JP2018101926A - Network device and abnormality detection system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To collect statistical information according to the nature of an attack even when the capacity of memory that stores the statistical information of a network is small.SOLUTION: A network device that manages the statistical information of a network includes: a reception unit that receives a packet from the network; and a management unit. The management unit performs control so as to: manage the statistical information of the packet received by the reception unit, in units of entries of a first table; manage the replacement rule of entries of the first table and the transmission condition of the statistical information of an entry to be replaced, by using a second table; replace the entry of the first table on the basis of the replacement rule managed by the second table; and transmit the statistical information of the entry of the first table on the basis of the transmission condition managed by the second table.SELECTED DRAWING: Figure 10

Description

  The present invention relates to a device on a network and an abnormality detection system.

  One important challenge in Internet security is detecting a Distributed Denial of Service attack (DDoS) attack. Particularly in recent years, attacks called resource consumption type DDoS have appeared. While general DDoS compresses the line bandwidth by sending a large amount of traffic to the attack target, resource-consuming DDoS divides large data that spoofs a Hypertext Transfer Protocol (HTTP) header into smaller pieces. The transmission is made to the attack target at an interval, or the transmission control protocol (TCP) window size is made extremely small to be sent to the attack target.

This is an attack that prolongs the connection time of the TCP connection, consumes the number of connection connections of the server to be attacked, and interferes with the service. In resource-consuming DDoS, seemingly normal traffic is transmitted at a low rate, so it is difficult to identify attacks.
As an approach for detecting resource-consuming DDoS, there is a method of detecting an attack by collecting network statistics with a communication device on the network and analyzing the collected statistics with an analysis server.

  However, since resource consuming DDoS is a very low rate attack, it is necessary to collect it comprehensively without missing network statistics. On the other hand, if the traffic on the network is comprehensively collected, the size of the flow table for managing the flow statistics becomes large, and the memory consumption becomes a problem.

  As a technique for managing a flow table while efficiently using a memory, there is a technique described in Patent Document 1. In Patent Document 1, information about a specified flow or a flow with a high reference frequency is arranged in a high-speed memory with a small capacity, and other flows are arranged in a low-speed memory with a large capacity, thereby processing related to the flow table. A technique for managing a flow while efficiently using a memory is disclosed.

US Patent Application Publication No. 2016/0182373

  In the technique disclosed in Patent Document 1, the priority of arrangement in the memory is determined in the order of specifying the flow itself or referring to the flow information in descending order. Therefore, unlike the resource-consuming DDoS, the flow statistics cannot be specified in advance, and the flow statistics are low, so the flow statistics with low frequency of reference to the information have low priority, and the flow table presses down on the memory capacity. May be lost, and statistical information for detecting resource-consuming DDoS may not be collected.

  Therefore, an object of the present invention is to enable collection of statistical information according to the nature of the attack even when the capacity of a memory for storing statistical information of the network is small.

  A representative network device according to the present invention is a network device that manages network statistical information, a receiving unit that receives a packet from the network, and a statistical information of a packet received by the receiving unit in a first table. The entry replacement rule of the first table and the transmission condition of the statistical information of the entry to be replaced are managed by the second table, and the replacement rule managed by the second table is used. And a management unit that controls to replace the entry of the first table based on and transmit the statistical information of the entry of the first table based on the transmission condition managed by the second table. It is characterized by that.

  According to the present invention, it is possible to collect statistical information according to the nature of the attack even when the capacity of the memory storing the statistical information of the network is small.

1 is a diagram illustrating an example of a configuration of a system including a network in Embodiment 1. FIG. It is a figure which shows the example of a structure of an analysis server and a router. It is a figure which shows the example of abnormality detection management information. It is a figure which shows the example of a traffic statistics process part. It is a figure which shows the example of a statistics table. It is a figure which shows the 1st example of the flow table in Example 1. FIG. It is a figure which shows the 2nd example of the flow table in Example 1. FIG. It is a figure which shows the 3rd example of the flow table in Example 1. FIG. It is a figure which shows the example of the example of a table of a set associative. It is a figure which shows the 1st example of the entry update method management information in Example 1. FIG. FIG. 3 is a diagram illustrating an example of an operation sequence in the system according to the first embodiment. It is a figure which shows the example of the flowchart of entry update. It is a figure which shows the example provided with the statistics collection server. It is a figure which shows the 2nd example of the entry update method management information in Example 1. FIG. It is a figure which shows the example of competition management information. FIG. 10 is a diagram illustrating an example of a configuration of a system including a network according to a second embodiment. 10 is a diagram illustrating an example of a flow table in Embodiment 2. FIG. It is a figure which shows the example of the entry update method management information in Example 2. FIG. FIG. 10 is a diagram illustrating an example of an operation sequence in the system according to the second embodiment.

(System configuration)
An example of the configuration of a system including a network in the first embodiment is shown in FIG. In the system of the first embodiment, a plurality of terminals 10 connected to a network and performing communication (terminals 10a, 10b, and 10n are referred to as terminals 10 in a representative manner without distinguishing each of the terminals 10a, 10b, and 10n), and other codes are also used. And the server 20, the router 100 arranged in the network, and the analysis server 200 connected to the router 100.

  The router 100 collects network traffic statistics of the terminal 10 and the server 20 that pass through each router 100 for each flow and notifies the analysis server 200 of the statistics. In the example of FIG. 1, since the router 100c is connected to the analysis server, the routers 100a and 100b may notify the analysis server 200 via the router 100c. Further, the routers 100a and 100b may also notify the analysis server 200 through a line (not shown).

  The analysis server 200 accumulates and learns statistics notified from the router 100, and abnormally determines a statistical value outside the range of learned values. In the configuration of the first embodiment, the analysis server 200 also operates as a management terminal, and the administrator can set the parameters of the router 100 and the analysis server 200 via the analysis server 200. However, the analysis server 200 and the management terminal are not necessarily mounted on the same device, and may be arranged as separate devices.

(Configuration of analysis server 200 and router 100)
An example of the configuration of the analysis server 200 and the router 100 is shown in FIG. The analysis server 200 includes a collector processing unit 220, an abnormality detection unit 210, and an input unit 230. The collector processing unit 220 receives the statistical packet transmitted from the router 100 and accumulates statistical information. The input unit 230 operates as a management terminal, receives setting information for the router 100 and the analysis server 200 input by the administrator, and within the analysis server 200, setting information for the abnormality detection unit 210 and setting information for the router 100 To be notified.

  The abnormality detection unit 210 analyzes the statistical information collected by the collector processing unit 220 by machine learning, and determines normal communication and attack communication. For the machine learning, Support Vector Machine (SVM) or cluster analysis may be used. However, the contents of these machine learnings are not the features of the first embodiment, but are generally known and implemented, and thus will be described in detail. Is omitted. In addition, the abnormality detection unit 210 holds abnormality detection management information 1001 for managing an abnormality detection analysis unit.

  An example of the abnormality detection management information 1001 is shown in FIG. The abnormality detection management information 1001 has correspondence information between the detection target 1011 and the detection condition 1012. In the detection target 1011, for example, an attack type such as resource consumption type DDoS is stored. The detection condition 1012 stores statistical information items used for machine learning and abnormality determination, and weighting parameters.

  One of the types stored in the detection target 1011 is specified by the administrator via the input unit 230, and the abnormality detection unit 210 performs abnormality detection to be executed according to the detection condition 1012 corresponding to the specified detection target 1011. Set the conditions.

  In the example of FIG. 3, the number of different flow tables A, B, and C (flow tables identified by names A, B, and C), which will be described later, as detection conditions 1012 for detecting the resource consumption type DDoS of the detection target 1011 It also indicates that the number of packets whose packet transmission interval (packet reception interval at the router 100) is equal to or greater than the threshold and the statistics collection time are used as machine learning inputs. Further, in the example of FIG. 3, it is expressed by explanation of words so that it can be easily understood. However, the actual abnormality detection management information 1001 may be a program representing the contents thereof, or may be a value held as a table. There may be a specific value representing the content of the contents.

  Note that these statistical information is an example of statistical information that is particularly effective for detecting resource-consuming DDoS, but as other inputs for machine learning, the number of packets, the total packet size, the count number of TCP flags, One or a plurality of statistical information such as a distribution of packet sizes and a distribution of packet transmission intervals (reception intervals) may be included as the detection condition 1012.

  The collector processing unit 220, the abnormality detection unit 210, and the input unit 230 of the analysis server 200 illustrated in FIG. 2 may be realized by dedicated hardware, or execute a processor program as a computer of the analysis server 200. It may be realized by the processing. Further, it may be realized by a combination of dedicated hardware and processing for executing a processor program.

  The router 100 includes a control unit 110, a received packet processing unit 120, a search processing unit 160, a routing table 170, a transmission packet processing unit 130, a traffic statistical processing unit 140, and a statistical table 150. Including a general router process for relaying a packet, the reception packet processing unit 120 receives the packet via the input port and outputs the packet header information to the search processing unit 160.

  The search processing unit 160 searches the routing table 170 using the input header information, determines the next hop and the output port, and notifies the received packet processing unit 120 of it. The reception packet processing unit 120 outputs the next hop, the output port, and the packet to the transmission packet processing unit 130.

  The transmission packet processing unit 130 rewrites the media access control (MAC) header of the packet and the time to live (TTL) of the (Internet Protocol) IP header, and transmits the packet from the determined output port. The above is the operation as a general router. However, other general router processing may be included.

  The control unit 110 exchanges route information of the routing table 170 with another router 100 based on the routing protocol, or communicates with the analysis server 200 to receive setting information input by the administrator. Then, the control unit 110 changes various parameters set by the administrator to the reception packet processing unit 120, the transmission packet processing unit 130, the search processing unit 160, and the traffic statistics processing unit 140.

  The traffic statistics processing unit 140 receives packet header information from the received packet processing unit 120 and generates traffic statistical information based on the input header information. The statistical table 150 holds statistical information generated by the traffic statistical processing unit 140 in a flow table format described later.

  An example of the traffic statistics processing unit 140 is shown in FIG. The traffic statistics processing unit 140 includes a header information accumulation unit 142, a statistics table management unit 143, and a statistics packet generation unit 141. Various parameters for executing the processing of each unit are set in advance via the control unit 110.

  The header information storage unit 142 receives packet header information from the received packet processing unit 120 and outputs the packet header information to the statistics table management unit 143. The statistics table management unit 143 includes entry update method management information 3001 described later, and updates the statistics table 150 according to the header information and the entry update method management information 3001 input from the header information storage unit 142.

  When the entry of the statistical table 150 satisfies the condition for generating the statistical packet, the statistical table management unit 143 outputs the statistical information of the entry that satisfies the condition to the statistical packet generating unit 141. The statistical packet generation unit 141 converts the statistical information of the input entry into a format for transmission, and outputs it to the transmission packet processing unit 130 of the router 100.

  Note that the address of the analysis server 200 that is the destination of the statistical packet and the conditions for generating the statistical packet are set in advance by the administrator via the control unit 110. Examples of conditions for generating statistical packets include thresholds for specific items included in statistical information, elapsed time since statistical information began to be collected, elapsed time since statistical information was last updated, etc. Also good.

  An example of the statistics table 150 is shown in FIG. The statistical table 150 includes at least one flow table 5001 for managing traffic statistical information for each flow. The flow table 5001 included in the statistical table 150 is preset by an administrator via the control unit 110. The Names (identification information) such as A are assigned to the flow table 5001a, B is assigned to the flow table 5001b, C is assigned to the flow table 5001c, and N is assigned to the flow table 5001n.

  Examples of the flow table 5001 are shown in FIGS. The flow table 5001 includes a 5-tuple (namely, a source IP address (S-IP), a destination IP address (D-IP), a source port number (S-PT), and a destination port number (D-). PT) and a protocol number (PCL) are combinations arbitrarily selected from five, and the table is set by the administrator.

  For example, as shown in FIGS. 6A to 6C, as a combination of key items, a flow table 5001 includes a flow table 5001a (S-IP, PCL), a flow table 5001b (S-IP, D-IP, PCL), and a flow table. C5001c (S-IP, D-IP, PCL, S-PT, D-PT) and the like are defined.

  If even one key item content (value) is different, that is, two flows having the same source IP address value and destination IP address value in the flow table 5001b, different protocol numbers are used. It becomes. The statistical table management unit 143 searches for an entry for each flow table based on the header information received from the header information storage unit 142, and updates the statistical information of the entry having a matching key item.

  The statistical information held by each flow table 5001a, 5001b, 5001c includes the number of packets, the sampling time until the condition for generating statistical packets is satisfied, the number of differences, and the number of packets whose transmission interval (reception interval) is greater than or equal to the threshold value. Etc. are included. In addition to statistical information from the transmission source to the transmission destination, statistical information from the transmission destination to the transmission source may be included.

  The number of differences is the number of unique combinations of items that are not included in the key items in 5-tuple. For example, the different number in the flow table 5001a is the number of unique combinations of a destination IP address, a source port number, and a destination port number that are not included in the key items (source IP address and protocol number).

  The different number in the flow table 5001b is the number of unique combinations of the source port number and the destination port number that are not included in the key items (source IP address, destination IP address, protocol number). Since the flow table 5001c includes five items of 5-tuple as key items, there is no different number.

  The statistical information is not limited to the examples shown in FIGS. 6A to 6C. Other statistical information includes the total packet size, the TCP flag count, the packet size distribution, and the packet transmission interval (reception). One or more of the (space) distributions may be included. Also, management information for the Last Recently Used (LRU) for replacing and discarding the flow information may be included.

  In the first embodiment, the flow table 5001 is in the form of set associative. An example of the format of a table composed of set associative is shown in FIG. The set associative table 6001 holds N entry numbers (N is an integer of 1 or more) per line number (there are N storage fields). In this embodiment, an example in which the entry number is held in FIG. 7 will be described. However, the contents of the entries shown in FIGS. 6A to 6C may be held.

  In the example of FIG. 7, four entry numbers are held per line number, and such a table is called a 4-way set associative table. The set associative table 6001 according to the first embodiment is provided for each of the flow tables 5001 distinguished by the flow table 5001a and the flow table 5001b.

  When the value of the key item is specified and the flow table 5001 is updated, in order to narrow down the entry number in the set associative table 6001, first, the value of the specified key item is input to the hash function, and the hash value is calculated. Is done. Here, the hash function may be a general redundancy check (CRC), a city-hash, a farm-hash, or the like that allows a certain amount of hash value collisions but is light in calculation processing.

  As the calculated hash value, as the line number, 1 to 4 entry numbers corresponding to the line number are acquired from the table 6001, and the values of the key items respectively corresponding to the acquired 1 to 4 entry numbers in the flow table 5001 are obtained. To be acquired. If any of the acquired key item values matches the specified key item value and there is an entry with the same key item value, the statistical information of the corresponding entry is updated in the flow table 5001.

  If there is no entry having the same value key item and there are vacant spaces in the four storage fields of the entry number of the table 6001, an entry number is newly assigned, and the entry is registered in the flow table 5001. A newly assigned entry number is added to the vacancy, and if there is no vacancy, the entry number is replaced.

  In the set associative configuration, LRU or pseudo LRU is generally used for replacement of entry numbers. In the LRU, among the plurality of entry numbers for each line, the entry number with the longest unused time is preferentially replaced.

  In addition, since the LRU has a long processing time, a pseudo LRU with simplified processing is often used in a set associative configuration. In addition, a method of preferentially replacing entries with a small number of accesses is also common.

  However, when the flow table 5001 or the set-associative table 6001 is updated by replacement processing such as LRU, a flow entry with a small traffic volume such as a resource consumption type DDoS is likely to be a replacement target and is necessary for abnormality detection. Statistical information may be lost. Therefore, the statistical table management unit 143 includes entry update method management information 3001.

  An example of the entry update method management information 3001a is shown in FIG. The entry update method management information 3001a includes information on an entry replacement rule 3021 corresponding to the type of the detection target 3011, information on a statistical packet generation condition 3031 at the time of entry replacement, and a flow table 3041 to which these rules are applied. A name for identifying the flow table 5001a, 5001b, 5001c. Note that a condition for generating a statistical packet at the time of entry update may be provided.

  The statistical table management unit 143 uses the rule 3021 corresponding to the detection target 3011 type designated in advance by the administrator, the generation condition 3031, and the applied flow table 3041 for updating the entry. Unlike the statistical packet generation condition described above, the statistical packet generation condition 3031 shown in the entry update method management information 3001a of FIG. 8 is applied only at the time of entry replacement. Details will be described later with reference to an entry update flowchart.

  As an example of the entry replacement rule 3021 for the resource consumption type DDoS as the detection target 3011, a rule is set so that the packet transmission interval (reception interval) is preferentially replaced from a packet with a small number of packets having a threshold value or more. As an example of the statistical packet generation condition 3031 at the time of entry replacement, a rule is set such that the number of packets whose packet transmission interval (reception interval) is equal to or greater than a threshold value at the time of entry replacement. As an example of the flow table 3041 to be applied, the names of the flow table 5001 are set as A, B, and C.

  Thereby, it is possible to preferentially leave statistical information necessary for detecting the resource consumption type DDoS and notify the analysis server 200 without missing the statistical information. In addition to the example shown in FIG. 8, a plurality of items included in the statistical information and combinations thereof may be set as information on the entry replacement rule 3021 and the statistical packet generation condition 3031.

  In addition, when the type of the detection target 3011 is not specified by the administrator (when it is set as “no specification”), the statistical table management unit 143 uses a general process such as a pseudo LRU to store the table 6001. The entry number may be replaced, and the information of the entry update method management information 3001a may be either a program or a table value.

(System operation sequence)
An example of an operation sequence in the system of the first embodiment is shown in FIG. First, the administrator designates the detection target (type) for the abnormality detection management information 1001 of the analysis server 200 via the input unit 230 of the analysis server 200, and sets the flow table 5001 and the entry update method management information 3001. Information and setting information such as the address of the analysis server 200 are accepted and transmitted to the router 100 (step S501).

  The router 100 that has received the setting information sets the statistical packet generation unit 141 and the statistical table management unit 143 of the traffic statistical processing unit 140 via the control unit 110, and starts the statistical collection processing (step S502). If the statistics collection of the traffic is continued and the condition for generating the statistics packet is satisfied during the statistics collection processing, the router 100 transmits the statistics packet including the statistics information to the analysis server 200 (step S503).

  When receiving the statistical packet, the analysis server 200 accumulates statistical information included in the statistical packet (step S504). The analysis server 200 receives the learning instruction given from the administrator as a trigger, inputs the accumulated statistical information to machine learning, and creates a determiner that determines whether it is normal or abnormal (step S505).

  Thereafter, the router 100 continues to collect traffic statistics, and when the conditions for generating statistical packets are satisfied during the statistical collection processing, the router 100 transmits statistical packets including statistical information to the analysis server 200 (step S506). ). When receiving the statistical packet from the router 100, the analysis server 200 inputs the statistical information included in the statistical packet to the determination unit, and determines whether it is normal or abnormal (step S507).

(Flow chart for updating entries in the statistics table 150)
An example of a flowchart in which the statistics table management unit 143 updates the statistics table 150 is shown in FIG. When the statistical table management unit 143 receives the header information of the packet from the header information storage unit 142, the statistical table management unit 143 starts an entry update process of the statistical table 150 (step S701). Note that when the received packet processing unit 120 receives the packet, the header information of the received packet is output to the traffic statistical processing unit 140, and in the traffic statistical processing unit 140, the header information storage unit 142 receives the header information.

  The statistical table management unit 143 extracts 5-tuple information corresponding to the key item of each flow table 5001 from the header information of the packet, and inputs it to the hash function to calculate the line number (step S702). Then, the entry number is obtained by accessing the line of the set associative table 6001 based on the calculated line number, and the flow table 5001 is accessed based on the entry number to search for an entry having the same key item information. (Step S703).

  If there is a matching entry and is found by the search in step S703, the statistical table management unit 143 updates the statistical information of the found entry (step S704). If there is no matching entry, the statistical table management unit 143 determines whether there is a vacancy in the line with the line number calculated in step S702 (step S705). The number is added, the entry with the added entry number is added to the flow table 5001 (step S706), and the statistical information of the added entry is updated (step S704).

  After updating the statistical information of the entry in step S704, the statistical table management unit 143 determines whether the updated entry satisfies the statistical packet generation condition at the time of entry update (not shown in FIG. 8) (step S707). ). When it is determined that the generation condition is satisfied, the statistical table management unit 143 notifies the statistical packet generation unit 141 of packet generation (step S708), and ends the entry update process (step S709).

  When a packet is generated according to step S708, the entry used for generating the packet is deleted from the flow table 5001, and the entry number of the deleted entry is deleted from the set associative table 6001. If it is determined in step S707 that the generation condition is not satisfied, the entry update process of the statistical table management unit 143 is terminated as it is (step S709).

  If it is determined in step S705 that there is no space in the line, the statistical table management unit 143 replaces the entry based on the entry replacement rule 3021 set in the entry update method management information 3001 (step S710). The statistical information is updated (step S711).

  That is, an entry number is identified from lines determined to be free in the set associative table 6001 based on the entry replacement rule 3021, and the entry with the identified entry number is deleted from the flow table 5001. The identified entry number is deleted from the set associative table 6001, and a new entry number and entry are added to the empty column after deletion. Then, the statistical information of the added entry is updated.

  Thereafter, the statistical table management unit 143 determines whether the entry to be replaced satisfies the statistical packet generation condition 3031 at the time of entry replacement (step S712). If it is determined that the condition is satisfied, the statistical table generation unit 141 generates a packet. (Step S708), and the entry update process is terminated (step S709). Flag information indicating that the statistical packet generation condition 3031 at the time of entry replacement is satisfied is added to the statistical packet generated at this time.

  When a packet is generated according to step S708, the entry used for generating the packet is deleted from the flow table 5001, and the entry number of the deleted entry is deleted from the set associative table 6001. If it is determined in step S712 that the generation condition is not satisfied, the entry update processing of the statistical table management unit 143 is terminated as it is (step S709).

  In step S710, the statistical table management unit 143 may notify the statistical packet generation unit 141 so as to generate a statistical packet of an entry to be deleted as a replacement target. In addition, it may be determined whether the information of the entry to be deleted meets a preset condition, and may be notified to the statistical packet generation unit 141 when it is determined that the information meets the condition.

(Variation of traffic statistics processing unit 140 and statistics table 150)
In the above description, the process to the entry of the flow table 5001 has been described with the flow table 5001 of the statistical table 150 being set associative. However, the present invention is not limited to the above-described form. As another form of the flow table 5001, a plurality of line number candidates are obtained using a plurality of hash functions when obtaining a line number from a key item. A target entry may be obtained from the list.

  In addition, an example in which the traffic statistical processing unit 140 and the statistical table 150 are mounted inside the router 100 has been described with reference to FIG. 2, but the traffic statistical processing unit 140 and the statistical table 150 are arranged outside the router 100. The statistics collection server 300 may be implemented. An example of a configuration including the statistics collection server 300 is shown in FIG.

  The control unit 110, the search processing unit 160, the routing table 170, and the analysis server 200 of the router 100 are as described with reference to FIG. 2, but the received packet processing unit 120 of the router 100 duplicates the received packet. To the statistics collection server 300. In addition, the transmission packet processing unit 130 transmits the statistical packet received from the statistics collection server 300 to the analysis server 200.

  Here, the received packet processing unit 120 may transmit the header information of the received packet to the statistics collection server 300. For this purpose, the received packet processing unit 120 creates a new packet using the header information of the received packet as data, and performs statistics. You may transmit to the collection server 300.

  The traffic statistics processing unit 140 and the statistics table 150 of the statistics collection server 300 are as described with reference to FIGS. 2, 4 to 10, and the traffic statistics processing unit 140 stores the header information of the packet received by the statistics collection server 300. The statistics information is input from the statistics collection server 300 to the router 100.

  Note that the statistics collection server 300 may also be connected to the analysis server 200, receive a duplicated packet from the router 100, and directly transmit / receive setting information and statistical information to / from the analysis server 200. The statistics collection server 300 may be a general computer including a processor 310 and a memory 320. The statistics table 150 and the program 330 are stored in the memory 320, and the processor 310 executes the program 330, thereby the traffic statistics processing unit 140 and The program 330 may include a program that realizes the processing described with reference to FIG. The router 100 may be replaced with a general switch of the network or a general router.

(Application to attacks other than resource-consuming DDoS)
In the above description, the lack of statistical information in the detection of resource consumption type DDoS is taken as a problem, and the embodiment for solving this has been described. However, it is not limited to detection of resource consumption type DDoS, and it is also possible to detect attacks other than resource consumption type DDoS, and in particular, detection of command and control (C & C) server communication, scanning activity, flooding, etc. It can be.

  By the way, when a plurality of detection targets are monitored within the same time, the operation of each detection target is different, and the contents of the entry replacement rule 3021 are different. In some cases, entries necessary for the detection target are set as replacement targets, and statistics regarding all detection targets cannot be collected without omission.

  In order to prevent this, the statistical table management unit 143 of the router 100 holds the conflict management information 7001 shown below, and detects the detection target for which the content of the entry replacement rule 3021 conflicts according to the information of the conflict management information 7001. A flow table 5001 is created every time. As a result, even if the contents of the entry replacement rule 3021 for the first type of the detection target 3011 are applied to the first flow table 5001, the second flow table 5001 for the second type of the detection target 3011 is applied. It does not affect.

  FIG. 12 shows an example of entry update method management information 3001b when a plurality of detection targets are used. In this example, the entry replacement rule 3021 of the resource consumption type DDoS and the C & C server has the same content and does not conflict with each other, but the entry replacement rule 3021 is different from the flooding rule. There is a possibility of contention in A and B of the table.

  Since such a conflict may occur, the statistical table management unit 143 refers to the conflict management information 7001 in order to determine whether or not the entry replacement rule 3021 conflicts. An example of the conflict management information 7001 is shown in FIG. In the conflict management information 7001, information about which other detection target does not conflict with each detection target is registered. In the example of FIG. 13, the resource consumption type DDoS and the C & C server communication do not compete with each other, but the flooding may compete.

  When the administrator sets the entry update method management information 3001b and the conflict management information 7001, or the entry update method management information 3001b and the conflict management information 7001 are preset, and the administrator detects the detection target 3011 of the entry update method management information 3001b. When the type is designated, the statistical table management unit 143 searches the conflict management information 7001 to determine a conflict.

  If it is determined that there is no conflict as a result of the determination, the statistical table management unit 143 applies the rule of each content of the entry replacement rule 3021 to the common flow table 5001 for the plurality of types of the detection target 3011; Statistical information is processed using a common flow table 5001.

  As a result of the determination, if it is determined that there is a possibility of conflict, the statistical table management unit 143 matches the name of the flow table 3041 to be applied corresponding to the type of the detection target 3011 that has been determined to have a possibility of conflict. The flow table 5001 with the name determined to match is created. Here, you may change so that the name of the flow table 3041 to apply can be identified only for the preset period.

  For example, when it is determined that there is a possibility that the resource consumption type DDoS of the detection target 3011 and the flooding may compete, the A and B of the flow table 3041 to be applied corresponding to the resource consumption type DDoS are changed to A1 and B1, respectively. , A and B of the flow table 3041 to be applied corresponding to flooding may be changed to A2 and B2, respectively, and four flow tables 5001 having names A1, B1, A2 and B2 may be created.

  Then, the statistics table management unit 143 applies the rule of the contents of the entry replacement rule 3021 and the condition of the contents of the statistics packet generation condition 3031 at the time of entry replacement for each flow table 5001. The conflict management information 7001 may be information by a program as long as it is in a searchable information form, and values may be held as a table.

  As described above, even if there is no memory having a capacity capable of storing a flow table including statistical information without omission and the capacity of the memory storing the flow table is small, the flow statistics like the resource consumption type DDoS It is possible to collect information. Conversely, the capacity of the memory for storing the flow table can be reduced.

(System configuration)
In the first embodiment, an example in which an abnormality is detected by the analysis server 200 has been described. In the second embodiment, an example in which traffic is censored by a general packet analysis device will be described. An example of the configuration of a system including a network in the second embodiment is shown in FIG. The difference from the example of FIG. 1 described in the first embodiment is that the router 100c is newly connected to the packet analysis device 400. Therefore, the terminal 10, the server 20, and the routers 100a and 100b are as described with reference to FIG. 1, but the router 100c and the analysis server 200 are different from those described with reference to FIG.

  Specifically, the packet analysis device 400 is an analysis device such as a forensic server or a deep packet inspection (DPI) device. While the analysis server 200 detects anomalies using statistical information notified from the router 100, the packet analysis device 400 receives and censors packets transmitted from the router 100 by mirroring or policy-based routing.

  The packet analysis device 400 can analyze more detailed information than the analysis server 200. However, since the capacity of the line bandwidth between the router 100c and the packet analysis device 400 is limited, a large amount of information passing through the router 100 can be obtained. Cannot be received and monitored by the packet analysis device 400.

  The analysis server 200 shown in FIG. 14 according to the second embodiment comprehensively analyzes the statistical information of traffic, performs primary screening, selects a flow to be transmitted to the packet analysis device 400, and transmits traffic to the packet analysis device 400. Narrow down. Thereby, the limited line bandwidth capacity between the router 100 and the packet analysis device 400 is efficiently used, and traffic worth censoring is monitored.

  Thus, in order to monitor the resource consumption type DDoS by the packet analysis device 400, the analysis server 200 detects the statistical information of traffic suspected of resource consumption type DDoS in a short time from the start of the traffic, and the packet It is necessary to instruct the router 100c to transmit a packet to the analysis device 400.

  However, since the resource consumption type DDoS has a low communication rate, and it takes time until the condition for generating the statistical packet described in the first embodiment is satisfied, the packet analysis apparatus 400 receives the packet after the resource consumption type DDoS is started. It takes time until censorship starts after receiving. For this reason, in the second embodiment, information to be described later is added to the flow table and entry update method management information of the traffic statistics processing unit 140 to achieve early detection of resource consumption type DDoS.

(Configuration of flow table 5001d)
An example of a flow table 5001d in the second embodiment is shown in FIG. A difference from the flow tables 5001a to 5001c described with reference to FIG. 6 of the first embodiment is that information of a notified flag 5011 having a value of 0 or 1 is added for each entry as statistical information. The statistical information other than the notified flag, the entry number, and the key items are as described above. In the example shown in FIG. 15, the key item corresponds to FIG. 6A, but may be the key item corresponding to FIGS. 6B and 6C.

  The value of the notified flag 5011 is 0 when the initial value is 0 and an early detection packet generation condition described later is satisfied. Once the notified flag 5011 becomes 1, the early detection packet related to the entry that has become 1 is not transmitted even if the conditions for generating the early detection packet are satisfied.

(Configuration of entry update method management information 3001c)
An example of the entry update method management information 3001c in the second embodiment is shown in FIG. The difference from the entry update method management information 3001a described with reference to FIG. 8 of the first embodiment is that an early notification packet generation condition 5012 is added. The detection target 3011, the entry replacement rule 3021, the statistical packet generation condition 3031 at the time of entry replacement, and the applied flow table 3041 are as described above.

  As a condition for the detection target 3011 to be the contents of the early notification packet generation condition 5012 for the resource consumption type DDoS, for example, the number of packets whose packet transmission interval (reception interval) is equal to or greater than a threshold is set to a certain number or more. Here, in order to determine the number of packets, the threshold value of the transmission interval (reception interval) may be compared with a certain number (threshold value) unrelated.

  Then, by setting a sufficiently small value as this fixed number (threshold value), the possibility of resource-consuming DDoS traffic can be determined in a short time from the start of the traffic, and the packet to the packet analysis device 400 can be determined. Can be instructed to the router 100c. Further, the false negative rate can be reduced by sufficiently reducing the certain number (threshold value). The fixed number (threshold value) is preferably a smaller value than that of the entry replacement rule 3021 with a small number of packets.

  The early notification packet generation condition 5012 is used in step S707 of the flowchart shown in FIG. In the second embodiment, the statistical table management unit 143 determines whether or not the entry updated in the same manner as in the first embodiment in step S707 satisfies the generation condition of the statistical packet at the time of entry update. It is determined whether the condition of the contents of the generation condition 5012 is satisfied.

  If it is determined in step S707 that the condition of the content of the early notification packet generation condition 5012 is satisfied, the statistical table management unit 143 changes the notified flag 5011 of the determined entry of the flow table 5001d to 1, and The generation unit 141 is notified of the generation of the early notification packet.

  In response to this notification, the statistical packet generation unit 141 includes, in addition to the statistical information, a flag indicating that it is an early notification packet and detection target information in the early notification packet. In the generation of the early notification packet described above, the entry used for notification is not deleted from the flow table 5001d even after the early notification packet is generated. As a result, statistical information such as the number of differences can be collected by the analysis server 200 enough to detect an abnormality.

(Explanation of system operation sequence)
An example of an operation sequence in the system of the second embodiment is shown in FIG. As shown in FIG. 15, the operation sequence of the packet analysis device 400 is added to the operation sequence shown in FIG. In addition, since description of step S901-S905 is the same description as step S501-505 of FIG. 9 in Example 1, description is abbreviate | omitted.

  If the router 100 starts the traffic statistics collection process in step S903 and then continues to collect traffic statistics and determines that the early notification packet generation condition 5012 is satisfied, the router 100 sends the early notification packet to the analysis server 200. Transmit (step S906).

  When the analysis server 200 receives the early notification packet, the analysis server 200 instructs the router 100 to mirror the flow that matches the key item included in the early notification packet or a flow that includes a part of the key item to the packet analysis device 400. Notification is made (step S907). When receiving the setting instruction, the router 100 controls the reception packet processing unit 120 and the transmission packet processing unit 130 to mirror the flow specified by the setting instruction to the packet analysis apparatus 400 (step S908).

  For this mirroring, a circuit for mirroring may be provided in the reception packet processing unit 120 and the transmission packet processing unit 130, or a route that the control unit 110 mirrors in the routing table 170 may be set. When receiving the packet transmitted from the router 100, the packet analysis device 400 censors the packet and determines whether it is abnormal or normal (step S909).

  As described above, it is possible to detect the start of a resource-consuming DDoS attack at an early stage, narrow down the flow, and analyze it with the packet analysis device 400, and the line bandwidth capacity between the router 100 and the packet analysis device 400 It is possible to monitor traffic without omission while efficiently using.

100 router 200 analysis server 300 statistics collection server 400 packet analysis device 110 control unit 120 received packet processing unit 130 transmission packet processing unit 140 traffic statistical processing unit 150 statistical table 141 statistical packet generation unit 143 statistical table management unit

Claims (15)

A network device for managing network statistical information,
A receiver for receiving packets from the network;
Managing statistical information of packets received by the receiving unit in units of entries in the first table;
The second table manages the replacement rule of the entry of the first table and the transmission condition of the statistical information of the entry to be replaced,
The entry information of the first table is replaced based on the replacement rule managed in the second table, and the statistical information of the entry in the first table is determined based on the transmission condition managed in the second table. A network device comprising: a management unit that controls transmission. The network device according to claim 1,
The network device according to claim 1, wherein the entry of the first table is identified by a value included in a 5-tuple of a packet of the network. The network device according to claim 2, wherein
The management unit
When the receiving unit receives the first packet,
Due to the match between the value contained in the 5-tuple of the first packet and the value contained in the 5-tuple from which the entry in the first table is identified, the entry corresponding to the first packet becomes the first A network device for determining whether or not a table exists. The network device according to claim 3, wherein
The statistical information managed in the first table is
Including, for each entry, information on the reception interval of the second packet already received by the receiver and information on the number of packets received at a preset time;
The management unit
If it is determined that the entry corresponding to the first packet is in the first table,
The network apparatus, wherein the information of the reception interval and the number of packets of the entry determined to be present in the first table are updated with the information of the first packet. The network device according to claim 4, wherein
The management unit
If it is determined that there is no entry corresponding to the first packet in the first table,
Determining the availability of entries in the first table;
When it is determined that there is no free space, the network device is replaced based on a replacement rule managed by the second table. The network device according to claim 5, wherein
The management unit
In order to perform replacement based on the replacement rule managed in the second table, the reception interval information and the packet count information included in the statistical information managed in the first table are managed in the second table. A network apparatus characterized by specifying an entry to be replaced by applying to a replacement rule to be replaced. The network device according to claim 6, wherein
The replacement rule managed in the second table is:
A network device characterized by including information that a reception interval is equal to or greater than a preset threshold and an entry having a small number of packets is replaced. The network device according to claim 7, wherein
The management unit
The network apparatus, wherein the entry identified as being replaced is replaced with information included in a 5-tuple of the first packet, information about a reception interval of the first packet, and information about the number of packets. The network device according to claim 7, wherein
The transmission conditions managed in the second table are:
Including information that the reception interval is equal to or greater than a preset threshold and the number of packets is equal to or greater than a predetermined number;
The management unit
Determining whether the information of the reception interval and the number of packets of the entry specified when the replacement is satisfied satisfies the transmission condition managed in the second table;
When it is determined that the transmission condition is satisfied, control is performed so as to transmit statistical information including information on the reception interval of the specified entry and information on the number of packets when replaced. The network device according to claim 9, wherein
The statistical information managed in the first table is
The network apparatus further includes one or more information of the number of TCP flags, the number of different flags, the collection time, the packet size, the packet size distribution, and the packet reception interval distribution. The network device according to claim 10, comprising:
The second table is:
Including multiple types of detection target information, replacement rule information and transmission condition information associated with each detection target,
The management unit
In the combination of different types of detection targets, the combination in which the replacement rule included in the second table conflicts is managed in the third table,
Accept multiple designations of detection targets,
Determine whether the accepted designation is a combination of the third table;
When it is determined that the combination is a combination, the first table is generated for each detection target included in the combination. An anomaly detection system using network statistics,
An analysis server that receives statistical information and analyzes it by machine learning to generate a determinator for detecting an abnormality, a receiving unit that receives a packet from the network, and first statistical information of a packet received by the receiving unit And the replacement rule of the entry in the first table and the transmission condition of the statistical information of the entry to be replaced are managed in the second table, and the replacement is managed in the second table. Management for replacing an entry in the first table based on a rule, and controlling to transmit statistical information of the entry in the first table to the analysis server based on a transmission condition managed in the second table A network device comprising:
An anomaly detection system comprising: An anomaly detection system according to claim 12,
A packet analysis device;
The network device further includes a transmission unit that transmits a packet received by the reception unit of the network device,
The management unit of the network device includes:
Further managing the early detection information notification conditions in the second table,
Control to notify the analysis server of early detection based on the notification condition managed in the second table,
The analysis server
When early detection is notified, the network device is notified of a mirroring setting instruction,
When the mirroring setting instruction is notified, the transmission unit of the network device transmits the packet received by the reception unit to the packet analysis device. The anomaly detection system according to claim 13,
The management unit of the network device includes:
Further managing the information that has been notified of early detection in the first table,
When it is determined that the notified information of early detection managed in the first table indicates that notification has not been made, early detection is notified to the analysis server based on the notification condition managed in the second table. The abnormality detection system is characterized in that the information that has been notified of early detection managed in the first table is changed to notification. An anomaly detection system using network statistics,
A router including a receiving unit that receives a packet from the network and outputs a packet header of the received packet; and a transmitting unit that transmits the received packet to a routing destination;
A storage unit that inputs and stores packet headers, and manages statistical information of packets received by the reception unit in units of entries in the first table based on the stored packet headers, and entries in the first table The replacement rule and the transmission condition of the statistical information of the entry to be replaced are managed in the second table, and the entry in the first table is replaced based on the replacement rule managed in the second table, A statistics collection server comprising: a management unit that controls to transmit the statistical information of the entry of the first table based on a transmission condition managed in the second table;
An abnormality detection system comprising: an analysis server that receives statistical information, analyzes the machine information by machine learning, and generates a determination unit for detecting the abnormality.

Images