non-detection rate (0 <ε <1). Here, the average number of packets m (p) and the variance σ (p) ^ 2 when packet sampling is performed with the sampling probability p is measured, and this is divided into M groups. The number of packets m (p, j) is m (p, j) = m (p) / M, and the variance σ (p, j) ^ 2 is σ (p, j) ^ 2 = σ (p) ^ 2 / Calculate by M. With the above preparation, the number M of divided groups is set to M = argmin {M | F (m (p, j) + α × σ (p, j), m (p, j) + d × p, σ (p, j ) ^ 2 + d * p * (1-p)) <[epsilon]}.

In the case of the number of bytes, m is the average number of bytes arrived from all normal flows, and the same procedure as the above-described procedure regarding the number of packets is performed.
The other points are the same as those in the first embodiment.

  FIG. 4, which reports the results of evaluating the effectiveness of the present invention, shows the results of analyzing certain real traffic. The horizontal axis represents time, and the vertical axis represents the number of flows [flows / min]. 4A shows the total number of flows before sampling (sampling probability p = 1), FIG. 4B shows the total number of sample flows when the sampling probability is p = 0.001, and FIG. 4C shows p = It is a time series of the number of sample flows of each group when 0.001 and the number of divided groups M = 5. As shown in FIG. 4A, it can be seen that the number of flows is rapidly increasing. As a result of detailed analysis of the data, it was found that this is SYN flooding in which a certain host sends out SYN packets for a huge number of destination IP addresses. As can be seen by comparing the result of the total number of flows in FIG. 4B (p = 0.001) and the result of FIG. 4C, by dividing the traffic, abnormal traffic that was buried as a whole can be reduced. It can be visually checked. Here, the group is divided into five groups based on the source IP address. Here, in the group D (class D in the figure), the SYN flooding described with reference to FIG.

  As is clear from comparison between FIGS. 4B and 4C, FIG. 4B, which is not divided into groups, shows that the rapid increase in the number of flows due to SYN flooding is not so clear, but is divided into groups. In 4 (c), the rapid increase in the number of flows due to SYN flooding is clear in class D.

  As described above, according to the present invention, it is possible to appropriately detect abnormal traffic that is buried by packet sampling by appropriately dividing the monitoring target traffic.

  The abnormal traffic detection apparatus described above has means for realizing its functions and operations, and the means can be constituted by a computer and a program. Further, hardware may be used in place of part or all of the program.

  As mentioned above, the invention made by the present inventor has been specifically described based on the embodiment. However, the invention is not limited to the embodiment, and various modifications can be made without departing from the scope of the invention. Of course.

It is a graph showing the example in which abnormal traffic is buried when packet sampling is carried out. It is a block diagram which shows the basic structural example of the network to which this invention is applied. It is a block diagram which shows the structural example of the abnormal traffic detection apparatus in this invention. It is an evaluation result which shows the effect of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 20 ... Abnormal traffic detection apparatus, 21-24 ... Router, 31 ... Divided group number determination part, 32 ... Group classification | category part, 33 ... Time series analysis part, 34 ... Abnormal traffic detection part

Claims (7)

Collect and analyze information about the flow, measure the amount of traffic generated at each predetermined time interval t0 for each predetermined monitoring unit, set the traffic amount at the t-th measurement interval as N_t, and see the time variation of N_t In the abnormal traffic detection method in the abnormal traffic detection device for detecting abnormal traffic,
The abnormal traffic detection device comprises group classification means and time series analysis means,
The group classification means groups the observed traffic volume N_t into M according to a predetermined rule, and sets the traffic volume in the jth group to N_t (j) (in this case, Σ _{j = 1 to M} N_t ( j) = N_t) and notifying N_t (j) to the time series analysis means;
The time series analyzing means analyzing a time series related to N_t (j) in each group j, and detecting a temporal change in N_t (j), detecting that abnormal traffic has occurred in the group;
A method for detecting abnormal traffic, comprising: The method for detecting abnormal traffic according to claim 1,
A step of detecting that abnormal traffic has occurred when N_t (j) exceeds a value m + α × σ obtained by multiplying the moving average m by a standard deviation σ when the time series analyzing means analyzes the time series; An abnormal traffic detection method comprising: The method for detecting abnormal traffic according to claim 1,
An abnormal traffic detection method characterized in that any one of the number of generated bytes, the number of generated packets, and the number of generated flows is used as N_t as the amount of traffic to be observed. The abnormal traffic detection method according to claim 3,
The abnormal traffic detection device includes a division group number determining means,
When the division group number determination means monitors the number of flows when determining the division group number M,
Regarding normal flows, the average m of the number of flows before packet sampling and the variance σ ^ 2 are determined in advance by actual data analysis,
Assume that the normal flow number Y follows a normal distribution N (m, σ ^ 2) with an average m and variance σ ^ 2, and F (y, m, σ ^ 2) = P [Y <y] (that is, Y is less than or equal to y) And the number of abnormal flows to be detected d = argmin {d | F (md−α × σ, m, σ ^ 2) < ε} (ε is a predetermined target value for the abnormal traffic non-detection rate (0 <ε <1)),
The average flow number m (p) and variance σ (p) ^ 2 when packet sampling is performed with the sampling probability p is measured, and the flow number m (p) in the group j when this is divided into M groups. , J) is m (p, j) = m (p) / M, and the variance σ (p, j) ^ 2 is calculated by σ (p, j) ^ 2 = σ (p) ^ 2 / M When,
With the preparation of the above step, the number M of divided groups is set to M = argmin {M | F (m (p, j) + α × σ (p, j), m (p, j) + d × p, σ (p, j) setting ^ 2 + d * p * (1-p)) <[epsilon]};
A method for detecting abnormal traffic, comprising: The abnormal traffic detection method according to claim 4,
The division group number determining means includes
Instead of setting m (p, j) = m (p) / M as the number of flows m (p, j) in group j when divided into M groups,
The flow number distribution ratio w (i) (Σw (i) = 1, 0 <w (i) <1) when divided into M is determined in advance by actual data analysis, and the number of flows becomes maximum after dividing into M. The flow number m (p, j) = m (p) × w (j) in the group j (that is, the group in which w (j) is maximum) is set, and the variance σ (p, j) ^ 2 is set to σ (p, j j) ^ 2 = a × m (p, j) ^ c is calculated (a and c are predetermined or coefficients determined in advance by actual data analysis) to determine the number of divided groups M To detect abnormal traffic. Collect and analyze information about the flow sampled by packet sampling, measure the amount of traffic generated at each predetermined time interval t0 for each predetermined monitoring unit, set the traffic amount at the t-th measurement interval as N_t, In the abnormal traffic detection device that detects abnormal traffic by looking at the time variation of N_t,
The observed traffic amount N_t is grouped into M according to a predetermined rule, and the traffic amount in the j-th group is N_t (j) (in this case, Σ _{j = 1 to M} N_t (j) = N_t). , N_t (j), group classification means for notifying the time series analysis means,
A time series analysis unit that analyzes a time series related to N_t (j) in each group j and detects that abnormal traffic has occurred in the group when a temporal change in N_t (j) is detected;
An abnormal traffic detection device comprising:   A program for causing a computer to execute the steps according to any one of claims 1 to 5.

Images