JP2010283668A - Traffic classification system and method, and program, and abnormal traffic detection system and method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To automatically discriminate presence or absence of periodicity in traffic volume variation in a network. <P>SOLUTION: Collected traffic data are time-sequentially stored in a storage device by an input-standby device 51, the time-sequential traffic data stored in the storage device are read and subjected to fast Fourier transform by an input time-sequential/spectrum decomposing device 52, and only predetermined frequency components (for one day, one week, one month, or one year) are extracted from fast Fourier transform result data by a specific spectrum extracting device 53. A spectrum/extraction time-sequence-converting device 54 performs inverse Fourier transform on the extracted frequency components, a correlation value between an inverse Fourier transform result and the fast Fourier transform result is calculated by an input time-sequence/extraction time-sequence comparing device 55, and the calculated correlation value is compared with a predetermined threshold by an input time-sequence classifying device 56 to discriminate the presence or absence of periodicity of the collected traffic data. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a technique for analyzing traffic time-series data observed every moment on a network, and in particular, determines the strength of periodicity such as daily fluctuation and weekly fluctuation of observed traffic, The present invention relates to a technique suitable for use in high-precision analysis of abnormal traffic.

  Against the background of ever-increasing network demand, fraudulent acts that consume a large amount of network traffic resources, such as DDoS (Distributed Denial of Service) attacks, have increased. If the network bandwidth is wasted due to such an illegal act, the communication quality of a general user who uses the network is significantly deteriorated.

  For this reason, network management is required to detect the occurrence of abnormal traffic such as this DDoS attack as soon as possible and take countermeasures.

  In response to such demands, for example, as described in Non-Patent Document 1, abnormal traffic monitoring and control techniques for the entire network are being studied. In this technique, as shown in FIG. 1, statistical information (Netflow data) is collected from network observation points, and anomalies are detected from traffic volume changes such as the number of packets and the number of transfer bytes.

  As an anomalous traffic detection technique, for example, as in Non-Patent Document 2 and Patent Document 1, there is a technique that detects a sudden change in a traffic value using a time series analysis model or a statistical method.

  For traffic with periodicity, such as traffic observed in a backbone network, where the traffic volume varies depending on the life cycle of a person, such traffic volume as in Non-Patent Document 3. There has also been proposed a technique for improving the accuracy of abnormality detection by using the periodicity.

  In order to detect anomalous traffic with high accuracy, it is effective to apply an anomaly detection method that matches the characteristics of time series of observed traffic. For example, a method of setting a fixed threshold value of 50% of the available bandwidth is appropriate for the case where statistical regularity is not seen in the manner of occurrence of traffic as shown in FIG.

  In addition, as shown in FIG. 3, at an observation point with a large amount of traffic, by setting a threshold value using a statistical method such as an average value and a variance of the traffic amount over the past several hours, fluctuations that can be considered statistically normal are Only large fluctuations that have not been detected in the past several hours can be detected without detection.

  Furthermore, when a periodic trend is seen in the traffic fluctuation as shown in FIG. 4, even if it is a sudden traffic fluctuation, the periodic fluctuation seen in the daily cycle or the weekly cycle is not detected. Only other sudden fluctuations can be detected. That is, misinformation can be suppressed to a minimum.

  Such periodic traffic fluctuations include, for example, an increase in traffic during lunch breaks in a corporate network.

  As described above, by applying an abnormality detection method according to time-series characteristics such as the periodicity of traffic, it becomes possible to detect abnormal traffic with higher accuracy and accuracy. However, in the past, periodicity was determined visually.

  In such a visual periodicity determination, in a large-scale network, monitoring items such as monitoring points, the number of packets, and the number of bytes are enormous, and it is difficult to implement all of them manually.

Japanese Patent Laid-Open No. 11-177549 JP 2008-141641 A

Okura, Yagi, Tabuchi, Murayama, “Design of Hierarchical Monitoring and Control System”, 2006 Shingaku Sodai, B-7-70, 2006. A. Soule, K .; Salamatian and N.M. Taft. “Combining Filtering and Statistical Methods for Anomaly Detection”, IMC'05, pp. 331-344, 2005. S. Harada et al. "A Method of Detection Network Anomalies in Cyclic Traffic", IEEE GLOBECOM, 2008.

  The problem to be solved is that the conventional technology cannot efficiently classify a large amount of monitoring traffic based on time-series characteristics such as periodicity.

  An object of the present invention is to solve these problems of the prior art, to automatically determine the periodicity of fluctuations in traffic data, and to detect abnormal traffic in a network with high accuracy.

  In order to achieve the above object, in the present invention, a predetermined period such as one day, one week, one month, one year, etc., in which time-series traffic data collected on a network is subjected to fast Fourier transform and fast Fourier transform. Inverse Fourier transform is performed on the result data (frequency component) in, the correlation value between the inverse Fourier transform result data and the fast Fourier transform result data is calculated, and the calculated correlation value is compared with a preset threshold value. Determine the presence or absence of periodicity. Then, for traffic data determined to have periodicity, a difference in fluctuation of the traffic data is extracted, and when the extracted difference is equal to or greater than a predetermined value, there is a denial of service attack on the network And abnormal traffic is detected.

  According to the present invention, a high score when comparing the input time series and the extracted time series has a strong periodic property, and a low score can automatically determine that the periodic property is weak. Therefore, it can be judged that the application of abnormal traffic detection technology using periodicity is appropriate for traffic with strong periodic properties, and abnormal traffic using statistical methods that do not use periodicity for traffic with weak periodic properties. It can be determined that application of the detection technique or fixed threshold setting should be applied, and it is possible to detect abnormal traffic such as a denial of service attack on the network with high accuracy.

It is explanatory drawing which shows the structural example of the abnormal traffic monitoring system containing the DDoS attack on a network. It is explanatory drawing which shows the example of a threshold setting with respect to the traffic with little flow volume. It is explanatory drawing which shows the example of a threshold setting with respect to the traffic with many flow rates but no periodicity. It is explanatory drawing which shows the example of a threshold value setting with respect to the traffic with periodicity. It is a block diagram which shows the 1st structural example of the traffic classification system which concerns on this invention. It is a block diagram which shows the 2nd structural example of the traffic classification system which concerns on this invention. It is explanatory drawing which shows the example of the fast Fourier transform of the input time series / spectral decomposition apparatus in FIG. 5 and FIG. It is explanatory drawing which shows the process example of the specific spectrum extraction apparatus in FIG. 5 and FIG. It is explanatory drawing which shows the inverse fast Fourier-transform process example of the spectrum / extraction time series conversion apparatus in FIG. 5 and FIG. It is explanatory drawing which shows the process example of the input time series / extraction time series comparison apparatus in FIG. 5 and FIG. It is explanatory drawing which shows the process example of the input time series classification | category apparatus in FIG. 5 and FIG. It is a block diagram which shows the structural example of the period identification apparatus in FIG. It is explanatory drawing which represented the score used as the output result by this invention with each point in the average traffic amount (horizontal axis) of an input time series, and a correlation coefficient (vertical axis). It is explanatory drawing which displayed the classification result example by this invention by each input time series, extraction time series, and a score (title part). It is a block diagram which shows the structural example of the denial of service attack detection system which concerns on this invention.

  Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings. FIG. 5 shows a configuration example of a traffic classification system according to the present invention. The traffic classification system of this example is composed of a computer device having a CPU (Central Processing Unit) and a main memory, and is programmed with computer processing. As the means for executing, the input standby device 51, the input time series / spectrum decomposition device 52, the specific spectrum extraction device 53, the spectrum / extraction time series conversion device 54, the input time series / extraction time series comparison device 55, the input time series classification A device 56 is provided.

  That is, the computer device constituting the packet transfer delay measurement cycle determination system of this example includes a display device, an input device, an external storage device in addition to the CPU and the main memory, and a CD-ROM via an optical disk drive device or the like. After installing the program and data recorded in the storage medium such as the external storage device, the program is read into the main memory from the external storage device and processed by the CPU, whereby each input standby device 51, input time series / spectrum decomposition device 52, the specific spectrum extraction device 53, the spectrum / extraction time series conversion device 54, the input time series / extraction time series comparison device 55, and the input time series classification device 56 are executed. With such a configuration, the traffic classification system of this example collects traffic data in the network by programmed computer processing, and automatically determines the presence or absence of periodicity of fluctuations in the traffic data.

  That is, the collected traffic data is stored in the storage device in time series by the input standby device 51, and the time series traffic data stored in the storage device is read out by the input time series / spectrum decomposition device 52 and fast Fourier transformed, Only a predetermined frequency component (1 day, 1 week, 1 month, 1 year, etc.) is extracted from the fast Fourier transform result data by the specific spectrum extraction device 53 and extracted by the spectrum / extraction time series conversion device 54. Inverse Fourier transform is performed on the frequency components thus obtained, the correlation value between the inverse Fourier transform result and the fast Fourier transform result is calculated by the input time series / extraction time series comparison device 55, and the input time series classification device 56 calculates The obtained correlation value is compared with a predetermined threshold value to determine whether the collected traffic data has periodicity.

  The input standby device 51 collects MIB (Management Information Base) information acquired by SNMP (Simple Network Management Protocol) from each device of the network to be monitored. Further, the input time series / spectrum decomposition device 52 performs discrete Fourier transform on the time series traffic data, and the spectrum / extraction time series conversion device 54 performs inverse discrete Fourier transform on the output value of the input time series / spectrum decomposition device 52. .

  Details of the operation and configuration of the traffic classification system of this example having such a configuration will be described below.

  With the configuration shown in FIG. 5, the traffic classification system of this example classifies the enormous amount of monitoring traffic measured from a plurality of observation points in the network as shown in FIG. 1 according to the intensity of periodicity and the average traffic volume. To a state that can be distributed to an anomaly detection method that matches the characteristics of the time series.

  The input to the traffic classification system is time series data composed of a combination of the monitoring item name or identification number and the monitoring traffic amount time series of the corresponding item. Hereinafter, the time series data composed of the above-mentioned combinations are counted as one, two,. In this example, one or more time series data can be input simultaneously.

  Specifically, the features of the input time series are classified according to the following procedure, and the determination result is given to the identification number of the input time series. In this example, in order to determine the strength of periodicity as a classification method, first, the strength of periodicity is scored.

  By utilizing the fast Fourier transform described in Non-Patent Document 3 described above, the input waveform is decomposed into a spectrum of frequency components. A frequency component characteristic of multiple traffic is extracted from the decomposed frequency components. Inverse fast Fourier transform is performed using only the extracted frequency components to obtain a periodic waveform in the input waveform.

  Finally, by comparing the extracted periodic waveform with the input waveform, the degree of coincidence is scored with a real value of 0 to 1 by calculation based on the correlation coefficient, that is, the intensity of periodicity is quantified. . Further, a label corresponding to the strength of the time-series periodicity is paired with the time-series identification number and output using a predetermined threshold value.

  For example, when the strength of periodicity is expressed in five stages, a time series having a score of 0 or more and less than 0.2 is output with “1” as a label (identification number of the corresponding time series, 1), A comparison between a threshold specified in advance and a score, such as outputting “2” as a label to a time series with a score of 0.2 or more and less than 0.4 (output corresponding time series identification number, 2). Judgment is performed by Thereby, the intensity | strength of the periodicity of an input time series is determined.

  In this example, it is assumed that MIB (Management Information Base) information acquired by SNMP (Simple Network Management Protocol) or the like is collected from each device of the network to be monitored.

  Each collected MIB information can be converted into a time series for each monitoring item such as the number of packets and the number of bytes. In this example, each time series is input. The output is a score representing the strength of periodicity, and is calculated for each input time series.

  In the traffic classification system of this example, as shown in FIG. 5, the input standby device 51 receives a plurality of input time series, temporarily holds them, and then sequentially sends out each time series to subsequent devices.

  The input time series / spectrum decomposition device 52 decomposes one input time series sent from the input standby device 51 into frequency components, and the spectrum extraction device 53 is decomposed by the input time series / spectrum decomposition device 52. A frequency component having a period specified in advance is extracted from the frequency component, and the spectrum / extraction time series converter 54 reconverts the spectrum composed of the frequency components extracted by the spectrum extractor 53 into a time series, and inputs The sequence / extraction time series comparison device 55 scores the extraction time series output by the spectrum / extraction time series conversion device 54 and the original input time series by a predetermined function, and the input time series classification device 56 calculates the score. The determination result is given to the identification number of the input time series according to the size of.

  As an apparatus added here, there is a period specifying apparatus that calculates a set value (period to be extracted) input to the spectrum extracting apparatus 53. When these are combined, the configuration shown in FIG. 6 is obtained.

  In the example of FIG. 5, fast Fourier transform (FFT) is used as the input time series / spectrum decomposition device 52, and inverse fast Fourier transform (IFFT: Inverse FFT) is used as the spectrum / extraction time series conversion device 54.

  The spectrum extraction device 53 leaves only the frequency components of a preset period, and sets the spectrum intensity of the other frequency components to zero. The input time series / extraction time series comparison device 55 calculates a correlation coefficient between two time series and sets it as a score representing the strength of periodicity.

  With such a configuration, the following operation is specifically performed.

  First, a time series converted from MIB information is represented as {x — 0, x — 1,..., X — {n−1}}. This time series represents the time variation of the average number of packets and the average number of bytes that are aggregated every minute or every five minutes. For example, when data for 2 hours is observed, if the total is every minute, the time series is n = 120, and if every 5 minutes, the time series is n = 24.

  This time series is simultaneously received as one or a plurality of inputs as input, and is temporarily held in the storage device by the input standby device 51. The subsequent processing is performed for each time series output from the input standby device 51 one by one.

  The time series output from the input standby device 51 is decomposed into a spectrum by FFT in the input time series / spectrum decomposition device 52.

  This process will be described with reference to FIG.

  First, when applying FFT, since the length of the input time series is a power of 2, the data used for the FFT is an interval that is less than the length of the input time series and has a maximum power of 2 {X — 0, x — 1,..., X — {(2 ^ k) −1}} (2 ^ k ≦ n) are cut out and used (S701: input time series shaping).

  The cut input waveform is input to the FFT and decomposed into frequency components (S702: Fast Fourier Transform (FFT)).

  Hereinafter, the frequency components spectrally decomposed by FFT are represented as {f_0, f_1,..., F _ {(2 ^ k) -1}}. The subscripts of {f_0, f_1, ..., f _ {(2 ^ k) -1}} are frequency components appearing on the input time series {x_0, x_1, ..., x _ {(2 ^ k) -1}}. Corresponds to the frequency of.

  Specifically, f_0 has no frequency, that is, a stationary component, f_1 has a frequency 1, that is, a period 2 ^ k, and f_2 has a frequency 2, that is, a period 2 ^ (k-1). Thereafter, with the same correspondence, the j-th item f_j is a period (2 ^ k) / j. Each frequency component has information on the intensity and phase of the wave of that frequency.

  As described above, in the input time series / spectrum decomposition device 52, after the spectrum is decomposed by FFT, the spectrum is extracted by the specific spectrum extraction device 53. The contents of the processing will be described with reference to FIG.

  The spectrum extracted here is a frequency component specified in advance as a set value (set cycle).

  If the time series has a period that strongly depends on the human life cycle, such as network traffic, the frequency component extracted here is a spectrum corresponding to one week or one day in terms of the period.

  For example, it is assumed that the MIB information as an input time series is total data every 5 minutes, and the length thereof is n = 4096 points. At this time, the period to be decomposed as the frequency component is about 2 weeks of 5 minutes × 4096 points (taken out as f_1), f_2 is about 1 week, and f_3 is about 5 days. Therefore, in order to extract the frequency components for one week and one day, it is only necessary to specify f_2 and f_14.

  Except for the frequency component specified here, {f_0, f_1,..., F _ {(2 ^ k) −1}} is rewritten with the wave intensity set to “0” (S801: spectrum extraction). This is again expressed as {f'_0, f'_1, ..., f '_ {(2 ^ k) -1}}.

  After the spectrum is extracted by the specific spectrum extraction device 53 by the processing of FIG. 8, reverse conversion to time series is performed by IFFT in the spectrum / extraction time series conversion device 54. This process will be described with reference to FIG.

  Here, the spectrum in which the intensity other than the specific frequency component is rewritten to 0, that is, {f′_0, f′_1,..., F ′ _ {(2 ^ k) −1}} is input. This extracted spectrum is input to IFFT and converted into time series (S901: Inverse Fast Fourier Transform (IFFT)).

  Hereinafter, a time series converted from a spectrum by IFFT is represented as {y_0, y_1,..., Y _ {(2 ^ k) −1}} and is referred to as an “extraction time series”.

  Then, the input time series / extraction time series comparison device 55 sets the similarity between them as a score. The processing contents by the input time series / extraction time series comparison device 55 will be described with reference to FIG.

  Here, the input time series {x_0, x_1,..., X _ {(2 ^ k) −1}} output from the input time series / spectrum decomposition apparatus 52 and the extraction time output from the spectrum / extraction time series conversion apparatus 54 are shown. The correlation coefficient of the sequence {y_0, y_1,..., Y _ {(2 ^ k) −1}} is used as a score (S1001: correlation coefficient calculation).

  The extraction time series is composed of periodic waves, such as one week or one day in the input time series, specified at the time of spectrum extraction by the specific spectrum extraction device 53. If the input time series has a strong periodicity, The correlation becomes higher.

  Using the score output by the input time series / extraction time series comparison device 55, the input time series classification device 56 finally compares the score with a predetermined threshold value and determines the identification number of the input traffic. Give the result. The processing contents by the input time series classification device 56 will be described with reference to FIG.

  The threshold value is a numerical value set in advance based on the network design policy, and the input time series classification device 56 compares the score output from the input time series / extraction time series comparison device 55 with the threshold value. If it is lower, it is determined that the periodicity is weak, and if the score exceeds the threshold, it is determined that the periodicity is strong (S1101: score / threshold comparison device).

  As the threshold value, a numerical value of about 0.7 may be used when the score calculation is processing based on a correlation coefficient. Moreover, you may classify | categorize into multiple types using a some threshold value. Further, the traffic whose score is below the threshold may be further sorted according to whether the time-series value does not become zero, or whether the average value of the time-series is greater than or less than a threshold value determined separately. This separately determined threshold value is also a numerical value set in advance based on the network design policy.

  The determination result by the input time series classifier 56 is output as a combination of an input traffic identification number and a character string associated with the determination result by a predetermined setting.

  In such a traffic classification system, as shown in FIG. 6, an input standby device 61, an input time series / spectrum decomposition device 62, a specific spectrum extraction device 63, a spectrum / extraction time series conversion device 64, an input time series. / The extraction time series comparison device 65 and the input time series classification device 66 can be combined with a period specifying device 67 for calculating a set value input to the specific spectrum extracting device 63.

  The configuration of the period specifying device 67 is shown in FIG. Specifically, the input time series summing device 71 inputs all the time series to be classified and adds them for each time to create one time series.

  Thereafter, the input time series / spectrum decomposition device 72 of the period specifying device 67 is input as an input time series, and the input time series / spectrum decomposition device 72 decomposes the input time series / spectrum decomposition device 72 into frequency components.

  Then, the spectral intensity upper classifier 73 selects a set of j specifying frequency components f_j corresponding to a predetermined number from those having a high spectral intensity of the decomposed frequency components, or selecting a frequency component having a high spectral intensity. Then, a set of j specifying the frequency component f_j for which the sum of the spectrum intensities is greater than or equal to the numerical value specified in advance is output as a set value for input to the specific spectrum extracting device 63 in FIG.

  As a result, it is possible to automatically discriminate frequency components that are prominent in the multiplexed traffic, and the input of items to be manually set can be omitted.

  Furthermore, in the traffic classification system of this example, discrete Fourier transform (DFT) is used as the input time series / spectrum decomposition devices 52 and 62, and inverse discrete Fourier transform (IDFT) is used as the spectrum / extraction time series conversion devices 54 and 64. Use.

  This eliminates the need to adjust the input length to a power of 2. As a result, a time series of exactly one week or one month can be input and decomposed into frequency components, and the output cycle can be 1 / j times one week or one month.

  As described above, according to the traffic classification system of this example, when the input time series and the extracted time series are compared, a high score has a strong periodic property, and a low score has a low periodic property. Can be judged. As a result, it can be judged that the application of the anomaly detection method using periodicity is appropriate for traffic with strong periodic properties, and statistics that do not use periodicity for traffic with weak periodic properties. It is possible to determine that an anomaly detection method using the method should be applied or that a fixed threshold setting should be applied.

  Hereinafter, further details of the traffic classification system of this example will be described more specifically using mathematical formulas and the like.

  The input time series in the traffic classification system shown in FIG. 5 is obtained by shaping MIB information acquired by SNMP into a time series for each observation item (number of packets and number of bytes) in advance.

  Here, a 20-day byte count time series collected every 5 minutes from z monitoring destinations is taken as an example. In the following, this time series is identified by subscripts m = 1 to z and denoted as {xm — 0, xm — 1,..., Xm — {n−1}}. Here, n is “12 points (number of time series per hour) × 24 hours × 20 days = 5760 points”.

  First, the first embodiment will be described below.

  First, a case where input time series is classified will be described. Note that the set values of the extracted spectrum are “f_0, f_2, f_4, f_14, f_28”. This is to extract a stationary component (f_0), a one-week periodic component (f_2), a half-week periodic component (f_4), a daily periodic component (f_14), and a half-daily periodic component (f_28) when the input time series is 4096 points. Corresponds to the setting.

  In the traffic classification system of this example, z input time series are held in the input standby device 51, and processing is sequentially performed one by one. Here, the m-th time-series process will be described.

  The m-th input time series is input to the input time series / spectral decomposition apparatus 52. As shown in FIG. 7, in the input time series / spectrum decomposition apparatus 52, in order to process the input time series by the fast Fourier transform, first, the maximum 2 ^ k pieces whose input time series does not exceed the number n of input points. (S701).

  That is, if n = 5760, 2 ^ 12 = 4096, and the input time series for performing the Fourier transform is {xm — 0, xm — 1,..., Xm — 4095}.

  The fast Fourier transform is defined by the following equation (1). Here, i represents an imaginary unit.

  Hereinafter, the spectrum calculated by the above-described Fourier transform is represented by {f_0, f_1,..., F _ {(2 ^ k) −1}}.

  In the specific spectrum extraction device 53, the frequency components other than the preset frequency component are replaced with f_j = 0. The replaced spectrum is represented as {f'_0, f'_1, ..., f '_ {(2 ^ k) -1}}. Thereby, only the frequency component of the set value is extracted.

  The spectrum / extraction time series converter 54 performs the inverse fast Fourier transform shown in FIG. 9 on the extracted spectrum to obtain an extraction time series consisting only of specific frequency components. Here, the inverse fast Fourier transform is defined by the following equation (2).

  Thereafter, the extraction time series calculated by the inverse Fourier transform described above from the extracted spectra {f′_0, f′_1,..., F ′ _ {(2 ^ k) −1}} is expressed as {ym — 0, ym — 1,. {(2 ^ k) -1}}.

  After the extraction time series is obtained, the input time series / extraction time series comparison device 55 scores the degree of similarity in comparison with the input time series. Here, the correlation coefficient defined by Equation 3 below is used as the score.

  FIG. 13 shows the result of scoring by the input time series / extraction time series comparison device 55 in the traffic classification system of this example. Note that the score is normalized as necessary so as to take a real value between 0 and 1.

  The score calculated by this correlation coefficient is a numerical value close to 1 when the similarity between the input time series and the extracted time series is strong, and is close to 0 when the similarity is weak. That is, since the extracted time series is a time series having strong periodic characteristics, it can be determined that the original input time series also has strong periodic characteristics if the score is high.

  In the input time series classification device 56, the score calculated above is compared with a preset threshold value, and if the score exceeds the threshold value, the periodicity is classified as strong, and otherwise, the periodicity is classified as weak. .

  As an example of the effect of the processing of the traffic classification system of this example, the relationship between the calculated score and the periodicity of the input time series is shown in FIG. In addition, when using a correlation coefficient as a score, it is good to set a threshold value between 0.6-0.7.

  Next, a second embodiment will be described below.

  In the second embodiment, as shown in FIG. 6, the set value input to the specific spectrum extracting device 63 is calculated by the cycle specifying device 67.

  In the period specifying device 67, z input time series are input to the input time series summing apparatus 71 shown in FIG. The input time series summing device 71 sums the values for each time and outputs one time series as shown in the following equation (4).

  Then, the time series {x — 0, x — 1,..., X — {n−1}} obtained by the above-described processing is input to the input time series / spectrum decomposition device 72. Of the spectra {f_0, f_1,..., F_ {n−1}} obtained by the processing in the input time series / spectrum decomposition device 72, the intensity of the stationary component f_0 is replaced with 0, and the remaining f_1, f_2, ..., normalization is performed so that the sum of the intensities of f_ {n−1} is 1.

  After that, in the spectrum intensity upper selection device 73, the frequency components are added in descending order of the intensities of f_1, f_2,..., F_ {n−1}, and if the sum exceeds the preset set intensity, the added period is added. A period indicating a component (a set of values of 1 to n−1 including 0 of the steady component) is written out as a set value for the specific spectrum extracting device 63 in FIG.

  This makes it possible to automatically extract a characteristic period in multiplexed traffic, and eliminates the need to manually set a period to be extracted.

  Next, a third embodiment will be described below.

  In the present embodiment, a case will be described in which the traffic classification system of this example is operated as a part of the abnormality detection system in the abnormal traffic monitoring control system shown in FIG. A configuration example is shown in FIG. The abnormality detection system in FIG. 15 is a traffic information measuring device (hereinafter referred to as “measurement points (1) to (4)” in the figure) (1) 150a to (4) as means for executing programmed computer processing. ) 150d, a traffic storage device 151, a traffic classification device 152, a traffic distribution device 153, and abnormality detection devices (1) 154 to (3) 156. Note that each of the measurement points (1) 150a to (4) 150d, the traffic storage device 151, the traffic classification device 152, the traffic distribution device 153, and the abnormality detection devices (1) 154 to (3) 156 includes a CPU and a main memory. For example, a program or data recorded in a storage medium such as a CD-ROM is installed in the external storage device via the provided optical disk drive device, etc. The function of each device is executed by reading into the memory and processing by the CPU.

  Here, the traffic information acquired from each measurement point (1) 150a to (4) 150d of the network is the number of packets, the number of bytes, the number of simultaneous connection sessions, and the like.

  The traffic information is periodically acquired for a predetermined period (for example, every 1 minute or every 5 minutes), stored in the traffic storage device 151 separately prepared for each monitoring item, and formed into a time series. The

  The length of the time series depends on the storage capacity of the traffic storage device 151, but stores a preset period (such as one month) for each monitoring item, and the old data is sequentially deleted.

  It is assumed that each time series is assigned an identification number corresponding to the monitoring item of each measurement point (1) 150a to (4) 150d.

  It is assumed that the abnormality detection system of this example has two or more abnormality detection devices. In FIG. 15, it is assumed that three abnormality detection devices (1) 154 to (3) 156 are provided. For example, a device based on the abnormality detection algorithm using the periodicity mentioned in Non-Patent Document 3 mentioned above or a device based on the abnormality detection algorithm based on statistical information not using the periodicity mentioned in Patent Document 2. In this example, it is used to determine which abnormality detection device monitors each measurement point.

  When a predetermined update period (for example, every week or every month) elapses, each time series in the traffic storage device 151 is converted into a traffic classification device 152 as the traffic classification system of this example shown in FIGS. To enter. At this time, each time series is numbered so as to identify what data (number of packets and number of bytes) at which measurement point.

  The traffic classification device 152 analyzes the input time series and classifies the time series according to the intensity of periodicity based on a threshold value specified in advance. Thereafter, the identification number corresponding to the corresponding time series and the periodicity label are output in pairs.

  The pair of the identification number and the label output from the traffic classification device 152 is input to the traffic distribution device 153, and the traffic distribution device 153 corresponds to the traffic acquired at the measurement point corresponding to the identification number with the label. Switching operation is performed so as to input to the abnormality detection devices (1) 154 to (3) 156.

  However, in practice, the monitoring device is changed only for the identification number whose label has changed. In addition, the association between the label provided by the present apparatus and the abnormality detection apparatus is designated in advance as a setting.

  As a result, the abnormality detection method is periodically reviewed in accordance with the strength of the periodicity of each time series, and the accuracy of the entire abnormality detection system can be improved.

  For example, for the traffic data that the traffic classification system in FIGS. 5 and 6 has determined as having periodicity by the input time-series classification devices 56 and 66, the difference of the fluctuation of the traffic data is extracted, and the extracted difference is determined in advance. If the value is greater than or equal to the above value, it is determined that there is a denial-of-service attack on the network and the traffic is abnormal.

  As described above with reference to FIG. 1 and FIG. 5 to FIG. 15, in this example, the time series traffic data collected on the network is subjected to fast Fourier transform and fast Fourier transform. Inverse Fourier transform is performed on the result data (frequency component) in a predetermined period such as one month, one year, etc., the correlation value between the inverse Fourier transform result data and the fast Fourier transform result data is calculated, and the calculated correlation value Is compared with a preset threshold value to determine the presence or absence of periodicity.

  That is, the time series data of the monitoring information that is the input is subjected to fast Fourier transform, the output value is inverse Fourier transformed, and the correlation between the input value and the output value of the inverse Fourier transform in a preset frequency component is calculated, The calculated value is compared with a preset threshold value to determine the presence or absence of periodicity.

  In particular, in the fast Fourier transform process, the time series data of the monitoring information as input is subjected to discrete Fourier transform, and in the inverse Fourier transform process, the output value is subjected to inverse discrete Fourier transform.

  Then, a denial of service attack is detected from the monitoring traffic using the determination result of the presence or absence of periodicity. That is, when traffic fluctuation having periodicity is extracted by the above-described processing, a difference in fluctuation of the traffic data is extracted for traffic data determined to have periodicity, and the extracted difference is a predetermined value. In the above case, it is determined that there has been a denial of service attack on the network, and abnormal traffic is detected.

  As described above, according to the technique of this example, when the input time series and the extracted time series are compared, the one with a high score has a strong periodic property, and the one with a low score automatically has a low periodic property. This makes it possible to determine that the application of abnormal traffic detection technology using periodicity is appropriate for traffic with strong periodic characteristics, and statistics that do not use periodicity for traffic with weak periodic characteristics. It can be determined that the application of abnormal traffic detection technology using a method or a fixed threshold setting should be applied, and it is possible to detect abnormal traffic such as a denial of service attack on the network with high accuracy.

  In addition, this invention is not limited to the example demonstrated using FIG. 1 and FIGS. 5-15, In the range which does not deviate from the summary, various changes are possible. For example, in this example, the Internet has been described as shown in FIG. 1, but the present invention can also be applied to traffic measurement and abnormal traffic detection in other networks such as an intranet.

  Further, as a recording medium used for installing a program in each device constituting the traffic classification system in FIG. 5 and the abnormality detection system in FIG. 15, an FD (Flexible Disk) may be used, or via a network via a communication device. You can also download and install the program.

  51, 61: input standby device, 52, 62: input time series / spectrum decomposition device, 53, 63: specific spectrum extraction device, 54, 64: spectrum / extraction time series conversion device, 55, 65: input time series / extraction Time series comparison device, 56, 66: Input time series classification device, 67: Period specifying device, 71: Input time series summing device, 72: Input time series / spectrum decomposition device, 73: Spectral intensity upper sorting device, 150a˜ 150d: Network measurement points (1) to (4), 151: Traffic storage device, 152: Traffic classification device, 153: Traffic distribution device, 154 to 156: Abnormality detection devices (1) to (3).

Claims (7)

A traffic classification system that collects traffic data in a network by programmed computer processing and determines the presence or absence of periodicity of traffic fluctuations,
As a means of performing programmed computer processing,
A first means for storing the collected traffic data in a storage device in time series;
Second means for reading out the time-series traffic data stored in the storage device and performing a fast Fourier transform;
Third means for extracting only predetermined frequency components from the fast Fourier transform result data by the second means;
A fourth means for performing an inverse Fourier transform on the frequency component extracted by the third means;
Fifth means for calculating a correlation value between the inverse Fourier transform result by the fourth means and the fast Fourier transform result by the second means;
A traffic classification system comprising: a sixth means for comparing the correlation value calculated by the fifth means with a predetermined threshold value to determine the presence or absence of the periodicity of the traffic. The traffic classification system according to claim 1,
The second means is:
Discrete Fourier transform the above time-series traffic data,
The fourth means is
A traffic classification system, wherein an output value of the second means is subjected to inverse discrete Fourier transform. A traffic classification method by a computer device that collects traffic data in a network by programmed computer processing and determines the presence or absence of periodicity of traffic fluctuations,
As a programmed computer processing execution procedure of a computer device,
3. A traffic classification method comprising a processing procedure executed by each means in the traffic classification system according to claim 1.   The program for functioning a computer as each means in the traffic classification system in any one of Claim 1 or Claim 2. An anomaly traffic detection system for detecting anomalies in the network using traffic data collected from the network by programmed computer processing,
As a means of performing programmed computer processing,
Each of the first to sixth means in the traffic classification system according to claim 1 or 2,
Means for extracting the difference in fluctuation of the traffic for traffic determined to have periodicity by the sixth means;
An abnormal traffic detection system comprising: means for determining that there is an abnormality in the network when the difference extracted by the means is equal to or greater than a predetermined value. An abnormal traffic detection method by a computer device for detecting an abnormality of the network using traffic data collected from the network by programmed computer processing,
As a programmed computer processing execution procedure of a computer device,
6. An abnormal traffic detection method comprising a processing procedure executed by each means in the denial-of-service attack detection system according to claim 5.   The program for functioning a computer as each means in the abnormal traffic detection system of Claim 5.

Images