JP2008244632A - System, method, and program for setting object to be monitored, network monitoring system, management device, and collection device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To monitor network traffics of a plurality of objects to be monitored simultaneously by automatically adding an object to be monitored by a network monitoring system. <P>SOLUTION: A monitoring object setting system is the network monitoring system. The network monitoring system has: a plurality of collection means for obtaining traffic flow information having prescribed collection conditions, based on the packet information of all communication packets flowing on one or a plurality of monitoring lines; and a management means for managing the totaling information of a prescribed object to be monitored totaled based on the traffic flow information from respective collection means. In the monitoring object setting system for setting the object to be monitored, there is a monitoring object setting management means for managing monitoring conditions identifying the object to be monitored in the management means, for setting the monitoring setting conditions of a new object to be monitored based on the monitoring object identification information received from an external monitoring object notification means, and for performing setting to respective collection means with the monitoring setting condition as new collection conditions. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a monitoring target setting system, a monitoring target setting method, a monitoring target setting program, a network monitoring system, a management device, and a collection device, for example, multipoint broadband traffic monitoring for observing traffic flow information on a broadband network at multiple points. Applicable to the system.

  In recent years, complex and sophisticated viruses have been generated on the network every day. In addition, with the progress of network technology in recent years, networks are generally widely spread, but it is expected that broadband networks will be widely introduced and penetrated as a social infrastructure in the future due to further technological progress. Therefore, a system that can monitor not only an existing scale network but also a large-scale broadband network and efficiently detect a network abnormality is strongly desired.

  In general, as a conventional network security system, for example, setting of permission or denial in a packet unit by a firewall or unauthorized communication in a packet unit by an intrusion detection system (IDS (Intrusion Detection System) or IPS (Intrusion Prevention System)). Is detected.

  In addition, there are various techniques as a conventional network traffic monitoring system. One of them is a technique for monitoring traffic information such as the amount of communication packets based on packet information of packets passing through the network. (See Patent Document 1).

  For example, as a technique for monitoring the amount of packets on a network, for example, as shown in FIG. 2, a monitoring device is connected from a relay device such as a router or a switching hub using a protocol such as SNMP (Simple Network Management Protocol). Technology that acquires and monitors the amount of packets that pass through, or technology that, for example, a switching device such as a switching hub has a mirror port, provides packets via the mirror port to the monitoring device, and the monitoring device directly measures the packet amount and so on.

  In the conventional network monitoring system, monitoring conditions are set in advance, network traffic is monitored in real time according to the preset conditions, and the traffic flow amount is analyzed.

  By the way, for example, it is not known when and where network failures and virus infections occur. Therefore, conventional investigation and analysis methods such as failures are security system security events (for example, switch-down and traffic flow volume spike detection) Etc.) has occurred after the occurrence.

JP-A-5-260063

  By the way, a conventional firewall, an unauthorized intrusion detection system, or the like can detect a network abnormality in units of communication packets, but cannot recognize the state of the entire network at the time of detection. .

  On the other hand, a conventional network monitoring system monitors a network according to preset monitoring conditions, but cannot automatically set monitoring conditions. Further, the network monitoring system is not linked with a firewall, an unauthorized intrusion detection system, and the like.

  Therefore, for example, after detecting a packet with a security event, a change in the network state is predicted, but the monitoring conditions of the conventional network monitoring system cannot be set automatically, so the traffic flow related to the security event It cannot be observed.

  At this time, if a plurality of monitoring conditions are set and monitored simultaneously, the monitoring target becomes enormous and the monitoring burden may increase. In addition, when setting the monitoring target, the same monitoring target may be simultaneously monitored.

  Therefore, the monitoring target setting system, the monitoring target setting method, the monitoring target setting, which can solve the above problems, can automatically add the monitoring target of the network monitoring system and simultaneously monitor the network traffic of multiple monitoring targets There is a need for programs, network monitoring systems, management devices and collection devices.

  In order to solve such a problem, the monitoring target setting system of the first aspect of the present invention provides a plurality of traffic flow information for a predetermined collection condition based on packet information of all communication packets flowing on one or a plurality of monitoring lines. In the monitoring target setting system for setting the monitoring target, a network monitoring system comprising: a collecting means; and a management means for managing the aggregate information of a predetermined monitoring target that is totaled based on the traffic flow information from each collecting means. (1) Manage monitoring conditions for specifying a monitoring target in the management means, and set a new monitoring target monitoring setting condition based on the monitoring target specifying information received from the external monitoring target notification means, It is characterized by comprising monitoring target setting management means for causing each collecting means to set the monitoring setting condition as a new collecting condition

  A network monitoring system according to a second aspect of the present invention includes: (1) a plurality of collection means for obtaining traffic flow information of a predetermined collection condition based on packet information of all communication packets flowing on one or a plurality of monitoring lines; 2) a management unit that manages aggregate information of a predetermined monitoring target that is aggregated based on traffic flow information from each collection unit; (3) a monitoring target notification unit that notifies monitoring target specifying information that specifies a monitoring target; (4) Manages monitoring conditions for specifying a monitoring target in the management means, sets a new monitoring target monitoring setting condition based on the monitoring target specifying information from the monitoring target notification means, and sets the monitoring setting condition And a monitoring target setting management unit that sets each collection unit as a new collection condition.

  The management device according to the third aspect of the present invention includes a plurality of collection devices for obtaining traffic flow information of a predetermined collection condition based on packet information of all communication packets flowing on one or a plurality of monitoring lines, A management device that constitutes a network monitoring system that includes a management device that manages aggregate information of a predetermined monitoring target that is aggregated based on traffic flow information, and (1) that manages monitoring conditions for identifying the monitoring target in the management device A monitoring target that sets a monitoring setting condition for a new monitoring target based on the monitoring target specifying information received from an external monitoring target notification means, and sets the monitoring setting condition as a new collection condition in each collection device A setting management means is provided.

  According to a fourth aspect of the present invention, there is provided a collection device that obtains traffic flow information of a predetermined collection condition based on packet information of all communication packets flowing on one or a plurality of monitoring lines, A management unit that manages aggregate information of a predetermined monitoring target that is aggregated based on traffic flow information, and a monitoring condition that identifies the monitoring target in the management unit, and that is received from an external monitoring target notification unit Each of the network monitoring systems that includes a monitoring target setting management unit that sets a monitoring setting condition for a new monitoring target based on the target identification information and sets the monitoring setting condition as a new collection condition in each collecting unit In the collection device, (1) When adding new collection conditions, if the monitoring conditions overlap with existing collection conditions, the monitoring period will be extended. , To execute the measurement of the traffic flow acquisition conditions of the existing, if not duplicate, characterized in that it comprises a traffic flow information measurement means for executing the measurement of the traffic flow information based on the new collection condition.

  A monitoring object setting method according to a fifth aspect of the present invention includes a plurality of collection means for obtaining traffic flow information of a predetermined collection condition based on packet information of all communication packets flowing on one or a plurality of monitoring lines, and each collection means In a monitoring target setting method for setting a monitoring target, the network monitoring system includes a management unit that manages total information of a predetermined monitoring target that is totaled based on the traffic flow information from: (1) the monitoring target in the management unit The monitoring target setting management unit that manages the monitoring condition to be specified sets a new monitoring target monitoring setting condition based on the monitoring target specifying information received from the external monitoring target notification unit, and newly sets the monitoring target setting condition. And a monitoring object setting management step for setting each collection means as a proper collection condition.

  The monitoring object setting program of the sixth aspect of the present invention includes a plurality of collection means for obtaining traffic flow information of a predetermined collection condition based on packet information of all communication packets flowing on one or a plurality of monitoring lines, and each collection means A monitoring target setting program for setting a monitoring target in a network monitoring system including a management unit that manages total information of a predetermined monitoring target that is totaled based on traffic flow information from the computer, and (1) in the management unit Monitors monitoring conditions for specifying monitoring targets. Based on the monitoring target specifying information received from the external monitoring target notification means, a new monitoring setting condition for the monitoring target is set, and the new monitoring setting condition is set. Program that functions as a monitoring target setting management unit that causes each collection unit to set as a specific collection condition.

  According to the monitoring target setting system, the monitoring target setting method, the monitoring target setting program, the network monitoring system, the management apparatus, and the collection apparatus of the present invention, the monitoring target of the network monitoring system is automatically added, and a plurality of monitoring target networks are added. Monitor traffic simultaneously

(A) First Embodiment Hereinafter, a first embodiment of a monitoring target setting system, a monitoring target setting method, a monitoring target setting program, a network monitoring system, a management apparatus, and a collection apparatus according to the present invention will be described with reference to the drawings. To do.

(A-1) Configuration of the First Embodiment FIG. 1 is a configuration diagram showing the overall configuration of the network monitoring system of the first embodiment. In FIG. 1, a network monitoring system 6 according to the first embodiment includes a manager device 1, a collection probe device 2 (2-1 to 2-2), a detection device 3, and a relay device 5 (5-1 to 5-2). And at least an administrator terminal 7.

  In the first embodiment, as a network medium, for example, a wired line such as an electric line or an optical fiber line, or a part having all or part of a wireless line can be applied. Further, the protocol corresponding to the transport layer of the OSI basic reference model is not particularly limited, but, for example, TCP, UDP, ICMP, or the like can be applied.

  The collection probe devices 2-1 to 2-2 connect to the relay devices 5-1 to 5-2, acquire all the packets that pass on the relay devices 5-1 to 5-2, and packet information of all the packets. Based on the above, the traffic volume of traffic corresponding to a predetermined collection condition (hereinafter also referred to as traffic flow statistical information) is measured. The collection probe devices 2-1 to 2-2 provide the measured traffic flow statistical information to the manager device 1 constantly or periodically.

  When the collection probe devices 2-1 to 2-2 receive the setting information to be monitored from the manager device 1, the collection probe devices 2-1 to 2-2 set collection conditions for collecting packet information according to the setting information.

  At this time, the collection probe devices 2-1 to 2-2 can set a plurality of collection conditions, and measure traffic flow statistical information for each collection condition. As a result, even when a new collection condition is added, the traffic flow statistical information measurement process corresponding to the collection condition set before the addition, and the traffic flow statistical information measurement process corresponding to the added collection condition Can be executed simultaneously. As a result, the traffic volume of the packet related to the security event can be measured during the event occurrence period.

  Further, the collection probe devices 2-1 to 2-2 determine whether the monitoring target to be added is new or existing when adding the collection condition to be monitored, and are the new monitoring targets. In this case, the setting information is newly added, and if the monitoring target is an existing monitoring target, the monitoring setting is managed to be postponed. Note that the determination of whether or not the information is existing is based on the determination of whether or not the information overlaps with existing setting information.

  Further, when the collection probe devices 2-1 to 2-2 receive the setting information to be monitored from the manager device 1, the collection probe devices 2-1 to 2-2 determine whether the monitoring time condition is in the past time range based on the setting information, When the setting information is a past time condition, the packet information of the monitoring time condition is used for analysis of a failure or the like from the already held packet information while maintaining the measurement processing of the real-time traffic flow statistical information. Save separately.

  FIG. 4 is a functional block diagram illustrating main internal functions of the collection probe apparatus 2 (2-1 to 2-2) according to the first embodiment. As shown in FIG. 4, the collection probe apparatus 2 includes a packet acquisition unit 201, a packet information holding unit 202, a collection target selection unit 203, a manager transmission / reception unit 204, an analysis unit 205, a new traffic amount storage unit 206, an analysis unit 207, A new traffic amount storage unit 208.

  The packet acquisition unit 201 captures all communication packets that pass through the relay device 5. As an acquisition method of the packet acquisition unit 201, for example, a method of acquiring from the relay device 5 (for example, a router or a switching hub) using a protocol such as SNMP, or a connection to the mirror port of the relay device 5 and flowing over the network A method of acquiring a packet can be applied.

  The packet information holding unit 202 holds packet information of all communication packets acquired by the packet acquisition unit 201 in association with reception times.

  The collection target selection unit 203 selects conditions for collecting packet information according to the setting information from the manager device 1.

  Here, the setting information from the manager device 1 specifies, for example, a monitoring condition for specifying a monitoring target (for example, a transmission source IP address, a transmission destination IP address, a VLAN tag number, a communication port number, etc.) and a monitoring time range. Packet information analysis rule information having time conditions (for example, monitoring start time, monitoring end time, etc.), alert setting information (for example, setting information for unauthorized communication such as port scan or IP sweep, threshold value for each port or application) Etc.) and the like.

  In addition, when new setting information of the monitoring target is notified from the manager device 1, the collection target selection unit 203 activates an analysis unit 207 different from the analysis unit 205 that is currently being executed, and according to the new collection conditions. Measurement of traffic flow statistics information is executed.

  Further, the collection target selection unit 203 determines whether or not the time condition that is the received monitoring target setting information specifies a past time range, and the time condition specifies a past time range. In this case, packet information according to the setting information is collected from an existing packet information storage unit (not shown), and traffic flow statistical information under a predetermined collection condition is measured.

  The manager transmission / reception unit 204 exchanges various types of information with the manager device 1. The manager transmission / reception unit 204 transmits the traffic flow statistical information stored in the new traffic amount storage units 206 and 208 to the manager device 1 at predetermined time intervals. The time interval for transmitting the traffic flow statistical information can be arbitrarily set / changed, and may be set / changed in accordance with an instruction from the manager device 1.

  The analysis unit 205 measures the traffic volume of the traffic to be collected by counting the number and size of currently passing packets according to the collection conditions selected by the collection target selection unit 203 for each unit time. Thereby, the traffic flow statistical information to be monitored can be obtained in real time.

  The analysis unit 207 also has the same function as the analysis unit 205. The analysis unit 207 measures the traffic flow statistical information according to the newly added collection condition, and the analysis unit 207 executes the measurement process of the traffic flow statistical information before adding the new collection condition. It is.

  The new traffic volume storage units 206 and 208 store the traffic flow statistical information obtained by the analysis units 205 and 207. The traffic flow statistical information stored in the new traffic volume storage units 206 and 208 is transmitted to the manager device 1 by the manager transmission / reception unit 204 constantly or periodically.

  If the monitoring target setting conditions are within the past time range, data in this time range should be stored in a storage area that can be stored for a long time, and only the information necessary for analysis should be stored for a long time. To.

  Returning to FIG. 1, the manager apparatus 1 will be described. The manager device 1 acquires the traffic information collected by the plurality of collection probe devices 2-1 to 2-2 constantly or periodically, and totals the traffic flow information for each predetermined monitoring target. Thereby, it is possible to aggregate the traffic flow statistical information from each of the collection probe devices 2 arranged at multiple points. Furthermore, by processing these traffic flow statistical information, the traffic analysis of the entire broadband network can be performed. Obtainable.

  In addition, when the manager device 1 fetches the setting information for specifying the monitoring target of the network traffic from the administrator terminal 7 or the detection device 3, the manager device 1 manages the setting information of the monitoring target and all the setting information of the monitoring target. The collection probe device 2 (2-1 to 2-2) is notified.

  Note that the initial setting of the setting information to be monitored for network traffic is basically based on an instruction from the administrator terminal 7. However, after that, when the detection device 3 detects a packet of a predetermined security event, the detection device 3 instructs the manager device 1 to set the setting information for monitoring the event, and the setting information for monitoring the event. Is automatically set by the manager device 1.

  FIG. 5 is a functional block diagram illustrating a main functional configuration of the manager device 1 according to the first embodiment. As illustrated in FIG. 5, the manager device 1 includes a monitoring setting reception unit 101, a monitoring target setting management unit 102, and an output control unit 103.

  The monitoring setting reception unit 101 receives monitoring target setting information from the administrator terminal 7 and / or the detection device 3, and provides the monitoring target setting information to the monitoring target setting management unit 102.

  Here, the setting information to be monitored from the administrator terminal 7 corresponds to the setting information captured in response to the operation of the administrator. Further, the monitoring target setting information from the detection device 3 corresponds to packet information and detection time information of a packet detected by the detection device 3 according to a predetermined security event detection condition.

  The monitoring target setting management unit 102 manages the setting information of one or a plurality of monitoring targets acquired by the monitoring setting reception unit 101, and stores the monitoring target setting information for all the collection probe devices 2 (2-1 to 2-). 2).

  FIG. 6 is an explanatory diagram illustrating a configuration example of setting information to be monitored. In FIG. 6, as setting information to be monitored, as described above, for example, a monitoring condition such as a transmission source IP address, a transmission destination IP address, a VLAN number, a protocol ID, a communication port number, and a time condition for specifying a monitoring time And at least information.

  In FIG. 6, the time condition is that the monitoring time range is not specified like “Condition No. 1”, or the monitoring time range is specified like “Condition No. 2”. Can do. For example, in the case of “Condition No. 2” and “Condition No. 3”, monitoring is started from “2007/2/1, monitoring period is updated on 2007/2/15, and monitoring is performed on 2007/3/15” For example, in the case of “Condition No. 4”, it is a condition for analyzing past data from 2006/10/1 to 2007/3/15.

  Note that FIG. 6 shows a case where the monitoring target setting management unit 102 manages two types of conditions, but three or more types of conditions can also be managed. In this case, there may be two or more types for which the time condition is set, and / or two or more types for which the time condition is not set.

  The output control unit 103 acquires the traffic flow statistical information analyzed by each of the collection probe devices 2-1 to 2-2 from all the collection probe devices 2-1 to 2-2, and performs predetermined processing based on each traffic flow statistical information. A processing process (for example, an aggregation process or the like) is performed, and the processing result is output to the administrator terminal 7.

  Returning to FIG. 1, the administrator terminal 7 is a terminal operated by the administrator of the network monitoring system 6 of the first embodiment, and corresponds to an information processing apparatus such as a personal computer. The administrator terminal 7 receives the setting information of the monitoring target in response to the operation of the administrator, gives the setting information of the monitoring target to the manager device 1, and receives the operation of the administrator, In cooperation, it displays the traffic flow statistical results that have been subjected to predetermined processing.

  The detection device 3 is a security system that detects a packet of communication content that matches a predetermined communication invalid condition or an incident event. For example, a security system such as a firewall, an unauthorized intrusion detection system represented by IDS, IPS, or the like is used. Applicable. When the detection device 3 detects a packet that matches a predetermined detection condition, the packet information (for example, transmission source IP address, transmission destination IP address, VLAN number, port number, protocol ID, etc.) and detection time information are detected by the manager device. 1 is given. 1 shows a case where one detection device 3 is shown for convenience of explanation, a plurality of detection devices 3 may be provided.

  The relay devices 5 (5-1 to 5-2) correspond to devices such as switching hubs and routers, for example, and give all passing packets to the corresponding collection probe devices 2-1 to 2-2.

(A-2) Operation of the First Embodiment Next, in the network monitoring system 6 of the first embodiment, processing conditions for automatically adding network traffic monitoring conditions and monitoring the network will be described with reference to the drawings. While explaining.

  In FIG. 1, when an administrator of the network monitoring system 6 inputs monitoring target setting information using the administrator terminal 7, the administrator terminal 7 gives the input monitoring target setting information to the manager device 1. (Step S1).

  Note that the monitoring target setting information in step S1 corresponds to the setting information set in advance as in the prior art. That is, the setting information to be monitored includes monitoring conditions such as a transmission source IP address, a transmission destination IP address, a VLAN number, a communication port number, and a time condition.

  In the manager device 1, when the monitoring setting reception unit 101 receives the monitoring target setting information from the administrator terminal 1, the monitoring setting reception unit 101 gives the received monitoring target setting information to the monitoring target setting management unit 102. When the monitoring target setting information is given to the monitoring target setting management unit 102, the monitoring target setting information is managed by the monitoring target setting management unit 102 and all the collection probe devices 2- 1-2 is notified (step S2).

  In each of the collection probe devices 2-1 to 2-2, all the packets flowing on the monitoring line are acquired by the packet acquisition unit 201, and the packet information of all packets is stored by the packet information holding unit 202 (step S3).

  Then, the traffic flow statistical information according to the collection condition based on the monitoring target setting information is measured by the analysis unit 205 of each of the collection probe devices 2-1 to 2-2 and stored in the new traffic amount storage unit 206. Thereafter, the measured traffic flow statistical information is transmitted to the manager device 1 at predetermined time intervals by the manager transmission / reception unit 204 (step S4).

  The above is the basic network monitoring process flow of the network monitoring system 6. As a result, the manager device 1 obtains an aggregate result obtained by performing predetermined processing on the basis of the traffic flow statistical information collected from all the collection probe devices 2-1 to 2-2, and the aggregate result Can be output to the administrator terminal 7.

  Thereafter, the detection device 3 detects a packet of a security event that matches a predetermined detection condition. In addition, since the existing technique can be applied to the detection process of the detection apparatus 3, detailed description here is abbreviate | omitted.

  Then, the detection device 3 transmits packet information (for example, transmission source IP address, transmission destination IP address, VLAN number, communication port number, protocol ID, etc.) and detection time information of the detected packet to the manager device 1 ( Step S5).

  When packet information and detection time information are provided from the detection device 3 to the manager device 1, the monitoring target setting management unit 102 of the manager device 1 manages the packet information and detection time information as new monitoring target setting information. The

  That is, the monitoring target setting management unit 102 manages the content of the packet information from the detection device 3 as the content of the monitoring condition and the detection time information from the detection device 3 as the time condition (monitoring start time).

  Then, the monitoring target setting management unit 102 notifies the new monitoring target setting information to all the collection probe devices 2-1 to 2-2 (step S6).

  When new monitoring target setting information is given from the monitoring target setting management unit 102 to all of the collection probe devices 2-1 to 2-2, the collection probe devices 2-1 to 2-2 perform the following operations. .

  FIG. 7 is a flowchart showing the traffic amount measurement operation in each of the collection probe devices 2-1 to 2-2.

  First, when new monitoring target setting information is acquired by the manager transmission / reception unit 204 (step S101), the collection target selection unit 203 determines that the content of the acquired monitoring target setting information is a new collection condition. Determination is made (step S102).

  At this time, it is determined whether or not the new monitoring target setting information is a new collection condition by determining whether or not the new monitoring target setting information overlaps with the existing monitoring target setting information. If the new monitoring target setting information does not overlap with the existing setting information, it is determined as a new collection condition.

  Then, the collection target selection unit 203 activates another analysis unit 207 different from the currently executed analysis unit 205 (step S103), and the traffic flow corresponding to the collection condition based on the new monitoring target setting information The statistical information is analyzed by the analysis unit 207 (step S104), and the analysis result is stored in the new traffic amount storage unit 208 (step S105).

  Then, the traffic volume in the new traffic volume storage unit 208 is transmitted to the manager device 1 at predetermined time intervals by the manager transmission / reception unit 204 (step S106, step S7 in FIG. 1).

  At this time, the processing of the analysis unit 207 is executed in parallel with the processing of the analysis unit 205. As a result, the analysis process of the analysis unit 205 and the analysis process of the analysis unit 207, which are executed before setting a new collection condition, can be executed simultaneously.

  On the other hand, when the new monitoring target setting information overlaps with the existing setting information in step S102, the monitoring period of the analysis unit 205 that analyzes the existing monitoring target is extended. Thereby, it is possible to efficiently monitor the same monitoring target without newly adding monitoring.

  For example, it is assumed that “condition No. 2” in FIG. If “condition No. 3” is set as a new monitoring target, the new “condition No. 3” has a different time condition, but the monitoring condition overlaps with “condition No. 2”. Therefore, in this case, the monitoring period of the monitoring according to “condition No. 2” is extended from the time of “condition No. 2” to the time of “condition No. 3”.

  When the setting information to be monitored indicates a past time range, only the collected information necessary for analysis (for example, packet information at the time of alert detection) is stored so that it can be stored for a long period of time.

  As a result, in the manager device 1, the traffic flow statistical information of the new collection condition for which the event is to be monitored is aggregated within the event occurrence period while the traffic flow statistical information of the existing collection condition is retained. Can do. Thus, for example, if an attack on country B originating from country A occurred in the past hour, at the current time point affected by this attack, The traffic can be analyzed.

(A-3) Effect of First Embodiment As described above, according to the first embodiment, a plurality of packets are obtained based on packet information and detection time information acquired from another security system during network monitoring. Since a monitoring condition can be added, the monitoring time and the monitoring range can be changed without initializing the monitoring state.

  As a result, system monitoring that is not affected by time conditions and monitoring conditions can be realized in network monitoring of a multi-site / wide area network.

(B) Other Embodiments (B-1) In the first embodiment, one manager device is provided in one network, but a plurality of manager devices may be provided. In this case, an overall management device that further supervises a plurality of manager devices may be provided.

  Further, one observation probe device may observe a traffic flow passing through a plurality of relay devices. In this case, the observation probe device needs to identify which router the traffic flow has passed through is statistical information.

(B-2) The functional units included in the collection probe device described in the first embodiment may not be physically mounted on the same collection probe device. That is, as long as cooperation processing can be achieved between the functional units and the functions described in the first embodiment can be realized, the functional units may be separately distributed. Similarly, each functional unit included in the manager device of the first embodiment may be separately distributed.

  The manager device may have a part or all of the functional units of the collection probe device, or the collection probe device may have some or all of the functional units of the manager device.

  Furthermore, the relay device may be mounted with part or all of the functional units included in the collection probe device, or may be mounted with part or all of the functional units included in the manager device. Further, the relay device may be mounted with a part or all of the functional units of the collection probe device and a part or all of the functional units of the manager device.

(B-3) In the first embodiment, the manager device 1 has shown a case where the monitoring target setting information of all the collection probe devices 2 is managed in common. However, the manager device 1 may manage the setting information to be monitored for each one or a plurality of collection probe devices 2.

(B-4) The monitoring target notification means in the claims is not limited to the detection device 3 of the first embodiment, but is a concept including an administrator terminal and other security systems. Further, other security systems including the detection device 3 may exist in an external network.

(B-5) The collection probe device and the manager device described in the first embodiment can be realized by software processing realized by a hardware resource (for example, a CPU) executing a program. That is, various functions of the collection probe device and the manager device are stored as programs. Note that the processing of the collection probe device and the manager device may be realized by hardware.

It is a figure which shows the operation | movement which monitors the traffic in the past monitoring time range with the whole structure of the network monitoring system of 1st Embodiment. It is explanatory drawing explaining the conventional network monitoring system (the 1). It is explanatory drawing explaining the conventional network monitoring system (the 2). It is a functional block diagram which shows the internal structure of the collection probe apparatus of 1st Embodiment. It is a functional block diagram which shows the internal structure of the manager apparatus of 1st Embodiment. It is explanatory drawing explaining the example of the content of the setting information of the monitoring object of 1st Embodiment. It is an operation | movement flowchart which shows the process of the collection probe apparatus of 1st Embodiment.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Manager apparatus, 2-1 to 2-2 ... Collecting probe apparatus, 3 ... Detection apparatus, 5-1 to 5-2 ... Relay apparatus, 101, 301 ... Monitoring setting reception part, 102 ... Monitoring object setting part, 103 DESCRIPTION OF SYMBOLS Output control part 201 ... Packet acquisition part 202 ... Packet holding part 203 ... Collection target selection part 204 ... Manager transmission / reception part, 205, 207 ... Analysis part, 206, 208 ... New traffic amount memory | storage part.

Claims (9)

A plurality of collection means for obtaining traffic flow information of a predetermined collection condition based on packet information of all communication packets flowing on one or a plurality of monitoring lines;
In a monitoring target setting system for setting the monitoring target, a network monitoring system comprising: a management unit that manages total information of a predetermined monitoring target that is totaled based on the traffic flow information from each of the collecting means;
The monitoring means for managing the monitoring target in the management means is managed, and based on the monitoring target specifying information received from the external monitoring target notification means, a new monitoring target monitoring setting condition is set. A monitoring target setting system comprising monitoring target setting management means for causing each of the collection means to set a monitoring setting condition as the new collection condition.   The monitoring object notifying means is an illegal packet detecting means for detecting an illegal packet, and the monitoring target specifying information includes packet information and / or detection time information of the illegal packet detected by the illegal packet detecting means. The monitoring object setting system according to claim 1.   The monitoring object setting system according to claim 1 or 2, wherein the monitoring object setting management means can simultaneously set a plurality of monitoring setting conditions having different contents. A plurality of collection means for obtaining traffic flow information of a predetermined collection condition based on packet information of all communication packets flowing on one or a plurality of monitoring lines;
Management means for managing aggregate information of a predetermined monitoring target that is aggregated based on the traffic flow information from each of the collection means;
Monitoring target notification means for notifying monitoring target specifying information for specifying a monitoring target;
A monitoring condition for specifying the monitoring target in the management means is managed, and a new monitoring target monitoring setting condition is set based on the monitoring target specifying information from the monitoring target notification means, and the monitoring setting is set. A network monitoring system comprising: a monitoring target setting management unit that causes each of the collection units to set a condition as a new collection condition.   When each of the collection means is additionally set with the new collection condition, the traffic flow information is based on the new collection condition in parallel with the measurement of the traffic flow information based on another existing collection condition. The network monitoring system according to claim 4, further comprising a traffic flow information measuring unit that measures A plurality of collection devices for obtaining traffic flow information of a predetermined collection condition based on packet information of all communication packets flowing on one or a plurality of monitoring lines;
A management device that configures a network monitoring system comprising: a management device that manages aggregate information of a predetermined monitoring target that is aggregated based on the traffic flow information from each of the collection devices,
A monitoring condition for specifying the monitoring target in the management device is managed, and a monitoring setting condition for a new monitoring target is set based on the monitoring target specifying information received from an external monitoring target notifying unit, and the monitoring is performed. A management apparatus comprising monitoring target setting management means for causing each collection apparatus to set a setting condition as a new collection condition. A plurality of collection means for obtaining traffic flow information of a predetermined collection condition based on packet information of all communication packets flowing on one or a plurality of monitoring lines;
Management means for managing aggregate information of a predetermined monitoring target that is aggregated based on the traffic flow information from each of the collection means;
The monitoring means for managing the monitoring target in the management means is managed, and based on the monitoring target specifying information received from the external monitoring target notification means, a new monitoring target monitoring setting condition is set. In each of the collection devices constituting the network monitoring system comprising: a monitoring target setting management unit that causes the collection unit to set a monitoring setting condition as a new collection condition.
When the new collection condition is added, if the monitoring condition overlaps with the existing collection condition, the monitoring period is extended and the traffic flow measurement of the existing collection condition is executed. A collection apparatus comprising: traffic flow information measurement means for executing measurement of the traffic flow information based on a new collection condition. A plurality of collection means for obtaining traffic flow information of a predetermined collection condition based on packet information of all communication packets flowing on one or a plurality of monitoring lines;
A monitoring target setting method for setting the monitoring target in a network monitoring system comprising: management means for managing aggregate information of a predetermined monitoring target totaled based on the traffic flow information from each of the collecting means,
The monitoring target setting management means for managing the monitoring condition for specifying the monitoring target in the management means sets the monitoring setting condition for the new monitoring target based on the monitoring target specifying information received from the external monitoring target notification means. A monitoring object setting method comprising: a monitoring object setting management step for causing the collection means to set the monitoring object setting condition as a new collection condition. A plurality of collection means for obtaining traffic flow information of a predetermined collection condition based on packet information of all communication packets flowing on one or a plurality of monitoring lines;
A monitoring target setting program for setting the monitoring target in a network monitoring system comprising: management means for managing the total information of a predetermined monitoring target totaled based on the traffic flow information from each of the collecting means,
On the computer,
The monitoring means for managing the monitoring target in the management means is managed, and based on the monitoring target specifying information received from the external monitoring target notification means, a new monitoring target monitoring setting condition is set. A monitoring target setting program that functions as a monitoring target setting management unit that causes each collection unit to set a monitoring setting condition as a new collection condition.

Images