JP2011130238A - Abnormal traffic monitoring method, and abnormal traffic monitoring device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To allow a superintendent to confirm the relevancy between a plurality of alerts swiftly. <P>SOLUTION: In an abnormal traffic monitoring device which monitors traffic on a network and detects an abnormal state, the monitoring device has a module for receiving statistical information of the traffic from a network device on the network, detecting the abnormal state of the traffic from the statistical information of the traffic, and notifying to the superintendent as alert information, a module for analyzing traffic information in the abnormal state upon notification of the alert information as a trigger, and storing it as analysis information accompanying the alert information, and a module for retrieving the associated alert information from the stored analysis information, and presenting it to the superintendent. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to an abnormal traffic monitoring method and an abnormal traffic monitoring apparatus, and more particularly to a technique that enables a monitor to quickly determine a countermeasure by presenting a relationship between a plurality of alerts.

In the conventional abnormal traffic monitoring device, when a plurality of alerts are detected, the related alerts are extracted based on information (for example, destination address) acquired when the alerts are detected, and enumerated in time series, Their relevance was presented to the observer.
On the other hand, a technique for reducing the number of alerts by consolidating a plurality of alerts into one alert has been proposed. (See Patent Document 1 below)
In Patent Document 1 described above, the number of alerts per unit time is measured for each alert type, and when the number exceeds a certain number, alert information exceeding the threshold is generated. In this method, the information that can be confirmed by the monitor is aggregated alert information, and the alerts that can be aggregated are also limited to the same type. Therefore, the monitor cannot grasp the relationship between multiple types of alerts. It was difficult.

JP 2006-237842 A

JP 2009-44501 A

In the conventional abnormal traffic monitoring device, the detection of the abnormal state of the traffic uses the information of the attack target to be monitored and its traffic volume, so the relevance cannot be determined only by associating the alert with the information at the time of detection. There are cases of anomalous traffic, and it has been difficult to present enough relevance between multiple alerts to the observer.
For this reason, in the conventional abnormal traffic monitoring device, it is necessary for a monitor to manually and alternately refer to a plurality of alert information to determine the relationship between alerts, and it takes time to grasp and determine abnormal traffic. There was a problem that needed.
Several cases where it is difficult to present the relevance of a plurality of alerts will be described below as examples of monitoring DoS attacks occurring on the Internet.

(1) A DoS attack has occurred from the same attack source to a plurality of attack destinations, and as an alert for abnormal traffic caused by the attack, it is detected as a separate alert for each attack destination, and the same attack source Case in which it cannot be determined from the alert information (2) A backscatter attack has occurred from a certain attack source to a specific attack destination, and as an alert of abnormal traffic resulting from the attack, the traffic from the attack source to the attack destination A case where a sudden increase is detected as an alert, and a sudden increase in rebound traffic from the attack destination is detected as another alert at the same time. (3) A DoS attack is intermittently repeated from the same attack source to a specific attack destination. Occurred and detected as multiple alerts, during that time, another attack source from the same attack destination against the DoS attack The present invention has been made to solve the problems of the prior art described above, and the object of the present invention is to provide a relationship between a plurality of alerts by a monitor. It is an object of the present invention to provide a technique capable of quickly confirming.
The above and other objects and novel features of the present invention will become apparent from the description of this specification and the accompanying drawings.

Of the inventions disclosed in this application, the outline of typical ones will be briefly described as follows.
(1) An abnormal traffic monitoring method in an abnormal traffic monitoring apparatus that monitors traffic on a network and detects an abnormal state, and receives the statistical information of traffic from the network apparatus on the network; Detecting an abnormal state of traffic from the traffic statistical information received in step 2, and notifying the monitor as alert information, and analyzing the traffic information in the abnormal state triggered by the notification of the alert information in step 2 Step 3 for storing the analysis information accompanying the alert information, Step 4 for searching for the related alert information from the analysis information stored in Step 3, and the related alert information searched for in Step 4 And step 5 presenting to the observer. .

(2) In (1), when searching for related alert information from the analysis information, the step 4 includes 5 of the analysis result destination address, transmission source address, protocol number, destination port number, transmission source port number. And at least one of the two pieces of information is matched, and the alert information including the time information of each alert information is searched as a related alert in a range of a certain time width before and after the time information of the alert information, It has the step which determines automatically the relationship between alerts, It is characterized by the above-mentioned.
(3) In step (1), when searching for related alert information from the analysis information, the step 4 includes that the destination information of the analysis result of the alert information and the transmission source information of the analysis result of each alert information are identical. In addition, the alert information that includes the time information of the alert information within the range of a certain time width before and after the time information of the alert information, or the sender information of the analysis result of the alert information and the analysis of each alert information Search for alert information that includes the time information of the alert information in the range of a certain time width before and after the time information of the alert information that matches the destination information of the result as the related alert, and find the relationship between the alerts It has the step which determines automatically.

(4) In (1), the step 3 includes a step of searching for a domain name from a destination address or a source address of the analysis result, and the step 4 searches for related alert information from the analysis information. When the domain name searched from the destination address or the source address matches, the alert information including the time information of each alert information is related to the range of the predetermined time width from the time information of the alert information. It is characterized by having a step of searching as an alert and automatically determining a relationship between alerts.
(5) In any one of (1) to (4), in step 4, a plurality of search conditions for relevant alert information are set, and in addition, the priority of the search conditions is set and related from the analysis information. When searching for alert information, using the search conditions corresponding to the order of priority, the related alert information is sequentially searched, and the relevance between alerts is automatically determined.
(6) In any one of (1) to (5), the time change of the traffic amount due to the GUI is displayed as a graph as the abnormal traffic information detected in step 2 to the monitor. In step 5, Time information is extracted from the retrieved alert information, and the extracted time information is displayed in a graph display of the abnormal traffic information.
(7) Moreover, this invention is an abnormal traffic monitoring apparatus which performs the above-mentioned abnormal traffic monitoring method.

The effects obtained by the representative ones of the inventions disclosed in the present application will be briefly described as follows.
According to the present invention, it is possible for a supervisor to quickly confirm the relationship between a plurality of alerts.

It is a block diagram which shows the network structure to which the abnormal traffic monitoring apparatus of the Example of this invention is applied. It is a block diagram which shows schematic structure of the abnormal traffic monitoring apparatus of the Example of this invention. It is a figure which shows an example of the analysis information analyzed with the abnormal traffic monitoring apparatus of the Example of this invention. It is a figure which shows an example of the related alert information detected with the abnormal traffic monitoring apparatus of the Example of this invention. It is a figure which shows an example of the traffic graph displayed on the abnormal traffic monitoring apparatus of the Example of this invention. It is a figure which shows an example of the relationship between analysis information and correlation conditions in the abnormal traffic monitoring apparatus of the Example of this invention. It is a figure which shows the other example of the relationship between analysis information and correlation conditions in the abnormal traffic monitoring apparatus of the Example of this invention. It is a figure which shows the other example of the relationship between analysis information and correlation conditions in the abnormal traffic monitoring apparatus of the Example of this invention. It is a figure which shows an example of the table holding the setting of a correlation condition and its priority in the abnormal traffic monitoring apparatus of the Example of this invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
In all the drawings for explaining the embodiments, parts having the same functions are given the same reference numerals, and repeated explanation thereof is omitted. Also, the following examples do not limit the interpretation of the scope of the claims of the present invention.
FIG. 1 is a block diagram showing a network configuration to which an abnormal traffic monitoring apparatus according to an embodiment of the present invention is applied.
In the network configuration shown in FIG. 1, the monitoring network 20 includes network devices # 1 to 4 (11 to 14), and a destination server 40 and a transmission source terminal 30 are connected to the monitoring network 20. As the network devices # 1 to 4 (11 to 14), for example, routers in an IP network are applicable. In this case, in the monitoring network 20, the traffic of IP communication between the transmission source terminal 30 and the destination server 40 is transferred. Is done.
In addition, the abnormal traffic monitoring device 100 is connected to the network devices # 1 to 4 (11 to 14). The connection between the network devices # 1 to 4 (11 to 14) and the abnormal traffic monitoring device 100 may be a LAN or WAN connection, or a connection via a monitoring network.
A monitor terminal 60 is connected to the abnormal traffic monitoring apparatus 100. The connection between the abnormal traffic monitoring apparatus 100 and the supervisor terminal 60 may be, for example, via a LAN or via a WAN such as the Internet.
In addition, a DNS server 50 is connected to the abnormal traffic monitoring apparatus 100. The connection between the abnormal traffic monitoring apparatus 100 and the DNS server 50 may be via a LAN or via a WAN such as the Internet.

In the configuration shown in FIG. 1, when communication traffic from the source terminal 30 to the destination server 40 occurs, the network device # 3 (13) and the network device # 4 (14) that pass through the communication traffic The statistical information of traffic for each group of destination address, transmission source address, destination port number, transmission source port number, and protocol number is calculated as flow information, and these are transmitted to the abnormal traffic monitoring apparatus 100.
The abnormal traffic monitoring device 100 receives the flow information from each of the network devices # 1 to 4 (11 to 14). The abnormal traffic monitoring device 100 can grasp the state of the monitoring network 20 by analyzing the flow information received from each of the network devices # 1 to # 4 (11 to 14).
When each of the network devices # 1 to 4 (11 to 14) transmits flow information to the abnormal traffic monitoring device 100, a protocol such as NetFlow or sFlow is used.
On the other hand, the monitor 70 operates the monitoring terminal 60 to access the abnormal traffic monitoring apparatus 100, thereby enabling the abnormal traffic monitoring apparatus 100 to be operated remotely. Here, the abnormal traffic monitoring apparatus 100 operates as a Web server, and accepts access from the monitoring terminal 60 by a Web browser on the monitoring terminal. Web servers and Web browsers are configured by conventional techniques.
Furthermore, the DNS server 50 has a function of managing the correspondence between addresses and domain names and responding to address resolution requests from external domain names and domain name search requests from addresses. Consists of.

FIG. 2 is a block diagram illustrating a schematic configuration of the abnormal traffic monitoring apparatus 100 according to the embodiment of this invention.
The abnormal traffic monitoring apparatus 100 includes a flow information reception function 101, an abnormal traffic detection function 102, an abnormal traffic analysis function 103, a related alert search function 104, a GUI / graph display function 105, a flow information accumulation function 106, The analysis information storage function 107, the alert information storage function 108, and the domain name acquisition function 109 are configured.
When the flow information is transmitted from each of the network devices # 1 to 4 (11 to 14) to the abnormal traffic monitoring device 100, the flow information receiving function 101 is sent from each of the network devices # 1 to 4 (11 to 14). Terminate the communication protocol and receive flow information. The flow information reception function 101 transmits the received flow information to the flow information storage function 106.
The flow information storage function 106 sequentially stores the flow information received from the flow information reception function 101, extracts the corresponding flow information in response to the request, and transmits it to the request source.
The abnormal traffic detection function 102 is a function that analyzes flow information received during a certain period and detects a sudden change in traffic as alert information of abnormal traffic.
The abnormal traffic detection function 102 requests the flow information accumulation function 106 for flow information for each fixed period. When a plurality of pieces of flow information are received from the flow information storage function 106 in response to the request, the received flow information is inspected for abnormal traffic, and abnormal traffic is detected.
Here, the method for inspecting abnormal traffic is not particularly limited, and an arbitrary algorithm may be employed depending on the purpose. For example, there is a method of accumulating the traffic amount for each specific destination address from the stored flow information, and determining that the traffic is abnormal for the destination address when a predetermined threshold value is exceeded.

The abnormal traffic detection function 102 sequentially assigns alert IDs to the detected abnormal traffic, and transmits alert information to the alert information storage function 108. Here, as the alert information, an alert ID, an occurrence date and time information, a traffic amount, and a destination address are transmitted. Further, when detecting abnormal traffic, the abnormal traffic detection function 102 transmits an alert ID to the abnormal traffic analysis function 103.
The alert information storage function 108 sequentially stores the alert information received from the abnormal traffic detection function 102, extracts the corresponding alert information in response to the request, and transmits it to the request source.
The abnormal traffic analysis function 103 is a function that analyzes the flow information in detail based on the alert information and identifies the flow information that caused the abnormal traffic. When the abnormal traffic analysis function 103 receives the alert ID from the abnormal traffic detection function 102, the abnormal traffic analysis function 103 requests the alert information storage function 108 for the alert information of the corresponding alert ID. When the requested alert information is received from the alert information storage function 108 in response to the request, the flow information storage function 106 is requested for flow information based on the alert information.
When the requested flow information is received from the flow information storage function 106 in response to the request, an abnormal traffic analysis is performed on the flow information to identify the flow information that caused the abnormal traffic. That is, the destination address, the source address, the destination port number, the source port number, the protocol number, and the traffic amount are obtained as the flow information that has caused the abnormal traffic.
Here, the method of analyzing abnormal traffic is not particularly limited, but any algorithm that can identify flow information that causes abnormal traffic may be adopted. For example, in Patent Document 2 described above, the flow information that caused the change in the traffic is specified by extracting the difference between the flow information before and after detecting the abnormal traffic. The specified flow information may be single or plural.

The abnormal traffic analysis function 103 transmits the address information included in the identified flow information to the domain name acquisition function 109. The domain name acquisition function 109 has a function of transmitting the received address to the DNS server 50 and resolving the domain name as a response. The domain name acquisition function 109 returns the received domain name to the abnormal traffic analysis function 103.
The abnormal traffic analysis function 103 assigns a flow ID to the identified plurality of flow information. An analysis ID is assigned every time an abnormal traffic analysis is performed. Further, the abnormal traffic analysis function 103 is obtained from the alert ID, analysis ID, single or plural flow IDs corresponding to the analysis ID, flow information corresponding to each flow ID, and the domain name acquisition function 109 as analysis information. The domain name is transmitted to the analysis information storage function 107.
FIG. 3 is a diagram illustrating an example of analysis information analyzed by the abnormal traffic monitoring apparatus 100 according to the present embodiment.
The analysis information in FIG. 3 includes a plurality of flow IDs (flow ID: 0001, flow ID: 0002) for the analysis ID: 0043, flow information corresponding to each flow ID (destination address, domain name of destination address, transmission) Source address, source address domain name, destination port number, source port number, protocol number). FIG. 3 shows an example in which the flow information is plural, but it may be single.
The abnormal traffic analysis function 103 transmits the alert ID and the analysis ID to the related alert search function 104 after transmitting the analysis information.
The analysis information storage function 107 sequentially stores the analysis information received from the abnormal traffic analysis function 103, extracts the corresponding analysis information in response to the request, and transmits it to the request source.

The related alert search function 104 is a function for identifying other analysis information related to the analysis information. Upon receiving the alert ID and analysis ID from the abnormal traffic analysis function 103, the related alert search function 104 transmits the analysis ID to the analysis information storage function 107 and requests the analysis information. Upon receiving the requested analysis information from the analysis information storage function 107 in response to the request, the analysis information storage function 107 is requested based on the correlation condition designating other analysis information related to the analysis information, and the related analysis information Get. The related analysis information obtained at this time may be single or plural.
Moreover, alert ID is extracted from each obtained related analysis information, and this is made into related alert ID. Furthermore, the alert information received from the abnormal traffic analysis function 103 and the retrieved related alert ID are transmitted to the GUI / graph display function 105 as related alert information.
FIG. 4 is a diagram illustrating an example of related alert information searched by the abnormal traffic monitoring apparatus 100 according to the present embodiment.
The related alert information shown in FIG. 4 is composed of a list of alert IDs (alert ID: 0018 and alert ID: 0022) of related alerts with respect to the alert ID: 0024 that triggered the search. In FIG. 4, a plurality of examples of related alerts are shown, but a single alert may be used.
The correlation condition means a condition for searching that there is a relationship between one analysis information and another analysis information.

The GUI / graph display function 105 extracts the alert ID from the received related alert information, transmits it to the alert information storage function 108, and acquires the corresponding alert information. In addition, the flow graph is drawn by acquiring the flow information of the section including the date and time of occurrence of the acquired alert information and calculating the traffic amount for each time unit. Further, the GUI / graph display function 105 extracts the occurrence date and time from the previously acquired alert information for the drawn traffic graph, and shows the time information of the related alert.
FIG. 5 is a diagram illustrating an example of a traffic graph displayed on the abnormal traffic monitoring apparatus 100 according to the present embodiment.
In FIG. 5, a traffic graph corresponding to the alert ID: 0024 is displayed. The alert ID 0024 that occurred at the date and time C is displayed by a solid line at the location of the occurrence date and time in the traffic graph, and the alert IDs of the related alert ID 0018 and alert ID 0022 are the same as each alert ID. Is displayed with a dotted line with respect to the location (date / time A, date / time B) of the occurrence date and time of alert information corresponding to.
When the monitor 70 accesses the abnormal traffic monitoring apparatus 100 via the web browser of the monitoring terminal 60, the GUI / graph display function 105 receives this, and alert information related to the traffic graph is received as the GUI function. indicate.
Thereby, the supervisor 70 can confirm alert information, the traffic graph of the alert information, and time information of the alert information related to the alert information on one screen, and can quickly determine the response.

Hereinafter, the correlation condition in the related alert search function will be described with a more specific example.
The related alert search function 104 requests the related analysis information to the analysis information storage function 107 based on the correlation condition. The related alert search function 104 generates a search condition from the specified correlation condition and the analysis information as the search source, and performs analysis. By making a request to the information storage function 107, it is possible to obtain related analysis information as a response.
FIG. 6 is a diagram illustrating an example of the relationship between the analysis information and the correlation condition in the abnormal traffic monitoring apparatus 100 according to the present embodiment.
In FIG. 6, as a correlation condition, a condition in which single or plural information matches among 5-tuple information (destination address, transmission source address, protocol number, destination port number, transmission source port number) is extracted from the analysis information. This is an example.
In the correlation condition: A, a condition that “target date and time” and “destination address match” is set, and when this is applied to the flow ID: 0001 of the analysis information of the analysis ID: 0043, the search condition: A-0001 is can get.
Further, in the correlation condition B, a condition that “target date and time” and “destination address match” and “transmission source address match” is set, and this is similarly applied to the flow ID of analysis information of analysis ID 0043: When applied to 0002, a search condition: B-0001 is obtained.

FIG. 7 is a diagram illustrating another example of the relationship between the analysis information and the correlation condition in the abnormal traffic monitoring apparatus 100 according to the present embodiment.
FIG. 7 shows an example in which, as the correlation condition, the condition in which the destination information and the transmission source information match or the transmission source information and the destination information match is extracted from the analysis information.
In the correlation condition: C, the condition “target date and time” and “destination address and source address match” are set, and when this is applied to the flow ID: 0001 of the analysis information of the analysis ID: 0043, the search condition: C-0001 is obtained.
Further, in the correlation condition D, a condition that “target date and time” and “source address and destination address match” is set, and when this is applied to the flow ID 0002 of the analysis information of the analysis ID 0043, the search is performed. Condition: D-0001 is obtained.
FIG. 8 is a diagram illustrating another example of the relationship between the analysis information and the correlation condition in the abnormal traffic monitoring apparatus 100 according to the present embodiment.
FIG. 8 shows an example in which a condition that matches the destination or source domain name is extracted from the analysis information as the correlation condition.
In the correlation condition: E, a condition for “target date and time” and “the domain name of the destination address match” is set. When this is applied to the flow ID: 0001 of the analysis information of the analysis ID: 0043, the search condition: E -0001 is obtained.
Further, in the correlation condition F, a condition that “target date and time” and “domain name of the source address match” is set, and when this is applied to the flow ID 0002 of the analysis information of the analysis ID 0043, the search is performed. Condition: F-0001 is obtained.
The related alert search function 104 transmits the search conditions exemplified in these search conditions: A-0001, B-0001, C-0001, D-0001, E-0001, and F-0001 to the analysis information storage function 107. Then, the analysis information satisfying the corresponding correlation condition is extracted.

A method for extracting related alerts using a plurality of correlation conditions in the related alert search function 104 will be described below.
The related alert search function 104 generates a search condition from the analysis information based on the correlation condition, and transmits the search condition to the analysis information storage function 107, thereby extracting the analysis information satisfying the correlation condition.
FIG. 9 is a diagram showing the contents of a table holding a plurality of correlation conditions set in the related alert search function 104 and their priority settings in the abnormal traffic monitoring apparatus of the embodiment of the present invention.
The related alert search function 104 extracts correlation conditions in the order of priority set from a plurality of correlation conditions set in advance, and extracts related alerts. If the corresponding alert is extracted, the process is terminated. If not, the related alert is extracted using the correlation condition having the next priority. By repeating this until a related alert is extracted or a search for all correlation conditions is completed, it is possible to extract a related alert using a plurality of correlation conditions.
In the above description, the case where the abnormal traffic monitoring apparatus 100 is configured by one apparatus has been described. However, the abnormal traffic monitoring apparatus 100 may be configured by a plurality of apparatuses.

As described above, in the abnormal traffic monitoring apparatus of the present embodiment, instead of associating alerts using only information at the time of detecting an abnormal traffic alert, the traffic analysis is performed after the alert detection, and the obtained analysis result is displayed. By using the means to determine the relevance between multiple alerts, it becomes possible to automatically determine the relevance even in the case of abnormal traffic that cannot be determined only by the information at the time of alert detection, It becomes possible to present the relevance between a plurality of alerts to the monitor.
As described above, according to the present embodiment, in the system that monitors traffic on the network and detects an abnormal state, the alert information related to the abnormal traffic is displayed together with the alert information of the abnormal traffic. The related alert information can be quickly confirmed, and the countermeasure can be easily determined.
As mentioned above, the invention made by the present inventor has been specifically described based on the above embodiments. However, the present invention is not limited to the above embodiments, and various modifications can be made without departing from the scope of the invention. Of course.

11-14 Network devices # 1 to # 4
DESCRIPTION OF SYMBOLS 20 Monitoring network 30 Source terminal 40 Destination server 50 DNS server 60 Monitor terminal 70 Monitor 100 Abnormal traffic monitoring apparatus 101 Flow information reception function 102 Abnormal traffic detection function 103 Abnormal traffic analysis function 104 Related alert search function 105 GUI / graph display Function 106 Flow information storage function 107 Analysis information storage function 108 Alert information storage function 109 Domain name acquisition function

Claims (15)

An abnormal traffic monitoring method in an abnormal traffic monitoring device for monitoring traffic on a network and detecting an abnormal state,
Receiving traffic statistics information from a network device on the network; and
Detecting an abnormal state of traffic from the traffic statistical information received in step 1, and notifying the monitor as alert information;
Step 3 of analyzing the traffic information in an abnormal state triggered by the notification of the alert information in Step 2, and storing it as analysis information accompanying the alert information;
Searching for relevant alert information from the analysis information stored in step 3;
And a step 5 of presenting the relevant alert information retrieved in the step 4 to a monitor.   In the step 4, when searching for relevant alert information from the analysis information, at least one of the five information of destination address, source address, protocol number, destination port number and source port number of the analysis result is obtained. Search for alert information that includes the time information of each alert information as a related alert in the range of a certain time width before and after the time information of the alert information that matches, and automatically determine the relevance between alerts The abnormal traffic monitoring method according to claim 1, further comprising the step of:   In step 4, when searching for related alert information from the analysis information, the destination information of the analysis result of the alert information matches the transmission source information of the analysis result of each alert information, and the alert information The alert information that includes the time information of the alert information within the range of a certain time width before and after the time information, or the source information of the analysis result of the alert information matches the destination information of the analysis result of each alert information, And, there is a step of searching the alert information including the time information of the alert information as related alerts within a certain time width range before and after the time information of the alert information, and automatically determining the relevance between the alerts. The abnormal traffic monitoring method according to claim 1, wherein: The step 3 includes a step of searching a domain name from a destination address or a source address of the analysis result,
When searching for related alert information from the analysis information, the step 4 matches a domain name searched from a destination address or a source address, and a range of a certain time width from the time information of the alert information. The abnormal traffic monitoring method according to claim 1, further comprising: searching for alert information including time information of each alert information as related alerts and automatically determining a relationship between the alerts.   In step 4, when a plurality of search conditions for related alert information are set, in addition, the priority of the search conditions is set, and when the related alert information is searched for from the analysis information, the priority order is met. 5. The abnormal traffic monitoring method according to claim 1, wherein the alert information is sequentially searched using the search condition, and the association between the alerts is automatically determined. In the step 2, the time change of the traffic amount due to the GUI is displayed as a graph as the detected abnormal traffic information for the monitor.
6. The time information is extracted from the retrieved alert information in the step 5, and the extracted time information is displayed in a graph display of the abnormal traffic information. The abnormal traffic monitoring method according to claim 1. An abnormal traffic monitoring device that monitors traffic on a network and detects an abnormal state,
Means 1 for receiving traffic statistical information from a network device on the network, detecting an abnormal state of traffic from the traffic statistical information, and notifying a monitor as alert information;
Triggering the notification of the alert information, analyzing the traffic information in an abnormal state, and storing means 2 as analysis information accompanying the alert information;
An abnormal traffic monitoring apparatus comprising means 3 for searching for relevant alert information from the stored analysis information and presenting it to a monitor.   When the means 3 retrieves relevant alert information from the analysis information, at least one of the five information of the destination address, the source address, the protocol number, the destination port number, and the source port number of the analysis result is retrieved. Search for alert information that includes the time information of each alert information as a related alert in the range of a certain time width before and after the time information of the alert information that matches, and automatically determine the relevance between alerts The abnormal traffic monitoring apparatus according to claim 7, further comprising:   When the means 3 retrieves relevant alert information from the analysis information, the destination information of the analysis result of the alert information matches the transmission source information of the analysis result of each alert information, and the alert information The alert information that includes the time information of the alert information within the range of a certain time width before and after the time information, or the source information of the analysis result of the alert information matches the destination information of the analysis result of each alert information, And it has means for searching for alert information including the time information of the alert information as a related alert in a range of a certain time width before and after the time information of the alert information, and automatically determining the relevance between the alerts. The abnormal traffic monitoring apparatus according to claim 7, wherein the apparatus is an abnormal traffic monitoring apparatus. The means 2 includes means for searching a domain name from a destination address or a source address of the analysis result,
When the means 3 searches for the relevant alert information from the analysis information, the domain name searched from the destination address or the source address matches, and the range of a certain time width before and after the time information of the alert information The abnormal traffic monitoring apparatus according to claim 7, further comprising means for searching for alert information including time information of each alert information as related alerts and automatically determining a relationship between the alerts.   The means 3 sets a plurality of search conditions for related alert information, sets the priority of the search conditions in addition, and searches for related alert information from the analysis information, corresponding to the order of the priorities. 11. The abnormal traffic monitoring apparatus according to claim 7, wherein related alert information is sequentially searched using a search condition, and an association between alerts is automatically determined. The means 1 displays a time change in traffic volume by GUI as abnormal traffic information detected for the monitor,
The said means 3 extracts time information from the searched alert information, and displays the extracted time information in a graph display of the abnormal traffic information. The abnormal traffic monitoring device according to claim 1. An abnormal traffic monitoring device that monitors traffic on a network and detects an abnormal state,
Flow information reception function,
Flow information storage function,
Anomaly traffic detection function,
Alert information storage function,
Anomaly traffic analysis function,
Analysis information storage function,
A related alert search function,
The flow information reception function receives flow information from a network device on the network, transmits the received flow information to the flow information storage function,
The flow information accumulation function sequentially stores the flow information received from the flow information reception function, extracts corresponding flow information in response to a request, and transmits it to the request source.
The abnormal traffic detection function requests the flow information accumulation function for flow information at a fixed period, performs an inspection of abnormal traffic on the flow information received from the flow information accumulation function, and detects the detected abnormality. An alert ID is assigned to the traffic, is sent to the alert information storage function as alert information, and an alert ID is sent to the abnormal traffic analysis function,
The alert information storage function sequentially stores alert information received from the abnormal traffic detection function, extracts corresponding alert information in response to a request, and transmits it to the request source.
When the abnormal traffic analysis function receives an alert ID from the abnormal traffic detection function, the abnormal traffic analysis function requests alert information of the alert ID from the alert information storage function, and receives the requested alert information from the alert information storage function. Request flow information based on information to the flow information storage function, perform abnormal traffic analysis on the flow information received from the flow information storage function, identify and identify the flow information that caused the abnormal traffic A flow ID is assigned to a plurality of flow information, an analysis ID is assigned every time an abnormal traffic analysis is performed, the analysis information of the analysis ID is transmitted to the analysis information storage function, and an alert ID and analysis are performed. Send ID to related alert search function,
The analysis information storage function sequentially stores the analysis information received from the abnormal traffic analysis function, extracts the corresponding analysis information according to the request, and transmits it to the request source.
When the related alert search function receives an alert ID and an analysis ID from the abnormal traffic analysis function, the related alert search function requests analysis information of the analysis ID to the analysis information storage function, and receives the analysis information requested from the analysis information storage function. Then, a request is made to the analysis information storage function based on a correlation condition specifying other analysis information related to the analysis information, and an alert ID is extracted from the obtained related analysis information, and this is used as the related alert ID. An abnormal traffic monitoring device characterized by that. It has a GUI / graph display function,
The GUI / graph display function acquires the alert ID received from the related alert search function and the alert information of the related alert ID from the alert information storage function, and the flow information of the section including the occurrence date and time of the acquired alert information is obtained. Obtained from the flow information storage function, calculates the traffic volume per time unit and draws a traffic graph, extracts the date and time of occurrence from the obtained alert information for the drawn traffic graph, The time information of the related alert information of the acquired related alert ID is extracted and time information is extracted, and the extracted time information is displayed during the traffic graph display. Traffic monitoring device. It has a domain name acquisition function,
The domain name acquisition function receives address information included in the flow information specified in the abnormal traffic analysis function from the abnormal traffic analysis function and transmits it to the DNS server, and receives a corresponding domain name from the DNS server. 15. The abnormal traffic monitoring apparatus according to claim 13, wherein the received domain name is returned to the abnormal traffic analysis function.

Images