JP2009044501A - Traffic amount change factor specifying method, system, program, and recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To solve the problem wherein, abnormal traffic such as a DDoS (distributed denial of service) attack, traffic concentration, device failure, or the like, is generally detected as variables of the traffic amount in network management but which cause traffic cannot be understood by mere detection, so that it is impossible to understand the current situation, cope with abnormal traffic and take countermeasures. <P>SOLUTION: Traffic that causes a traffic amount change is compared with traffic, before occurrence of the traffic amount change and traffic under the occurrence of the change, so that only the traffic that causes the change is extracted as a flow identifier. In this flow identifier determination, trade-off relation of three elements of a degree of contribution to the traffic amount change of traffic corresponding to the flow identifier, the degree of presence, prior to the change and the number of flow identifiers, is optimized according to an evaluation expression, thereby a flow identifier that maximizes the degree of contribution to the traffic amount change with the minimum number of flow identifiers and minimizing the degree of presence prior to the change is decided. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention is based on the traffic information obtained from the traffic flowing on the network or the accumulated traffic information when the traffic volume change is detected by an external device or manually designated. It relates to the technology that identifies the traffic that became.

  Network operators such as ISP (Internet Service Provider) usually monitor the network traffic situation in time series of traffic volume (bytes per second / packets per second), DDoS (Distributed Denial of Service) attacks, traffic concentration Anomalies such as device failures are detected by changes over time.

  However, simply discovering the change in traffic volume does not reveal the cause of the change, and it is impossible to grasp, deal with, or take countermeasures for the current situation. In order to implement countermeasures against traffic changes, a method for identifying the cause traffic that caused the traffic change is necessary.

  There have been many proposals for this approach, particularly in the field of DDoS attack detection and analysis.

  Among these, Patent Document 1 proposes a method of identifying the cause of traffic volume change as a multidimensional flow identifier by capturing the traffic that caused the traffic volume change as attribute values in a plurality of attribute types. Yes.

  On the other hand, since this method monitors changes in traffic volume in units of traffic destination addresses and transmission source addresses, if the traffic volume changes due to traffic that is distributed by attack sources that occur in DDoS attacks, etc. There is a problem that the amount of traffic per source address is small and the attack source cannot be accurately identified.

  As a countermeasure against this distributed attack source, in Patent Document 2, clustering is performed for the attribute type of the source and destination addresses, which is treated as a cluster in which attribute values are specified using a prefix, and the traffic volume of each cluster A method to observe changes is proposed.

  However, the cause of the traffic amount change performed in Patent Document 2 is performed only independently for each of the source address attribute and the destination address attribute, and as a result, the flow identifier having only the source address information and the destination address information The flow identifier having only the address is output independently, and the flow identifier cannot be specified as a pair of the source address and the destination address. For this reason, there is a problem that the change cause traffic identification accuracy is low as compared with the multidimensional flow identifier which is a total of a plurality of attribute types.

  In Non-Patent Document 1, as a proposal having the advantages of the above two methods, a multi-dimensional traffic amount change cause identifying method using a range as an attribute value is proposed. In this method, the traffic that has contributed to the traffic change is specified as the multidimensional flow identifier.

JP 2005-159551 A Japanese Patent Laying-Open No. 2005-210601 C. Estan, S. Savage, G. Varghese, “Automatically Inferring Patterns of Resource Consumption in Network Traffic,” SIGCOMM'03. G. Pack, J. Yoon, E. Collins, C. Estan, “On Filtering of DDoS Attacks Based on Source Address Prefixes,” SecureComm'06.

  However, none of the proposals described above takes into account how much traffic of the identified flow identifier has existed before the occurrence of the change when the change cause traffic is specified. The amount of traffic identified by the flow identifier before the change in traffic volume is referred to as the degree of presence before the change. When the traffic identified by the flow identifier has a large presence before the change, there is a problem that there is a high possibility that normal traffic is also filtered when control such as filtering is performed on the corresponding flow identifier.

  In addition, the method of Non-Patent Document 1 identifies the change cause traffic by clustering the traffic in the normal section and the traffic in the abnormal section and then extracting the difference in the traffic amount between the clusters. There is a problem that the amount of calculation in the difference extraction is large, and in addition, an error accompanying clustering is included in the specific result.

  On the other hand, Non-Patent Document 2 proposes a method for identifying a cause of change that can reduce the degree of presence before the change. However, the cause of change by this proposal is limited to the source address attribute, and traffic identification information that combines other attribute types cannot be obtained. For this reason, there is a problem that the change cause traffic identification accuracy is low as compared with the multidimensional flow identifier which is a total of a plurality of attribute types.

  The present invention has been made to solve these problems, and the object of the present invention is to extract the difference of the traffic to be analyzed prior to the traffic clustering, so that the range in which the traffic clustering is performed, The amount of calculation is reduced by limiting the range to include the traffic that contributed to the change.

  The second object of the present invention is to maximize the contribution to the change in traffic volume in the abnormal section while reducing the presence before the change by considering the traffic distribution in the normal section when identifying the cause of change traffic. And reducing the number of flow identifiers.

Here, the following trade-off relationship exists between the presence degree, the contribution degree, and the number of flow identifiers of the second object.
In order to reduce the presence before the change, when a flow identifier with a certain contribution level or more is output using a plurality of narrow range flow identifiers, the number of flow identifiers increases.
-Conversely, if the range is widened, a high coverage can be realized with a small number of flow identifiers, but the presence before the change increases.

  The second object of the present invention is to identify the traffic causing the change in traffic volume while optimizing this trade-off.

  Of the inventions disclosed in this specification, the outline of typical ones will be briefly described as follows.

  A first invention is a traffic volume change cause identifying method in a traffic volume change cause identifying system for identifying cause traffic of a traffic volume change by using one or a plurality of flow identifiers, wherein the traffic volume change cause identifying system includes: , Attribute type independent difference acquisition means, attribute type independent clustering means and multiple attribute clustering means, the attribute type independent difference acquisition means, each attribute type of the traffic data of the normal section and the traffic data of the abnormal section, respectively In each of the attribute values of the normal section and abnormal section independently, the normal section traffic volume and the attribute type independent difference acquisition step for obtaining the differential traffic volume that is the difference between the normal section and the abnormal section traffic volume, The clustering means independent of attribute type is the normal An attribute type independent clustering step for obtaining a one-dimensional flow identifier of the attribute type for each attribute type from the traffic amount between and the difference traffic amount, and the multiple attribute clustering means And a multi-attribute clustering step of creating a multi-dimensional flow identifier of a multi-attribute type by combining the one-dimensional flow identifiers.

  According to a second aspect, in the first aspect, the multidimensional flow identifier includes a source address, a destination address, a protocol, a source port, a destination port, a TTL (Time To Live), a source AS number. , A destination AS number, a router interface number used for transfer, and a transit router, and a combination of attribute values in a single or a plurality of attribute types.

  According to a third invention, in the first invention, an attribute value range is used as an attribute value constituting the flow identifier.

  According to a fourth aspect, in the first aspect, when determining the flow identifier in the attribute type independent clustering step and / or the multiple attribute clustering step, a contribution to a change in traffic volume due to traffic corresponding to the flow identifier Considering the trade-off relationship between the three factors, the degree of traffic, the presence before the change of traffic corresponding to the flow identifier, and the number of flow identifiers, the contribution to the change in traffic volume is maximized with the minimum number of flow identifiers. The flow identifier is determined so as to minimize the presence before the change.

  In a fifth aspect based on the first aspect, each of the one or more flow identifiers has information on a degree of contribution to the amount of change in traffic corresponding to each flow identifier and an existing degree before the change. It is characterized by.

  A sixth aspect of the present invention is a traffic volume change cause identifying system for identifying a cause traffic of a traffic volume change by using one or a plurality of flow identifiers, and each attribute type of traffic data in a normal section and traffic data in an abnormal section In each, independently for each attribute value of the normal section / abnormal section, the traffic amount of the normal section and the attribute type independent difference acquisition means for obtaining the difference traffic amount that is the difference between the traffic amount of the normal section and the abnormal section; An attribute type-independent clustering means for obtaining a one-dimensional flow identifier of the attribute type for each attribute type from the traffic volume of the normal section and the difference traffic amount, and the one-dimensional flow identifier obtained for each attribute type To create a multi-attribute type multi-dimensional flow identifier. Characterized in that it comprises a grayed means.

  A seventh invention is a program for causing a computer to execute the steps of the first invention.

  An eighth invention is a computer-readable recording medium recording a program for causing a computer to execute the steps of the first invention.

According to the present invention,
-By extracting the difference of the traffic to be analyzed prior to traffic clustering, the amount of calculation can be reduced by limiting the range of traffic clustering to the range that includes the traffic that contributed to the change,
-By considering the traffic distribution in the normal section at the time of clustering, it becomes possible to identify the cause of change traffic with a reduced presence before the change.
・ In addition, by using the evaluation formula to evaluate the trade-off between the degree of presence before the change in traffic volume, the degree of contribution to the traffic volume change by the traffic specified by the flow identifier, and the number of flow identifiers A set of optimized flow identifiers can be output.

Next, embodiments of the present invention will be described with reference to the drawings.
FIG. 1 shows a block diagram of a traffic volume change cause identifying system including a method according to an embodiment of the present invention. 101 is attribute type independent difference acquisition means, 102 is attribute type independent clustering means, and 103 is a multi-attribute clustering means. The traffic amount change cause identifying system of this embodiment is an apparatus including an attribute type independent difference acquisition unit 101, an attribute type independent clustering unit 102, and a multi-attribute clustering unit 103. The traffic amount change cause identifying system of this embodiment can be configured by one or a plurality of computers and programs. Moreover, you may comprise using hardware instead of a part or all of the said program.

  111 is the traffic data of the normal section, and 112 is the traffic data of the abnormal section. The traffic data 111 in the normal section and the traffic data 112 in the abnormal section are input information to the attribute type independent difference acquisition unit 101. 121 to 125 and 131 to 135 are internal intermediate information output from the attribute type independent difference acquisition unit 101, and these are input to the attribute type independent clustering unit 102. Reference numerals 141 to 145 denote internal intermediate information output by the attribute type independent clustering unit 102, and these are input to the multi-attribute clustering unit 103. 151 is a multi-attribute flow identifier (multi-dimensional flow identifier) output from the multi-attribute clustering means 103. The multi-attribute flow identifier 151 is the final output information of the traffic amount change cause identifying system of this embodiment.

  The outline of the operation of the traffic amount change cause identifying system of this embodiment is as follows. First, the attribute type-independent difference acquisition means 101 performs normal section traffic for each attribute value of the normal section / abnormal section independently for each attribute type of the traffic data 111 of the normal section and the traffic data 112 of the abnormal section. The amount 121-125 and the difference traffic amount 131-135 which is the difference of the traffic amount of a normal area and an abnormal area are calculated | required. Next, the attribute type-independent clustering means 102 obtains the one-dimensional flow identifiers 141 to 145 of the attribute type for each attribute type from the traffic amounts 121 to 125 in the normal section and the differential traffic amounts 131 to 135. Next, the multi-attribute clustering means 103 creates a multi-attribute type multi-attribute flow identifier (multi-dimensional flow identifier) 151 by combining the one-dimensional flow identifiers 141 to 145 obtained for each attribute type and outputs them. To do.

  The input of the traffic volume change cause identification system is (1) normal section / abnormal section specification information (each start / end time information) specifying the traffic volume change to be analyzed, and (2) normal section / abnormal It is two of the traffic data of the analysis object containing the traffic of an area.

  The traffic data 111 of the normal section and the traffic data 112 of the abnormal section shown in FIG. 1 are obtained from the traffic of the normal section / abnormal section (2) using the section designation information of the normal section / abnormal section (1). The traffic data in the normal section and the traffic data in the abnormal section abnormal section created from the traffic data to be analyzed. The traffic data in the normal section is the traffic data before the occurrence of the change, and the traffic data in the abnormal section is the traffic data in which the change is occurring.

  Upon receiving these inputs, the attribute type independent difference acquisition unit 101 counts the traffic data 111 in the normal section and the traffic data 112 in the abnormal section as the traffic amount corresponding to the attribute value that appears for each attribute type. To do. This is referred to as normal section traffic and abnormal section traffic for each attribute type.

  The attribute type is a source address, a destination address, a protocol, a source port, a destination port, a source AS number, a destination AS number, which are constituent elements of the multiple attribute type flow information to be finally obtained. , Router interface number used for transfer, via router. Among these attribute types, information other than the relay router can be acquired by NetFlow / sFlow, which is traffic data output from the router. The route router information can be calculated from the source address and the destination address using the route information.

  The attribute value that appears is, for example, each source host address if it is a source address attribute.

  In addition, the attribute type independent difference acquisition unit 101 calculates the total traffic volume of the normal section and the abnormal section at the same time.

  Next, the attribute type independent difference acquisition unit 101 subtracts the normal section traffic from the abnormal section traffic for each attribute type and the traffic amount for each attribute value. The result of this subtraction is called a difference traffic amount for each attribute type.

  Further, a difference between the total traffic volume in the normal section and the abnormal section is obtained, and these are referred to as a total differential traffic volume.

  The attribute type independent difference acquisition unit 101 outputs the information created as described above. In FIG. 1, among these, the traffic volume 121 in the normal section for each source address attribute value, the differential traffic volume 131 for each source address attribute value, the traffic volume 122 in the normal section for each destination address attribute value, the destination address Differential traffic volume 132 for each attribute value, normal traffic volume 123 for each protocol attribute value, differential traffic volume 133 for each protocol attribute value, normal traffic volume 124 for each transmission port attribute value, transmission source port attribute value A difference traffic amount 134 for each destination, a traffic amount 125 in a normal section for each destination port attribute value, and a difference traffic amount 135 for each destination port attribute value are shown.

  For each attribute type, the attribute type independent clustering means 102 receives the difference traffic volume and the traffic volume in the normal section as input, and determines the change cause traffic corresponding to the total difference traffic volume as a one-dimensional flow identifier for each attribute. .

  The attribute type independent clustering means 102 outputs a one-dimensional flow identifier for each attribute determined in this way. FIG. 1 shows a flow identifier 141 of a source address attribute, a flow identifier 142 of a destination address attribute, a flow identifier 143 of a protocol attribute, a flow identifier 144 of a source port attribute, and a flow identifier 145 of a destination port attribute. Show.

  At this time, a tree is created according to the inherent hierarchical structure of each attribute type, and a flow identifier is determined as output node determination.

  In the transmission source address attribute, the flow identifier determination operation using this tree is shown. FIG. 2 is a diagram showing an example of a tree according to the hierarchical structure of the IP address used in the operation of the present embodiment. The tree in the source address attribute is a graph having a depth of 32 at the maximum with “0.0.0.0/0” as a vertex according to the hierarchical structure of the IP address shown in FIG. It has information on address range, degree of change contribution, and presence before change.

  In FIG. 2, 201 is a node with depth = 0 (vertex). As shown in the legend of the upper left node in FIG. 2, the upper row is the address range, the lower left portion is the contribution (contribution rate), and the lower right portion is the abundance (presence rate) from before the change. Since the address range of the node 201 is “0.0.0.0/0”, the node 201 represents the entire range of the 32-bit IP address.

  211 and 212 are nodes with depth = 1. Since the node 211 has an address range of “0.0.0.0/1”, the node 211 represents an address range in which the upper 1 bit of the 32-bit IP address is “0”. Since the address range of the node 212 is “128.0.0.0/1”, the upper 1 bit of the 32-bit IP address represents the address range of “1”.

  221 to 224 are nodes with depth = 2. Since the address range of the node 221 is “0.0.0.0/2”, the upper 2 bits of the 32-bit IP address represent the address range of “00”. Since the address range of the node 222 is “64.0.0.0/2”, the upper 2 bits of the 32-bit IP address represent the address range of “01”. Since the address range of the node 223 is “128.0.0.0/2”, the upper 2 bits of the 32-bit IP address represent the address range of “10”. Since the address range of the node 224 is “192.0.0.0/2”, the upper 2 bits of the 32-bit IP address represent the address range of “11”.

  261,... Are nodes with depth = 31. Since the address range of the node 261 is “0.0.0.0/31”, the node 261 represents an address range in which the upper 31 bits of the 32-bit IP address are all “0”.

  271, 272,... Are nodes with depth = 32 (the lowest order). Since the address range is “0.0.0.0/32”, the node 271 represents an address in which all the bits of the 32-bit IP address are “0”. Since the address range of the node 272 is “0.0.0.1/32”, the upper 31 bits of the 32-bit IP address are all “0” and the lowest bit is “1”. Represents a node.

  The contribution degree is a ratio of the difference traffic volume corresponding to the address range to the total difference traffic volume.

  The presence before the change is the ratio of the normal section traffic volume corresponding to the address range to the total normal section traffic volume.

  The tree in the transmission source address attribute is obtained by calculating the contribution and presence from the differential traffic volume and the normal traffic volume for each transmission source address attribute value that has already been obtained, and the lowest in the tree (depth in the example of FIG. 2). = 32) as a node.

  In the example of FIG. 2, the node 271 (address where all 32 bits are “0”) has a contribution 10 / existence 3, and the node 272 (all the upper 31 bits are “0”, and the lowest 1 bit is The “1” address) is 0 contribution / 0 existence.

  Next, the node of depth = 31 is obtained by obtaining the sum of the nodes of depth = 32. By repeating this operation, nodes up to depth = 0 are calculated and the tree is completed.

  In the example of FIG. 2, the contribution / presence of the node 261 is the contribution 10 / existence 3 obtained by adding the contribution 10 / existence 3 of the node 271 and the contribution 0 / existence 0 of the node 272. The contribution degree / presence degree of the node 211 is a contribution degree 30 / presence degree 50 obtained by adding the contribution degree 20 / presence degree 20 of the node 221 and the contribution degree 10 / presence degree 30 of the node 222. The contribution / presence of the node 212 is a contribution 70 / presence 50 obtained by adding the contribution 20 / presence 30 of the node 223 and the contribution 50 / presence 20 of the node 224. The contribution degree / presence degree of the node 201 is a contribution degree 100 / existence degree 100 obtained by adding the contribution degree 30 / existence degree 50 of the node 211 and the contribution degree 70 / existence degree 50 of the node 212.

  Next, the flow identifier in the transmission source attribute is determined using the completed tree. This is because an arbitrary node set whose address ranges do not overlap from tree is selected, and the node set whose coverage rate of the node set is not less than a certain level and whose evaluation value is the maximum in the evaluation formula shown in Formula 1 is set as a set of flow identifiers. This is realized by outputting as

式１は、寄与度が大きいほど評価値が大きくなり、存在度が大きいほど評価値が小さくなり、フロー識別子数が多いほど評価値が下がるという特徴がある。もちろん評価式は式１に限るものではない。式中α、β及びγは重みづけ用定数であり、これらを変更することで、運用ネットワークにおける優先度や運用ポリシを反映可能である。この式を用いることで、正常区間から存在しているトラフィックが含まれないようにフロー識別子を決定することができる。

Formula 1 is characterized in that the evaluation value increases as the degree of contribution increases, the evaluation value decreases as the degree of presence increases, and the evaluation value decreases as the number of flow identifiers increases. Of course, the evaluation formula is not limited to Formula 1. In the formula, α, β, and γ are weighting constants, and by changing these, it is possible to reflect the priority and the operation policy in the operation network. By using this equation, the flow identifier can be determined so that traffic existing from the normal section is not included.

  In the present embodiment, the one-dimensional flow identifier is determined using Equation 1, but generally, when determining the flow identifier, the degree of contribution to the traffic change due to the traffic corresponding to the flow identifier and Considering the trade-off relationship between the presence of the traffic corresponding to the flow identifier before the change and the number of flow identifiers, and considering the trade-off with the minimum number of flow identifiers according to an appropriate evaluation formula, the traffic volume What is necessary is just to determine a flow identifier so that the contribution to a change may be maximized and the presence before the change may be minimized. This also applies to determination of a multi-attribute flow identifier (multi-dimensional flow identifier) described later.

  The flow identifier in the destination address attribute is determined by the same operation as that in the transmission source address attribute.

In the protocol attribute, ^“ tree” is a vertex (depth = 0) ^“*” (unspecified) and leaf node (depth = 1) = two levels of tree of each attribute value, and the other operations are the same as the source address attribute To determine the flow identifier. The flow identifier output by the protocol attribute is limited to 1.

^{“*” Indicates} no designation. Unspecified means not to specify an attribute value of the attribute, and an unspecified node in each attribute is a node including all attribute values of the attribute.

In the transmission source port attribute and the destination port attribute, the tree is apex (depth = 0) = ^“*” (unspecified), depth = 1 is low_port, high_port, and depth = 2 is each output information element 3 As the tree of the hierarchy, the flow identifier is determined by the same operation as that of the transmission source address attribute. At this time, the number of flow identifiers output by the transmission source port attribute and the destination port attribute is limited to 1, respectively.

  In addition, the source AS number attribute, the destination AS number attribute, the router interface number attribute used for transfer, and the flow identifier in the transit router are determined in the same manner as the protocol attribute.

  With the above operation, a one-dimensional flow identifier for each attribute type is determined.

  Next, the multi-attribute clustering means 103 creates a multi-attribute type multi-dimensional flow identifier based on the above-described one-dimensional identifier for each attribute type, and again creates the traffic using normal and abnormal sections. The degree of contribution and the degree of presence for each multi-dimensional flow identifier calculated are calculated.

  An example of the creation of the above multidimensional flow identifier is shown in FIG. 3, 310 is an example of a one-dimensional flow identifier for each attribute, and 320 is an example of a multi-dimensional flow identifier (multi-attribute flow identifier) created from the one-dimensional flow identifier 310 for each attribute.

  In the one-dimensional flow identifier 310 for each attribute in FIG. 3, the one-dimensional flow identifier of the source address attribute is “10.2.0.0/16” indicated by reference numeral 311 and “201.10.0 indicated by reference numeral 312. .0 / 20 ”and the one-dimensional flow identifier of the destination address attribute is“ 128.0.0.0/14 ”indicated by reference numeral 313 and“ 210.0.0.0/16 ”indicated by reference numeral 314. The one-dimensional flow identifier of the protocol attribute is “17” indicated by reference numeral 315, the one-dimensional flow identifier of the transmission source port attribute is “high” indicated by reference numeral 316, and the one-dimensional flow identifier of the destination port attribute is reference numeral 317. “80” shown in FIG.

  The operation of creating a multi-dimensional flow identifier is to obtain a logical product of one-dimensional flow identifiers of each attribute type. In addition, when a plurality of flow identifiers are output with a single attribute type, such as a transmission source address attribute and a destination address attribute, a plurality of multidimensional flow identifiers are created as a result.

  In the example of FIG. 3, there are two one-dimensional flow identifiers 311 and 312 for the source address attribute and two one-dimensional flow identifiers 313 and 314 for the destination address attribute. , Four multidimensional flow identifiers indicated by reference numerals 321, 322, 323, and 324 are created.

  The multidimensional flow identifier 321 includes a source address “10.2.0.0.0 / 2”, a destination address “128.0.0.0/14”, a protocol “17”, a source port “high”, and a destination port. This is an identifier indicating a flow of “80”.

  The multi-dimensional flow identifier 322 includes a source address “10.2.0.0/16”, a destination address “210.0.0.0/16”, a protocol “17”, a source port “high”, and a destination port. This is an identifier indicating a flow of “80”.

  The multi-dimensional flow identifier 323 includes a source address “201.10.0.0/20”, a destination address “128.0.0.0/14”, a protocol “17”, a source port “high”, and a destination port. This is an identifier indicating a flow of “80”.

  The multi-dimensional flow identifier 324 includes a source address “201.10.0.0/20”, a destination address “210.0.0.0/16”, a protocol “17”, a source port “high”, and a destination port. This is an identifier indicating a flow of “80”.

  Next, the traffic volume of the normal section / abnormal section that matches each of the multidimensional flow identifiers created above is calculated, and the contribution and presence of each multidimensional flow identifier are calculated. An example of the calculation result is shown in FIG. In the example of FIG. 4, the contribution of the multidimensional flow identifier 421 is 35% and the presence is 0%, the contribution of the multidimensional flow identifier 422 is 0%, and the presence is 0%. The contribution degree of 423 is 5% and the presence degree is 20%, and the contribution degree of the multidimensional flow identifier 424 is 50% and the existence degree is 10%.

  Finally, the multidimensional flow identifier to be finally output is determined again using the evaluation formula of Formula 1 with respect to the multidimensional flow identifiers 421 to 424 to which the contribution and presence are attached.

  This is because an arbitrary number of multi-dimensional flow identifiers are selected from the previously obtained multi-dimensional flow identifiers, the total contribution is a certain level or more, and the evaluation value shown in Equation 1 is the largest. This is realized by adopting a set of attribute flow identification information as the final output. FIG. 5 shows examples 501 and 502 of multi-dimensional flow identifiers determined by this operation and finally output.

With the above operation, finally,
・ The cause of the traffic change The traffic is identified as one or more appropriate flow identifiers,
・ Furthermore, since each flow identifier is added with information on the degree of contribution to the amount of change and the degree of presence from before the change, the effects and impacts of implementing control using specific results will be reflected in actual control. An estimate can be made in advance.

  The multi-dimensional flow identifiers 321 to 324, 421 to 424, and 501 to 502 shown in FIGS. 3, 4, and 5 are composed of combinations of attribute values in the transmission source address, the destination address, the protocol, the transmission source port, and the destination port. In addition to this, a multi-dimensional flow is made by combining attribute values in one or a plurality of attribute types among TTL, source AS number, destination AS number, router interface number used for transfer, and transit router. An identifier may be configured.

  Further, as shown in FIG. 3, in the one-dimensional flow identifiers 311 and 312 of the transmission source address attribute and the one-dimensional flow identifiers 313 and 314 of the destination address attribute, the address range (attribute Similarly, in the multidimensional flow identifiers 321 to 324, 421 to 424, and 501 to 502 shown in FIGS. 3, 4, and 5, address ranges are used as attribute values related to the source address and the destination address. (Attribute value range) is used.

  Hereinafter, an example in which the above embodiment is applied to specific change in traffic volume will be described. (1) is the case of traffic volume increase due to DDoS attack, (2) is the case of traffic volume decrease due to failure such as equipment failure, and (3) is traffic increase due to rapid traffic concentration to popular web server etc. This is the case.

(1) When the traffic volume sudden increase is a DDoS attack When analyzing the traffic volume increase caused by the DDoS attack according to the present embodiment, as a result of specifying the cause of the traffic volume change,
A single or small number of destination addresses that are the attacked host, and
-The range of attack source addresses that are sending attack traffic to the target attack address,
-Information on traffic attribute values other than the above that constitute attack traffic can be obtained as flow identifiers.

  In addition, the source address range in this case is determined to exclude the traffic before the occurrence of the attack using the evaluation formula.

  For this reason, when a filter or flow rate restriction is performed in the router using the specific result according to the present embodiment, the probability of hindering normal communication is low, and the flow identifier according to the present embodiment is an ideal DDoS attack filter condition. .

  Furthermore, the attack traffic suppression effect by control and the influence on normal traffic can be estimated before the execution of control based on the contribution to the variable attached to the specific result and the presence information before the change.

(2) When the decrease in traffic volume is caused by a failure such as a device failure When this embodiment analyzes a decrease in traffic volume caused by a device failure or the like, the result of specifying the cause of the change in traffic volume exists before the change. However, traffic that does not exist after the change can be specified as a flow identifier.

  At this time, if the router interface attribute or the transit router attribute is used as the flow identifier, the attribute value that caused the change is the cause of the decrease in the traffic volume, and the fault location can be found.

  In commercial networks, apparatus alive monitoring systems are often introduced, but in these systems, dealing with silent failures that do not issue an alarm when a failure occurs is an issue in commercial network operation. On the other hand, according to the present embodiment, it is possible to specify the failure location even in the case of a silent failure.

(3) When traffic volume sudden increase is stochastic fluctuation of traffic volume or traffic concentration Traffic volume change when traffic volume rapid increase is normal traffic concentration or traffic volume stochastic fluctuation due to the occurrence of popular web site etc. As a result of the identification, it is possible to obtain a range of destination addresses and source addresses that cause an increase in traffic volume.

  However, there is a large presence before the accompanying change, and it can be determined that the increase in traffic volume is due to traffic similar to the traffic that existed before the change, which is normal traffic concentration and stochastic fluctuation of traffic volume It turns out.

  Thereby, a false alert (False Positive) that cannot be avoided in the abnormal traffic detection system using the traffic volume and erroneously recognizes that the traffic fluctuation is the occurrence of the abnormality can be identified as a false alert.

  According to the present embodiment, it is possible to identify a false alert and eliminate the need to manually re-analyze the false alert when the false alert is not sent to the operator, thereby reducing the operation cost. .

  As mentioned above, the invention made by the present inventor has been specifically described based on the embodiment. However, the invention is not limited to the embodiment, and various modifications can be made without departing from the scope of the invention. Of course.

It is a block diagram of a traffic volume change cause identification system including the method of the embodiment of the present invention. It is the figure which showed the example of the tree according to the hierarchical structure of IP address used in operation | movement of embodiment of this invention. It is the figure which showed the example of multidimensional flow identifier preparation in the operation | movement of embodiment of this invention. It is the figure which showed the example of the contribution for every created multidimensional flow identifier, and an existing degree. It is the figure which showed the example of the multidimensional flow identifier output finally.

Explanation of symbols

101 ... Attribute type independent difference acquisition means, 102 ... Attribute type independent clustering means, 103 ... Multi-attribute clustering means, 111 ... Normal section traffic data, 112 ... Abnormal section traffic data, 121 ... Source address attribute value , Traffic volume in the normal section for each destination address attribute value, 123, traffic volume in the normal section for each protocol attribute value, 124, traffic volume in the normal section for each source port attribute value, 125 ... traffic volume in normal section for each destination port attribute value, 131 ... differential traffic volume for each source address attribute value, 132 ... differential traffic volume for each destination address attribute value, 133 ... differential traffic volume for each protocol attribute value, 134 ... Differential traffic volume for each source port attribute value 135: Differential traffic volume for each destination port attribute value 141: Flow identifier of source address attribute 142: Flow identifier of destination address attribute 143: Flow identifier of protocol attribute 144: Flow identifier of source port attribute 145 ... Destination port attribute flow identifiers, 151 ... multi-attribute flow identifiers (multi-dimensional flow identifiers), 201-272 ... nodes in tree according to the hierarchical structure of IP address, 310 ... one-dimensional flow identifiers for each attribute, 311, 312 ... Example of one-dimensional flow identifier of source address attribute 313, 314 ... Example of one-dimensional flow identifier of destination address attribute 315 ... Example of one-dimensional flow identifier of protocol attribute 316 ... One-dimensional of source port attribute Examples of flow identifiers, 317 ... one-dimensional flow knowledge of destination port attribute 320: Multi-dimensional flow identifier, 321-324 ... Multi-dimensional flow identifier example, 421-424 ... Multi-dimensional flow identifier example with contribution and presence, 501, 502 ... Finally output Examples of multidimensional flow identifiers

Claims (8)

A traffic volume change cause identifying method in a traffic volume change cause identifying system for identifying a cause traffic of a traffic volume change using one or a plurality of flow identifiers,
The traffic amount change cause identifying system includes an attribute type independent difference acquisition unit, an attribute type independent clustering unit, and a multiple attribute clustering unit.
The attribute type-independent difference acquisition means is configured so that, for each attribute type of traffic data in the normal section and traffic data in the abnormal section, the traffic volume in the normal section and the normal section for each attribute value in the normal section / abnormal section An attribute type independent difference acquisition step for obtaining a difference traffic amount that is a difference between the traffic amount of the section and the abnormal section;
The attribute type independent clustering means, an attribute type independent clustering step for obtaining a one-dimensional flow identifier of the attribute type for each attribute type from the traffic volume of the normal section and the difference traffic volume;
A multi-attribute clustering step in which the multi-attribute clustering means creates a multi-dimensional flow identifier of a multi-attribute type by combining the one-dimensional flow identifier obtained for each attribute type;
A method for identifying a cause of a change in traffic volume, comprising: The multidimensional flow identifier is
In addition to source address, destination address, protocol, source port, destination port,
A combination of attribute values in one or a plurality of attribute types among a TTL (Time To Live), a transmission source AS number, a destination AS number, a router interface number used for transfer, and a transit router. Item 1. The method for identifying the cause of traffic change in Item 1.   The method according to claim 1, wherein an attribute value range is used as an attribute value constituting the flow identifier. In the attribute type independent clustering step and / or the multiple attribute clustering step,
When determining the flow identifier, a trade-off relationship between the contribution to the traffic volume change by the traffic corresponding to the flow identifier, the presence before the change of the traffic corresponding to the flow identifier, and the number of flow identifiers. 2. The traffic volume according to claim 1, wherein the flow identifier is determined so as to maximize the contribution to the traffic volume change with the minimum number of flow identifiers and to minimize the presence before the change. Change cause identification method.   2. The traffic amount change cause identification according to claim 1, wherein each of the one or more flow identifiers has information on a degree of contribution to the amount of change of traffic corresponding to each flow identifier and an existing degree from before the change. Method. A traffic volume change cause identification system that identifies the cause traffic of a traffic volume change using one or more flow identifiers,
For each attribute type of traffic data of normal section and traffic data of abnormal section, the difference between the traffic volume of normal section and the traffic volume of normal section and abnormal section for each attribute value of normal section / abnormal section independently. An attribute type independent difference obtaining means for obtaining a certain amount of difference traffic;
An attribute type independent clustering means for obtaining a one-dimensional flow identifier of the attribute type for each attribute type from the traffic amount of the normal section and the difference traffic amount;
Multi-attribute clustering means for creating a multi-dimensional flow identifier of a multi-attribute type by combining the one-dimensional flow identifier obtained for each attribute type;
A traffic volume change cause identifying system characterized by comprising:   A program for causing a computer to execute the steps according to claim 1.   A computer-readable recording medium on which a program for causing a computer to execute the steps according to claim 1 is recorded.

Images