JP2011146808A - Traffic analyzer, traffic analyzing method, and traffic analysis program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To inhibit normal traffic from being erroneously excluded as abnormal traffic from analysis objects. <P>SOLUTION: A traffic analyzer 10 includes: a traffic analyzing part 123 for analyzing traffic on the basis of traffic data 112; a ratio difference calculating part 121 for calculating a difference between a ratio for which the number of transmission sources in which the total value obtained by accumulating traffic included in the traffic data 112 in a transmission source unit is equal to or less than a first threshold 111 accounts of the number of the entire transmission sources and a ratio for which the total of traffic of transmission sources in which the total value is equal to or less than the first threshold 111 accounts of the entire traffic; and an abnormal traffic excluding part 122 for excluding the traffic of transmission sources in which the total value is larger than the first threshold 111 from analysis objects by a traffic analyzing part 123, when the difference calculated by the ratio difference calculating part 121 is greater than a second threshold 113. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a traffic analysis device, a traffic analysis method, and a traffic analysis program.

  2. Description of the Related Art Conventionally, a technique for analyzing network traffic and generating analysis data for use in improving communication quality is known. By analyzing the traffic, for example, various information such as the transition of the number of users in each time zone, the message type ratio, and the error rate can be obtained as analysis data.

  Also, a technique for excluding abnormal traffic from the analysis target is known for the purpose of improving the accuracy of analysis in analyzing network traffic. For example, Patent Document 1 discloses a technique of creating a frequency distribution table based on traffic volume and deleting a certain percentage of data from the top in descending order of traffic volume in order to exclude the influence of malware or the like.

JP 2005-323183 A

  By the way, in addition to changing according to the day of the week and the time zone, the amount and content of traffic may change greatly due to an unexpected event such as an event or a campaign. For this reason, as in the conventional technology described above, if abnormal traffic is always excluded based on a certain standard, even normal traffic is excluded from the analysis target, and the accuracy of the analysis may be reduced. .

  The present invention has been made in view of the above, and an object of the present invention is to provide a traffic analysis device, a traffic analysis method, and a traffic analysis program that can prevent normal traffic from being erroneously excluded from analysis as abnormal traffic. And

  In order to solve the above-described problems and achieve the object, a traffic analysis apparatus according to the present invention includes an analysis unit that analyzes traffic based on traffic data, and aggregates traffic included in the traffic data in units of transmission sources. The difference between the ratio of the number of transmission sources whose total value is equal to or less than the first threshold to the total number of transmission sources and the ratio of the total traffic of the transmission sources whose total value is equal to or less than the first threshold to the total traffic When the difference calculated by the ratio difference calculation unit and the ratio difference calculation unit is larger than a second threshold, the analysis unit determines the traffic of the transmission source whose aggregate value is greater than the first threshold. And an exclusion unit that is not subject to analysis.

  In addition, the traffic analysis method according to the present invention includes an analysis step of analyzing traffic based on traffic data, and a transmission source in which a total value obtained by totaling traffic included in the traffic data for each transmission source is equal to or less than a first threshold value A ratio difference calculating step for calculating a difference between the ratio of the total number of transmission sources to the total number of transmission sources and the ratio of the total traffic of the transmission sources whose total value is equal to or less than a first threshold to the total traffic, and the ratio difference And an exclusion step of excluding the traffic of the transmission source whose aggregate value is larger than the first threshold value from being analyzed in the analysis step when the difference calculated by the calculation step is larger than the second threshold value. It is characterized by.

  A traffic analysis program according to the present invention causes a computer to function as the traffic analysis device.

  The traffic analysis apparatus, the traffic analysis method, and the traffic analysis program according to the present invention have an effect that normal traffic can be prevented from being erroneously excluded from the analysis target as abnormal traffic.

FIG. 1 is a diagram illustrating the configuration of the traffic analysis apparatus according to the first embodiment. FIG. 2 is a diagram for explaining exclusion of abnormal traffic. FIG. 3 is a diagram illustrating a processing procedure of the traffic analysis apparatus according to the first embodiment. FIG. 4 is a diagram illustrating the configuration of the traffic analysis apparatus according to the second embodiment. FIG. 5 is a diagram illustrating an example of total data. FIG. 6 is a diagram for explaining the determination of the abnormal threshold value. FIG. 7 is a diagram for explaining exclusion of abnormal traffic. FIG. 8 is a diagram illustrating a processing procedure of the traffic analysis apparatus according to the second embodiment. FIG. 9 is a diagram illustrating a processing procedure of traffic analysis processing. FIG. 10 is a diagram illustrating the traffic analysis method according to the second embodiment. FIG. 11 is a functional block diagram illustrating a computer that executes a traffic analysis program. FIG. 12 is a diagram illustrating an example of how to obtain traffic data.

  Embodiments of a traffic analysis apparatus, a traffic analysis method, and a traffic analysis program according to the present invention will be described below in detail with reference to the drawings. Note that the present invention is not limited to the embodiments.

  A traffic analysis apparatus and a traffic analysis method according to this embodiment will be described with reference to FIGS. FIG. 1 is a block diagram illustrating a configuration of a traffic analysis device 10 according to the present embodiment. As illustrated in FIG. 1, the traffic analysis device 10 includes a storage unit 11 and a control unit 12. The storage unit 11 is, for example, a hard disk device or a semiconductor storage device, and stores an abnormal threshold value (first threshold value) 111, traffic data 112, a ratio difference threshold value (second threshold value) 113, and the like.

  The traffic data 112 is data in which information about messages (also referred to as packets or frames) flowing on the network is recorded. For example, information such as a transmission source address, a transmission destination address, a message type, a message length, and a time stamp indicating a transmission time is recorded in the traffic data 112 for each message flowing on the network. The traffic data 112 may be stored in another device that the traffic analysis device 10 can access via the network.

  An example of how to obtain the traffic data 112 is shown in FIG. In the network environment shown in FIG. 12, SIP (Session Initiation Protocol) clients 2 a to 2 n and a SIP server 3 are connected via the Internet 1. The SIP clients 2a to 2n are terminals that are callers or callees of IP telephones. The SIP server 3 establishes a session between the caller and the callee of the IP phone and relays a call message exchanged between the caller and the callee.

  The tap 4 is provided on a path connecting the SIP clients 2 a to 2 n and the SIP server 3, and records items necessary for analysis among the items included in the passing message or the passing message itself as the traffic data 112. To do. In the traffic data 112, information related to a message for session establishment / disconnection or a call is recorded for each message. The traffic data 112 is transferred to the traffic analysis device 10 via a network, a recording medium, or the like.

  Returning to the description of FIG. 1, the abnormal threshold value 111 and the ratio difference threshold value 113 are parameters for controlling the exclusion of abnormal traffic, and are set by the user of the traffic analysis device 10. The abnormal threshold 111 is used to determine whether the traffic aggregated in units of transmission sources is normal traffic or abnormal traffic. The ratio difference threshold 113 is used to determine whether it is appropriate to exclude abnormal traffic based on the abnormal threshold 111.

  Here, the abnormal traffic is a large amount of traffic generated by an attack by a Service-to-Self or malware, a device failure or a program bug, a user's operation mistake, and the like, and refers to traffic that reduces the accuracy of traffic analysis. The transmission source may be an individual device identified by a transmission source address or the like, or may be a subnetwork identified by a predetermined part of the transmission source address or the like.

  Note that the abnormal threshold 111 and the ratio difference threshold 113 do not necessarily need to be stored in the storage unit 11, and may be input by a user using a user interface (not shown) whenever necessary, It is good also as calculating dynamically using.

  The control unit 12 is a control unit that totally controls the traffic analysis device 10, and includes a ratio difference calculation unit 121, an abnormal traffic exclusion unit 122, and a traffic analysis unit 123. The ratio difference calculation unit 121 totals traffic such as the number of messages and the amount of message data recorded in the traffic data 112 in units of transmission sources, and the total number of transmission sources whose total traffic is the abnormal threshold value 111 or less is the total transmission source. The difference between the ratio in the number and the ratio in which the total traffic of the transmission sources whose aggregated traffic is the abnormality threshold value 111 or less occupies the total traffic is calculated.

  The abnormal traffic excluding unit 122 compares the ratio difference calculated by the ratio difference calculating unit 121 with the ratio difference threshold 113, and when the ratio difference calculated by the ratio difference calculating unit 121 is larger, the traffic data 112 Anomalous traffic included in is excluded from analysis. The traffic that is excluded from the analysis target when the ratio difference calculated by the ratio difference calculation unit 121 is larger is the traffic of the transmission source whose aggregated traffic is greater than the abnormal threshold value 111.

  The traffic analysis unit 123 performs a predetermined analysis based on traffic other than the traffic excluded from the analysis target by the abnormal traffic exclusion unit 122 among the traffic recorded in the traffic data 112. As a result of the analysis of the traffic analysis unit 123, for example, various information such as the transition of the number of users for each time zone, the ratio of message types, and the error rate, and traffic model data used by other analysis devices are generated. The

  The exclusion of abnormal traffic in the traffic analyzer 10 will be described in more detail with reference to FIG. The graph shown in FIG. 2 shows the relationship between the traffic per transmission source and the cumulative ratio of the number of transmission sources based on the result of counting the traffic recorded in the traffic data 112 for each transmission source. It represents the relationship between traffic and the cumulative ratio of traffic.

  In the graph shown in FIG. 2, ρ is an appropriately set abnormality threshold value 111. Further, R1 represents the ratio of the total number of senders whose total traffic is less than or equal to ρ to the total number of sources, and R2 is the total traffic of sources whose total traffic is less than or equal to ρ. It represents the ratio. In general, in a network environment, R1 is larger than R2 because a significant portion of the total traffic tends to be occupied by a relatively small number of source traffic.

  Since abnormal traffic is a large amount of traffic from a small number of sources, when traffic data 112 includes abnormal traffic, a larger portion of the total traffic tends to be occupied by traffic from a smaller number of sources. Thus, the difference between R1 and R2 becomes larger than in normal times. On the other hand, if the traffic of many senders exceeds ρ when there is a specific day of the week, time of day, or a specific event, a larger part of the total traffic tends to be occupied by fewer traffic from the source Is not so strong, the difference between R1 and R2 does not change much.

  Therefore, by comparing the difference between R1 and R2 with the appropriately set ratio difference threshold 113, it can be determined whether or not abnormal traffic is included in the traffic data 112. That is, if the difference between R1 and R2 is smaller than the ratio difference threshold 113, it can be determined that even if there are transmission sources whose traffic aggregated over the transmission source exceeds the abnormal threshold 111, the traffic of those transmission sources is normal. . On the other hand, if the difference between R1 and R2 is larger than the ratio difference threshold 113, it can be determined that the traffic of the transmission source whose traffic aggregated in units of transmission sources exceeds the abnormal threshold value 111 is abnormal traffic.

  Next, a processing procedure of analysis processing by the traffic analysis device 10 shown in FIG. 1 will be described with reference to FIG. Based on the traffic data 112, the ratio difference calculation unit 121 acquires the ratio of the number of transmission sources whose traffic is below the abnormal threshold 111 to the total number of transmission sources (step S101), and the transmission source whose traffic is below the abnormal threshold 111 The ratio of the total traffic to the total traffic is acquired (step S102), and the difference between these ratios is calculated (step S103).

  If the ratio difference is larger than the ratio difference threshold 113 (Yes in Step S104), the abnormal traffic exclusion unit 122 excludes the traffic of the transmission source whose traffic is larger than the abnormal threshold 111 from the analysis target as abnormal traffic (Step S105). The traffic analysis unit 123 performs analysis based on the traffic data 112 from which abnormal traffic is excluded from the analysis target (step S106). On the other hand, if the difference in the ratio is not greater than the ratio difference threshold 113 (No in step S104), the traffic analysis unit 123 performs analysis based on the traffic data 112 from which the abnormal traffic is not excluded (step S106).

  As described above, in the traffic analysis apparatus and the traffic analysis method according to the present embodiment, the ratio of the number of transmission sources whose traffic is the abnormal threshold value 111 or less to the total number of transmission sources and the traffic of the transmission source whose traffic is the abnormal threshold value 111 or less. Since the necessity of excluding abnormal traffic is determined based on the difference between the total and the ratio of the total traffic, it is possible to prevent normal traffic from being erroneously excluded from the analysis target as abnormal traffic.

  Another embodiment of the present invention will be described. In this embodiment, the size of traffic is evaluated based on the number of messages. In addition, INVITE, REGISTER, ACK, BYE, CANCEL, and OPTIONS, which are SIP messages generated from the caller side in an IP phone, are called. Only six types of messages are to be analyzed. Therefore, in the present embodiment, the item described as “traffic” in the first embodiment may be described as “number of messages”, and the item described as “transmission source” in the first embodiment may be described as “source”. May be described as "caller".

  FIG. 4 is a block diagram illustrating a configuration of the traffic analysis device 20 according to the present embodiment. As illustrated in FIG. 4, the traffic analysis device 20 includes a storage unit 21 and a control unit 22. The storage unit 21 is, for example, a hard disk device or a semiconductor storage device, and stores a window size 211, an abnormal threshold determination parameter 212, traffic data 213, a ratio difference threshold 214, weight 215, analysis result data 216, and the like.

  The traffic data 213 is data in which information related to IP telephone related messages flowing on the network is recorded. The traffic data 213 includes, for example, for each message, an ID for identifying the calling party, an ID for identifying the called party, an ID for identifying the session, a message type, a message length, and a transmission time. Information such as a time stamp is recorded. The traffic data 213 may be stored in another device that the traffic analysis device 20 can access via the network.

  The analysis result data 216 is data generated as an analysis result. The window size 211, the abnormal threshold determination parameter 212, the traffic data 213, the ratio difference threshold 214 and the weight 215 are parameters for controlling the operation of the traffic analysis device 20, and are set by the user of the traffic analysis device 20. The user of the traffic analysis device 20 can adjust the processing time and the probabilistic accuracy by changing these parameters.

  The window size 211 indicates a unit of time zone for classifying the traffic data 213. The abnormal threshold determination parameter 212 is used to determine a threshold corresponding to the abnormal threshold 111 shown in FIG. The ratio difference threshold 214 corresponds to the ratio difference threshold 113 shown in FIG. The weight 215 is used to adjust the analysis result based on each sub-data obtained by classification.

  The control unit 22 is a control unit that totally controls the traffic analysis device 20, and includes a classification unit 221, a totaling unit 222, an abnormal threshold determination unit 223, a ratio difference calculation unit 224, an abnormal traffic exclusion unit 225, traffic An analysis unit 226 and an analysis result adjustment unit 227 are included.

  The classification unit 221 classifies information on each message included in the traffic data 213 into one of a plurality of sub data based on the message type and the time stamp. For example, if the window size 211 indicates that the information should be classified every 30 minutes, and the traffic data 213 includes information for 6 hours, the classification unit 221 includes the traffic data 213. Information corresponding to the above-mentioned type of information regarding each message is classified into one of 72 (12 time zones × 6 types) sub-data based on the type and time stamp of each message. .

  Since the traffic data 213 may contain an enormous amount of information, the processing time required for aggregation and analysis becomes very long and the processing load becomes very high if the entire data is processed at once. There is a fear. Thus, by classifying information about each message included in the traffic data 213 and performing aggregation and analysis in units of sub-data after classification, it is possible to reduce the overall processing time and the processing load.

  The unit of the time zone set in the window size 211 is preferably short when a large amount of abnormal traffic occurs in a short period of time, and is preferably long when abnormal traffic occurs continuously.

  The aggregation unit 222 executes aggregation processing in units of sub-data after classification by the classification unit 221 and creates aggregation data as shown in FIG. 5 for each sub-data. The aggregate data shown in FIG. 5 includes n sets of sets (1) to (n). Each set includes the number of messages, the number of callers, the cumulative ratio of the number of messages, and the number of callers. It has an item of cumulative ratio. The sets (1) to (n) are sorted in ascending order based on the number of messages.

  The number of messages is a value obtained by summing up the number of messages for each caller. The number of callers is the number of callers in which the number of messages aggregated for each caller is the same as the value of the message number item. The cumulative ratio of the number of messages is a ratio of the total number of messages of the number of callers whose number of messages aggregated per caller is equal to or less than the value of the number of messages item to the total number of messages. The cumulative ratio of the number of callers is the ratio of the total number of callers to the number of callers in which the number of messages aggregated per caller is equal to or less than the value of the message number item.

For example, in the aggregated data set (2) shown in FIG. 5, “Nm ₂ ” is set as the number of messages, “Nc ₂ ” is set as the number of callers, and “Rm ₂ ” is set as the cumulative ratio of the number of messages. “Rc ₂ ” is set as the cumulative ratio of the number of callers. This is because the number of callers for which the number of messages aggregated for each caller is “Nm ₂ ” is “Nc ₂ ”, and the number of messages for each caller is “Nm ₂ ” or less. The ratio of the total number of messages of a certain number of callers to the total number of messages is “Rm ₂ ”, and the total number of callers whose total number of messages per caller is “Nm ₂ ” or less. It shows that the ratio of the number of callers to “Rc ₂ ”.

  In order to avoid variation in values for each set or an increase in the number of sets to increase the required storage capacity and processing load, the number of messages aggregated per caller is: The value may be rounded or handled by rounding down to the nearest 100 or rounding off.

  Based on the abnormal threshold determination parameter 212 and the total data created by the totaling unit 222, the abnormal threshold determination unit 223 determines whether the traffic corresponding to the number of messages aggregated in units of transmission sources is normal traffic or abnormal traffic. An abnormal threshold value for determining whether or not there is is determined.

  The determination of the abnormal threshold by the abnormal threshold determination unit 223 will be described in more detail with reference to FIG. The abnormal threshold determination unit 223 determines the abnormal threshold ρ using the following equation (1).

  Where μ is the average number of messages per caller, and δ is the standard deviation of the number of messages per caller. μ and δ are calculated using the following equations (2) and (3), respectively.

  ω is the value of the abnormal threshold determination parameter 212, and takes one of 1, 2, and 3, for example.

  The ratio difference calculation unit 224 calculates the total number of messages by the ratio of the number of callers whose number of messages is equal to or less than the abnormal threshold ρ to the total number of callers and the number of messages of callers whose number of messages is equal to or less than the abnormal threshold ρ The difference from the ratio to the ratio is calculated.

The ratio difference calculation by the ratio difference calculation unit 224 will be described in more detail with reference to FIG. When the set whose value of the item of the number of messages is the same or closest to the abnormal threshold ρ is the set (t), the ratio difference calculation unit 224 calls the set (t) from the totaled data created by the totaling unit 222 It gets the Rc _t is the value of the cumulative proportion of number of interrupted, and Rm _t is the value of the cumulative ratio of the number of messages, and calculates the differences.

  Note that the total data created by the totaling unit 222 does not include the cumulative ratio of the number of callers and the cumulative ratio of the number of messages, and the ratio difference calculation unit 224 calculates the ratio difference using the following equation (4). It is good to do.

  The abnormal traffic excluding unit 225 compares the ratio difference calculated by the ratio difference calculating unit 224 with the ratio difference threshold 214, and if the ratio difference calculated by the ratio difference calculating unit 224 is larger, The abnormal traffic included in the sub-data corresponding to the aggregated data is excluded from analysis. The traffic that is excluded from the analysis target when the ratio difference calculated by the ratio difference calculation unit 224 is larger is the traffic of the caller whose number of messages aggregated per caller is larger than the abnormal threshold ρ. is there.

  The traffic analysis unit 226 performs a predetermined analysis based on traffic other than the traffic excluded from the analysis target by the abnormal traffic exclusion unit 225 among the traffic included in the sub data corresponding to the aggregated data to be processed. .

  The analysis result adjustment unit 227 adjusts the analysis result by mixing the analysis result of the traffic analysis unit 226 with the analysis result of the traffic analysis unit 226 for the same type of sub-data in the previous time zone at a predetermined rate. The adjustment by the analysis result adjustment unit 227 is performed using, for example, the following formula (5).

Here, w is the value of the weight 215 and is set in the range of 0-1. _Vprevious is the _current analysis result by the traffic analysis unit 226, _Vcurrent is the analysis result of the same type of subdata in the previous time zone by the traffic analysis unit 226, and V is the analysis result after adjustment. It is. By mixing the analysis results in this way, variations in the analysis results for each time zone can be suppressed.

  Next, a processing procedure of analysis processing by the traffic analysis apparatus 20 shown in FIG. 4 will be described with reference to FIGS. The classification unit 221 classifies the information regarding each message included in the traffic data 213 for each time zone based on the window size 211 (step S201), and classifies the data for each type to sub-data for each time zone and each type. Create (step S202).

  The counting unit 222 selects an unselected type (step S203) and selects the first time zone (step S204). Then, the totaling unit 222 selects sub-data corresponding to the selected type and time zone (step S205), and creates total data (step S206).

  Subsequently, the abnormal threshold determination unit 223 determines an abnormal threshold based on the average and standard deviation calculated from the total data generated by the totaling unit 222 and the abnormal threshold determination parameter 212 (step S207). Then, based on the total data generated by the totaling unit 222, the abnormal threshold determined by the abnormal threshold determining unit 223, and the ratio difference threshold 214, a traffic analysis process to be described later is executed and the selected time zone And an analysis result corresponding to the type is obtained (step S208).

  Then, the analysis result adjustment unit 227 adjusts the analysis result obtained this time by mixing with the analysis result corresponding to the previous time zone of the same type at a ratio based on the weight 215 (step S209). If the selected time zone is not the last time zone (No at Step S210), the next time zone is selected (Step S211), and the processing procedure is restarted from Step S205. On the other hand, if the selected time zone is the last time zone (Yes at Step S210), if not all types have been selected (No at Step S212), the processing procedure is restarted from Step S203, and all types are selected. Is already selected (Yes at step S212), the analysis process is completed.

  As shown in FIG. 9, in the traffic analysis processing shown in FIG. 8, the ratio difference calculation unit 224 determines the ratio of the number of callers whose number of messages is equal to or less than the abnormal threshold to the total number of callers based on the aggregated data. (Step S301), the ratio of the total number of messages of callers whose number of messages is equal to or less than the abnormal threshold to the total number of messages is acquired (step S302), and the difference between the ratios is calculated (step S303). ).

  If the ratio difference is larger than the ratio difference threshold 214 (Yes at Step S304), the abnormal traffic exclusion unit 225 excludes the caller's traffic whose number of messages is larger than the abnormal threshold from the analysis target as abnormal traffic (Step S305). ) The traffic analysis unit 226 performs analysis based on the sub data from which the abnormal traffic is excluded from the analysis target (step S306). On the other hand, if the difference in ratio is not greater than the ratio difference threshold 214 (No in step S304), the traffic analysis unit 226 performs analysis based on the sub-data in which the abnormal traffic is not excluded (step S306).

  As shown in FIG. 10, in the traffic analysis apparatus and the traffic analysis method according to the present embodiment, a threshold value ρ for determining whether or not the traffic is abnormal is dynamically calculated. When it is determined that it is appropriate to exclude abnormal traffic based on the threshold value ρ, the traffic of the caller having the number of messages larger than the threshold value ρ is excluded as abnormal traffic. Then, the analysis is performed using the remaining normal traffic excluding the abnormal traffic, and the analysis result is adjusted using the weight w.

  By implementing the function of the control unit 12 or 22 of the traffic analysis device 10 or 20 described above as software and executing this by a computer, a function equivalent to that of the traffic analysis device 10 or 20 can be realized. An example of a computer that executes a traffic analysis program 1071 in which the function of the control unit 12 is implemented as software will be described below.

  FIG. 11 is a functional block diagram showing a computer 1000 that executes the traffic analysis program 1071. The computer 1000 includes a CPU (Central Processing Unit) 1010 that executes various arithmetic processes, an input device 1020 that receives input of data from a user, a monitor 1030 that displays various information, and a medium that reads a program from a recording medium. A bus 1080 includes a reading device 1040, a network interface device 1050 that exchanges data with other computers via a network, a RAM (Random Access Memory) 1060 that temporarily stores various information, and a hard disk device 1070. Connected and configured.

  The hard disk device 1070 includes a traffic analysis program 1071 having the same function as that of the control unit 12 shown in FIG. 1 and traffic analysis data 1072 corresponding to various data stored in the storage unit 11 shown in FIG. Is memorized. The traffic analysis data 1072 can be appropriately distributed and stored in another computer connected via a network.

  Then, the CPU 1010 reads out the traffic analysis program 1071 from the hard disk device 1070 and develops it in the RAM 1060, whereby the traffic analysis program 1071 functions as the traffic analysis process 1061. Then, the traffic analysis process 1061 expands information read from the traffic analysis data 1072 as appropriate in an area allocated to itself on the RAM 1060, and executes various data processing based on the expanded data.

  The traffic analysis program 1071 is not necessarily stored in the hard disk device 1070, and the computer 1000 may read and execute the program stored in a storage medium such as a CD-ROM. . The computer 1000 stores the program in another computer (or server) connected to the computer 1000 via a public line, the Internet, a LAN (Local Area Network), a WAN (Wide Area Network), or the like. You may make it read and run a program from these.

DESCRIPTION OF SYMBOLS 1 Internet 2a-2n SIP client 3 SIP server 4 Tap 10, 20 Traffic analysis apparatus 11, 21 Storage part 111 Abnormal threshold value 112, 213 Traffic data 113, 214 Ratio difference threshold value 12, 22 Control part 121,224 Ratio difference calculation part 122 225 Abnormal traffic exclusion unit 123, 226 Traffic analysis unit 211 Window size 212 Abnormal threshold determination parameter 215 Weight 216 Analysis result data 221 Classification unit 222 Totaling unit 223 Abnormal threshold determination unit 227 Analysis result adjustment unit 1000 Computer 1010 CPU
1020 Input device 1030 Monitor 1040 Medium reader 1050 Network interface device 1060 RAM
1061 Traffic analysis process 1070 Hard disk device 1071 Traffic analysis program 1072 Traffic analysis data 1080 Bus

Claims (7)

An analysis unit that analyzes traffic based on traffic data;
The ratio of the total number of transmission sources in which the total value of traffic included in the traffic data is aggregated for each transmission source is less than or equal to the first threshold to the total number of transmission sources, and transmission in which the aggregation value is less than or equal to the first threshold A ratio difference calculator that calculates the difference between the total of the original traffic and the total traffic,
When the difference calculated by the ratio difference calculation unit is larger than a second threshold value, an exclusion unit that excludes the traffic of the transmission source whose aggregate value is larger than the first threshold value from the analysis by the analysis unit; A traffic analysis apparatus comprising: A classification unit that classifies the traffic data for each time period;
The traffic analysis apparatus according to claim 1, wherein the analysis unit, the ratio difference calculation unit, and the exclusion unit execute processing for each classification performed by the classification unit.   The traffic analysis apparatus according to claim 2, wherein the classification unit further classifies the traffic data for each message type.   The traffic analysis apparatus according to claim 2, further comprising an adjustment unit that mixes and adjusts the analysis results of the analysis unit for different time zones at a predetermined ratio.   The traffic analyzer according to any one of claims 1 to 4, further comprising a threshold value determination unit that determines the first threshold value based on an average value and a standard deviation value of the aggregate values. An analysis process that analyzes traffic based on traffic data;
The ratio of the total number of transmission sources in which the total value of traffic included in the traffic data is aggregated for each transmission source is less than or equal to the first threshold to the total number of transmission sources, and transmission in which the aggregation value is less than or equal to the first threshold A ratio difference calculation step that calculates the difference between the total of the original traffic and the total traffic,
When the difference calculated by the ratio difference calculating step is larger than a second threshold value, an excluding step of excluding the traffic of the transmission source whose aggregate value is larger than the first threshold value from the analysis in the analyzing step; The traffic analysis method characterized by including.   A traffic analysis program for causing a computer to function as the traffic analysis device according to any one of claims 1 to 5.

Images