JP2019092039A - Attack detection method, attack detection device, and communication system - Google Patents

Abstract

To accurately detect the occurrence of unauthorized access attacks such as DoS/DDoS attacks.SOLUTION: A communication system transfers packets transmitted from a source device by one or more communication devices. A transfer unit 21 of an attack detection apparatus 20 transfers a packet. A traffic information management unit 22 classifies, into a subtraffic, the traffic of a packet transferred by the transfer unit 21 on the basis of an identifier of the communication device, which is added by the communication device at the time of transferring of the packet or an identifier of the communication device that is a transfer destination, which is added to the packet by the higher-level communication device of the communication system. An attack detection procedure execution unit 23 detects the presence or absence of an attack on the basis of the subtraffic classified by the traffic information management unit 22.SELECTED DRAWING: Figure 4

Description

  The present invention relates to an attack detection method, an attack detection device, and a communication system.

  With the rise of IoT (Internet of Things) services etc., it is expected that many sensor devices will be connected to the carrier network in the future. On the other hand, it is expected that the number of DDoS (Distributed Denial of Service) attacks that hijacked those devices and become a springboard will further increase in the future.

  The detection of DoS (Denial of Service) / DDoS attacks is important. Although many methods have been considered up to now, detection accuracy has been an issue. It is difficult to detect particularly low rate attack packets from a large amount of traffic. In the present specification, in a DoS or DDoS attack, a packet transmitted from an attack source host to an attack target is referred to as an “attack packet”.

  In the conventional method, a hash function is applied to the sender / receiver address of a packet, traffic is divided into subtraffic, and a detection technique is applied for each subtraffic, or comparison between subtraffic is performed (e.g. Patent Document 1). As a result, detection accuracy is aimed to be improved by the following two effects.

  The first effect is the reduction of the number of data. The division reduces the number of data to be detected, and facilitates detection of buried characteristics.

The second effect is the manifestation of characteristics for each sub traffic. DoS / DDoS attack packets are sent from a specific host (or network) and often have a specific target host (or network). By using this characteristic and applying a hash function to the sender / receiver address (or network mask), the traffic characteristic of each host (or network) can be revealed and detection becomes easy.
In addition, since comparisons between sub-traffic can also be made, improvement in detection accuracy can be expected.

Kensuke Fukuda, "Anomaly Detection in Internet Backbone Traffic", Computer Software, Vol. 30 (2), p. 23-32, 2013

  However, many attack packets spoof the source address. Therefore, it is rare that clear characteristics are produced for each sub-traffic as described in the second effect described above, and there is a possibility that improvement in detection accuracy can not be expected.

  In view of the above circumstances, the present invention aims to provide an attack detection method, an attack detection device, and a communication system capable of accurately detecting the occurrence of an unauthorized access attack such as a DoS / DDoS attack.

  One aspect of the present invention is a method of detecting an attack in a communication system in which a packet is transferred by one or more communication devices, the step of transferring the packet, and the traffic of the packet transferred in the step of transferring Traffic information management step of classifying into sub-traffic based on the identifier of the communication device given when transferring the packet or the identifier of the communication device of the transfer destination given to the packet by the communication device on the upper side of the communication system And an attack detection step of detecting the presence or absence of an attack based on the subtraffic classified in the traffic information management step.

  One aspect of the present invention is the attack detection method described above, wherein, in the traffic information management step, information related to the packet is managed in association with an identifier of the communication device assigned to the packet, and the attack detection In the step, the presence or absence of an attack is detected based on the information on the packet for each sub traffic.

  One aspect of the present invention is the attack detection method described above, further comprising a conversion step of converting the identifier attached to the packet to be transferred by the communication device, wherein the traffic information management step Classifying the traffic into subtraffic based on the identifier transformed in the transforming step.

  One aspect of the present invention is the attack detection method described above, further including a transfer source identifier assignment step in which the communication device in an edge area in the communication system assigns the identifier of the communication device to the packet and transfers the packet. .

  One aspect of the present invention is the attack detection method described above, wherein the communication device that performs the transfer source identifier assignment step is a subscriber line termination device, and the communication device that performs the conversion step is a subscriber line It is an end station device.

  One aspect of the present invention is an attack detection device that detects an attack in a communication system in which packets are transferred by one or more communication devices, and a transfer unit that transfers the packet, and the packet transferred in the transfer unit The traffic is classified into sub-traffic based on the identifier of the communication device given when the packet is transferred by the communication device, or the identifier of the communication device of the transfer destination, which is assigned to the packet by a communication device above the communication system. A traffic information management unit, and an attack detection procedure execution unit that detects the presence or absence of an attack based on the subtraffic classified by the traffic information management unit.

  One aspect of the present invention is a communication system in which a packet is transferred by one or more communication devices, and a transfer unit that transfers the packet, and the communication device transmits a packet traffic of the packet transferred in the transfer unit. A traffic information management unit for classifying into sub-traffic based on an identifier of the communication device given at the time of forwarding or an identifier of the communication device at the forwarding destination given to the packet by a communication device on the upper side of the communication system; And an attack detection procedure execution unit that detects the presence or absence of an attack based on the subtraffic classified by the information management unit.

  According to the present invention, it is possible to accurately detect the occurrence of an unauthorized access attack such as a DoS / DDoS attack.

It is a figure for explaining an outline of an embodiment of the present invention. It is a figure which shows the structure of the communication system by 1st Embodiment. It is a figure which shows the subtraffic classification by the embodiment. It is a functional block diagram which shows the structure of the attack detection apparatus by the same embodiment. It is a figure which shows an example of the traffic information by the embodiment. It is a flowchart which shows the attack detection method by the embodiment. FIG. 7 illustrates sub-traffic classification according to the second embodiment; It is a figure which shows the structure of the communication system by 3rd Embodiment. It is a figure which shows an example of the attack detection part by the embodiment. It is a figure which shows an example of the traffic information by the embodiment.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
The source of DoS / DDoS attack packets, and the destination (ie, DDoS attack target), are expected to have geographical locality. That is, a large amount of attack traffic is transmitted from a specific area, or a large amount of attack packets are transmitted to a specific area. For example, in 2016, DDoS attacks that occurred on devices infected with malware Mirai occurred, but it has been reported that the number of infected devices is biased by country.

  FIG. 1 is a view for explaining an outline of an embodiment of the present invention. The terminal 11 of the user, the sensor device 12 (hereinafter referred to as “sensor 12”), the home gateway 13 and the like are connected from the edge communication device 14 of the carrier network 19 by themselves when connecting to the carrier network 19. It is common to connect with the edge communication device 14 at a close position. Edge communication device 14 is a communication device (e.g., a mobile base station) that is in the edge region of carrier network 19. When a DoS / DDoS attack occurs, it is expected that the traffic flowing through the edge communication device 14 strongly reflects the geographical locality described above.

  Therefore, if subtraffic classification is performed by linking to an identifier indicating transfer destination or transfer source edge communication device 14 assigned to traffic, clear characteristics appear for each subtraffic, and detection accuracy is improved. Conceivable. Furthermore, since the above-mentioned identifier is given in the carrier network 19, it is considered that it is difficult for malicious attackers to rewrite, unlike the source IP address and the like used in the prior art.

  In the following, an embodiment in which an optical access network is used as an example as an edge region of the carrier network 19 will be described. Further, in the present embodiment, only a DDoS attack in which a plurality of attack sources exist and detection is more difficult is assumed, but the present invention is also applicable to a DoS attack in which a single attack source is used.

First Embodiment
In this embodiment, in the edge area of the carrier network 19, an OLT (Optical Line Terminal; an intra-office optical termination device) which is a subscriber line termination point device and an ONU (Optical Line Terminal: optical termination device) which is a subscriber line termination device And a PON (Passive Optical Network). PON is an example of an optical access network. An ONU is used as the edge communication device 14 described above. In this embodiment, for classification of sub-traffic, LLID (Logical Link ID) or VID (Virtual Local Area Network ID) which is an identifier of ONU is used.

  FIG. 2 is a diagram showing the configuration of the communication system 100 according to the first embodiment. The communication station includes one or more OLTs 112 connected to the switch 111. Hereinafter, N (N is an integer of 1 or more) OLTs 112 will be described as OLT # 1 to OLT # N. In the figure, the case of N = 2 is shown as an example. The switch 111 is connected to the host device.

The ONU 113 and home gateway are located in the user's home or in the enterprise. One or more ONUs 113 are connected to the OLT 112. Although the PON in which a single OLT 112 and a plurality of ONUs 113 are connected is shown in the figure as an example, a SS (Single Star) configuration in which the OLT 112 and the ONUs 113 are connected one by one may be adopted. Hereinafter, the ONU113 the OLT # n _{K n} stand (n is an integer 1 or more N) is connected to the _{(K n} is an integer of 1 or more), wherein the ONU # n-1~ONU # n- K n Do. The switch 111, the OLT 112, and the ONU 113 constitute a carrier network.

  A LAN (Local Area Network) in the home and a LAN 115 as the LAN in the company are laid in the user's home and in the company. The LAN 113 connects the ONU 113 and the home gateway to the terminal 117 and the sensor device 118 (hereinafter referred to as “sensor 118”).

FIG. 3 is a diagram showing the sub traffic classification associated with the ONU 113. As shown in FIG. Malware infection occurs in the LAN 115 of the user's home or company. Often, a plurality of terminals 117 and sensors 118 in the LAN 115 are infected with malware and become a DDoS platform. It is assumed that due to this infection, a plurality of terminals 117 and sensors 118 in the LAN 115 simultaneously transmit DDoS attack packets in the upstream direction (from the ONU 113 to the carrier network). In this case, even if the transmission rate of attack packets per terminal 11 and sensor 118 is low, the traffic transmitted from ONU # n-k connected to the gateway of LAN 115 is compared with the traffic at normal times to, or other ONU # n-j (k ≠ j, j is an integer 1 or K _n) as compared to the traffic from, are expected to remarkable characteristic appears.

  Although the example in which the LAN 115 connected to the ONU 113 is the transmission source of the DDoS attack has been described above, the same applies to the case where the target is an attack target. DDoS attacks are often targeted at specific users with weak security measures and companies. When a DDoS attack occurs, the traffic sent to the ONU 113 connected to the LAN115 of the user or company targeted by the attack has remarkable characteristics compared to the transmission traffic destined for the other ONU 113. Expected to appear.

  If the subtraffic classification associated with the ONU 113 is performed using the above characteristics, it is possible to expect improvement in the detection accuracy of DDoS attack. For example, it is assumed that the OLT 112 and the ONU 113 constitute an EPON (Ethernet (registered trademark) PON). In EPON, the ONU 113 assigns an LLID (Logical Link ID) of the own device to an upstream packet received from a lower device such as the terminal 117 or the sensor 118, and transmits the packet to the OLT 112. LLID is an identifier of ONU. Several methods of user (ONU) identification in the upper layer communication apparatus can be considered. For example, according to the technology described in Japanese Patent Laid-Open No. 2007-208944, the OLT 112 performs one-to-one conversion of LLIDs assigned to upstream packets. After conversion to VID (VLAN ID), it is transferred to the upper communication device. On the other hand, the upper-level apparatus, which is a communication apparatus above the OLT 112, adds a VID as an identifier of the ONU 113 to the packet in the downstream direction (the direction from the carrier network to the ONU 113) and transmits the packet. The OLT 112 converts the VID assigned to the downlink packet into an LLID by one-to-one conversion, and transfers the LLID to the ONU 113. Sub-traffic classification for each ONU 113 can be realized by using these identifiers. Furthermore, since the above-mentioned identifiers such as LLID and VID are assigned by the communication device of the carrier network, they are robust against rewriting by malicious attackers. In addition, the application of the present embodiment does not press the communication band anew.

  FIG. 4 is a functional block diagram showing a configuration of the attack detection apparatus 20 according to the present embodiment, and only functional blocks related to the present embodiment are extracted and shown. The attack detection apparatus 20 includes a transfer unit 21, a traffic information management unit 22, and an attack detection procedure execution unit 23. While forwarding the packet, the forwarding unit 21 outputs, to the traffic information management unit 22, a sub-traffic identifier that is an LLID or VID attached to the forwarded packet and part or all of information about the packet. The information about the packet indicates the behavior of the packet such as the arrival frequency as well as the information attached to the packet, such as the destination port number (the number contained in the TCP / UDP header to specify the application of the destination) and the protocol number. It may be the transfer direction of information or packet, the input / output port of packet, or the like. The traffic information management unit 22 includes a storage unit 221. The traffic information management unit 22 links and stores the sub traffic identifier received from the transfer unit 21 by the storage unit 221 and the information on the packet, and manages the information. The storage unit 221 may be provided outside the traffic information management unit 22.

  FIG. 5 is a diagram showing an example of traffic information stored in the storage unit 221. As shown in FIG. Although the traffic information shown in FIG. 5 is prepared for each transfer direction, here, for simplicity, it is assumed that an upstream DDoS attack in the direction from ONU to OLT occurs, and only traffic information in the upstream direction is shown. . The traffic information management unit 22 counts the number of packets for each destination port number for each ONU 113 specified by the sub traffic identifier, and writes the count result in the storage unit 221. The traffic information management unit 22 receives the destination port number as information on the packet from the transfer unit 21 together with the sub traffic identifier. In the traffic information shown in the figure, the number of packets for each destination port number is held in the counter for each ONU 113 specified by LLID or VID.

  The attack detection procedure execution unit 23 periodically inquires of the traffic information management unit 22 and acquires the traffic information held in the storage unit 221 by the traffic information management unit 22. The attack detection procedure execution unit 23 performs DDoS attack detection using traffic information set in association with each ONU 113 as sub-traffic information. For example, the attack detection procedure execution unit 23 performs DDoS attack detection based on information on packets for each sub traffic, such as the number of packets for each destination port number. Although any DDoS attack detection method can be used in this embodiment, an example is anomaly detection. In the anomaly detection, a communication pattern at the normal time is defined, and the communication deviated therefrom is judged as abnormal, that is, as a DDoS attack.

  FIG. 6 is a flowchart showing an attack detection method in the attack detection procedure execution unit 23. The attack detection procedure execution unit 23 acquires traffic information from the traffic information management unit 22 (step S10). Subsequently, the attack detection procedure execution unit 23 performs the processing of the following steps S20 to S40 with the traffic information for each ONU 113 as the target sub-traffic.

  First, the attack detection procedure execution unit 23 acquires a normal communication pattern which is a determination reference of abnormality detection (step S20). As a normal communication pattern to be acquired, the past communication pattern of the target sub traffic, other sub traffic, and the like can be considered. The attack detection procedure execution unit 23 performs an abnormal state determination process by a process such as cluster analysis (step S30). When the attack detection procedure execution unit 23 detects abnormal traffic in the sub traffic (step S30: YES), it extracts information (for example, destination port number) for identifying the abnormal traffic. This information is described as abnormal traffic identification information. Furthermore, the attack detection procedure execution unit 23 adds the abnormal traffic identification information to the abnormal traffic identification information list (step S40). The abnormal traffic identification information list is a list having a combination of the sub traffic identifier and the abnormal traffic identification information as one element.

  After the DDoS detection, the attack detection procedure execution unit 23 can deal with the abnormal traffic blocking process and the like to suppress the damage of the DDoS attack. In the case of FIG. 4, as an example, the attack detection procedure execution unit 23 sends the abnormal traffic identification information list to the transfer unit 21. Based on the sent information, the transfer unit 21 uses, for example, an ONU identified and identified by a sub traffic identifier as a transmission source, and upstream traffic having abnormal traffic identification information (for example, destination port number) as abnormal traffic. Recognize and shut off. In the present embodiment, an example of detection for upstream traffic is shown, but detection for downstream traffic transferred from an OLT to an ONU can also be performed by the same method.

  In the functional block diagram shown in FIG. 4, the transfer unit 21, the traffic information management unit 22, and the attack detection procedure execution unit 23 are described in the same case of the attack detection apparatus 20 for simplicity. However, some functions of the attack detection apparatus 20 may exist in another housing. For example, the transfer unit 21 and the transfer unit 21 that performs the blocking process may be provided in a separate case. In addition, the attack detection apparatus 20 may be an apparatus integrated with the OLT 112. Further, part of the transfer unit 21, the traffic information management unit 22, and the attack detection procedure execution unit 23 may be provided in the OLT 112, and another functional unit may be provided in a different case.

  Furthermore, in the present embodiment, sub-traffic classification is performed only by the identifier of the ONU 113. However, classification may be performed in combination with other information (for example, IP address of packet) or the like.

Second Embodiment
In the first embodiment, an example in which subtraffic classification is performed using an LLID or a VID linked to an ONU as an identifier has been described. In the present embodiment, classification into sub traffic is performed using the identifier of the OLT.

  FIG. 7 is a diagram showing sub-traffic classification according to the present embodiment. The configuration of the communication system of this embodiment is the same as that of the communication system 100 shown in FIG. In the figure, sub traffic classification is performed for each OLT 112 using VID as an identifier. The functional blocks and processing flow of the attack detection device 20 are the same as in the first embodiment. That is, the transfer unit 21 acquires the identifier of the OLT 112 as a sub traffic identifier from the packet. The transfer unit 21 outputs the sub traffic identifier and part or all of the information on the packet to the traffic information management unit 22. The same information as in the first embodiment can be used for the information on the packet. The traffic information management unit 22 associates the sub traffic identifier received from the transfer unit 21 with the information on the packet in the storage unit 221, and stores and manages the information. The traffic information management unit 22 counts traffic by the OLT 112 indicated by the sub traffic identifier or by the combination of information related to the OLT 112 and the packet. The attack detection procedure execution unit 23 uses the traffic information for each OLT 112 or for each combination of information related to the OLT 112 and packets as sub-traffic information, and performs DDoS attack detection for each sub-traffic.

  When the detection accuracy is low due to the amount of traffic flowing through the ONU 113 being low, the detection accuracy is improved by performing statistical traffic multiplexing to a certain amount of statistical multiplexing and stabilizing the traffic amount and performing sub-traffic classification The effect of can be expected.

Third Embodiment
In this embodiment, the transfer unit, and the traffic information management unit and the attack detection procedure execution unit are separated and aggregated. The functional block diagram of the attack detection apparatus 20 according to the first embodiment shown in FIG. 4 describes that the transfer unit 21, the traffic information management unit 22, and the attack detection procedure execution unit 23 exist in the same case. However, some of the functional units of the transfer unit 21, the traffic information management unit 22, and the attack detection procedure execution unit 23 may exist in different positions.

  The communication system 100 of the second embodiment shown in FIG. 7 shows an example of performing sub-traffic classification with the OLT 112 as the transfer unit 21, but a communication device installed in a communication section accompanied by an identifier of the ONU 113 is shown. , And can be regarded as the transfer unit 21. Also, the traffic information management unit 22 and the attack detection procedure execution unit 23 can be arranged at a place different from the communication device.

  FIG. 8 is a diagram showing the configuration of the communication system 100a of the present embodiment. The figure shows, as an example, the case where the traffic information management unit 22 and the attack detection procedure execution unit 23 are arranged in a software-defined network (SDN) controller 180. The SDN controller software-controls and manages communication devices in the central office. In the present embodiment, the traffic information management unit 22 and the attack detection procedure execution unit 23 are executed as an application of the SDN controller 180, and information on the communication device as the transfer unit 21 is acquired using a protocol such as OpenFlow.

  FIG. 9 is a diagram showing the configuration of the attack detection unit 20a included in the communication system 100a of the present embodiment. As shown in the figure, the attack detection unit 20a according to this embodiment manages a plurality of transfer units 21 with a single or a small number of traffic information management units 22 and an attack detection procedure execution unit 23. Therefore, the computational resource capacity reduction effect of the traffic information management unit 22 and the attack detection procedure execution unit 23 is expected by the aggregation effect. In addition, it is possible to simultaneously issue a shutoff command to a plurality of transfer units 21 also in the shutoff process. However, in addition to the same management as in the first and second embodiments, the traffic information management unit 22 needs to manage information for each transfer unit 21 that has acquired information.

  FIG. 10 is a diagram illustrating an example of traffic information stored in the storage unit 221. In the figure, the traffic information of the first embodiment shown in FIG. 5 is managed for each OLT 112 as the transfer unit 21.

According to the embodiment described above, the communication system transfers packets by one or more communication devices. The communication devices are, for example, the switch 111, the OLT 112, and the ONU 113. The communication system transfers the packet in the transfer step, and transfers the packet traffic transferred in the transfer step to the packet assigned by the communication device at the time of transferring the packet, or to the packet assigned by the upper communication device of the communication system. A traffic information management step of classifying into sub-traffic based on the identifier of the previous communication device, and an attack detection step of detecting the presence or absence of an attack based on the classified sub-traffic are performed.
In the traffic information management step, information on the packet is managed in association with the identifier of the communication device added to the packet, and in the attack detection step, the presence or absence of an attack is detected based on the information on the packet for each subtraffic. You may
Also, the communication device may convert the identifier assigned to the packet to be transferred, and in the traffic information management step, may classify traffic into sub traffic based on the converted identifier. In that it is an identifier of the communication apparatus, the identifiers before and after conversion can be used as equivalent information even if conversion is performed.

  All or part of the functions of the attack detection apparatus 20 and the attack detection unit 20a described above may be implemented using hardware such as an application specific integrated circuit (ASIC), a programmable logic device (PLD), or a field programmable gate array (FPGA). It may be realized. The attack detection apparatus 20 and the attack detection unit 20a include a central processing unit (CPU), a memory, an auxiliary storage device, and the like connected by a bus, and by executing an attack detection program, the transfer unit 21 and the traffic information management unit 22 and all or part of the function of the attack detection procedure execution unit 23 may be realized. The attack detection program of the attack detection apparatus 20 and the attack detection unit 20a may be recorded on a computer readable recording medium. The computer readable recording medium is, for example, a portable medium such as a flexible disk, a magneto-optical disk, a ROM, a CD-ROM, or a storage device such as a hard disk built in a computer system. The attack detection program may be transmitted via a telecommunication line.

  The embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and includes design and the like within the scope of the present invention.

  The present invention is applicable to a network that transfers packets sent and received between devices.

11 terminal 12 sensor 13 home gateway 14 edge communication device 19 carrier network 20 attack detection device 20a attack detection unit 21 transfer unit 22 traffic information management unit 23 Attack detection procedure execution unit, 100 ... communication system, 100a ... communication system, 111 ... switch, 112 ... OLT, 113 ... ONU, 115 ... LAN, 117 ... terminal, 118 ... sensor

Claims (7)

An attack detection method in a communication system in which packets are transferred by one or more communication devices,
Forwarding the packet;
The identifier of the communication device given by the communication device at the time of transferring the packet, or the communication device of the communication destination of the transfer destination given by the upper communication device of the communication system, the traffic of the packet transferred in the transfer step. Traffic information management step of classifying into sub traffic based on the identifier;
An attack detection step of detecting the presence or absence of an attack based on the sub traffic classified in the traffic information management step;
Attack detection method having. In the traffic information management step, information on the packet is managed in association with an identifier of the communication device assigned to the packet,
In the attack detection step, the presence or absence of an attack is detected based on information on the packet for each of the sub traffics.
The attack detection method according to claim 1. The communication apparatus further includes a conversion step of converting the identifier assigned to the packet to be transferred.
In the traffic information management step, the traffic is classified into sub traffic based on the identifier converted in the conversion step.
The attack detection method according to claim 1 or 2. The communication device in the edge area in the communication system further includes a transfer source identifier assigning step of assigning the identifier of the communication device to the packet and transferring the packet.
The attack detection method according to claim 3. The communication device for performing the transfer source identifier assignment step is a subscriber line termination device,
The communication device performing the conversion step is a subscriber line terminal device.
The attack detection method according to claim 4. An attack detection device for detecting an attack in a communication system in which packets are transferred by one or more communication devices, comprising:
A transfer unit that transfers the packet;
The identifier of the communication device assigned by the communication device at the time of transferring the packet, or the communication device of the transfer destination assigned by the upper communication device of the communication system to the packet traffic transferred by the transfer unit A traffic information management unit that classifies into sub traffic based on the identifier;
An attack detection procedure execution unit that detects the presence or absence of an attack based on the sub traffic classified by the traffic information management unit;
Attack detection device comprising: A communication system for transferring packets by one or more communication devices, comprising:
A transfer unit that transfers the packet;
The identifier of the communication device assigned by the communication device at the time of transferring the packet, or the communication device of the transfer destination assigned by the upper communication device of the communication system to the packet traffic transferred by the transfer unit A traffic information management unit that classifies into sub traffic based on the identifier;
An attack detection procedure execution unit that detects the presence or absence of an attack based on the sub traffic classified by the traffic information management unit;
A communication system comprising

Images