JP2017098907A - System and method for traffic analysis - Google Patents

Abstract

PROBLEM TO BE SOLVED: To accurately perform traffic measurement in an environment in which a flow can be acquired only from a relay section of a network in which a tunneling protocol is used.SOLUTION: An analysis device 20 extracts tunnel packet information from flow packets including flow samples, in which tunnel traffic information is associated with all or a part of the sampled packets sampled from a network in which the tunneling protocol is used. The analysis device 20 then extracts internal packet information from all or the part of the sampled packets, to calculate a communication amount based on a predetermined condition, to preserve data in which the tunnel packet information, the internal packet information and the communication amount are associated.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a traffic analysis system and a traffic analysis method.

  In recent years, services using networks have been diversified, and the importance of providing stable networks is increasing. In such a situation, attacks on networks represented by DDoS (Distributed Denial of Service) attacks are diversified and large-scale, which is a great threat. The DDoS attack is one of denial-of-service attacks in which a cyber attack is aimed at a specific organization / corporate server, and a large amount of data is transmitted to the target server to invalidate the server function. .

  By monitoring communication, measuring traffic, and accurately and efficiently grasping the state of the network, it is possible to respond quickly when an attack on the network occurs. Conventionally, as a method for monitoring communication and measuring traffic, a method using SNMP (Simple Network Management Protocol) and a method for performing packet capture are known.

  The method using SNMP can count the number of bytes and packets that have passed through the interface, but cannot perform detailed analysis such as an IP (Internet Protocol) address unit or a protocol unit. In addition, the packet capture method can perform detailed analysis because all packets flowing in a specific section can be acquired, but the amount of data to be acquired becomes very large, so that it can be used regularly. It is unsuitable.

  For this reason, in recent years, traffic measurement methods using flows output from network devices such as NetFlow, sFlow, and IPFIX (Internet Protocol Flow Information Export) have become widespread. The flow is to output information such as transmission / reception IP address, port number, protocol, etc. in a dedicated format for the traffic flowing through the network device.

  According to the traffic measurement method using a flow, more detailed information than SNMP can be obtained with a smaller data amount than packet capture, and traffic analysis in units of IP addresses or protocols is facilitated.

  In particular, analysis using NetFlow is known as a general technique for detecting a threat on a network (for example, Non-Patent Document 1). By using NetFlow, technologies such as L2TP (Layer 2 Tunneling Protocol) and GRE (Generic Routing Encapsulation) that add a header for tunneling to the original IP packet, and MPLS (Multi-Protocol Label Switching) It is also known that even in a network in which a technique for adding a label to an original IP packet is used, it is possible to grasp what type of packet is flowing through the network (for example, Non-Patent Document 2).

“Worldwide Infrastructure Security Report” [online], [October 29, 2015 search], Internet (http://pages.arbornetworks.com/rs/arbor/images/WISR2014_EN2014.pdf) “NetFlow on Logical Interfaces: Frame Relay, Asynchronous Transfer Mode, Inter-Switch Link, 802.1q, Multilink Point to Point Protocol, General Routing Encapsulation, Layer 2 Tunneling Protocol, Multiprotocol Label Switching VPNs, and Tunnel” [online], [2015 Search October 29, 2009], Internet (http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd8045b422.pdf)

  However, the conventional analysis using NetFlow has a problem that traffic cannot be accurately measured in an environment where a flow can be acquired only from a relay section of a network in which a tunneling protocol is used.

  For example, there is a case where NetFlow cannot be acquired from a terminal device and NetFlow can be acquired only from a device in a relay section of the network due to the processing capability and communication of the terminal device extending over a plurality of networks. . At this time, information regarding the header portion of the encapsulated packet can be obtained from NetFlow, but information regarding the payload portion cannot be obtained. Therefore, information about the packet included in the payload portion cannot be obtained, and traffic cannot be measured accurately.

  The traffic analysis system of the present invention is a tunneling protocol for establishing an unencrypted tunnel, and a packet sampled from a network in which a tunneling protocol for adding and encapsulating a header to a user communication packet is used. Tunnel packet information that is information about the traffic is extracted from a flow packet having as an element a flow sample that associates information about the traffic included in the header added by the tunneling protocol with all or part of the sampled packet. An analysis unit that extracts internal packet information that is information about traffic inside the tunnel included in a header of the user communication packet from all or a part of the sampled packet; and A totaling unit that totals traffic based on a predetermined condition from tunnel packet information and internal packet information; and a storage unit that stores data associated with the tunnel packet information, internal packet information, and traffic It is characterized by that.

  Further, the traffic analysis method of the present invention is a tunneling protocol for establishing an unencrypted tunnel, which is a packet sampled from a network using a tunneling protocol for adding a header to a packet for user communication and encapsulating it. From the flow packet having as an element a flow sample that associates all or part of the sampled packet with information about the traffic included in the header added by the tunneling protocol, tunnel packet information that is information about the traffic An analysis step of extracting and extracting internal packet information that is information relating to traffic inside the tunnel included in a header of the packet of user communication from all or a part of the sampled packets; A totaling step of totaling traffic based on a predetermined condition from the tunnel packet information and the internal packet information; and a storage step of storing data associated with the tunnel packet information, the internal packet information and the traffic. It is characterized by including.

  According to the present invention, it is possible to accurately measure traffic in an environment where a flow can be acquired only from a relay section of a network in which a tunneling protocol is used.

FIG. 1 is a diagram illustrating an outline of a traffic analysis system according to the first embodiment. FIG. 2 is a block diagram illustrating a configuration of the analysis apparatus according to the first embodiment. FIG. 3 is a diagram illustrating an example of a packet of tunnel traffic. FIG. 4 is a diagram illustrating an example of a flow packet. FIG. 5 is a diagram illustrating an example of elements included in the flow sample. FIG. 6 is a diagram illustrating an example of elements included in the internal packet information. FIG. 7 is a diagram illustrating an example of elements included in tunnel packet information and non-tunnel packet information. FIG. 8 is a diagram illustrating an example of grouping of tunnel packet information and non-tunnel packet information. FIG. 9 is a diagram illustrating an example of elements included in tunnel traffic information and non-tunnel traffic information. FIG. 10 is a diagram illustrating an example of elements included in the internal traffic information. FIG. 11 is a diagram showing the relationship between tunnel traffic information and internal traffic information. FIG. 12 is a diagram illustrating an example of a tunnel traffic graph. FIG. 13 is a diagram illustrating an example of a tunnel traffic graph drilled down. FIG. 14 is a flowchart illustrating an example of analysis processing of the traffic analysis system. FIG. 15 is a flowchart illustrating an example of analysis processing of the traffic analysis system. FIG. 16 is a flowchart illustrating an example of the aggregation process of the traffic analysis system. FIG. 17 is a diagram illustrating an example of a computer in which a creation apparatus or an analysis apparatus is realized by executing a program.

  Embodiments of a traffic analysis system and a traffic analysis method according to the present application will be described below in detail with reference to the drawings. In addition, this invention is not limited by this embodiment.

[First Embodiment]
First, the outline of the traffic analysis system will be described with reference to FIG. FIG. 1 is a diagram illustrating an outline of a traffic analysis system according to the first embodiment. As shown in FIG. 1, the traffic analysis system 1 has an analysis device 20. The network 2 includes a user terminal 30, a CPE (Customer Premises Equipment) 40, a LAC (L2TP Access Concentrator) 50, a router 60, a creation device 10, and an LNS (L2TP Network Server) 70. The creation device 10 of the network 2 is connected to the router 60. The creation device 10 and the router 60 may be an integrated device.

  The user terminal 30 transmits a user communication packet. The CPE 40 performs conversion or the like on the packet transmitted from the user terminal 30 as necessary. The LAC 50 adds a header to the packet and encapsulates it. The router 60 relays the packet. The LNS 70 releases the encapsulation of the encapsulated packet. As a result, a tunnel 80 is formed between the LAC 50 and the LNS 70. The tunnel traffic packet 81 flows in the tunnel 80. In the network 2, traffic other than tunnel traffic may be generated.

  The tunnel 80 is a tunneling protocol that establishes an unencrypted tunnel, and is established by a tunneling protocol that adds a header to a user communication packet and encapsulates it. Examples of such tunneling protocols include L2TP and GRE. The tunnel 80 may be a tunnel established by IPv6 over IPv4 tunneling or IPv4 over IPv6 tunneling.

  The creation device 10 creates a flow packet 90 based on the packet relayed by the router 60 and transmits the created flow packet 90 to the analysis device 20. The analysis device 20 analyzes the flow packet 90 and stores the analysis result as tunnel traffic information and internal traffic information. The analysis device 20 can also output tunnel traffic information and internal traffic information as a graph.

[Configuration of First Embodiment]
First, the flow packet 90 to be analyzed by the traffic analysis system 1 will be described. Thereafter, the configuration of the analysis device 20 of the traffic analysis system 1 will be described, and the analysis method of the flow packet 90 will be described.

[Flow packet to be analyzed]
In the first embodiment, as an example, the flow packet 90 is created by the creation device 10 of the network 2 and transmitted to the analysis device 20. Note that the creation device 10 may be integrated with the router 60. Moreover, it is good also as a structure which gives the function similar to the production apparatus 20 to the apparatus containing the router 60 of the network 2. FIG. The apparatus and method for creating the flow packet 90 are not limited to those described here, and a known apparatus and method may be used.

  The creation device 10 samples packets from the router. The creation apparatus 10 samples the packets relayed by the router 60 according to a sampling rate that is a preset sampling rate. For example, when the sampling rate is set to 1/10000, the creation apparatus 10 samples the packets relayed by the router 60 at a ratio of 1 in 10,000.

  Furthermore, the creation apparatus 10 may further acquire the amount of packets such as the number and size of the packets relayed by the router 60 separately from the packet sampling. At this time, the creating apparatus 10 may acquire the number and size of packets relayed by the router 60 regardless of the sampling rate. The packets relayed by the router 60 include both encapsulated tunnel traffic packets and other non-tunnel traffic packets.

  Here, the tunnel traffic packet 81 extracted by the creation apparatus 10 will be described with reference to FIG. FIG. 3 is a diagram illustrating an example of a packet of tunnel traffic. As shown in FIG. 3, a tunnel traffic packet 81 includes an Ethernet (registered trademark) header 811, an IP header 812, a UDP header 813, an L2TP header 814, a PPP header 815, an IP header 816, a TCP (Transmission Control Protocol) / UDP. A (User Datagram Protocol) header 817 and data 818;

  The user communication packet transmitted from the user terminal 30 includes an IP header 816 and a TCP / UDP header 817 as headers and data 818 as a payload. The LAC 50 adds an Ethernet header 811, an IP header 812, a UDP header 813, an L2TP header 814, and a PPP header 815 to the user communication packet. In the example of FIG. 3, the tunneling protocol used in the network 2 is L2TP.

  In the following description, the Ethernet header 811, the IP header 812, the UDP header 813, the L2TP header 814, and the PPP header 815 are referred to as a tunneling protocol header 82a, and the IP header 816, the TCP / UDP header 817, and the data 818 are referred to as a tunneling protocol. Called the payload 82b. Further, the Ethernet header 811 and the IP header 812 are referred to as an IP header 83a, and the UDP header 813, the L2TP header 814, the PPP header 815, the IP header 816, the TCP / UDP header 817, and the data 818 are referred to as an IP payload 83b.

  The creation device 10 creates a flow packet 90. First, the flow packet 90 will be described with reference to FIG. FIG. 4 is a diagram illustrating an example of a flow packet. As shown in FIG. 4, the flow packet 90 includes a flow header 91 and n (n> 0) flow samples 92. The creation apparatus 10 includes the time when the flow packet 90 is generated, the sequence number of the flow packet 90, and the like in the flow header 91. Further, the creation device 10 creates a flow sample 92 based on the information of each header included in the extracted packet 81 of the tunnel traffic.

  Here, the flow sample 92 will be described with reference to FIG. FIG. 5 is a diagram illustrating an example of elements included in the flow sample. The creation apparatus 10 acquires, for example, “source IP address”, “destination IP address”, “protocol number”, and “ToS” in FIG. Further, the creation apparatus 10 acquires, for example, the “transmission source port number” and the “destination port number” in FIG. 5 from the UDP header 813. Further, the creation apparatus 10 directly acquires the “sending interface SNMP Interface Index” and the “receiving interface SNMP Interface Index” of FIG. 5 from the router 60.

  Furthermore, when acquiring the number and size of the packets 81 of the tunnel traffic, the creation device 10 creates a flow packet 90 that further includes the amount of packets. For example, the creation apparatus 10 sets the number and size of the acquired tunnel traffic packets 81 as “total number of packets in flow” and “total number of packets in flow”.

  Further, the creation device 10 includes all or part of the sampled packet in the flow packet 90. For example, the creating apparatus 10 sets the IP payload 83b as “all or part of the sampled packet” in FIG. As described above, since the creation device 10 includes not only the header portion of the packet but also information related to the payload portion in the flow packet 90, the analysis device 20 can perform analysis based on information obtained from the payload portion. .

  Further, the creation apparatus 10 may include template information having each element of the flow sample 92 as shown in FIG. At this time, the creation apparatus 10 creates the flow sample 92 by setting values for each item, for example. The number n of flow samples 92 is variable depending on the network environment. For example, the creation device 10 may set the number of flow samples 92 created during a predetermined time to n, or may set the number of flow samples 92 created up to the point when the disappearance of the flow is confirmed to be n. . Note that the creation device 10 may similarly create the flow sample 92 for non-tunnel traffic packets.

  The creation device 10 transmits the created flow packet 90 to the analysis device 20. The creation device 10 may transmit the flow packet 90 every time a time set in advance as a total interval elapses.

[Configuration of analyzer]
Next, the configuration of the analysis device 20 will be described with reference to FIG. FIG. 2 is a block diagram illustrating a configuration of the analysis apparatus according to the first embodiment. As illustrated in FIG. 2, the analysis device 20 includes a transmission / reception unit 21, an analysis unit 22, a totaling unit 23, a storage unit 24, a display unit 25, and a storage unit 26.

  The transmission / reception unit 21 of the analysis device 20 receives the flow packet 90 transmitted by the creation device 10. The transmission / reception unit 21 delivers the received flow packet 90 to the analysis unit 22.

  The analysis unit 22 of the analysis device 20 extracts tunnel packet information that is information about traffic from the flow packet 90, and information about traffic inside the tunnel included in the header of the packet of user communication from all or part of the sampled packets. The flow packet 90 is analyzed by extracting the internal packet information.

  Based on the “destination port number” and “protocol number” of the flow sample 92, the analysis unit 22 first relates to the packet of the tunnel traffic or the packet of the non-tunnel traffic. Determine whether. Then, the analysis unit 22 creates internal packet information, tunnel packet information, and non-tunnel packet information based on the flow packet 92.

  The analysis unit 22 creates internal packet information based on the flow sample 92 determined to be related to the tunnel traffic packet. Here, the internal packet information will be described with reference to FIG. FIG. 6 is a diagram illustrating an example of elements included in the internal packet information. As shown in FIG. 6, the internal packet information includes, for example, “ID”, “date and time”, “source IP address”, “destination IP address”, “source port number”, “destination port number”, “protocol” Number ”,“ ToS ”, and“ Packet size ”are included.

  The analysis unit 22 acquires, for example, the time when the flow packet included in the flow header 91 is generated as the “date and time” of the internal packet information. Further, the analysis unit 22 sets “ID” which is a value for identifying the internal packet information.

  Further, the analysis unit 22 uses the “source IP address” and “destination IP” of the internal packet information from the IP header 816 and the TCP / UDP header 817 acquired from “all or part of the sampled packet” of the flow sample 92. Address, source port number, destination port number, protocol number, and ToS are acquired. When TCP or UDP information is not included in “all or part of the sampled packet” of the flow sample 92, the analysis unit 22 selects “source port number” and “destination port number” in the internal packet information. Is set to a value indicating that no information is included.

When the flow sample 92 includes “total number of bytes of flow packet” and “total number of packets of flow”, the totaling unit 23 totalizes the communication amount based on these packet amounts. For example, the analysis unit 22 calculates the “packet size” of the internal packet information by the equation (1).

Packet size = total number of bytes in the flow / total number of packets in the flow (1)

  The analysis unit 22 determines the tunnel packet information and the non-tunnel packet information based on the flow sample 92 determined to be related to the tunnel traffic packet and the flow sample 92 determined to be related to the non-tunnel traffic packet. Create Here, tunnel packet information and non-tunnel packet information will be described with reference to FIG. FIG. 7 is a diagram illustrating an example of elements included in tunnel packet information and non-tunnel packet information.

  As shown in FIG. 7, the tunnel packet information and the non-tunnel packet information include, for example, “ID”, “date / time”, “source IP address”, “destination IP address”, “source port number”, “destination port” “Number”, “protocol number”, “SNMP interface index of transmission interface”, “SNMP interface index of reception interface”, “ToS”, “packet size”, and “tunnel flag”. When the flow sample 92 does not include TCP or UDP information, the analysis unit 22 includes information in “source port number” and “destination port number” of the tunnel packet information and the non-tunnel packet information. Set a value to indicate no.

  The analysis unit 22 issues “ID” which is a value for identifying the tunnel packet information and the non-tunnel packet information. At this time, the analysis unit 22 causes the “ID” to be the same for the internal packet information and the tunnel packet information created from the same flow packet sample 92.

  In addition, the analysis unit 22 extracts the “source IP address”, “destination IP address”, “source port number”, “destination port number”, “protocol number” of the tunnel packet information and the non-tunnel packet information from the flow sample 92. ”,“ SNMP Interface Index of transmission interface ”,“ SNMP Interface Index of reception interface ”, and“ ToS ”. The analysis unit 22 acquires “date and time” and “packet size” of the tunnel packet information and the non-tunnel packet information by the same method as in the case of the internal packet information.

  Further, the analysis unit 22 sets different values for the “tunnel flag” of the tunnel packet information and the non-tunnel packet information between the tunnel packet information and the non-tunnel packet information. For example, the analysis unit 22 sets “tunnel flag” of the tunnel packet information to “TRUE” and sets “tunnel flag” of the non-tunnel packet information to “FALSE”.

  The totaling unit 23 of the analysis device 20 totals the traffic based on predetermined conditions from the tunnel packet information and the internal packet information. In addition, the storage unit 24 of the analysis device 20 stores data in which the tunnel packet information, the internal packet information, and the communication amount are associated with each other in the storage unit 26. First, a method for creating tunnel packet information and non-tunnel packet information by the totaling unit 23 and the storage unit 24 will be described, and then a method for generating internal traffic information by the totaling unit 23 and the storage unit 24 will be described.

[How to create tunnel traffic information and non-tunnel traffic information]
First, a method for creating tunnel traffic information and non-tunnel traffic information will be described. The totaling unit 23 totals the communication traffic based on predetermined conditions for the tunnel packet information and the non-tunnel packet information. Here, the conditions are, for example, a unit of information such as a period for which traffic is desired to be confirmed, an aggregation interval, a transmission source IP address, a transmission source port number, and the like. These conditions may be set in advance as initial values for the setting of the analysis device 20.

  The aggregation unit 23 groups tunnel packet information and non-tunnel packet information that satisfy a predetermined condition. For example, the period condition is 0:00 to 1:00 on a predetermined day, the aggregation interval condition is 5 minutes, and the information unit condition is the protocol number. Hereinafter, each group grouped by the aggregation unit 23 is referred to as an aggregation group.

  The aggregation unit 23 groups, for example, tunnel packet information in which the predetermined elements included in the tunnel packet information are the same, and the predetermined elements included in the internal packet information include the same related tunnel packet information. Internal packet information that is the same is grouped, and the traffic is totaled.

  As an example, FIG. 8 shows an example in which the totaling unit 23 performs grouping using information unit conditions as protocol numbers. FIG. 8 is a diagram illustrating an example of grouping of tunnel packet information and non-tunnel packet information. In the example of FIG. 8, tunnel packet information and non-tunnel packet information having the same protocol number are in the same aggregation group.

After performing grouping, the totaling unit 23 calculates the communication amount for each of the totaling groups using Expression (2) and Expression (3). Note that the totaling unit 23 calculates the capacity according to Equation (2) and calculates the number of packets according to Equation (3).

Traffic [bps] = (total value of packet size elements of tunnel packet information or non-tunnel packet information belonging to the aggregation group / sampling rate) / aggregation interval (2)

Traffic [pps] = (number of tunnel packet information or non-tunnel packet information belonging to the total group / sampling rate) / total interval (3)

  For example, the total value of the packet size elements of tunnel packet information or non-tunnel packet information belonging to the aggregation group is 3M [b], the number of tunnel packet information or non-tunnel packet information belonging to the aggregation group is 3450, and the sampling rate is When 1/10000 and the aggregation interval is 5 minutes, that is, 300 seconds, the communication amount [bps] is 100 Mbps from the equation (2), and the communication amount [pps] is 11500 pps from the equation (3).

  The storage unit 24 stores the results of grouping and aggregation performed by the aggregation unit 23 in the storage unit 26 as tunnel traffic information 261 or non-tunnel traffic information 262. The tunnel traffic information 261 and the non-tunnel traffic information 262 will be described with reference to FIG. FIG. 9 is a diagram illustrating an example of elements included in tunnel traffic information and non-tunnel traffic information.

  As shown in FIG. 9, the tunnel traffic information 261 and the non-tunnel traffic information 262 include, for example, “traffic ID”, “period”, “source IP address”, “destination IP address”, “source port number”, “Destination port number”, “Protocol number”, “SNMP interface index of transmission interface”, “SNMP interface index of reception interface”, “ToS”, “communication amount [bps]”, “communication amount [pps]” and “ Internal traffic ID "is included. The elements included in the tunnel traffic information 261 and the non-tunnel traffic information 262 include “traffic ID”, “period”, “communication amount [bps]”, “communication amount [pps]”, “internal traffic ID”, totaling Only the element used as a unit (for example, the protocol number in the case of FIG. 5), that is, the element used for aggregation may be used.

  The storage unit 24 sets “traffic ID” which is a value for identifying the tunnel traffic information 261 and the non-tunnel traffic information 262. The storage unit 24 sets the period condition of the aggregation unit 23 as the “period” of the tunnel traffic information 261 and the non-tunnel traffic information 262.

  Further, the storage unit 24 includes “source IP address”, “destination IP address”, “source port number”, “destination port number”, “protocol number”, “protocol number”, and “non-tunnel traffic information 262”. The SNMP Interface Index of the transmission interface, the SNMP Interface Index of the reception interface, “ToS”, and the like are acquired from the tunnel packet information and the non-tunnel packet information.

  The storage unit 24 sets the “internal traffic ID” of the related internal traffic information 263 as the “internal traffic ID” of the tunnel traffic information 261 and the non-tunnel traffic information 262. At this time, the storage unit 24 sets one or more “internal traffic IDs” for the tunnel traffic information 261 and sets a value indicating that the non-tunnel traffic information 262 is not tunnel traffic information. A method for creating the internal traffic 263 will be described later.

[How to create internal traffic information]
Next, a method for creating internal traffic information will be described. The totaling unit 23 totals the communication traffic based on a predetermined condition for the internal packet information related to the tunnel packet information included in the above-described totaling group. Here, the condition may be different from, for example, the condition used for aggregation of tunnel traffic information and non-tunnel traffic information.

The aggregation unit 23 groups the internal packet information that satisfies a predetermined condition included in the same aggregation group. After performing the grouping, the totaling unit 23 calculates the communication amount for each group using Expression (4) and Expression (5). Note that the totaling unit 23 calculates the capacity according to Equation (4) and calculates the number of packets according to Equation (5).

Traffic [bps] = Total group traffic [bps] x (Total value of packet size elements of internal packet information belonging to own group / Total value of packet size elements of packet information belonging to total group) (4)

Communication volume [pps] = Total communication volume [pps] × (Number of internal packet information belonging to own group / Number of internal packet information belonging to total group) (5)

  For example, the communication amount [bps] of the aggregation group is 100 Mbps, the total value of the packet size elements of the packet information belonging to the own group is 22.5 GB, and the total value of the packet size elements of the packet information belonging to the aggregation group is 45 GB. In this case, the communication amount [bps] is 50 Mbps according to the equation (4).

  Further, when the communication amount [pps] is 115000 pps, the number of internal packet information belonging to the own group is 1200, and the number of internal packet information belonging to the aggregation group is 3450, the communication amount [pps] is obtained from the equation (5). ] Is 40,000 pps.

  The storage unit 24 stores the results of grouping and aggregation performed by the aggregation unit 23 in the storage unit 26 as internal traffic information 263. The internal traffic information 263 will be described with reference to FIG. FIG. 10 is a diagram illustrating an example of elements included in the internal traffic information.

  As shown in FIG. 10, the internal traffic information 263 includes, for example, “internal traffic ID”, “period”, “source IP address”, “destination IP address”, “source port number”, “destination port number”. , “Protocol number”, “ToS”, “communication amount [bps]”, and “communication amount [pps]”. The elements included in the internal traffic information 263 include “internal traffic ID”, “period”, “communication amount [bps]”, “communication amount [pps]”, elements serving as a unit of aggregation (for example, destination IP address) ), That is, only the elements used for aggregation may be used.

  The storage unit 24 sets “internal traffic ID” that is a value for identifying the internal traffic information 263. The storage unit 24 sets the period condition of the totaling unit 23 as the “period” of the internal traffic information 263.

  Further, the storage unit 24 stores the “source IP address”, “destination IP address”, “source port number”, “destination port number”, “protocol number”, “ToS”, etc. of the internal traffic information 263 in the internal packet. Obtain from information. Here, the storage unit 24 sets the set “internal traffic ID” also as the “internal traffic ID” of the related tunnel traffic information 261.

  Further, the tunnel traffic information 261 and the internal traffic information 263 are associated with each other by the “internal traffic ID”, so that the tunnel traffic information 261 and the internal traffic information 263 are represented by a data structure having a relationship of “tunnel traffic information has-a internal traffic information” as shown in FIG. . FIG. 11 is a diagram showing the relationship between tunnel traffic information and internal traffic information.

  As shown in FIG. 11, the “internal traffic ID” of the tunnel traffic information 261 whose “traffic ID” is “traffic A” is “traffic B”, “traffic C”, and “traffic D”. Therefore, the tunnel traffic information 261 whose “traffic ID” is “traffic A” includes internal traffic information 263 whose “internal traffic ID” is “traffic B”, internal traffic information 263 whose “traffic C”, and “traffic” D ”is associated with the internal traffic information 263.

  The display unit 25 of the analysis device 20 acquires internal packet information and traffic associated with the tunnel packet information by drilling down the tunnel packet information from the data stored by the storage unit 24, and includes the internal packet information. The corresponding traffic volume is displayed using a drill-down chart.

  A graph output from the display unit 25 will be described with reference to FIGS. 12 and 13. FIG. 12 is a diagram illustrating an example of a tunnel traffic graph. FIG. 13 is a diagram illustrating an example of a tunnel traffic graph drilled down.

  As shown in FIG. 12, the display unit 25 creates a graph for traffic A that is tunnel traffic or non-tunnel traffic. FIG. 12 shows a graph in a case where traffic having the protocol number “115” at 23:00 to 3:00 on a predetermined day is totaled in a cycle of 30 minutes. At this time, even if the traffic A is tunnel traffic, the internal traffic information 263 cannot be grasped from the graph of FIG.

  FIG. 13 is a graph when the traffic A in the graph shown in FIG. 12 is further drilled down. As shown in FIG. 13, when drill-down is performed, the internal traffic information 263 of the internal traffic B, the internal traffic C, and the internal traffic D can be represented in a graph using the relationship shown in FIG. To understand what kind of traffic was occurring.

[Process of First Embodiment]
The analysis process in the analysis device 20 of the traffic analysis system 1 will be described with reference to FIG. FIG. 14 is a flowchart illustrating an example of analysis processing of the traffic analysis system. First, as shown in FIG. 14, a condition for counting traffic is designated by an administrator or the like (step S21). The conditions may be specified in advance.

  Next, the analysis unit 22 extracts tunnel packet information and non-tunnel packet information that match the specified condition from the flow packet (step S22). Then, the totaling unit 23 groups the extracted information in units of totaling (step S23).

  Thereafter, the analysis device 20 performs a loop process for each group (step S24). First, the totaling unit 23 calculates the traffic for each group (step S25). Next, when the group is not for traffic information related to the tunnel (step S26, No), the storage unit 24 stores the traffic information as non-tunnel traffic information (step S29), and proceeds to the next loop. When the group is for traffic information related to the tunnel (step S26, Yes), the totaling unit 23 performs the internal traffic totaling process (step S27).

  Further, the traffic analysis system 1 may perform analysis processing by the method shown in FIG. FIG. 15 is a flowchart illustrating an example of analysis processing of the traffic analysis system. In the method shown in FIG. 14, the internal traffic counting process (step S27) is performed when the determination (step S26) of whether or not the group is for traffic information related to the tunnel is Yes. On the other hand, in FIG. 15, the internal traffic aggregation processing is not performed in the analysis processing, but is performed, for example, when tunnel traffic information is drilled down in a graph display.

  The internal traffic counting process will be described with reference to FIG. FIG. 16 is a flowchart illustrating an example of the aggregation process of the traffic analysis system. First, as shown in FIG. 16, the analysis unit 22 extracts internal packet information related to the tunnel being processed from the flow packet (step S271). Then, a condition for totaling traffic is designated by the administrator or the like (step S272). The conditions may be specified in advance.

  Then, the totaling unit 23 groups the extracted information in units of totaling (step S273). Thereafter, the analysis device 20 performs a loop process for each group (step S274). First, the totaling unit 23 calculates the traffic for each group (step S275). Next, the storage unit 24 stores the internal packet information and the calculation result of the totalization unit 23 in step S275 as internal traffic information (step S276), and proceeds to the next loop. The analysis device 20 repeats the above loop processing for all groups (step S277).

  Returning to FIG. 15, the analysis process will be described. When the internal traffic counting process is completed, the storage unit 24 stores the tunnel packet information and the calculation result of the totaling unit 23 in step S25 as tunnel traffic information (step S28), and proceeds to the next loop. The analysis device 20 repeats the above loop processing for all groups (step S30).

[Effect of the first embodiment]
In the first embodiment, the analysis unit 22 is a tunneling protocol (for example, L2TP or GRE) that establishes an unencrypted tunnel, and uses a tunneling protocol that adds a header to a user communication packet and encapsulates it. From a flow packet whose element is a flow sample that associates all or part of the sampled packet with information about the traffic contained in the header added by the tunneling protocol of the packet sampled from the network The tunnel packet information, which is information, is extracted, and the internal packet information, which is information related to the traffic inside the tunnel included in the header of the user communication packet, is extracted from all or part of the sampled packets. To. The totaling unit 23 totals the traffic based on a predetermined condition from the tunnel packet information and the internal packet information. Then, the storage unit 24 stores data that associates the tunnel packet information, the internal packet information, and the traffic.

  As described above, the traffic analysis system 1 according to the first embodiment can obtain information necessary for measuring traffic from all or a part of the sampled packets. Thus, according to the first embodiment, it is possible to accurately measure traffic in an environment in which a flow can be acquired only from a relay section of a network in which a tunneling protocol is used.

  The totaling unit 23 totals the traffic based on the packet amount acquired by the router 60 and the creation device 10. As a result, the amount of communication can be estimated more accurately, and the accuracy of traffic measurement can be improved.

  The totaling unit 23 groups the tunnel packet information in which the predetermined elements included in the tunnel packet information are the same, the related tunnel packet information is the same, and the predetermined elements included in the internal packet information are the same. Some internal packet information is grouped and the traffic is totaled. As a result, information necessary for traffic measurement is associated with the traffic information of the tunnel and the traffic information inside the tunnel, so that the efficiency of measurement is improved.

  Further, the display unit 25 acquires tunnel traffic information associated with the tunnel packet information and the traffic from the data stored by the storage unit 24, and drills down the tunnel traffic information to relate to the tunnel traffic information. The internal packet information and the internal traffic information associated with the traffic are displayed using a drill-down chart. As a result, the traffic information inside the tunnel can be visually recognized by the user.

[System configuration, etc.]
Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. Further, all or any part of each processing function performed in each device is realized by a CPU (Central Processing Unit) and a program analyzed and executed by the CPU, or hardware by wired logic. Can be realized as

  In addition, among the processes described in the present embodiment, all or part of the processes described as being automatically performed can be manually performed, or the processes described as being manually performed can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

[program]
As one embodiment, the analysis device 20 can be implemented by installing a creation program or an analysis program for executing the creation or monitoring described above as package software or online software on a desired computer. For example, the information processing apparatus can function as the analysis apparatus 20 by causing the information processing apparatus to execute the creation program or the analysis program. The information processing apparatus referred to here includes a desktop or notebook personal computer. In addition, the information processing apparatus includes mobile communication terminals such as smartphones, mobile phones and PHS (Personal Handyphone System), and slate terminals such as PDA (Personal Digital Assistants).

  The analysis device 20 can also be implemented as a server device that uses a terminal device used by a user as a client and provides the client with the services related to the above creation or monitoring. For example, the analysis device 20 is implemented as a server device that provides an analysis service that receives a flow packet and outputs a graph. In this case, the analysis device 20 may be implemented as a Web server, or may be implemented as a cloud that provides a service related to the above creation or analysis by outsourcing.

  FIG. 17 is a diagram illustrating an example of a computer in which an analysis apparatus is realized by executing a program. The computer 1000 includes a memory 1010 and a CPU 1020, for example. The computer 1000 also includes a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to a mouse 1110 and a keyboard 1120, for example. The video adapter 1060 is connected to the display 1130, for example.

  The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, a program that defines each process of the creation apparatus 10 or the analysis apparatus 20 is implemented as a program module 1093 in which a code executable by a computer is described. The program module 1093 is stored in the hard disk drive 1090, for example. For example, a program module 1093 for executing processing similar to the functional configuration in the creation device 10 or the analysis device 20 is stored in the hard disk drive 1090. The hard disk drive 1090 may be replaced by an SSD (Solid State Drive).

  The setting data used in the processing of the above-described embodiment is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 and executes them as necessary.

  The program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). The program module 1093 and the program data 1094 may be read by the CPU 1020 from another computer via the network interface 1070.

DESCRIPTION OF SYMBOLS 1 Traffic analysis system 2 Network 10 Creation apparatus 20 Analysis apparatus 21 Transmission / reception part 22 Analysis part 23 Total part 24 Storage part 25 Display part 26 Storage part 30 User terminal 40 CPE
50 LAC
60 routers 70 LNS
80 Tunnel 81 Tunnel traffic packet 90 Flow packet 261 Tunnel traffic information 262 Non-tunnel traffic information 263 Internal traffic information

Claims (7)

A tunneling protocol for establishing an unencrypted tunnel, and a header added by the tunneling protocol of a packet sampled from a network using a tunneling protocol for adding and encapsulating a header to a user communication packet The tunnel packet information, which is information related to the traffic, is extracted from the flow packet having as an element a flow sample that associates the information related to the traffic included in the sample with all or part of the sampled packet, and all the sampled packets are extracted. Or an analysis unit that extracts internal packet information that is information about traffic inside the tunnel included in a header of the packet of the user communication from a part;
A totaling unit for totaling traffic based on predetermined conditions from the tunnel packet information and the internal packet information;
A storage unit for storing data associated with the tunnel packet information, the internal packet information, and the traffic;
A traffic analysis system comprising:   The traffic analysis system according to claim 1, wherein the totaling unit totalizes the communication amount based on a packet amount included in the flow packet.   The aggregation unit groups the tunnel packet information in which the predetermined elements included in the tunnel packet information are the same, and the related tunnel packet information is the same and the predetermined packet included in the internal packet information The traffic analysis system according to claim 1, wherein the internal packet information having the same element is grouped and the communication amount is totaled.   By acquiring tunnel traffic information in which the tunnel packet information and the traffic are associated with each other from the data stored by the storage unit, and drilling down the tunnel traffic information, the internal packet related to the tunnel traffic information 4. The traffic analysis system according to claim 1, further comprising: a display unit configured to display internal traffic information in which the information and the communication amount are associated with each other using a drill-down chart.   The analysis unit includes information on the traffic and all of the sampled packets of packets sampled from a network using an unencrypted tunneling protocol such as L2TP, GRE, IPv6 over IPv4 tunneling, or IPv4 over IPv6 tunneling. Alternatively, the tunnel packet information is extracted from the flow packet having the flow sample associated with a part as an element, and the internal packet information is extracted from all or part of the sampled packet. The traffic analysis system according to any one of claims 1 to 4. The flow packet includes all or part of an IP payload as all or part of the sampled packet of the flow sample;
The traffic analysis system according to any one of claims 1 to 5, wherein the analysis unit extracts the internal packet information from all or a part of the IP payload. A tunneling protocol for establishing an unencrypted tunnel, and a header added by the tunneling protocol of a packet sampled from a network using a tunneling protocol for adding and encapsulating a header to a user communication packet The tunnel packet information, which is information related to the traffic, is extracted from the flow packet having as an element a flow sample that associates the information related to the traffic included in the sample with all or part of the sampled packet, and all the sampled packets are extracted. Or an analysis step of extracting internal packet information that is information about traffic inside the tunnel included in a header of the packet of user communication from a part,
A totaling step of totaling traffic based on predetermined conditions from the tunnel packet information and the internal packet information;
A storage step of storing data associated with the tunnel packet information, the internal packet information, and the traffic;
The traffic analysis method characterized by including.

Images