JP2009302625A - Network configuration information collection analysis system, network configuration information collection analysis server, and network configuration information collection analysis method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To respond to a change in network configuration information of each network equipment in real time while suppressing loads on a network, the loads being placed thereon when obtaining network configuration information of a plurality of network equipment. <P>SOLUTION: A passive scan performing part 1230 performs passive scan on a packet flowing a sub-network 2100 and generates network configuration information of certain network equipment 1300. When a network configuration information analysis part 1140 detects a change in the network configuration information of the network equipment 1300, an active scan performing part 1240 performs active scan on another network equipment 1300 and generates network configuration information on the other network equipment 1300. A network configuration information database part 1130 updates network configuration information currently stored by the generated network configuration information. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a network configuration information collection / analysis system, a network configuration information collection / analysis server, and a network configuration information collection / analysis method. In particular, the present invention relates to a system for collecting the status of a plurality of resources arranged in a network (hereinafter referred to as “network configuration information”). Here, the network configuration information includes, for example, the name of a network device connected to the managed network, an IP (Internet Protocol) address, a MAC (Media Access Control) address, an open port, and the like. Service, application used and version information, OS (Operating System) and version information, CPU (Central Processing Unit) usage rate, HDD (Hard Disk Drive) usage, network settings, serial Number, patch application status, DNS (Domain Name Service) name, device type (router, printer, modem, PC (Personal Computer) , Servers, etc.), it refers to the network usage, any information (particularly regarding the network devices such operating condition, the information indicating the configuration of the packet communication, i.e., information) showing the structure affecting packet communications.

  In recent years, networks have become indispensable for business, and the degree of dependence has increased, and security incidents via networks have frequently occurred. In order to prevent security incidents, a security audit is performed to understand network configuration information that indicates what devices are connected to the network to be managed, how they are used, and how they are used. It is necessary to manage and detect illegally connected devices and unauthorized network devices that use prohibited software, or leave evidence that the network devices are being used correctly.

The network configuration information can be collected by installing a collection program in the network device to be monitored and collecting the network configuration information directly on the network device that is different from the network device to be monitored. There is an agentless type that introduces a collection program and collects network configuration information via a network. As an agentless type collection method, there are a passive collection method (hereinafter referred to as “passive scan”) and an active collection method (hereinafter referred to as “active scan”). The passive scan is a method for acquiring network configuration information by acquiring a packet flowing in a monitored network and analyzing the acquired packet. In active scan, network configuration information can be obtained by communicating with a network device to be monitored in the network, or communicating with other network devices that have information about the network device to be monitored. It is a method to obtain. There is also a method of collecting network configuration information using both passive scan and active scan (see, for example, Patent Document 1).
JP-A-5-75628

  Passive scanning collects network configuration information by collecting packets flowing through the network, and therefore has an advantage in that no load is applied to the network even if information is collected. In addition, there is an advantage that monitoring is always possible because it does not place a burden on the network even if information is collected. However, in the conventional passive scan, a packet related to network configuration information is transmitted from a network device, and information cannot be collected unless the packet is received at that time. There was a big problem of not.

  On the other hand, in the active scan, it can be requested when desired information is desired. However, in the conventional active scan, it is necessary to communicate directly with a network device in order to obtain network configuration information, and there is a problem that a load is imposed on the network by collecting information. Furthermore, since information collection causes a load on the network, it is generally not practical to perform constant monitoring such as passive scanning, and it is necessary to collect information at certain time intervals. For this reason, there has been a problem that it is not possible to cope with changes in network configuration information in real time, such as increase / decrease in network devices and software changes.

  Conventionally, in a method of collecting network configuration information using both passive scan and active scan, resource information is acquired by active scan when resource information cannot be acquired by passive scan within a specified time. However, this method is intended for systems that regularly report the operating status from network devices, and cannot collect the advantages of the original passive scan that does not put a load on the network even if information is collected. was there.

  For example, an object of the present invention is to cope with a change in network configuration information of each network device in real time while suppressing a load on the network in order to obtain network configuration information of a plurality of network devices.

A network configuration information collection and analysis system according to an aspect of the present invention includes:
A network configuration information collection and analysis system that collects network configuration information that is information about each network device and analyzes the network configuration information for a plurality of network devices that perform packet communication in a network,
A network configuration information database unit for storing network configuration information of each network device in a storage device;
A packet analysis unit that analyzes a packet flowing through a network by a processing device and generates network configuration information of a network device that has transmitted the packet;
The processing device analyzes the difference between the network configuration information of the network device generated by the packet analysis unit and the network configuration information of the network device stored by the network configuration information database unit, and the network configuration information of the network device A network configuration information analysis unit for detecting changes in
When a change is detected in the network configuration information of the network device by the network configuration information analysis unit, a request transmission unit that transmits a request for information on each network device to a network device other than the network device;
A response analysis unit that analyzes a response to the request transmitted by the request transmission unit, and generates network configuration information of the network device that transmitted the response, and
The network configuration information database unit, when a change is detected in the network configuration information of the network device by the network configuration information analysis unit, the network configuration of each network device generated by the packet analysis unit and the response analysis unit The network configuration information of each network device stored in the storage device with information is updated.

  According to one aspect of the present invention, in the network configuration information collection and analysis system, the packet analysis unit analyzes a packet flowing through the network, generates network configuration information of the network device that transmitted the packet, and the request transmission unit When a change is detected in the network configuration information of the network device by the network configuration information analysis unit, a request is transmitted to a network device other than the network device, and the response analysis unit transmits the response to the network configuration of the network device. Network configuration information of each network device stored in the storage device with the network configuration information of each network device generated by the packet analysis unit and the response analysis unit. By updating the while suppressing load on the network to obtain the network configuration information of the plurality of network devices, it is possible to correspond to the real time to changes in the network configuration information for each network device.

  FIG. 1 is a diagram showing a basic configuration and functions of a network configuration information collection / analysis system 1000 according to each embodiment of the present invention to be described later.

In FIG. 1, a network configuration information collection / analysis system 1000 includes a network configuration information collection / analysis server 1100 and a network configuration information collection sensor 1200. The network configuration information collection / analysis system 1000 can collect network configuration information from a plurality of network devices 1300 connected to the network 2000. Here, as the network device 1300, network devices X _{1 to} X _n (n is an integer satisfying _n > 1) are connected to the network 2000, and perform packet communication with each other or with external devices on the network 2000. To do. The network device X _k (k = 1, 2,..., N) corresponds to all devices connected to the network 2000, such as Web servers, personal PCs, firewalls, and printers.

In the network configuration information collection / analysis system 1000, the network configuration information collection / analysis server 1100 controls the network configuration information collection sensor 1200. For this purpose, the network configuration information collection / analysis server 1100 is connected to the network configuration information collection sensor 1200 via the network 2000 or another network. Specifically, the network configuration information collection analysis server 1100 instructs the network configuration information collection sensor 1200 to collect the network configuration information Y _{1 to} Y _n . Network configuration information collecting sensor 1200 in accordance with an instruction to collect network configuration information _Y 1 to Y _n from the network device _X 1 to X _n. The network configuration information Y _k indicates information related to the network device X _k by classifying it into a plurality of items. Here, m items (m is an integer satisfying m> 2) exist, and each item is represented as network configuration information y _{i, k} (i = 1, 2,..., M). That is, the network configuration information Y _k is a set of network configuration information y _{1, k} , y _{2, k} ,..., Ym _{, k} . As described above, the network configuration information y _{i, k} includes the name, IP address, MAC address, open port, used service, used application and version information thereof, OS, and the like of the network device X _k. Version information, CPU usage, HDD usage, network settings, serial number, patch application status, DNS name, device type (router, printer, modem, PC, server, etc.), network usage, operation status, etc. All information related to the device _Xk is applicable.

In each embodiment, the network configuration information collection analysis server 1100 causes the network configuration information collection sensor 1200 to collect the network configuration information Y _{1 to} Y _n or the network configuration information Y _{1 to} Y _n input by the user. And the network configuration information Y _{1 to} Y _n is held in advance. In addition, first, the network configuration information collection sensor 1200 performs constant monitoring by passive scanning to acquire network configuration information y _{i, k} . The network configuration information collection / analysis server 1100 compares the network configuration information y _{i, k} acquired by the network configuration information collection sensor 1200 with the network configuration information y _{i, k} held in advance _, thereby comparing the network configuration information y _{i. , K} is detected.

Network configuration information _{y i} of the network configuration information collection analysis server 1100 network devices _{X k,} When detecting a change in _k, then, the network configuration information collecting sensor 1200, the network configuration information _{y 1} of the network device _{X k, k ~y (i-1),} k, y (i + 1), k ~y m, for _k out the information collection by active scanning. By doing so, the latest network configuration information Y can be quickly obtained without waiting for the network configuration information Y _{k to} be obtained by passive scanning for the network device X _k whose network configuration information y _{i, k} has changed. _k can be collected. The network configuration information collection / analysis server 1100 holds the network configuration information y _{1, k to} y _{(i−1), k 1} , y _{(i + 1), k 1 to} y _{m, k} collected by the network configuration information collection sensor 1200 in advance. The network configuration information Y1 _{, k-} y _{(i-1), k} , y _{(i + 1), k-} ym _{, k} is compared to detect a change in the network configuration information _Yk .

If the network configuration information collection / analysis server 1100 detects a change in a plurality of items included in the network configuration information Y _k of the network device X _k , then the network configuration information collection sensor 1200 is connected to the other network devices X ₁ to X ₁ . _{X (k-1), X} (k + 1) ~X network configuration _n information _{Y 1 ~Y (k-1)} , Y (k + 1) ~Y n implement information collection by active scan for. Here, items for which the network configuration information collection / analysis server 1100 has detected a change in the network configuration information Y _k of the network device X _k are collectively expressed as network configuration information Z _{k, k} . And the item corresponding to the network configuration information Z _{k, k} in the network configuration information Y _h of the other network device X _h (h = 1, 2,..., K−1, k + 1,..., N). Collectively, it is expressed as network configuration information Zh _{, k} . For example, the network configuration information y _{1, k} indicates the name of the network device X _k , the network configuration information y _{2, k} indicates the IP address of the network device X _k , and the network configuration information collection analysis server 1100 indicates the IP address of the network device X _k . If only a change is detected, the network configuration information Z _{k, k} includes only the network configuration information y _{2, k} . In this case, the network configuration information Z _{h, k} includes only network configuration information y _{2, h} indicating the IP address of the network device X _h . In each embodiment, the network configuration information collection sensor 1200 includes network configuration information Y _{1 to} Y _(k−1) and Y of other network devices X _{1 to} X _(k−1) and X _{(k + 1) to} X _{n. (k +} 1) for all to Y _n, instead of performing the information collection by active scanning, network configuration information _{Z 1, k ~Z (k-} 1), k, Z (k + 1), k ~Z n, active scanning for _k Information collection by As a result, when there is a change in a part of the network configuration information of a certain network device 1300, the active scan is performed only for a portion that is likely to be changed similarly in the network configuration information of the other network device 1300. Thus, it is possible to cope with changes in the network configuration information of each network device 1300 in real time while suppressing the load on the network.

  As described above, according to each embodiment of the present invention, for example, when the network configuration information of a plurality of network devices 1300 changes at the same time due to the application of a security patch or the spread of viruses, one network device. From the detection of the change of one item in the network configuration information 1300, the change of all items in the network configuration information of the network device 1300 is immediately inspected, and other network devices existing in the network 2000 based on the inspection result. Changes in items that are likely to change in the network configuration information 1300 can be inspected with the minimum necessary active scan.

  FIG. 2 is a diagram illustrating an example of the hardware configuration of each of the network configuration information collection / analysis server 1100 and the network configuration information collection sensor 1200.

  In FIG. 2, a network configuration information collection / analysis server 1100 and a network configuration information collection sensor 1200 are computers, a display device 1901 having a CRT (Cathode / Ray / Tube) or LCD (Liquid Crystal Display) display screen, a keyboard 1902 ( K / B), a mouse 1903, an FDD 1904 (Flexible Disk Disc Drive), a CDD 1905 (Compact Disk Disc Drive), and a printer device 1906, which are connected by cables and signal lines.

  The network configuration information collection analysis server 1100 and the network configuration information collection sensor 1200 include a CPU 1911 that executes a program. The CPU 1911 is an example of a processing device. The CPU 1911 includes a ROM 1913 (Read / Only / Memory), a RAM 1914 (Random / Access / Memory), a communication board 1915, a display device 1901, a keyboard 1902, a mouse 1903, an FDD 1904, a CDD 1905, a printer device 1906, and a magnetic disk. It is connected to a device 1920 (HDD) and controls these hardware devices. Instead of the magnetic disk device 1920, a storage medium such as an optical disk device or a memory card reader / writer may be used.

  The RAM 1914 is an example of a volatile memory. The storage media of the ROM 1913, the FDD 1904, the CDD 1905, and the magnetic disk device 1920 are an example of a nonvolatile memory. These are examples of the storage device. A communication board 1915, a keyboard 1902, a mouse 1903, an FDD 1904, a CDD 1905, and the like are examples of input devices. The communication board 1915, the display device 1901, the printer device 1906, and the like are examples of output devices. The communication board 1915 is an example of a communication device.

  The communication board 1915 is connected to a LAN (Local / Area / Network) or the like. The communication board 1915 is not limited to a LAN, but is the Internet, or an IP-VPN (Internet, Protocol, Private, Network), a wide area LAN, an ATM (Asynchronous, Transfer, Mode) network, or other WAN (Wide, Area, Network) network. ) Or the like. LAN, the Internet, and WAN are examples of the network 2000.

  The magnetic disk device 1920 stores an OS 1921, a window system 1922, a program group 1923, and a file group 1924. The programs in the program group 1923 are executed by the CPU 1911, OS 1921, and window system 1922. The program group 1923 stores a program for executing a function described as “˜unit” in the description of each embodiment. The program is read and executed by the CPU 1911. The file group 1924 includes data and information described as “˜data”, “˜information”, “˜ID (identifier)”, “˜flag”, and “˜result” in the description of each embodiment. Signal values, variable values, and parameters are stored as items of “˜file”, “˜database”, and “˜table”. The “˜file”, “˜database”, and “˜table” are stored in a storage medium such as a disk or a memory. Data, information, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 1911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for processing (operation) of the CPU 1911 such as calculation / control / output / printing / display. Data, information, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory during processing of the CPU 1911 such as extraction, search, reference, comparison, calculation, control, output, printing, and display. Is remembered.

  In addition, the arrows in the block diagrams and flowcharts used in the description of each embodiment mainly indicate input and output of data and signals. The data and signals are the memory such as the RAM 1914, the flexible disk (FD) of the FDD 1904, and the compact of the CDD 1905. Recording is performed on a recording medium such as a disk (CD), a magnetic disk of the magnetic disk device 1920, other optical disks, a mini disk (MD), and a DVD (Digital Versatile Disc). Data and signals are transmitted via a bus 1912, signal lines, cables, and other transmission media.

  In addition, what is described as “to part” in the description of each embodiment may be “to circuit”, “to device”, and “to device”, and “to step” and “to process”. , “˜procedure”, and “˜processing”. That is, what is described as “˜unit” may be realized by firmware stored in the ROM 1913. Alternatively, it may be realized only by software, or only by hardware such as an element, a device, a board, and wiring, or a combination of software and hardware, and further by a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, flexible disk, optical disk, compact disk, minidisk, or DVD. This program is read by the CPU 1911 and executed by the CPU 1911. In other words, the program causes the computer to function as “˜unit” described in the description of each embodiment. Alternatively, it causes the computer to execute the procedures and methods described in the description of each embodiment.

  Hereinafter, each embodiment of the present invention will be described with reference to the drawings.

Embodiment 1 FIG.
Hereinafter, the present embodiment will be described with reference to FIGS.

  FIG. 3 is a diagram showing an outline of the configuration and functions of the network configuration information collection / analysis system 1001 according to the present embodiment.

  3, the network configuration information collection / analysis system 1001 includes a network configuration information collection / analysis server 1101 and a network configuration information collection sensor 1201. Here, a plurality of network configuration information collection sensors 1201 may be provided. On the sub-network 2100 where the network configuration information collection sensor 1201 exists, there are a plurality of network devices 1300 that are network configuration information collection targets.

The network configuration information collection / analysis server 1101 manages and analyzes the network configuration information input by the user and the network configuration information collected by the network configuration information collection sensor 1201, and the network configuration information collection sensor 1201 according to changes in the network configuration information. To collect network configuration information. The network configuration information collection sensor 1201 analyzes a packet flowing on the sub-network 2100 according to an instruction from the network configuration information collection analysis server 1101, and thereby performs a passive scan for collecting network configuration information and a network device X to be monitored. performs communication with respect to _k (may communicate to other network devices 1300 with information about the network devices X _k, but in such case, the network device 1300 and the network equipment X _k Since the same can be seen below, it will not be described separately), an active scan for collecting the network configuration information _Yk is performed, and the collected network configuration information is collected in the network configuration information collection analysis server 1101.

  FIG. 4 is a block diagram showing the configuration of the network configuration information collection / analysis system 1001.

  4, the network configuration information collection / analysis server 1101 includes a network configuration information input unit 1110, a network configuration information output unit 1120, a network configuration information database unit 1130, a network configuration information analysis unit 1140, a network configuration information analysis rule storage unit 1150, A server sensor interface unit 1160 is provided. Although not shown, the network configuration information collection / analysis server 1101 includes hardware such as a storage device, a processing device, an input device, an output device, and a communication device.

The network configuration information input unit 1110 receives input from the input device such as network configuration information Y _{1 to} Y _n of the network devices X _{1 to} X _n and network configuration information analysis rules by the user.

Network configuration database section 1130 stores the network configuration information _Y 1 to Y _n of the network device _X 1 to X _n in the storage device. For example, the network configuration information database section 1130 stores the network configuration information _Y 1 to Y _n of the network device _X 1 to X _n, which are input to the network configuration information input unit 1110 to the storage device.

  The network configuration information analysis rule storage unit 1150 stores the network configuration information analysis rule in the storage device. For example, the network configuration information analysis rule storage unit 1150 stores the network configuration information analysis rule input to the network configuration information input unit 1110 in the storage device.

  The inter-server-sensor interface unit 1160 is obtained by mounting a communication interface between the network configuration information collection / analysis server 1101 and the network configuration information collection sensor 1201 on a communication device.

The network configuration information analysis unit 1140 instructs the network configuration information collection sensor 1201 to perform a passive scan, and is generated by the packet analysis unit 1232 of the network configuration information collection sensor 1201 based on the result of the passive scan, as will be described later. It acquires network configuration information of the network device X _k Y _k or at least its items that.

As an example, if the network configuration information analysis unit 1140 acquires network configuration information y _{i, k} that is one item of the network configuration information Y _k of the network device X _k , the network configuration information analysis unit 1140 y _{i, k} and network configuration information _{y i} of the network device _{X k} stored by the network configuration information database _1130, and analyzed by the processor to difference between _k, network device _{X k} of the network configuration information _{y i,} in _k Detect changes.

Subsequently, the network configuration information analyzing unit 1140 instructs the implementation of active scanning to target network device X _k in the network configuration information gathering sensor 1201, as described later, the network configuration information based on the result of its active scan The network configuration information y _{1, k to} y _{(i−1), k} , y _{(i + 1), k to} y _{m, k} of the network device X _k generated by the response analysis unit 1244 of the collection sensor 1201 is acquired. The network configuration information analysis unit 1140 stores the network configuration information y _{1, k to} y _{(i-1), k} , y _{(i + 1), k to} y _{m, k} and the network configuration information database unit 1130. network configuration information _y 1 of the network device _{X k, k ~y (i-} 1), k, and analyzed by _{y (i + 1), k} ~y m, processor the difference between _k, the network configuration of the network device _{X k} Changes in the information y1 _{, k to} y _{(i-1), k} , y _{(i + 1), k to} ym _{, k} are detected. That is, the network configuration information analysis unit 1140 identifies the network configuration information Z _{k, k} of the network device X _k .

Further continued, the network configuration information analyzing unit 1140 instructs the implementation of active scanning the network device 1300 other than the network device X _k in the network configuration information collecting sensor 1201 of interest, as described later, the result of its active scan Based on the network configuration information Z _{1, k to} Z _{(k− ) of} the network devices X _{1 to} X _(k−1) and X _{(k + 1) to} X _n generated by the response analysis unit 1244 of the network configuration information collecting sensor 1201. _{1), k} , Z _{(k + 1), k to} Zn _{, k} are acquired. The network configuration information analyzing unit 1140 stores the network configuration information Z _{1, k to} Z _{(k−1), k 1} , Z _{(k + 1), k to} Z _{n, k} and the network configuration information database unit 1130. network equipment _{X 1 ~X (k-1)} , X (k + 1) ~X network configuration information of _{n Z 1, k ~Z (k} -1), k, Z (k + 1), k ~Z n, and _k difference was analyzed by the processing device, the network device _{X 1 ~X (k-1)} , X (k + 1) network configuration to X _n information _{Z 1, k ~Z (k-} 1), k, Z (k + 1), Changes in _{k to} Zn _{, k} are detected.

As in the above example, when the network configuration information analysis unit 1140 detects a change in the network configuration information y _{i, k} of the network device X _k , the network configuration information analysis unit 1140 identifies the network configuration information database unit 1130. a network configuration information _{Z k, k} of the network devices _{X k} that is, the network device _{X 1 ~X (k-1)} , X (k + 1) network configuration to X _n information _{Z 1, k ~Z (k-} 1) _{, K} , Z _{(k + 1), k 1 to} Z _{n, k} , the network configuration information Y of the network devices X _{1 to} X _n stored in the storage device with the change detected by the network configuration information analysis unit 1140. of ₁ to Y _n, and updates that apply. That is, the network configuration information database unit 1130 stores each network device 1300 stored in the storage device with the network configuration information of each network device 1300 generated by the packet analysis unit 1232 and the response analysis unit 1244 of the network configuration information collection sensor 1201. Update network configuration information.

  The network configuration information output unit 1120 outputs the processing result of each unit to the output device.

  The network configuration information collection sensor 1201 includes a sensor control unit 1210, an inter-server sensor interface unit 1220, one or more passive scan execution units 1230, and one or more active scan execution units 1240. Although not shown, the network configuration information collection sensor 1201 includes hardware such as a storage device, a processing device, an input device, an output device, and a communication device. Here, the passive scan execution unit 1230 and the active scan execution unit 1240 may be one or more in total, and one of them may be omitted.

  The inter-server-sensor interface unit 1220 is obtained by mounting a communication interface between the network configuration information collection / analysis server 1101 and the network configuration information collection sensor 1201 on a communication device.

  In accordance with an instruction from the network configuration information collection / analysis server 1101, the sensor control unit 1210 targets the network device 1300 existing on the connected subnetwork 2100 and performs a passive scan and active scan execution unit 1240 by the passive scan execution unit 1230. The network configuration information is collected using the active scan according to, and provided to the network configuration information collection analysis server 1101.

  The passive scan execution unit 1230 includes a passive scan setting unit 1231, a packet analysis unit 1232, and a packet acquisition unit 1233.

  The passive scan setting unit 1231 stores, in a storage device, information related to setting of passive scan performed by the sensor control unit 1210 according to an instruction from the network configuration information collection analysis server 1101.

  The packet acquisition unit 1233 acquires a packet flowing through the subnetwork 2100 by the communication device.

The packet analysis unit 1232 analyzes the packet acquired by the packet acquisition unit 1233 by the processing device, and the network configuration information Y _k of the network device X _k that transmitted the packet or at least one item thereof (for example, the network configuration information y _{i , K} ).

  The active scan execution unit 1240 includes an active scan setting unit 1241, a request generation unit 1242, a request transmission unit 1243, a response analysis unit 1244, and a response reception unit 1245.

  The active scan setting unit 1241 stores, in the storage device, information related to the active scan setting performed by the sensor control unit 1210 according to an instruction from the network configuration information collection / analysis server 1101.

Request generating unit 1242, as described above, if a change in at least one item of network configuration information Y _k of the network device X _k is detected by the network configuration information analyzing portion 1140 of the network configuration information collection analysis server 1101, the network device as a request to be transmitted to the X _k, of the information about the network devices X _k, generated by processor requests items other than the item. Further, as described above, when the change is detected in at least one item of the network configuration information Y _k of the network device X _k by the network configuration information analysis unit 1140 of the network configuration information collection analysis server 1101, the request generation unit 1242 as a request to be transmitted to the network device X _k network equipment 1300 other than, of the information about the network devices 1300, produced by processor requests only items of the same classification and the item.

As an example, if the network configuration information analysis unit 1140 of the network configuration information collection / analysis server 1101 detects a change in the network configuration information y _{i, k} , which is one item of the network configuration information Y _k of the network device X _k , a request is generated. part 1242, as a request to be transmitted to the network device _{X k,} items other than the item (network configuration information _{y 1, k ~y (i-} 1), k, y (i + 1), k ~y m, corresponds to a _k ) Request. Subsequently, when the network configuration information analysis unit 1140 of the network configuration information collection analysis server 1101 identifies the network configuration information Z _{k, k} of the network device X _k , the request generation unit 1242 causes the network devices X _{1 to} X _{(k−1). ) (as} a request to be transmitted to the _{k +} 1) to X _n, items with the same classification as the items included network configuration information _{Z k,} the _k (network configuration information _{Z 1, k ~Z (k-} 1) X, k, Z ₍ Equivalent to _{(k + 1), k to} Z _{n, k} ) is generated.

  The request transmission unit 1243 transmits the request generated by the request generation unit 1242 by the communication device.

  The response reception unit 1245 receives a response to the request transmitted by the request transmission unit 1243 by the communication device.

  The response analysis unit 1244 analyzes the response received by the response reception unit 1245 by the processing device, and generates network configuration information of the network device 1300 that has transmitted the response.

As an example, when the response receiving unit 1245 receives a response to a request for an item other than the network configuration information y _{i, k} transmitted to the network device X _k by the request transmitting unit 1243, the response analyzing unit 1244 displays the network configuration information y _{1. , K to} y _{(i-1), k} , y _{(i + 1), and k to} ym _{, k} are generated. Subsequently, the response receiving unit 1245 has the same classification as the items included in the network configuration information Z _{k, k} transmitted to the network devices X _{1 to} X _(k−1) and X _{(k + 1) to} X _n by the request transmitting unit 1243. When the response to the request for the item is received, the response analysis unit 1244 generates network configuration information Z1 _{, k to} Z _{(k-1), k} , Z _{(k + 1), k} toZn _{, k} .

  Next, the operation of the network configuration information collection / analysis system 1001 will be described with reference to FIGS.

  FIG. 5 is a flowchart showing an operation when the network configuration information collection analysis server 1101 collects network configuration information.

  In step S101, the network configuration information input unit 1110 receives an initial setting input from the user from the input device. As an initial setting, network configuration information and network configuration information analysis rules currently known by the user are input. The input method does not matter. For example, command input or file input may be used, or the state at the previous end may be used. Network configuration information analysis rules include "selection of network configuration information to be monitored", "extraction method of network configuration information change", and "conditions of network devices that perform an active scan for network configuration information in which a change has been detected" A rule for detecting changes in network configuration information. For example, as “selection of network configuration information to be monitored”, the network configuration information (item) to be monitored is set from various network configuration information such as the OS, IP address, MAC address, and application used of the network device 1300. Can do. At this time, there may be a plurality of items to be set. Further, as a “network configuration information change extraction method”, there is a certain amount of change in the amount of traffic from a certain network device 1300 that determines that the OS of a certain network device 1300 has changed as a change in network configuration information. If there is, it is possible to set a rule that it is determined that the network configuration information has changed. In addition, as “a condition of a network device that performs an active scan related to network configuration information in which a change is detected”, when another network device 1300 performs an active scan related to network configuration information in which a change is detected in a network device 1300. The conditions of the network device 1300 that is the target of the active scan can be set. For example, the active scan is performed only on the network device 1300 in which one or a plurality of arbitrary items are the same among the OS, software, service to be used, use application (for example, for web server, office use) of the network device 1300, etc. It is possible to set conditions such as. Of the input settings, network configuration information is recorded in the network configuration information database unit 1130, and network configuration information analysis rules are recorded in the network configuration information analysis rule storage unit 1150.

  In step S102, the network configuration information analysis unit 1140 uses the inter-server sensor interface unit 1160 to instruct the network configuration information collection sensor 1201 to perform a passive scan.

  In step S103, the network configuration information analysis unit 1140 waits until it receives network configuration information from the network configuration information collection sensor 1201.

In step S104, the network configuration information analysis unit 1140 uses the network configuration information analysis rules stored in the network configuration information analysis rule storage unit 1150 to receive the network configuration information and the network configuration information received from the network configuration information collection sensor 1201. The network configuration information stored in the database unit 1130 is compared to determine a change in the network configuration information. For example, the network configuration information analysis unit 1140 detects a network device 1300 having an unregistered IP address, or detects that the OS of a certain network device 1300 has changed. When detecting a change in the network configuration information corresponding to the network device X _k in the sub-network 2100 proceeds to step S105, if the change in the network configuration information corresponding to the network device X _k is not detected the process returns to step S102 .

In step S105, the network configuration information analyzing unit 1140, using the server inter-sensor interface unit 1160, the network configuration information gathering sensor 1201 instructs the implementation of active scanning for a network device _{X k,} other network devices _{X k} Check for changes in network configuration information. In this case, the network configuration information to be active scan target, and network configuration information other than the network configuration information detected changes in network equipment X _k.

In step S106, the network configuration information analysis unit 1140 uses the inter-server sensor interface unit 1160, and the network configuration information collection sensor 1201 detects the network in which a change is detected in step S104 for other network devices 1300 in the subnetwork 2100. instructs the implementation of active scanning for network configuration information detected by the configuration information and the step S105, changes similar to the network device X _k is inspected or not occurred in the other network devices 1300. Here, the network configuration information analysis unit 1140 determines the network device 1300 to be inspected based on the network configuration information analysis rule registered in the network configuration information analysis rule storage unit 1150. For example, the network configuration information analysis unit 1140 may target all network devices 1300 in the sub-network 2100, or only network devices 1300 that have the same OS, software, service to be used, and usage purpose of the network device 1300. It may be a target.

  In step S107, the network configuration information analysis unit 1140 updates the network configuration information registered in the network configuration information database unit 1130. The network configuration information of the network device 1300 not registered in the network configuration information database unit 1130 is newly registered.

  FIG. 6 is a flowchart showing the operation of the network configuration information collection sensor 1201.

  In step S108, the sensor control unit 1210 connects to the network configuration information collection / analysis server 1101 via the server-sensor interface unit 1220.

  In step S109, the sensor control unit 1210 waits for an instruction from the network configuration information collection analysis server 1101, and a packet or response from the subnetwork 2100. The sensor control unit 1210 performs steps S110 to S112 when receiving an instruction regarding passive scan from the network configuration information collection analysis server 1101, and performs step S113 when receiving an instruction regarding active scan from the network configuration information collection analysis server 1101. Steps S116, S117, and S120 are executed when a packet flowing through the subnetwork 2100 is acquired, and steps S118 to S120 are executed when a response from the network device 1300 in the subnetwork 2100 is received. Here, the instruction related to passive scan refers to an instruction to execute, stop, change settings and add passive scan, and the instruction related to active scan refers to an instruction to execute, stop active, change settings and add.

  In step S110, the sensor control unit 1210 receives a passive scan execution instruction from the network configuration information collection analysis server 1101 using the server-sensor interface unit 1220. Here, a passive scan execution instruction received from the network configuration information collection analysis server 1101 includes a list of network configuration information collected by the passive scan (for example, collecting IP addresses, not collecting MAC addresses, etc.), network A list of configuration information collection conditions (for example, designation of a network device 1300 in the sub-network 2100 that collects network configuration information, designation of a network device 1300 that is not collected, etc.) and a program for performing a passive scan are included.

  In step S111, the sensor control unit 1210 updates the passive scan setting unit 1231 using a list included in the passive scan execution instruction. Here, the information to be updated includes, for example, setting information such as acquiring only packets of the network device 1300 having a certain IP address, acquiring only packets using a certain protocol, and network configuration for collecting network configuration information. A program for executing a passive scan received from the information collection analysis server 1101.

  In step S112, the sensor control unit 1210 starts the passive scan by the passive scan execution unit 1230, and returns to step S109.

  In step S113, the sensor control unit 1210 receives an active scan execution instruction from the network configuration information collection analysis server 1101 using the server-sensor interface unit 1220. Here, the active scan execution instruction received from the network configuration information collection analysis server 1101 includes a list of network configuration information collected by the active scan (eg, collecting IP addresses, not collecting MAC addresses, etc.), network A list of configuration information collection conditions (for example, designation of a network device 1300 in the sub-network 2100 that collects network configuration information, designation of a network device 1300 that is not collected, and the like) and a program for performing an active scan are included.

  In step S114, the sensor control unit 1210 updates the active scan setting unit 1241 using the list included in the active scan execution instruction. Here, the information to be updated refers to the setting of the network device 1300 that collects the network configuration information by the active scan, the network configuration information that is collected from the network device 1300, and the network configuration information collection / analysis server that collects the network configuration information A program for executing an active scan received from 1101.

  In step S115, the request generation unit 1242 generates a request for active scan for the network device 1300 included in the setting of the active scan setting unit 1241, and transmits the request to the network device 1300 using the request transmission unit 1243. To do. The active scan uses a conventional method. For example, an ICMP (Internet / Control / Message / Protocol) / echo request is transmitted to check the existence of the network device 1300, or to perform a port scan to check an operating port. After sending the request, the process returns to step S109.

  In step S116, the packet acquisition unit 1233 acquires a packet flowing through the subnetwork 2100.

  In step S117, the packet analysis unit 1232 performs filtering and analysis of the packet acquired by the packet acquisition unit 1233 using the setting of the passive scan setting unit 1231, and acquires network configuration information. The passive scan uses a conventional method. For example, a method called OS / fingerprinting that obtains information such as a source IP address, a destination IP address, and a used port number by analyzing information in a packet header, or identifies an OS based on characteristics of protocol implementation for each OS. Use it to get information. After obtaining the information, the process proceeds to step S120.

  In step S118, the response receiving unit 1245 receives a response from the network device 1300.

  In step S119, the response analysis unit 1244 analyzes the response using the settings of the active scan setting unit 1241, and acquires network configuration information.

  In step S120, the sensor control unit 1210 transmits network configuration information to the network configuration information collection / analysis server 1101 using the server-sensor interface unit 1220. After transmission, the process returns to step S109.

  As described above, according to the present embodiment, it is possible to automatically grasp the network configuration information related to the network device 1300 connected to the management target network and the change thereof, and change the changed portion of the network configuration information. By performing the active scan mainly, it is possible to collect network configuration information that can quickly respond to changes in the network configuration information while suppressing the load on the network to be managed.

Embodiment 2. FIG.
Hereinafter, the present embodiment will be described with reference to FIGS.

  FIG. 7 is a diagram showing an outline of the configuration and functions of the network configuration information collection / analysis system 1002 according to the present embodiment.

  The network configuration information collection / analysis system 1002 according to the present embodiment adds a multi-stage connection function to the network configuration information collection sensor 1201 of the network configuration information collection / analysis system 1001 according to the first embodiment, and the network in the plurality of sub-networks 2100 The configuration information can be collected.

  In FIG. 7, the network configuration information collection / analysis system 1002 includes a network configuration information collection / analysis server 1102 and a network configuration information collection sensor 1202. Here, the network configuration information collection / analysis server 1102 is the same as the network configuration information collection / analysis server 1101 of the network configuration information collection / analysis system 1001 according to the first embodiment, and thus description thereof is omitted.

  The network configuration information collection sensor 1202 is connected to the network configuration information collection / analysis server 1102 or the higher-level network configuration information collection sensor 1202, and instructs the network configuration information collection / analysis server 1102 to receive the network configuration information collection / analysis server 1102 or higher-level network configuration. The network configuration information is received from the information collection sensor 1202 and collected in the same manner as the network configuration information collection sensor 1201 according to the first embodiment. Then, the network configuration information collection sensor 1202 notifies the network configuration information collection analysis server 1102 of the collected network configuration information via the upper network configuration information collection sensor 1202. The network configuration information collection sensor 1202 also instructs the lower network configuration information collection sensor 1202 from the network configuration information collection analysis server 1102 and the network configuration from the lower network configuration information collection sensor 1202 to the network configuration information collection analysis server 1102. Relay information.

  FIG. 8 is a block diagram showing the configuration of the network configuration information collection / analysis system 1001.

  As described above, the network configuration information collection / analysis server 1102 is the same as the network configuration information collection / analysis server 1101 of the network configuration information collection / analysis system 1001 according to the first embodiment, and a description thereof will be omitted.

  In FIG. 8, the network configuration information collection sensor 1201 includes a sensor control unit 1210, an inter-server sensor interface unit 1220, one or more passive scan execution units 1230, one or more active scan execution units 1240, and an inter-sensor interface unit. 1250. Although not shown, the network configuration information collection sensor 1201 is provided with hardware such as a storage device, a processing device, an input device, an output device, and a communication device, as in the first embodiment. Here, the sensor control unit 1210, the inter-server sensor interface unit 1220, the passive scan execution unit 1230, and the active scan execution unit 1240 are the same as those included in the network configuration information collection sensor 1201 according to the first embodiment. Omit the explanation.

  The inter-sensor interface unit 1250 is obtained by mounting a communication interface used for communication between the network configuration information collection sensors 1202 on a communication device. Specifically, the inter-sensor interface unit 1250 receives an instruction from the network configuration information collection analysis server 1102 transmitted from the upper network configuration information collection sensor 1202 and relays it to the lower network configuration information collection sensor 1202. And / or relay the network configuration information transmitted from the lower network configuration information collection sensor 1202 to the upper network configuration information collection sensor 1202, and collect the network configuration information collected by the upper network configuration information collection sensor 1202. Used to send to.

  Next, the operation of the network configuration information collection / analysis system 1002 will be described with reference to FIG.

  FIG. 9 is a flowchart showing the operation of the network configuration information collection sensor 1202 connected to the upper network configuration information collection sensor 1202 and connected from the lower network configuration information collection sensor 1202.

  In step S121, the sensor control unit 1210 transmits the instruction from the network configuration information collection analysis server 1102 transmitted from the higher-level network configuration information collection sensor 1202, and the network configuration information transmitted from the lower-level network configuration information collection sensor 1202. And waits for a packet or response from the subnetwork 2100.

  In step S122, the sensor control unit 1210 receives a passive scan execution instruction from the upper network configuration information collection sensor 1202 using the inter-sensor interface unit 1250. Thereafter, the sensor control unit 1210 performs Steps S111 and S112 in the same manner as in Embodiment 1, and returns to Step S121.

  In step S123, the sensor control unit 1210 receives an active scan execution instruction from the higher-level network configuration information collection sensor 1202 using the inter-sensor interface unit 1250. Thereafter, the sensor control unit 1210 performs steps S114 and S115 as in the first embodiment, and returns to step S121.

  In step S124, the sensor control unit 1210 receives an instruction from the network configuration information collection analysis server 1102 for the lower network configuration information collection sensor 1202 from the upper network configuration information collection sensor 1202 using the inter-sensor interface unit 1250. .

  In step S125, the sensor control unit 1210 transmits an instruction from the network configuration information collection analysis server 1102 to the lower network configuration information collection sensor 1202 using the inter-sensor interface unit 1250, and the process returns to step S121.

  In step S126, the sensor control unit 1210 receives network configuration information from the lower network configuration information collection sensor 1202 using the inter-sensor interface unit 1250.

  In step S127, the sensor control unit 1210 transmits the network configuration information to the host network configuration information collection sensor 1202 using the inter-sensor interface unit 1250, and the process returns to step S121.

  In step S128, when receiving a packet from the subnetwork 2100, the sensor control unit 1210 executes steps S116 and S117 as in the first embodiment, and then executes step S127. When the sensor control unit 1210 receives a response to the active scan request from the sub-network 2100, the sensor control unit 1210 executes steps S118 and S119 as in the first embodiment, and then executes step S127.

  As described above, according to the present embodiment, even when the network configuration information collection / analysis server 1102 and the network configuration information collection sensor 1202 cannot communicate directly, information can be indirectly exchanged by multi-stage connection. it can. For example, the network configuration information collection / analysis server 1102 is arranged outside the sub-network 2100 that actually collects the network configuration information, and the network configuration information collection / analysis server 1102 and the network configuration information collection sensor 1202 are directly connected by a firewall. When communication is not possible, the network configuration information collection sensor 1202 arranged for each subnetwork 2100 collects information inside the network to be managed, and the network configuration information collection sensor 1202 arranged in the subnetwork 2100 capable of external communication and the network The configuration information collection / analysis server 1102 communicates with the network configuration information collection sensor 1202 that cannot directly communicate with the network configuration information collection / analysis server 1102. It is possible to exchange.

Embodiment 3 FIG.
Hereinafter, the present embodiment will be described with reference to FIGS.

  FIG. 10 is a diagram showing an outline of the configuration and functions of the network configuration information collection / analysis system 1002 according to the present embodiment.

  The network configuration information collection / analysis system 1003 according to the present embodiment adds a function for monitoring the update of the network configuration information to the network configuration information collection / analysis server 1102 of the network configuration information collection / analysis system 1002 according to the second embodiment. In addition, by instructing execution of active scan for network configuration information for which information has not been obtained for a certain period of time, it is possible to prevent omission of acquisition of network configuration information.

  In FIG. 10, the network configuration information collection / analysis system 1003 includes a network configuration information collection / analysis server 1103 and a network configuration information collection sensor 1203. Here, the network configuration information collection sensor 1203 is the same as the network configuration information collection sensor 1202 of the network configuration information collection analysis system 1002 according to the second embodiment, and thus description thereof is omitted.

  The network configuration information collection / analysis server 1103 monitors the update status of the network configuration information, and instructs the network configuration information collection sensor 1203 to perform an active scan for the network configuration information for which information has not been obtained for a certain period of time.

  FIG. 11 is a block diagram showing the configuration of the network configuration information collection / analysis system 1003.

  As described above, the network configuration information collection sensor 1203 is the same as the network configuration information collection sensor 1202 of the network configuration information collection analysis system 1002 according to the second embodiment, and thus description thereof is omitted.

  In FIG. 11, the network configuration information collection / analysis server 1103 includes a network configuration information input unit 1110, a network configuration information output unit 1120, a network configuration information database unit 1130, a network configuration information analysis unit 1140, a network configuration information analysis rule storage unit 1150, A server sensor interface unit 1160 and a network configuration information update monitoring unit 1170 are provided. Although not shown, the network configuration information collection / analysis server 1103 includes hardware such as a storage device, a processing device, an input device, an output device, and a communication device, as in the first and second embodiments. Shall. Here, the network configuration information input unit 1110, the network configuration information output unit 1120, the network configuration information database unit 1130, the network configuration information analysis unit 1140, the network configuration information analysis rule storage unit 1150, and the server sensor interface unit 1160 are implemented. Since the network configuration information collection / analysis servers 1101 and 1102 of the first and second embodiments are the same as those of the first and second embodiments, the description thereof is omitted.

  The network configuration information update monitoring unit 1170 monitors the update status of the network configuration information of each network device 1300 stored by the network configuration information database unit 1130, and detects the network configuration information of the network device 1300 that has not been updated for a certain period. When the network configuration information update monitoring unit 1170 detects the network configuration information of the network device 1300 that has not been updated for a certain period of time, the request transmission unit 1243 of the network configuration information collection sensor 1203 sends the information related to the network device 1300 to the network device 1300. An instruction for transmitting the request is transmitted to the network configuration information collection sensor 1203. That is, the network configuration information update monitoring unit 1170 monitors the network configuration information registered in the network configuration information database unit 1130, and collects network configuration information that has not been updated for a certain period of time by active scanning. Requests can be made to the information collection sensor 1203.

  Next, the operation of the network configuration information collection / analysis system 1003 will be described with reference to FIG.

  FIG. 12 is a flowchart showing the operation of the network configuration information update monitoring unit 1170 of the network configuration information collection / analysis server 1103.

  Network configuration information input / analysis unit 1110, network configuration information output unit 1120, network configuration information database unit 1130, network configuration information analysis unit 1140, network configuration information analysis rule storage unit 1150, server sensor interface unit of network configuration information collection / analysis server 1103 Since the operation of 1160 is the same as that of the network configuration information collection / analysis servers 1101 and 1102 of the first and second embodiments, a description thereof will be omitted.

  In step S129, the network configuration information update monitoring unit 1170 monitors the update status of the network configuration information registered in the network configuration information database unit 1130.

  In step S130, the network configuration information update monitoring unit 1170 executes step S131 if any network configuration information has not been updated for a certain period of time. If not, the process returns to step S129 to continue monitoring the update status of the network configuration information.

  In step S131, the network configuration information update monitoring unit 1170 instructs the network configuration information collection sensor 1203 to collect information by active scan for network configuration information that has not been updated for a certain period of time. Here, the monitoring time until the active scan is instructed can be arbitrarily set for each item of the network device 1300 and the network configuration information. For example, an OS is set to perform an active scan if no information is obtained for one week, an IP address is set to perform an active scan if no information is obtained for one hour, or a network device 1300 is set to a network. For example, the configuration information may not be updated and monitored. After instructing the active scan, the network configuration information update monitoring unit 1170 returns to step S129 and continues to monitor the update status of the network configuration information.

  As described above, according to the present embodiment, even when the network configuration information is not obtained by the passive scan, it is possible to prevent the network configuration information from being missed by collecting the network configuration information by the active scan. .

As described above, the network configuration information collection / analysis system according to Embodiment 1 collects network configuration information as follows.
(1) A change in network configuration information is detected by collecting passive and active network configuration information.
(2) Active network configuration information is collected for network configuration information that has not been collected, and other network configuration information has not changed for network devices that have detected a change in network configuration information. inspect.
(3) A network device in which a change has been detected by collecting active network configuration information for the network configuration information in which a change has been detected in the above (1) and (2) with respect to another network device. Inspect whether there is a change similar to.

The network configuration information collection / analysis system according to Embodiment 1 includes a network configuration information collection / analysis server and a network configuration information collection sensor having the following characteristics.
The network configuration information collection / analysis server accumulates and manages network configuration information.
The network configuration information collection / analysis server collects and analyzes network configuration information. Specifically, the network configuration information collection sensor is instructed to execute passive and active network configuration information collection, and a network configuration change is detected from the network configuration information collected by the network configuration information collection sensor. Instructs the collection of network configuration information in response to changes in
-The network configuration information collection sensor collects passive network configuration information and / or active network configuration information according to instructions from the network configuration information collection / analysis server. To the network configuration information collection and analysis server.

In the network configuration information collection and analysis system according to the second embodiment, the network configuration information collection sensor further has the following characteristics.
-The network configuration information collection sensor can be connected in multiple stages.
The network configuration information collection sensor relays instructions from the network configuration information collection analysis server to the lower network configuration information collection sensor, and the network configuration information collected by the lower network configuration information collection sensor Relay to collection sensor or network configuration information collection and analysis server.

In the network configuration information collection / analysis system according to Embodiment 3, the network configuration information collection / analysis server further has the following characteristics.
The network configuration information collection / analysis server monitors the update status of the network configuration information, and instructs active collection of network configuration information regarding the network configuration information for which information has not been obtained for a certain period of time.

  As mentioned above, although embodiment of this invention was described, you may implement combining 2 or more embodiment among these. Alternatively, one of these embodiments may be partially implemented. Or you may implement combining two or more embodiment among these partially.

It is a figure which shows the fundamental structure and function of the network configuration information collection analysis system which concern on each embodiment. It is a figure which shows an example of the hardware constitutions of the network configuration information collection analysis server and network configuration information collection sensor which concern on each embodiment. It is a figure which shows the structure of the network configuration information collection analysis system concerning Embodiment 1, and the outline | summary of a function. 1 is a block diagram showing a configuration of a network configuration information collection / analysis system according to Embodiment 1. FIG. 6 is a flowchart showing the operation of the network configuration information collection / analysis server according to the first embodiment. 4 is a flowchart showing an operation of the network configuration information collection sensor according to the first embodiment. It is a figure which shows the outline | summary of a structure and function of the network configuration information collection analysis system concerning Embodiment 2. FIG. It is a block diagram which shows the structure of the network configuration information collection analysis system which concerns on Embodiment 2. FIG. 10 is a flowchart showing an operation of the network configuration information collection sensor according to the second embodiment. It is a figure which shows the outline | summary of a structure and function of the network configuration information collection analysis system which concerns on Embodiment 3. FIG. FIG. 10 is a block diagram illustrating a configuration of a network configuration information collection / analysis system according to a third embodiment. 10 is a flowchart showing an operation of a network configuration information collection analysis server according to the third embodiment.

Explanation of symbols

  1000, 1001, 1002, 1003 Network configuration information collection / analysis system, 1100, 1101, 1102, 1103 Network configuration information collection / analysis server, 1110 Network configuration information input unit, 1120 Network configuration information output unit, 1130 Network configuration information database unit, 1140 Network configuration information analysis unit, 1150 Network configuration information analysis rule storage unit, 1160 Server sensor interface unit, 1170 Network configuration information update monitoring unit, 1200, 1201, 1202, 1203 Network configuration information collection sensor, 1210 Sensor control unit, 1220 server Inter-sensor interface unit, 1230 passive scan execution unit, 1231 passive scan setting unit, 1232 packet analysis unit 1233 packet acquisition unit, 1240 active scan execution unit, 1241 active scan setting unit, 1242 request generation unit, 1243 request transmission unit, 1244 response analysis unit, 1245 response reception unit, 1250 inter-sensor interface unit, 1300 network device, 2000 network, 2100 Subnetwork, 1901 Display device, 1902 Keyboard, 1903 Mouse, 1904 FDD, 1905 CDD, 1906 Printer device, 1911 CPU, 1912 Bus, 1913 ROM, 1914 RAM, 1915 Communication board, 1920 Magnetic disk device, 1921 OS, 1922 Window System, 1923 program group, 1924 file group.

Claims (8)

A network configuration information collection and analysis system that collects network configuration information that is information about each network device and analyzes the network configuration information for a plurality of network devices that perform packet communication in a network,
A network configuration information database unit for storing network configuration information of each network device in a storage device;
A packet analysis unit that analyzes a packet flowing through a network by a processing device and generates network configuration information of a network device that has transmitted the packet;
The processing device analyzes the difference between the network configuration information of the network device generated by the packet analysis unit and the network configuration information of the network device stored by the network configuration information database unit, and the network configuration information of the network device A network configuration information analysis unit for detecting changes in
When a change is detected in the network configuration information of the network device by the network configuration information analysis unit, a request transmission unit that transmits a request for information on each network device to a network device other than the network device;
A response analysis unit that analyzes a response to the request transmitted by the request transmission unit, and generates network configuration information of the network device that transmitted the response, and
The network configuration information database unit, when a change is detected in the network configuration information of the network device by the network configuration information analysis unit, the network configuration of each network device generated by the packet analysis unit and the response analysis unit A network configuration information collection / analysis system characterized by updating network configuration information of each network device stored in a storage device with information. The network configuration information of each network device indicates information related to each network device by classifying it into a plurality of items.
When a change is detected in at least one item of the network configuration information of the network device by the network configuration information analysis unit, the request transmission unit transmits to the network device other than the network device, The network configuration information collection / analysis system according to claim 1, wherein a request for only an item having the same classification as the item is transmitted. The packet analysis unit analyzes a packet flowing through the network, generates at least one item of network configuration information of a network device that has transmitted the packet,
The network configuration information analysis unit detects a change in the item of network configuration information of the network device generated by the packet analysis unit,
When a change is detected in the item of the network configuration information of the network device by the network configuration information analysis unit, the request transmission unit sends information on the item other than the item to the network device. Send a request,
The response analysis unit analyzes a response to the request transmitted to the network device by the request transmission unit, and generates network configuration information of the network device,
The network configuration information analysis unit analyzes the difference between the network configuration information of the network device generated by the response analysis unit and the network configuration information of the network device stored by the network configuration information database unit, and The network configuration information collection / analysis system according to claim 2, wherein a change in the network configuration information of the device is detected. The network configuration information collection and analysis system further includes:
A network configuration information update monitoring unit that monitors the update status of the network configuration information of each network device stored by the network configuration information database unit and detects network configuration information of the network device that has not been updated for a certain period of time;
When the network configuration information of the network device that has not been updated for a certain period is detected by the network configuration information update monitoring unit, the request transmission unit transmits a request for information regarding the network device to the network device,
The response analysis unit analyzes a response to the request transmitted by the request transmission unit, and generates network configuration information of the network device,
The network configuration information database unit updates the network configuration information of the network device stored in a storage device with the network configuration information of the network device generated by the response analysis unit. The network configuration information collection and analysis system according to any one of the above. The network configuration information collection and analysis system includes:
While having a network configuration information collection analysis server comprising the network configuration information database unit and the network configuration information analysis unit,
A plurality of network configuration information collection sensors comprising at least one of the packet analysis unit, the request transmission unit and the response analysis unit;
The network configuration information collection analysis server controls at least one network configuration information collection sensor,
The network configuration information according to any one of claims 1 to 4, wherein the network configuration information collection sensor controlled by the network configuration information collection analysis server controls at least one other network configuration information collection sensor. Collection analysis system.   The network configuration information of each network device includes at least the name of each network device, an IP (Internet / protocol) address, a MAC (Media / Access / Control) address, an open port, a service used, Application used and version information, OS (Operating System) and version information, CPU (Central Processing Unit) usage, HDD (Hard Disk Drive) usage, network settings, serial number, patch Application status, DNS (Domain / Name / Service) name, device type, network usage, or operating status Network configuration information collection and analysis system according to any one of claims 1 to 5, characterized in that. Network configuration information collection analysis that acquires and analyzes the network configuration information from a network configuration information collection sensor that collects network configuration information, which is information about each network device, for multiple network devices that perform packet communications on the network A server,
A network configuration information database unit for storing network configuration information of each network device in a storage device;
A network configuration information generation instruction unit that instructs the network configuration information collection sensor to analyze a packet flowing through the network and generate network configuration information of the network device that has transmitted the packet;
A processing device for processing the difference between the network configuration information of the network device generated by the network configuration information collection sensor according to the instruction from the network configuration information generation instruction unit and the network configuration information of the network device stored by the network configuration information database unit And a network configuration information analysis unit that detects a change in the network configuration information of the network device,
When the network configuration information analysis unit detects a change in the network configuration information of the network device, the network configuration information generation instruction unit sends each network device to a network device other than the network device. Send an information request, analyze the response to the request, instruct to generate network configuration information for the network device that sent the response,
The network configuration information database unit, when a change is detected in the network configuration information of the network device by the network configuration information analysis unit, each generated by the network configuration information collection sensor according to an instruction from the network configuration information generation instruction unit A network configuration information collection / analysis server that updates network configuration information of each network device stored in a storage device with network configuration information of the network device. A network configuration information collection and analysis method for collecting network configuration information, which is information about each network device, for a plurality of network devices performing packet communication in a network, and analyzing the network configuration information,
A first step in which a storage device of the computer stores network configuration information of each network device;
A second step in which a computer processing device analyzes a packet flowing through a network and generates network configuration information of a network device that has transmitted the packet;
The processing device of the computer analyzes the difference between the network configuration information of the network device generated in the second step and the network configuration information of the network device stored in the first step, and the network configuration of the network device A third step of detecting changes in the information;
A fourth step in which when a change is detected in the network configuration information of the network device by the third step, the computer communication device transmits a request for information on each network device to a network device other than the network device;
A fifth step in which a computer processing device analyzes a response to the request transmitted in the fourth step and generates network configuration information of the network device that has transmitted the response;
When a change is detected in the network configuration information of the network device by the third step, the storage device of the computer uses the network configuration information of each network device generated by the second step and the fifth step. A network configuration information collection / analysis method comprising: a sixth step of updating network configuration information of each network device stored in one step.

Images