JP4098127B2 - Packet tracking method and packet tracking program - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to a packet tracking method and a packet tracking program for tracking a monitoring target packet flowing in a network, and in particular, a packet tracking method and a packet capable of performing packet tracking even in a network in which information included in the packet is rewritten. It is about a tracking program.
[0002]
[Prior art]
Conventionally, an IDS (Intrusion Detection System) has been used to detect suspicious packets in a network. When a suspicious packet is detected by this IDS and the packet is traced, the packet is traced using the source address as a key.
[0003]
Therefore, if the source address is spoofed, accurate packet tracking cannot be performed. In order to identify and trace such a spoofed packet from the sender, methods such as adding a mark to the packet and modifying the packet and examining the packet contents are considered. It was.
[0004]
However, the conventional method of adding information serving as a mark in the packet described above has a problem of infringing privacy because the contents are examined. In addition, if the information given by the third party for tracking in the packet is fraudulent information given or modified by a malicious third party, the packet shall be accurately tracked. I could not.
[0005]
Conventionally, a method of tracking in an existing network device such as a router has been considered. However, in order to realize this method, it is necessary to partially change the mechanism inside the target network device and the network configuration. For this reason, there has been a problem in that it is not possible to flexibly make configuration changes such as addition of devices and change of installation location.
[0006]
FIG. 33 is a block diagram showing an outline of the configuration of a conventional packet tracking system for solving the above problem. In the figure, local networks 50A, 50B, 50C and 50D are networks in an intranet. Therefore, in these local networks 50A, 50B, 50C and 50D, a local IP (Internet Protocol Address) address is used.
[0007]
In order to monitor these local networks 50A, 50B, 50C, and 50D, the packet printing apparatus 101 (101a, 101b, 101c) is connected between the local networks by logical connection such as an IP address using a technique such as tapping. It is connected by the connection method (stealth connection method) that does not have. Therefore, these packet printing apparatuses 101a, 101b, and 101c can hide their presence from other apparatuses in the monitored network.
[0008]
The packet printing apparatuses 101a, 101b, and 101c are also connected to a management network that exists independently of the monitoring target network. In this case, the packet printing apparatuses 101a, 101b, and 101c are different from the connection to the monitoring target network (stealth connection) by a connection method (for example, IP connection method) that can be recognized by other devices connected to the management network. It is connected.
[0009]
Each of these packet printing apparatuses 101a, 101b, and 101c monitors a connection link between local networks to which the packet printing apparatuses 101a, 101b, and 101c are connected, takes a copy of a packet that passes through each monitored network, and uniquely copies the copied packet. A packet print (PP) for specifying is generated and the packet print is stored.
[0010]
Here, the most common packet print is called a hash value. A one-way function called a hash function is used to generate the hash value. Based on this one-way function, variable-length character string data including characters, numbers, and the like included in the packet is summarized into fixed-length data. This summarized fixed-length data is called a hash value. Hereinafter, this packet print will be described as a hash value.
[0011]
The IDS 103 is connected to the local network 50C and the management network. The IDS 103 is a device that detects unauthorized access packets that have entered the monitored network. The tracking manager 102 is connected to the management network and communicates with the packet printing apparatuses 101a, 101b, and 101c via the management network. The configuration information storage unit 126 stores configuration information of the monitoring target network and the management network.
[0012]
In the above configuration, it is assumed that the IDS 103 detects an unauthorized access packet in the local network 50C. The detection of the unauthorized access packet is performed based on the unauthorized access determination criteria and rules defined by the user.
[0013]
For example, when a port scan is performed, the IDS 103 transmits an alarm for the port scan and a packet subjected to the port scan to the tracking manager 102 as a tracking target packet. Accordingly, when the tracking manager 102 receives the alarm from the IDS 103 and the tracking target packet, the tracking manager 102 generates a packet print (hash value) from the received packet.
[0014]
Next, the tracking manager 102 confirms the position of the packet printing apparatus and transmits a search request including the generated packet print (hash value). Here, it is assumed that a search request including the generated packet print (hash value) is transmitted to all of the packet printing apparatuses 101a, 101b, and 101c. At this time, the packet printing apparatuses 101a, 101b, and 101c search whether or not a packet print (hash value) that matches the received packet print (hash value) is stored.
[0015]
Then, each of the packet printing apparatuses 101a, 101b, and 101c transmits the search result to the tracking manager 102 when the search is completed. The tracking manager 102 obtains a packet path from the search results transmitted from the packet printing apparatuses 101a, 101b, and 101c and the network configuration information.
[0016]
For example, when a search result indicating that a matching packet print (hash value) is stored is received from the packet printing apparatuses 101b and 101c, the trace target packet has come from the local network 50D via the local network 50B. Becomes clear.
[0017]
In the configuration shown in FIG. 33, the management network for connecting the tracking manager 102, the IDS 103, and the like is assumed to exist independently of the monitoring target network, but is not limited to this connection form. It may be a communication line that is logically and physically the same as the target network, or may be a communication line that is physically the same and logically different.
[0018]
FIG. 34 is a block diagram illustrating a functional configuration of the packet printing apparatus 101. In the figure, a tapping device 111 creates a copy of a packet passing through a connected monitoring target network. The print control unit 112 instructs the packet print unit 113 in advance to generate a packet print (hash value) (hash function).
[0019]
The packet print unit 113 generates a packet print (hash value) of the packet copied by the tapping device 111 by the method (hash function) instructed by the print control unit 112. The cache control unit 114 recognizes the amount of packet print (hash value) stored in the PP storage unit 115.
[0020]
When the packet print (hash value) stored in the PP storage unit 115 is equal to or greater than a certain amount, the cache control unit 114 determines that the oldest packet print (hash value) stored in the PP storage unit 115 is used. Is discarded.
[0021]
If the packet print (hash value) stored in the PP storage unit 115 is below a certain amount, the cache control unit 114 adds a new hash value to the end of the information stored in the PP storage unit 115. Remember. In this way, the cache control unit 114 performs control so that the packet print stored in the PP storage unit 115 is always below a certain amount.
[0022]
The packet printing apparatuses 101a, 101b, and 101c perform the above-described operation for all packets that pass through the monitored network. The tracking agent unit 116 is connected to the management network and communicates with the tracking manager 102. The operation of the tracking agent unit 116 will be described in the operation of the tracking manager 102 described later.
[0023]
FIG. 35 is a block diagram illustrating a functional configuration of the tracking manager 102. In the figure, an alarm receiving unit 121 receives an alarm for an unauthorized access packet from the IDS 103, and a packet receiving unit 122 receives an unauthorized access packet (tracking target packet) from the IDS 103. The print control unit 123 instructs the packet print unit 124 in advance to generate a hash value (hash function).
[0024]
The method specified by the print control unit 112 of the packet printing apparatus 101 and the method specified by the print control unit 123 of the tracking manager 102 are always the same method. The packet printing unit 124 generates a packet print (hash value) of the packet received by the packet receiving unit 122 by the method (hash function) instructed by the print control unit 123.
[0025]
The tracking request unit 125 transmits a search request including the packet print (hash value) generated by the packet print unit 124 to the packet print devices 101a, 101b, and 101c, and the search results from the packet print devices 101a, 101b, and 101c. Receive.
[0026]
Based on the search results transmitted from these packet printing apparatuses 101a, 101b, and 101c and the configuration information storage unit 126 that stores the configurations of the monitoring target network and the management network, the passage route creation unit 127 passes the packet passage route. Create
[0027]
In this way, information on the passage route of the tracking target packet created by the passage route creation unit 127 is notified to the system administrator or the like. A system administrator or the like can determine from where the tracked packet has entered based on the information on the passage route, and can take measures against unauthorized access packets.
[0028]
[Patent Document 1]
JP 2000-124952 A
[Non-Patent Document 1]
Takei, “Unauthorized Access Detection and Tracking Method Using Traffic Patterns”, IEICE Technical Report, The Institute of Electronics, Information and Communication Engineers, November 18, 1999, Vol. 99 No. 436, p. 37-42
[Non-Patent Document 2]
Kokubo, “Model Review of Unauthorized Access Source Tracking System”, Proceedings of the 60th National Conference (3), Information Processing Society of Japan, March 14, 2000, p. 3-283-3-284
[Non-Patent Document 3]
Watanabe, “Examination of Packet Identification Information for Unauthorized Access Source Tracking”, Proceedings of the 60th National Conference (3), Information Processing Society of Japan, March 14, 2000, p. 3-289-3-290
[Non-Patent Document 4]
Watanabe, “Verification of validity of packet identification information in tracking illegal access sources”, Proceedings of the 61st (late 2000) National Convention (3), Information Processing Society of Japan, October 3, 2000, p. 3-259-3-260
[Non-Patent Document 5]
Ikeda, “Validation of architecture of unauthorized access source tracking system”, Proceedings of the 62nd (2001) National Convention, Information Processing Society of Japan, March 13, 2001, p . 3-285-3-286
[Non-Patent Document 6]
Alex C Snoeren, “Hash-Based IP Traceback”, BBN Technical Memorandum No.1284, February 7,2001
[0029]
[Problems to be solved by the invention]
Incidentally, as described above, in the conventional packet tracking system, the local IP address included in the tracking target packet does not change through the local networks 50A, 50B, 50C, and 50D shown in FIG.
[0030]
For this reason, in the conventional packet tracking system, it is possible to track using the packet print of the tracking target packet whose local IP address or the like does not change as a key.
[0031]
On the other hand, in a network to which NAT (Network Address Translation) or IP masquerading is applied, the IP address, port number, sequence number, etc. included in the tracked packet are rewritten in the middle of passage. There was a problem that the packet tracking system could not perform tracking.
[0032]
Here, NAT mutually converts a local IP address that can be used only within the company and an original global IP address that can be used to access a global network such as the Internet, and from a local network to which only a local IP address is assigned. , A technology that enables transparent access to the global network.
[0033]
IP masquerade uses different communication ports by converting not only the IP address conversion by NAT but also the TCP / UDP (Transmission Control Protocol / User Datagram Protocol) port number, sequence number, etc. This is a technology that allows a plurality of local IP nodes to communicate with the outside by using one global IP address.
[0034]
FIG. 36 illustrates a network configuration to which the above-described NAT or IP masquerade is applied. In the figure, a packet converter 210 is provided between the global network A and the local network B. The local network B is an internal network, and a local IP address is applied.
The global network A is an external network, and a global IP address is applied.
[0035]
The packet conversion device 210 is a device that converts an IP address, a port number, and the like of a passing packet by a function of NAT or IP masquerading. For example, a packet 250 flowing from the global network A to the local network B is converted into a packet 250 ′ by the packet converter 210.
[0036]
Specifically, DstIP: 210.162.74.2 (destination global IP address) of packet 250 is converted to DstIP: 192.168.1.5 (local IP address of destination) of packet 250 ′. Also, DstPort: 8080 (destination port number) of packet 250 is converted to DstPort: 80 (destination port number) of packet 250 ′.
[0037]
Here, when the conventional packet tracking system is applied to the network shown in FIG. 36, the packet printing is different before and after the packet converting apparatus 210, so that the tracking cannot be performed. In the example shown in the figure, the packet print PP corresponding to the packet 250 is 1A85DE81BC, whereas the packet print PP corresponding to the packet 250 ′ is C48EB4A58D.
[0038]
Similarly, a packet 260 flowing from the local network B to the global network A is converted into a packet 260 ′ by the packet conversion device 210. Specifically, SrcIP: 192.168.1.5 (source local IP address) of packet 260 is converted to SrcIP: 210.162.74.2 (source global IP address) of packet 260 ′.
[0039]
In the example shown in the figure, the packet print PP corresponding to the packet 260 is 8A5E616C8B, whereas the packet print PP corresponding to the packet 260 ′ is F58EA85C64, so the conventional packet tracking system cannot be used.
[0040]
The present invention has been made in view of the above, and an object of the present invention is to provide a packet tracking method and a packet tracking program that can perform packet tracking even in a network in which information included in a packet is rewritten.
[0041]
[Means for Solving the Problems]
In order to solve the above-described problems and achieve the object, the present invention performs transmission / reception of information between a plurality of packet printing apparatuses arranged at important points of a monitored network and these packet printing apparatuses. A packet tracking method applied to a packet tracking system including a tracking manager, for identifying a packet before rewriting in a packet conversion device that rewrites information included in the packet when passing through the network Packet specifying information storing step for generating and storing first packet specifying information and second packet specifying information for specifying the rewritten packet, and tracking target packet specifying information for specifying the tracking target packet Is received from the tracking manager, and the first packet specifying information is received. Retrieves the second packet identification information, characterized by comprising a search step of transmitting the search result to the tracking manager, a.
[0042]
According to the present invention, for a packet flowing through a network, the first packet specifying information for specifying a packet before rewriting in the packet conversion device and the second packet specifying information for specifying a packet after rewriting are provided. Since the search request including the packet identification information to be generated and stored is received, the first packet identification information or the second packet identification information is searched, and the search result is transmitted to the tracking manager. Packet tracking can also be performed in a network in which the included information is rewritten.
[0043]
The present invention also provides a plurality of packet generating information for generating and storing packet specifying information for specifying a packet flowing in a network having a packet conversion device which is arranged at a key point of a network to be monitored and rewrites information included in the packet when passing Packet tracking method applied to a packet tracking system comprising a packet printing apparatus of this type and a tracking manager that transmits and receives information between these packet printing apparatuses, and is a tracking target before rewriting in the packet conversion apparatus A packet specifying information generating step for generating first tracking target packet specifying information for specifying a packet and second tracking target packet specifying information for specifying the rewritten tracking target packet; Based on the position, the first tracking target packet specifying information or the second additional packet identification information. Notifies the target packet identification information to the packet printing apparatus, characterized in that it comprises a and a search request step of requesting retrieval of the packet identification information.
[0044]
According to the present invention, the first tracking target packet specifying information for specifying the tracking target packet before rewriting in the packet converter and the second tracking target packet specifying information for specifying the tracking target packet after rewriting Generating the first tracking target packet specifying information or the second tracking target packet specifying information to the packet printing apparatus based on the detection position of the tracking target packet, and requesting the search of the packet specifying information. Therefore, packet tracking can be performed even in a network in which information included in a packet is rewritten.
[0058]
Further, according to the packet tracking program of the present invention, since the computer executes the method described in any one of the above inventions, the packet tracking program can be read by the computer. Any one of the operations of the present invention can be executed by a computer.
[0059]
DETAILED DESCRIPTION OF THE INVENTION
Hereinafter, embodiments 1 to 7 of a packet tracking method and a packet tracking program according to the present invention will be described in detail with reference to the drawings.
[0060]
(Embodiment 1)
FIG. 1 is a block diagram showing the configuration of the first embodiment according to the present invention. The figure shows a packet tracking system for performing packet tracking even in a network having a function of converting information contained in a packet.
[0061]
The IDS 200 is a device that is connected to the global network A, the local network B, and a management network (not shown) and detects unauthorized access packets that have entered the monitored network.
[0062]
The local network B is an internal network, and a local IP address is applied. The global network A is an external network, and a global IP address is applied.
[0063]
The packet translation device 500 has the same function as the packet translation device 210 (see FIG. 36) described above, and is a device that translates the IP address, port number, and the like of a passing packet by the function of NAT or IP masquerade. is there. Specifically, the packet conversion apparatus 500 converts, for example, a packet 250 flowing from the global network A to the local network B into a packet 250 ′ based on the conversion table 501 in which the conversion rule (IP address conversion data) is described. .
[0064]
The tracking manager 300 has the same function as the tracking manager 102 (see FIG. 33), is connected to a management network (not shown), and communicates with the packet printing apparatuses 400A and 400B via the management network. is there.
[0065]
The packet printing apparatuses 400A and 400B are connected by a connection method (stealth connection method) that does not have a logical connection such as an IP address using a technique such as tapping. Therefore, these packet printing apparatuses 400A and 400B can hide their presence from other apparatuses in the monitored network.
[0066]
The packet printing apparatuses 400A and 400B are also connected to a management network that exists independently of the monitoring target network. In this case, the packet printing apparatuses 400A and 400B are connected by a connection method (for example, IP connection method) that can be recognized by other devices connected to the management network, unlike the connection to the monitoring target network (stealth connection). ing.
[0067]
The packet print device 400A monitors the connection link between the global network A and the packet conversion device 500, takes a copy of the packet passing through the monitored network, and uniquely identifies the copied packet. (Hash value) is generated and this packet print is stored.
[0068]
Here, the packet print device 400A generates a packet print (PPa_1) from the packet 250 before processing in the packet conversion device 500, generates a packet 250 ′ after processing from the packet 250, and prints a packet from this packet 250 ′. A function of generating (PPb_1). The packet 250 includes a global IP address. The packet 250 'includes a local IP address.
[0069]
That is, the packet print device 400A also functions as an emulator of the packet conversion device 500, generates two types of packet prints (PPa_1, PPb_1) before and after the processing of the packet conversion device 500, and outputs them to the first PP storage unit 406A. And the second PP storage unit 406B.
[0070]
On the other hand, the packet printing apparatus 400B uses the connection link between the local network B and the packet conversion apparatus 500 as a monitoring target, captures a copy of the packet passing through the monitoring target network, and uniquely identifies the copied packet. A packet print (hash value) is generated and the packet print is stored.
[0071]
Here, the packet printing apparatus 400B also generates a packet print (PPb_1) from the packet 250 ′ after processing in the packet conversion apparatus 500, and also generates a packet 250 before processing from the packet 250 ′. A function of generating (PPa_1) is provided.
[0072]
That is, the packet printing apparatus 400B also functions as an emulator of the packet conversion apparatus 500 in the same manner as the packet printing apparatus 400A, generates two types of packet prints (PPa_1, PPb_1) before and after the processing of the packet conversion apparatus 500, These are stored in the first PP storage unit 406A and the second PP storage unit 406B, respectively.
[0073]
FIG. 2 is a block diagram showing a configuration of the packet printing apparatus 400 (400A, 400B) shown in FIG. In the figure, a tapping device 401 creates a copy of a packet that passes through a connected monitoring target network.
[0074]
The print control unit 402 instructs the packet print unit 403 in advance to generate a packet print (hash value) (hash function). The conversion table 404 is the same table as the conversion table 501 of the packet conversion apparatus 500 shown in FIG. 1, and describes a conversion rule (IP address conversion data).
[0075]
The packet printing unit 403 of the packet printing device 400A generates the first PP (hash value) from the packet 250 (see FIG. 1) copied by the tapping device 401 by the method (hash function) instructed by the print control unit 402. To do. The first PP corresponds to PPa_1 and the like stored in the first PP storage unit 406A of the packet printing apparatus 400A shown in FIG.
[0076]
The packet printing unit 403 of the packet printing apparatus 400A refers to the conversion table 404, generates a packet 250 ′ from the packet 250 (see FIG. 1) from the tapping apparatus 401, and generates a second PP from the packet 250 ′. Is generated. This second PP corresponds to PPb_1 and the like stored in the second PP storage unit 406B of the packet printing apparatus 400A shown in FIG.
[0077]
The first PP storage unit 406A stores the first PP (hash value). The second PP storage unit 406B stores the second PP (hash value).
[0078]
The cache control unit 405 recognizes the amount of packet print stored in the first PP storage unit 406A and the second PP storage unit 406B, and if the packet print is equal to or greater than a predetermined amount, the cache control unit 405 Discard.
[0079]
If the packet print is less than a certain amount, the cache control unit 405 additionally stores the packet print. As described above, the cache control unit 405 performs control so that the packet prints stored in the first PP storage unit 406A and the second PP storage unit 406B are always below a certain amount.
[0080]
The tracking agent unit 407 is connected to the management network, receives a search request from the tracking manager 300, and returns the search result of the first PP storage unit 406A or the second PP storage unit 406B to the tracking manager 300 as a search response. It has a function.
[0081]
Further, the packet printing unit 403 of the packet printing device 400B uses the method (hash function) instructed by the print control unit 402 to transfer the second PP (hash value) from the packet 250 ′ (see FIG. 1) copied by the tapping device 401. ) Is generated. The second PP corresponds to PPb_1 stored in the second PP storage unit 406B of the packet printing apparatus 400B shown in FIG.
[0082]
Further, the packet printing unit 403 of the packet printing apparatus 400B refers to the conversion table 404, generates a packet 250 from the packet 250 ′ (see FIG. 1) from the tapping apparatus 401, and obtains the first PP from the packet 250. Generate. The first PP corresponds to PPa_1 and the like stored in the first PP storage unit 406A of the packet printing apparatus 400B shown in FIG.
[0083]
Next, the operation of the first embodiment will be described with reference to FIG. 3 and FIG. FIG. 3 is a flowchart for explaining the operation of the packet printing apparatus 400 (400A, 400B) shown in FIGS. FIG. 4 is a sequence diagram for explaining the operation of the first embodiment.
[0084]
In step SA1 shown in FIG. 3, the packet printing unit 403 (see FIG. 2) of the packet printing apparatus 400A determines whether or not the packet passing through the monitoring target network has been copied by the tapping apparatus 401. The result is “No” and the same determination is repeated.
[0085]
When the packet 250 (see FIG. 1) passes through the monitoring target network (between the global network A and the packet conversion device 500) of the packet printing apparatus 400A, the packet 250 is copied by the tapping device 401 of the packet printing apparatus 400A. . Thereby, the packet print unit 403 sets “Yes” as a result of the determination made at step SA1. In step SA <b> 2, the packet print unit 403 acquires the packet 250 copied from the tapping device 401.
[0086]
In step SA3, the packet print unit 403 generates a packet print PPa_1 (hash value) (see FIG. 1) from the packet 250. In step SA4, the packet print unit 403 refers to the conversion table 404 and converts the packet 250 into a packet 250 ′. In step SA5, the packet print unit 403 generates a packet print PPb_1 (see FIG. 1) from the packet 250 ′.
[0087]
In step SA6, the cache control unit 405 determines whether or not the number of packet prints stored in the first PP storage unit 406A and the second PP storage unit 406B of the packet printing apparatus 400A is equal to or larger than a certain amount. In this case, the determination result is “No”. In step SA7, the cache control unit 405 stores new packet prints PPa_1 and PPb_1 at the tail end of the first PP storage unit 406A and the second PP storage unit 406B of the packet printing apparatus 400A.
[0088]
On the other hand, when the determination result in step SA6 is “Yes”, in step SA8, the cache control unit 405 is stored in the first PP storage unit 406A and the second PP storage unit 406B of the packet printing apparatus 400A. After discarding the oldest packet print, the process of step SA7 is executed.
[0089]
The packet 250 shown in FIG. 1 passes through the monitoring target network (between the global network A and the packet conversion device 500), and is then converted into a packet 250 ′ by the packet conversion device 500 based on the conversion table 501.
[0090]
Further, when the packet 250 ′ (see FIG. 1) passes through the monitoring target network (between the packet conversion device 500 and the local network B) of the packet printing device 400B, the packet 250 ′ is copied by the tapping device 401 of the packet printing device 400B. Is done. Thereby, the packet print unit 403 sets “Yes” as a result of the determination made at step SA1. In step SA2, the packet print unit 403 acquires the packet 250 ′ copied from the tapping device 401.
[0091]
In step SA3, the packet print unit 403 generates a packet print PPb_1 (hash value) (see FIG. 1) from the packet 250 ′. In step SA4, the packet print unit 403 refers to the conversion table 404 and converts the packet 250 ′ into the packet 250. In step SA5, the packet print unit 403 generates a packet print PPa_1 (see FIG. 1) from the packet 250.
[0092]
In step SA6, the cache control unit 405 determines whether or not the number of packet prints stored in the first PP storage unit 406A and the second PP storage unit 406B of the packet printing apparatus 400B is equal to or greater than a certain amount. In this case, the determination result is “No”.
[0093]
In step SA7, the cache control unit 405 stores new packet prints PPa_1 and PPb_1 at the tail end of the first PP storage unit 406A and the second PP storage unit 406B of the packet printing apparatus 400B. Thereafter, every time a packet passes, two types of packet prints are generated by the packet printing apparatuses 400A and 400B and stored.
[0094]
When an unauthorized access packet is detected in the local network B by the IDS 200 in step SB1 shown in FIG. 4, the IDS 200 transmits the detected position information and the unauthorized access packet to the tracking manager 300 in step SB2. Here, it is assumed that the unauthorized access packet is the packet 250 ′ illustrated in FIG. The detected position information is information indicating the detected position of the unauthorized access packet (before or after the packet conversion device 500). The detection position in this case is after the packet converter 500.
[0095]
In step SB3, the tracking manager 300 calculates a packet print (hash value) from the unauthorized access packet (packet 250 ′). In step SB4, the tracking manager 300 selects, for example, the packet print device 400B closest to the IDS 200 as the search request destination packet print device from the packet print devices 400A and 400B.
[0096]
In step SB5, the tracking manager 300 confirms the position of the packet printing apparatus 400B, and then transmits a search request including the packet print of the unauthorized access packet (packet 250 ′) and the detected position information via the management network. That is, the tracking manager 300 performs tracking processing (search request transmission processing) in order from the packet printing device closest to the IDS 200 that detected the illegal packet.
[0097]
In step SB6, the tracking agent unit 407 (see FIG. 2) of the packet printing apparatus 400B receives a search request from the tracking manager 300, and based on the detected position information, the first PP storage unit 406A, the second PP as a search destination. One PP storage unit 406B is selected.
[0098]
Here, when the detected position information is after the packet converting apparatus 500, the second PP storage unit 406B corresponding to the packet 250 ′ is selected. On the other hand, when the detected position information is in front of the packet conversion apparatus 500, the first PP storage unit 406A corresponding to the packet 250 is selected.
[0099]
In this case, the tracking agent unit 407 selects the second PP storage unit 406B. In step SB7, the tracking agent unit 407 searches the second PP storage unit 406B using the packet print from the tracking manager 300 as a key. In this case, it is assumed that the search result is a hit. In step SB8, the tracking agent unit 407 notifies the tracking manager 300 of the search result (search result = hit).
[0100]
In step SB9, the tracking manager 300 determines the passage route of the unauthorized access packet from the search result. In step SB10, the tracking manager 300 determines whether it is necessary to continue the search based on the determination in step SB9. In this case, the tracking manager 300 determines that the search needs to be continued, and sets the determination result to “Yes”.
[0101]
In Step SB4, the tracking manager 300 selects, for example, the packet print device 400A as the next search request destination packet print device. Thereafter, the above-described operation is repeated. When the determination result in step SB10 is “No”, packet tracking is terminated in step SB11.
[0102]
As described above, according to the first embodiment, PPa_1 (first packet specifying information) for specifying the packet 250 before rewriting in the packet converting apparatus 500 and the rewritten data for the packet flowing through the monitoring target network. PPb_1 (second packet specifying information) for specifying the second packet 250 ′ is generated, stored in the first PP storage unit 406A and the second PP storage unit 406B, and a search request from the tracking manager 300 is generated. In response, the first PP storage unit 406A or the second PP storage unit 406B is searched and the search result is transmitted to the tracking manager 300. Therefore, packet tracking can be performed even in a network in which information included in the packet is rewritten. It can be carried out.
[0103]
(Embodiment 2)
In the first embodiment described above, an example in which two types of packet prints corresponding to the packets before and after the conversion of the packet conversion device 500 are generated on the packet print device side has been described. Two types of packet prints may be generated on the manager side. Hereinafter, this configuration example will be described as a second embodiment.
[0104]
FIG. 5 is a block diagram showing a configuration of the second embodiment according to the present invention. In this figure, parts corresponding to those in FIG. 5, a tracking manager 310 and packet printing apparatuses 410A and 410B are provided in place of the tracking manager 300 and the packet printing apparatuses 400A and 400B shown in FIG.
[0105]
The tracking manager 310 has the same function as the tracking manager 102 (see FIG. 33), is connected to a management network (not shown), and communicates with the packet printing apparatuses 410A and 410B via the management network. is there. Further, the tracking manager 310 generates two types of packet prints before and after conversion of the packet conversion device 500 based on the unauthorized access packet passed from the IDS 200.
[0106]
FIG. 6 is a block diagram showing a functional configuration of the tracking manager 310. In this figure, parts corresponding to those in FIG. 35 are given the same reference numerals. In the figure, an alarm receiving unit 121 receives an alarm for an unauthorized access packet from the IDS 200, and a packet receiving unit 122 receives an unauthorized access packet from the IDS 200. The print control unit 311 instructs the packet print unit 312 in advance to generate a hash value (hash function).
[0107]
The packet print unit 312 generates a first PP (hash value) from the packet from the packet reception unit 122 by a method (hash function) instructed by the print control unit 311. The packet print unit 312 refers to the conversion table 313, generates a converted packet from the packet from the packet reception unit 122, and generates a second PP from the packet. The conversion table 313 is the same as the conversion table 501 shown in FIG.
[0108]
The trace request unit 314 transmits a search request including any one of the two types of packet prints (hash values) generated by the packet print unit 312 to the packet print devices 410A and 410B, and the packet print devices 410A and 410B. Receive search results from.
[0109]
Based on the search results transmitted from the packet printing apparatuses 410A and 410B and the configuration information storage unit 126 that stores the configurations of the monitoring target network and the management network, the passage route creation unit 127 creates a passage route of the packet. To do.
[0110]
Returning to FIG. 5, the packet printing apparatus 410 </ b> A has the same configuration as the packet printing apparatus 101 (see FIG. 34), and monitors the connection link between the global network A and the packet conversion apparatus 500.
[0111]
That is, the packet printing apparatus 410A takes a copy of the packet 250 that passes through the monitored network, generates a packet print PPa_1 or the like (hash value) for uniquely identifying the copied packet 250, and also generates this packet print PPa_1 or the like. (Hash value) is stored in the PP storage unit 416.
[0112]
On the other hand, the packet printing apparatus 410B has the same configuration as the packet printing apparatus 101 (see FIG. 34), and the connection link between the packet conversion apparatus 500 and the local network B is a monitoring target.
[0113]
That is, the packet printing apparatus 410B takes a copy of the packet 250 ′ passing through the monitoring target network, generates a packet print PPb_1 and the like (hash value) for uniquely specifying the copied packet 250 ′, and generates this packet print. PPb_1 and the like (hash value) are stored in the PP storage unit 416.
[0114]
Next, the operation of the second embodiment will be described with reference to the sequence diagram shown in FIG. When an unauthorized access packet is detected in the local network B by the IDS 200 in step SC1 shown in FIG. 8, the IDS 200 transmits the detected position information and the unauthorized access packet to the tracking manager 310 in step SC2.
[0115]
Here, it is assumed that the unauthorized access packet is the packet 250 ′ illustrated in FIG. The detected position information is information indicating the detected position of the unauthorized access packet (before or after the packet conversion device 500). The detection position in this case is after the packet conversion apparatus 500.
[0116]
In step SC3, the packet print unit 312 (see FIG. 6) of the tracking manager 310 generates a packet print PPb_1 (hash value) from the unauthorized access packet (packet 250 ′). In step SC4, the packet print unit 312 converts the unauthorized access packet (packet 250 ′) into the packet 250 with reference to the conversion table 313.
[0117]
In step SC5, the packet print unit 312 generates a packet print PPa_1 (hash value) from the packet 250. In step SC6, the tracking manager 310 selects, for example, the packet print device 410B as the search request destination packet print device from the packet print devices 410A and 410B.
[0118]
In step SC7, the tracking request unit 314 of the tracking manager 310 confirms the position of the packet printing apparatus 410B, and then transmits the packet print PPa_1 or PPb_1 to the packet printing apparatus 410B via the management network.
[0119]
Here, if the detected position information is before the packet conversion device 500, the packet print PPa_1 corresponding to the packet 250 is selected by the tracking request unit 314 and then transmitted to the packet print device 410B.
[0120]
On the other hand, when the detected position information is after the packet conversion apparatus 500, the packet print PPb_1 corresponding to the packet 250 ′ is selected by the tracking request unit 314 and then transmitted to the packet print apparatus 410B. In this case, the packet print PPb_1 corresponding to the packet 250 ′ is transmitted.
[0121]
In step SC8, the packet print device 410B searches the PP storage unit 416 using the packet print PPb_1 from the tracking manager 310 as a key. In this case, it is assumed that the search result is a hit. In step SC9, the packet printing apparatus 410B notifies the tracking manager 310 of the search result (search result = hit).
[0122]
In step SC10, the tracking request unit 314 of the tracking manager 310 determines the passage route of the unauthorized access packet from the search result. In step SC11, the tracking manager 310 determines whether or not the search needs to be continued based on the determination in step SC10. In this case, the tracking manager 310 determines that the search needs to be continued, and sets the determination result to “Yes”.
[0123]
In step SC6, the tracking manager 310 selects, for example, the packet print device 410A as the next search request destination packet print device. Thereafter, the above-described operation is repeated. When the determination result in step SC11 is “No”, packet tracking is ended in step SC12.
[0124]
As described above, according to the second embodiment, the tracking manager 310 uses PPa_1 (first tracking target packet specifying information) for specifying the tracking target packet before rewriting in the packet conversion device 500, and PPb_1 (second tracking target packet specifying information) for specifying the tracking target packet is generated, and PPa_1 or PPb_1 is notified to the packet printing apparatus 410A and the packet printing apparatus 410B based on the detection position of the tracking target packet. Since the search for the packet specific information is requested, the packet tracking can be performed even in the network where the information included in the packet is rewritten.
[0125]
(Embodiment 3)
FIG. 8 is a block diagram showing a configuration of the third embodiment according to the present invention. In the third embodiment, a method for identifying packets before and after the packet converting apparatus 500 will be described.
[0126]
In the figure, a packet printing apparatus 420A takes a connection link between the global network A and the packet conversion apparatus 500 as a monitoring target, and takes in a copy of a packet 250 that passes through the monitoring target network.
[0127]
Further, the packet printing apparatus 420A generates and stores a PP (hash value) from the copied packet 250, and generates a common PP while masking information that changes before and after conversion of the packet conversion apparatus 500 in the packet 250. ·Store. Further, the packet printing apparatus 420A stores a correspondence table 421A that represents the correspondence between PPs and common PPs.
[0128]
On the other hand, the packet printing apparatus 420B takes a connection link between the packet conversion apparatus 500 and the local network B as a monitoring target, and takes in a copy of the packet 250 ′ passing through the monitoring target network.
[0129]
Further, the packet printing apparatus 420B generates and stores PP ′ (hash value) from the copied packet 250 ′, and is common in a state where information that changes before and after conversion of the packet conversion apparatus 500 is masked in the packet 250 ′. PP 'is generated and stored. Further, the packet printing apparatus 420B stores a correspondence table 421B representing the correspondence between PP ′ and common PP ′.
[0130]
As described above, in the third embodiment, by masking the changing information, the common PP and the common PP ′ have the same value, so that the packets can be identified before and after the packet conversion apparatus 500.
[0131]
FIG. 9 is a diagram illustrating mask portions of the packet 250 (250 ′) when the common PP and the common PP ′ illustrated in FIG. 8 are generated. In this figure, the shaded portion is information that is converted before and after the packet conversion apparatus 500 and is masked.
[0132]
In the third embodiment, the mask location may be changed depending on the direction in which the packet flows. FIG. 10 is a diagram illustrating mask portions when a packet flows from the global network A (outside) to the local network B (inside). In the example shown in the figure, the destination IP address and the destination port are mainly masked.
[0133]
FIG. 11 is a diagram illustrating mask portions when a packet flows from the local network B (inside) to the global network A (outside). In the example shown in the figure, the source IP address and the source port are mainly masked.
[0134]
Further, in some protocols (FTP (File Transfer Protocol), ICMP (Internet Control Message Protocol), SNMP (Simple Network Management Protocol)) among protocols used for packet communication, an IP address is also included in the packet payload. May be described and rewritten by the packet conversion device 500.
[0135]
Therefore, in the third embodiment, as shown in FIG. 12, a payload including an IP address rewritten by the packet conversion apparatus 500 may be used as a mask location.
[0136]
In the example shown in FIG. 8, the common PP and the common PP ′ are compared when identifying the packet between the packet printing apparatus 420A and the packet printing apparatus 420B, and the packet is identified if they match. In some cases, the values of the common PP and common PP ′ may collide and cannot be uniquely identified.
[0137]
For example, the collision occurs when there is a plurality of common PP ′ having the same value on the packet printing apparatus 420B side with respect to one common PP on the packet printing apparatus 420A side.
[0138]
Therefore, in the third embodiment, in order to increase the identification accuracy, supplemental information (identifier, TTL, TOS, packet) is generated from the packet 250 before generating the packet print on the packet printing apparatus 420A side as shown in FIG. The length, sequence ID, and Time (UTC)) may be acquired, and the PP, common PP, and supplemental information may be stored as the correspondence table 422A. Here, the supplemental information is information that is not reflected in the PP by the mask.
[0139]
Similarly, on the packet printing apparatus 420B side, additional information (identifier, TTL, TOS, packet length, sequence ID, Time (UTC)) is acquired from the packet 250 ′ before generating the packet print, and PP ′ The common PP ′ and the supplementary information may be stored as the correspondence table 422B.
[0140]
With this configuration, even if there is a plurality of common PP ′ having the same value on the packet printing apparatus 420B side (collision occurrence) with respect to one common PP on the packet printing apparatus 420A side, the supplementary information Packets can be identified by comparing each other.
[0141]
In the third embodiment, in the case of a packet having no data in the payload, there is a high possibility that the above-described collision occurs between the common PP and the common PP ′. Here, it is conceivable to completely synchronize the time between the packet printing apparatus 420A and the packet printing apparatus 420B shown in FIG. 8, and to identify the packet based on the time. It is difficult and difficult to realize.
[0142]
Therefore, in the third embodiment, as shown in FIG. 14, barrier packet generation devices 500A and 500B that generate barrier packets may be provided to improve packet identification accuracy.
[0143]
The barrier packet generator 500A is provided between the global network A and the packet converter 500, and is a barrier packet from the global network A to the local network B (from the outside to the inside) (in the figure, the barrier packet 510 (out)). ) Is generated and sent out.
[0144]
The barrier packet (out) is given an identification barrier No (out). For example, 168463 is assigned to the barrier packet 510 as the barrier No (out). The barrier packet 510 is converted into a barrier packet 510 ′ by the packet converter 500 in the same manner as a normal packet.
[0145]
On the other hand, the barrier packet generation device 500B is provided between the packet conversion device 500 and the local network B, and is a barrier packet from the local network B to the global network A (from inside to outside) (in the figure, barrier packet 520 ( in)) is generated and sent out.
[0146]
The barrier packet (in) is given an identification barrier No (in). For example, 348586 is assigned to the barrier packet 520 as the barrier No (in). This barrier packet 520 is also converted into a barrier packet 520 ′ by the packet converter 500 in the same manner as a normal packet.
[0147]
The packet printing apparatus 420A generates a PP and a common PP from the barrier packet 510 (out) in the same manner as a normal packet, and stores these and the barrier No (out) in the correspondence table 423A. Further, the packet printing apparatus 420A generates a PP and a common PP from the barrier packet 520 ′ (in) in the same manner as a normal packet, and stores these and the barrier No (in) in the correspondence table 423A.
[0148]
Note that the packet printing apparatus 420A also generates a PP and a common PP for normal packets in the same manner as described above (see FIG. 8), and stores these in the correspondence table 423A.
[0149]
On the other hand, the packet printing apparatus 420B also generates PP ′ and common PP ′ from the barrier packet 510 ′ (out) in the same manner as a normal packet, and stores these and the barrier No (out) in the correspondence table 423B. To do. Further, the packet printing apparatus 420B generates PP ′ and common PP ′ from the barrier packet 520 (in) in the same manner as a normal packet, and stores these and the barrier No (in) in the correspondence table 423B. .
[0150]
Note that the packet printing apparatus 420B also generates PP ′ and common PP ′ for normal packets in the same manner as described above (see FIG. 8), and stores these in the correspondence table 423B.
[0151]
In the above configuration, for example, when there is a plurality of common PP's having the same value on the packet printing apparatus 420B side (collision occurs) for one common PP on the packet printing apparatus 420A side, the corresponding table 423A side Packets can be identified by comparing two barrier numbers (168463 and 168464 in the figure) before and after sandwiching a common PP (not shown) with the barrier numbers in the correspondence table 423B.
[0152]
That is, when two barrier numbers that are the same as the two barrier numbers on the correspondence table 423A side (168463 and 168464 in the figure) exist in the correspondence table 423B, the common PP sandwiched between the two barrier numbers in the correspondence table 423B. It can be seen that 'and the common PP of the corresponding table 423A corresponding thereto are the same.
[0153]
FIG. 15 is a block diagram for explaining packet tracking using the barrier packet shown in FIG. In this figure, parts corresponding to those in FIGS. 1 and 14 are given the same reference numerals. In FIG. 15, the packet printing apparatus 420C generates a PP from a packet flowing between the local network B and the local network C, and stores it in the PP storage unit 421C.
[0154]
In the above configuration, when an unauthorized access packet is detected by the IDS 200, the tracking manager 300 inquires of the packet printing apparatus 420A about a normal PP1 ((1)). In this case, if PP1 is found from the correspondence table 423A, the tracking manager 300 acquires a common PP corresponding to PP1 ((2)).
[0155]
Next, the tracking manager 300 inquires of the packet printing apparatus 420B about the common PP ((3)), and then acquires PP2 corresponding to the common PP ((4)). Next, the tracking manager 300 inquires of the packet printing apparatus 420C about PP2 ((5)) and then receives a notification from the packet printing apparatus 420C that PP2 has been found ((6)).
[0156]
FIG. 16 is a block diagram for explaining a specific example when the tracking manager is enhanced in the third embodiment. In the configuration example shown in the figure, the tracking manager 320 determines the packet print device of the inquiry destination, the packet print type (normal packet print (PP), common packet print (common PP)) based on the detection position of the unauthorized access packet. A function for discriminating the order of inquiry is provided.
[0157]
The tracking manager 320 is provided with a correspondence table 321 as shown in FIG. This correspondence table 321 corresponds to the configuration diagram 321a of the packet printing apparatuses (PP1 to PP10), router (R), and packet conversion apparatuses (NAT1, NAT2) shown in FIG. The configuration diagram 321a and the correspondence table 321 are different from those in FIG. 16 as an example, but actually, the correspondence table 321 stores information corresponding to FIG.
[0158]
The correspondence table 321 stores information on packet print device numbers, adjacent packet print device numbers, and packet print types. The adjacent packet printing apparatus number is a packet printing apparatus number corresponding to a packet apparatus adjacent to the packet apparatus having the packet printing apparatus number. The packet print type is a packet print type (normal or common).
[0159]
The tracking manager 320 illustrated in FIG. 16 performs packet tracking based on the correspondence table 321. That is, when an unauthorized access packet is detected by the IDS 200, the tracking manager 320 inquires of the packet printing apparatus 420A about a normal PP1 ((1)). In this case, if PP1 is found, the tracking manager 320 acquires a common PP corresponding to PP1 ((2)).
[0160]
Next, the tracking manager 320 inquires of the packet printing apparatus 420B about the common PP ((3)) and then acquires PP2 corresponding to the common PP ((4)). Next, the tracking manager 320 inquires of the packet printing apparatus 420C about PP2 ((5)) and then receives a notification from the packet printing apparatus 420C that PP2 has been found ((6)).
[0161]
As described above, according to the third embodiment, for a packet flowing through a network, a packet in which information that is changed by rewriting in the packet conversion apparatus 500 is masked is specified, and contents common to the front and the back of the packet conversion apparatus 500 are specified. Generates and stores common PP (common packet specifying information) and PP (normal packet specifying information) for specifying a packet before masking, receives a search request, and based on the common PP and PP, converts the packet Since the packets before and after 500 are identified, packet tracking can be performed even in a network in which information included in the packets is rewritten.
[0162]
Further, according to the third embodiment, since the common PP is generated by changing the masking information in accordance with the direction of the packet flowing through the network, the packet can be traced according to the direction of the packet. it can.
[0163]
Further, according to the third embodiment, as shown in FIG. 14, when the information of the barrier packet transmitted to the network is stored and the packet cannot be identified by the common PP and PP, the information is based on the information of the barrier packet. Since the packet is identified, the packet identification accuracy can be improved.
[0164]
Further, according to the third embodiment, packet tracking can be performed even in a network in which information included in a packet is rewritten led by a tracking manager.
[0165]
(Embodiment 4)
In the above-described third embodiment (see FIG. 16), the example in which the tracking manager has a higher function has been described. However, the packet printing apparatus may have a higher function. Hereinafter, this configuration example will be described as a fourth embodiment.
[0166]
FIG. 18 is a block diagram showing a configuration of the fourth embodiment according to the present invention. In this figure, parts corresponding to those in FIG. 18, the tracking manager 330 has the same function as the tracking manager 300 (see FIG. 1).
[0167]
The packet printing apparatus 430A monitors packets flowing through the global network A, and generates and stores packet prints in the same manner as in the first to third embodiments. The packet print device 430B generates and stores a packet print with a packet (a packet 250 in the figure) flowing between the global network A and the packet conversion device 500 being monitored.
[0168]
The packet print device 430C generates and stores a packet print with a packet (packet 250 ′ in the figure) flowing between the packet conversion device 500 and the local network B being monitored. The packet print device 430D generates and stores a packet print with the packet flowing through the local network B as a monitoring target.
[0169]
Further, the packet printing apparatuses 430A, 430B, 430C, and 430D, based on the above-described correspondence table for realizing high functionality, the installation location of the own apparatus, the tracking path of the tracking target packet, the presence / absence of packet conversion, and the inquiry destination Etc.
[0170]
FIGS. 19A, 19B, 19C, and 19D are diagrams showing correspondence tables 431A, 431B, 431C, and 431D. These correspondence tables 431A, 431B, 431C and 431D are used in the packet printing apparatuses 430A, 430B, 430C and 430D.
[0171]
These correspondence tables 431A, 431B, 431C, and 431D store packet print device numbers, tracking start packet print device numbers, presence / absence of packet conversion devices, and information on inquiry destination packet print devices related to packet printing before conversion processing.
[0172]
In the above configuration, when the packet 250 is detected as an unauthorized access packet by the IDS 200, the tracking manager 330 creates a packet print PPa_1 from the packet 250, and inquires of the packet print apparatuses 430A to 430D about the presence or absence of the packet print PPa_1. (1) to (4)). Thereby, the packet printing apparatuses 430A to 430D appropriately interpret and respond to the inquiry contents of the tracking manager 330 based on each correspondence table.
[0173]
FIG. 20 is a block diagram illustrating a configuration example in which the first embodiment is applied to the above-described fourth embodiment (high performance of the packet printing apparatus). In the figure, parts corresponding to the parts in FIG.
[0174]
20, packet printing apparatuses 400A to 400D are provided instead of the packet printing apparatuses 430A to 430D shown in FIG. These packet printing apparatuses 400A to 400D have the same configuration as the packet printing apparatus 400 shown in FIG. 2 described in the first embodiment. Each of the packet printing apparatuses 400A to 400D stores a correspondence table similar to the above-described correspondence table (see FIG. 19).
[0175]
In the above configuration, when the packet 250 is detected as an unauthorized access packet by the IDS 200, the tracking manager 330 creates a packet print PPa_1 from the packet 250, and inquires of the packet printing apparatuses 400A to 400D about the presence or absence of the packet print PPa_1 ( (1) to (4)). Thereby, the packet printing apparatuses 400A to 400D appropriately interpret and respond to the inquiry contents of the tracking manager 330 based on each correspondence table.
[0176]
FIG. 21 is a block diagram showing a configuration example in which the third embodiment is applied to the above-described fourth embodiment (high performance of the packet printing apparatus). In the figure, parts corresponding to the parts in FIG.
[0177]
In FIG. 21, instead of the packet printing apparatuses 430A to 430D shown in FIG. 18, packet printing apparatuses 420A and 420B are provided. These packet printing apparatuses 420A and 420B have the same configuration as the packet printing apparatuses 420A and 420B shown in FIG. 8 described in the third embodiment.
[0178]
In the figure, the correspondence table 421A of the packet printing apparatus 420A stores PP (PPa_1 etc. in the figure) and common PP (Commonkey1 etc. in the figure).
[0179]
On the other hand, the correspondence table 421B of the packet printing apparatus 420B also stores PP (PPb_1 and the like in the figure) and common PP (Commonkey1 and the like in the figure).
[0180]
In the above configuration, when the packet 250 is detected as an unauthorized access packet by the IDS 200, the tracking manager 330 creates a packet print PPa_1 from the packet 250 and inquires of the packet print device 420A about the presence of the packet print PPa_1 ((1)). .
[0181]
Thereby, the packet printing apparatus 420A appropriately interprets and responds to the inquiry content of the tracking manager 330 based on the correspondence table (see FIG. 19). That is, the packet printing apparatus 420A determines from the correspondence table 421A that there is no need to inquire about another packet printing apparatus in advance, searches for PPa_1 ((2)), and finds PPa_1 ((3)). Next, the packet printing apparatus 420A notifies the search result (PPa_1).
[0182]
The tracking manager 330 also inquires of the packet print device 420B about the presence or absence of the packet print PPa_1 ((1) ').
[0183]
Accordingly, the packet printing apparatus 420B appropriately interprets and responds to the inquiry contents of the tracking manager 330 based on the correspondence table (see FIG. 19). That is, the packet printing apparatus 420B searches for PPa_1 from the correspondence table 421B ((2) ').
[0184]
In this case, the packet printing apparatus 420B determines that the search request originated from the packet printing apparatus 420A from the tracking manager 330 located outside the packet conversion apparatus 500. Further, since PPa_1 does not exist in the correspondence table 421B, the packet printing apparatus 420B first searches the correspondence table 421A for PPa_1 based on the correspondence table (see FIG. 19) ((3) '), and corresponds to PPa_1. Find CommonKey1 (Common PP) (4).
[0185]
Next, the packet printing apparatus 420B searches the correspondence table 421B using the CommonKey1 (common PP) from the correspondence table 421A as a key ((5) ') and finds the CommonKey1 (common PP) ((6)'). Then, the packet printing apparatus 420B notifies the search result (PPa_1) ((7) ').
[0186]
Further, in the fourth embodiment, as shown in FIG. 22, the inner packet printing apparatus 420B shown in FIG. 21 may have a plurality of units. In FIG. 22, three packet printing apparatuses 420B are used instead of the packet printing apparatus 420B shown in FIG. ₁ ~ 420B _Three Is provided.
[0187]
These packet printing apparatuses 420B ₁ ~ 420B _Three Has the same configuration as that of the packet printing apparatus 420B, and the correspondence table 421B. ₁ ~ 421B _Three Each is equipped.
[0188]
In the above configuration, when the packet 250 is detected as an unauthorized access packet by the IDS 200, the tracking manager 330 creates a packet print PPa_1 from the packet 250 and inquires of the packet print device 420A about the presence of the packet print PPa_1 ((1)). .
[0189]
Thereby, the packet printing apparatus 420A appropriately interprets and responds to the inquiry content of the tracking manager 330 based on the correspondence table (see FIG. 19). That is, the packet printing apparatus 420A searches for PPa_1 from the correspondence table 421A and finds PPa_1 ((2)). Next, the packet printing apparatus 420A notifies the search result (PPa_1) ((2) ').
[0190]
In addition, the tracking manager 330 also sends a packet printing device 420B. ₁ Also inquires about the presence or absence of the packet print PPa_1 ((3)). Thereby, the packet printing apparatus 420B ₁ Appropriately interprets and responds to the inquiry contents of the tracking manager 330 based on the correspondence table (see FIG. 19). That is, the packet printing apparatus 420B ₁ Corresponds table 421B ₁ PPa_1 is searched from (4).
[0191]
In this case, the packet printing apparatus 420B ₁ Is determined to be a search request starting from the packet printing device 420A from the tracking manager 330 located outside the packet conversion device 500. Also, the packet printing device 420B ₁ Corresponds table 421B ₁ Since there is no PPa_1, first, PPa_1 is searched from the correspondence table 421A based on the correspondence table (see FIG. 19) (5).
[0192]
Then, the packet printing device 420B ₁ In the same way as the tracking manager 330, the packet printing device 420B ₂ And 420B _Three Also, the presence / absence of the packet print PPa_1 is inquired in parallel. Thereafter, the packet printing apparatus 420B ₂ And 420B _Three But packet printing device 420B ₁ The same operation as is executed (after [6]).
[0193]
In the fourth embodiment, as shown in FIG. 22, the tracking manager 330 and the packet printing device 420A are provided outside the packet conversion device 500, and a plurality of packet printing devices 420B are provided inside. ₁ ~ 420B _Three 23, the tracking manager 330 and the packet printing apparatus 420B are provided inside the packet conversion apparatus 500, and a plurality of packet printing apparatuses 420A are provided outside. ₁ ~ 420A _Three It is good also as a structure which provides. These packet printing apparatuses 420A ₁ ~ 420A _Three The correspondence table 421A ₁ ~ 421A _Three Is provided.
[0194]
In the fourth embodiment, as shown in FIG. 21, the packet printing apparatus 420B searches for PPa_1 from the correspondence table 421A ((3) ') and finds PPa_1 and the corresponding CommonKey1 (common PP) ((4) ▼ ′) In the case of the configuration example, as shown in FIG. 24, the acquisition unit 422B periodically copies the correspondence table 421A, and the packet printing apparatus 420B side copies the correspondence table 421A ′ of the packet You may provide in the apparatus 420B.
[0195]
In this case, the packet printing apparatus 420B performs a search in its own apparatus using the correspondence table 421A ′. In the fourth embodiment, the acquisition unit 422B causes a capacity problem when all the data is copied. Therefore, only the difference between the correspondence table 421A and the correspondence table 421A ′ is copied from the correspondence table 421A to the correspondence table 421A ′. It may be.
[0196]
Further, in the fourth embodiment, as shown in FIG. 25, the inner packet print device 420B shown in FIG. In FIG. 25, three packet printing apparatuses 420B are used instead of the packet printing apparatus 420B shown in FIG. ₁ ~ 420B _Three Is provided.
[0197]
These packet printing apparatuses 420B ₁ ~ 420B _Three Is the same as the packet printing apparatus 420B shown in FIG. ₁ ~ 422B _Three , Correspondence table 421B ₁ ~ 421B _Three The correspondence table 422A ′, which is a copy of the correspondence table 421A, is provided.
[0198]
As described above, according to the fourth embodiment, packet tracking can be performed even in a network in which information included in a packet is rewritten by the packet printing apparatus.
[0199]
(Embodiment 5)
In the third embodiment described above, an example of generating a PP of a packet that is not masked and a common PP of a packet that is masked has been described. However, a mask may be applied even when a PP is generated. Good. Hereinafter, this configuration example will be described as a fifth embodiment.
[0200]
FIG. 26 is a block diagram showing a configuration of the fifth embodiment according to the present invention. In this figure, the packet printing apparatus 440A takes a connection link between the global network A and the packet conversion apparatus 500 as a monitoring target, and takes in a copy of the packet 250 passing through the monitoring target network.
[0201]
Further, the packet printing apparatus 440A generates and stores PPa_1 (hash value) and the like, PPb_1 (hash value), and the like from the copied packet 250.
[0202]
Specifically, as shown in FIG. 27A, the packet printing apparatus 440A applies a mask (shaded part) to the packet 250 with a normal pattern, generates a packet print PPa_1 from the remaining part 250a, 1 PP storage unit 441A (see FIG. 26).
[0203]
Further, as shown in FIG. 27B, the packet printing apparatus 440A masks the packet 250 with a NAT pattern (shaded portion), generates the packet print PPb_1 from the remaining portion 250b, and generates the second PP. The data is stored in the storage unit 441B (see FIG. 26).
[0204]
Similarly, packet print apparatus 440B shown in FIG. 26 generates and stores packet prints corresponding to the normal mask pattern and the NAT mask pattern.
[0205]
In the above configuration, when an unauthorized access packet (for example, packet 250) is detected by the IDS 200, the tracking manager 300 generates PPa_1 from the normal mask pattern from the packet 250 and PPb_1 from the NAT mask pattern.
[0206]
Next, the tracking manager 300 inquires of the packet printing apparatus 440A about PPa_1 in the first PP storage unit 441A ((1)). Accordingly, the packet printing apparatus 440A searches the first PP storage unit 441A using PPa_1 as a key ({circle around (2)}) and finds PPa_1 ({circle around (3)}). Next, the packet printing apparatus 440A notifies the tracking manager 300 that PPa_1 has been found.
[0207]
Further, the tracking manager 300 inquires of the packet printing apparatus 440B about PPb_1 in the second PP storage unit 441B ((1) '). Accordingly, the packet printing apparatus 440B searches the second PP storage unit 441B using PPb_1 as a key ({circle around (2)}) and finds PPb_1 ({circle around (3)}). Next, the packet printing apparatus 440B notifies the tracking manager 300 that PPb_1 has been found.
[0208]
(Embodiment 6)
In the fifth embodiment, the mask pattern may be changed depending on the direction in which the packet flows. Hereinafter, this configuration example will be described as a sixth embodiment. FIG. 28 is a block diagram showing a configuration of the sixth embodiment according to the present invention.
[0209]
In this figure, the packet print device 450A takes a connection link between the global network A and the packet conversion device 500 as a monitoring target, and takes a copy of a packet (for example, 250 (260 ′)) passing through the monitoring target network. .
[0210]
Further, the packet printing apparatus 450A generates and stores PPa1_1, PPb_1, PPc_1, and the like from the copied packet.
[0211]
Specifically, as shown in FIG. 29A, the packet printing apparatus 450A applies a mask (shaded part) to the packet P with a normal pattern and generates a packet print PPa_1 from the remaining part Pa. 1 PP storage unit 451A (see FIG. 28).
[0212]
In addition, when a packet flows from the global network A (outside) to the local network B (inside), the packet printing apparatus 450A mainly sends the destination changed by the packet conversion apparatus 500 as shown in FIG. The IP address is masked.
[0213]
In this case, the packet printing apparatus 450A applies (shaded part) to the packet P with the transmission source mask pattern, generates the packet print PPb_1 from the remaining part Pb, and stores it in the second PP storage unit 451B (see FIG. 28). Store.
[0214]
In addition, when a packet flows from the local network B (inside) to the global network A (outside), the packet print device 450A is mainly changed by the packet conversion device 500 as shown in FIG. The IP address is masked.
[0215]
In this case, the packet printing apparatus 450A applies (shaded part) to the packet P with the destination mask pattern, generates the packet print PPc_1 from the remaining part Pc, and stores it in the third PP storage unit 451C (see FIG. 28). Store.
[0216]
In the sixth embodiment, as shown in FIG. 30A, the packet print is generated from the remaining portion P ′ obtained by masking the packet P. However, as shown in FIG. In this way, the remaining part of the packet P that has been masked may be divided into parts P1, P2, and P3 to generate packet prints A, B, and C corresponding to the parts P1, P2, and P3.
[0217]
By combining these packet prints A, B, and C, as shown in FIG. 30C, packet prints, destination NAT mask packet prints, and source NAT mask packet prints may be used.
[0218]
The packet print is generated from a combination of packet print A, packet print B, and packet print C, and may be used in place of PPa_1 shown in FIG. The destination NAT mask packet print is generated from a combination of packet print A and packet print C, and may be used in place of PPb_1 shown in FIG.
[0219]
The sender NAT mask packet print is generated from a combination of packet print A and packet print B, and may be used in place of PPc_1 shown in FIG.
[0220]
In this way, by generating the divided packet prints A, B, and C, various packet prints can be generated in combination. Therefore, as shown in FIG. The PP storage unit 451A, the second PP storage unit 451B, and the third PP storage unit 451C) need not be provided, so that the configuration can be simplified.
[0221]
As described above, according to the sixth embodiment, as shown in FIG. 30, a packet masked with information that changes by rewriting in packet conversion apparatus 500 is divided into a plurality of parts, and each divided partial packet is identified. Since the common PP or the like is generated and stored by generating the packet print for the purpose and combining the packet prints of the partial packets, the generation efficiency of the common PP or the like can be increased.
[0222]
(Embodiment 7)
In the first to sixth embodiments described above, as shown in FIG. 31, the proxy device 600 is provided to proxy the functions of the tracking manager and the packet printing device, and the proxy is based on an instruction from the tracking manager 300. The apparatus 600 may be made to perform packet tracking.
[0223]
The proxy device 600 includes a tracking sub-manager 300S, a packet printing device 410B, a packet printing device 410C, and a matching device 601, and has the above proxy function. The tracking sub-manager 300S has the same function as the tracking manager 300.
[0224]
The packet printing apparatus 410B includes a PP storage unit 416, monitors packets flowing between the global network A and the packet conversion apparatus 500, and generates and stores PPa_1 and the like. The packet printing apparatus 410C includes a PP storage unit 416, monitors packets flowing between the packet conversion apparatus 500 and the local network B, and generates and stores PPb_1 and the like.
[0225]
The packet printing apparatus 410A includes a PP storage unit 416, monitors packets flowing through the global network A, and generates and stores PPa_1 and the like. In the matching device 601, the tracking sub-manager 300S makes a search request to the packet printing device 410B and the packet printing device 410C, and it is confirmed from the search result that the tracking target packet has passed both the packet printing device 410B and the packet printing device 410C. Provide the information and means necessary to make a decision. Further, the tracking sub-manager 300S acquires information of the conversion table 501 from the packet conversion device 500 as shown in FIG. 1, and provides the information to the packet printing device 410B and the packet printing device 410C. Further, the tracking sub-manager 300S performs the identification process of the common PP and the common PP ′ as shown in FIGS. 8 and 13 and the identification process additionally using the supplementary information, and the result is used as the packet printing apparatus 410B and the packet printing apparatus. 410C. Further, the tracking sub-manager 300S supports the identification process of the common PP and the common PP ′ using the barrier packet as shown in FIG. 14, and provides the result to the packet printing apparatus 410B and the packet printing apparatus 410C. Further, the tracking sub-manager 300S performs a common key (common PP) inquiry process for other packet printing apparatuses as shown in FIG. 21, and provides the result to the packet printing apparatus 410B and the packet printing apparatus 410C. Further, the tracking sub-manager 300S performs a periodic copy process of the common key (common PP) from the other packet printing apparatus as shown in FIG.
[0226]
In the above configuration, when the IDS 200 detects an unauthorized access packet (packet 250 ′), the tracking manager 300 generates PPb_1 corresponding to the unauthorized access packet and requests the tracking sub-manager 300S to perform tracking proxy (1). ). As a result, the tracking sub-manager 300S accesses the packet print device 410B or the packet print device 410C based on the detection position of the unauthorized access packet (before and after the packet conversion device 500) and searches for the packet print ((2) ).
[0227]
The tracking sub-manager 300S requests another packet printing device such as the packet printing device 410A to search for PPa_1 when further tracking is required after the packet printing device 410B and the packet printing device 410C have been searched. . The tracking sub-manager 300S notifies the tracking manager 300 of the progress and result of the packet tracking process ((1) '). In the seventh embodiment, the proxy device 600 includes a combination of functions disclosed in the first to sixth embodiments. In the seventh embodiment, a plurality of proxy devices 600 shown in FIG. 31 may be provided on the network, and a certain proxy device 600 may inquire to another proxy device 600 in multiple stages.
[0228]
As described above, according to the seventh embodiment, the tracking target load is traced to the proxy apparatus 600 having the functions of the tracking manager and the packet printing apparatus. Can be reduced. Further, according to the seventh embodiment, the tracking manager, the packet printing device, and the like are collected as one proxy device 600, which can be implemented as one hardware and can reduce the operation management cost. Communication between managers can be speeded up and confidentiality can be improved.
[0229]
Although Embodiments 1 to 7 according to the present invention have been described in detail with reference to the drawings, specific configuration examples are not limited to these Embodiments 1 to 7, and depart from the gist of the present invention. Even if there is a design change or the like within a range not to be included, it is included in the invention.
[0230]
For example, in the above-described first to seventh embodiments, a program for realizing the functions of the tracking manager and the packet printing apparatus is recorded on the computer-readable recording medium 800 shown in FIG. Each function may be realized by causing the computer 700 shown in FIG.
[0231]
A computer 700 shown in the figure includes a CPU (Central Processing Unit) 710 that executes the above program, an input device 720 such as a keyboard and a mouse, a ROM (Read Only Memory) 730 that stores various data, an operation parameter, and the like. RAM (Random Access Memory) 740, a reading device 750 for reading a program from the recording medium 800, an output device 760 such as a display and a printer, and a bus 770 for connecting each part of the device.
[0232]
The CPU 710 implements the above-described functions by reading a program recorded on the recording medium 800 via the reading device 750 and then executing the program. Examples of the recording medium 800 include an optical disk, a flexible disk, and a hard disk.
[0233]
【The invention's effect】
As described above, according to the present invention, for the packet flowing through the network, the first packet specifying information for specifying the packet before rewriting in the packet conversion device, and the second for specifying the packet after rewriting. Packet identification information is generated and stored, and a search request including the packet identification information to be tracked is received, the first packet identification information or the second packet identification information is searched, and the search result is transmitted to the tracking manager. Therefore, there is an effect that packet tracking can be performed even in a network in which information included in a packet is rewritten.
[0234]
Further, according to the present invention, the first tracking target packet specifying information for specifying the tracking target packet before rewriting in the packet converter and the second tracking target packet for specifying the tracking target packet after rewriting Specific information is generated, the first tracking target packet specifying information or the second tracking target packet specifying information is notified to the packet printing apparatus based on the detection position of the tracking target packet, and a search for the packet specifying information is requested. As a result, it is possible to perform packet tracking even in a network in which information included in a packet is rewritten.
[0242]
Further, according to the packet tracking program of the present invention, since the computer executes the method described in any one of the above inventions, the packet tracking program can be read by the computer. There is an effect that any one of the operations of the invention can be executed by a computer.
[Brief description of the drawings]
FIG. 1 is a block diagram showing a configuration of a first exemplary embodiment according to the present invention.
FIG. 2 is a block diagram showing a configuration of the packet printing apparatus 400 (400A, 400B) shown in FIG.
3 is a flowchart for explaining the operation of the packet printing apparatus 400 (400A, 400B) shown in FIGS. 1 and 2. FIG.
FIG. 4 is a sequence diagram for explaining the operation of the first embodiment.
FIG. 5 is a block diagram showing a configuration of a second embodiment according to the present invention.
6 is a block diagram showing a configuration of the tracking manager 310 shown in FIG. 5. FIG.
FIG. 7 is a sequence diagram for explaining the operation of the second embodiment.
FIG. 8 is a block diagram showing a configuration of a third embodiment according to the present invention.
9 is a diagram illustrating a mask state of a packet 250 (250 ′) when the common PP and the common PP ′ illustrated in FIG. 8 are generated. FIG.
FIG. 10 is a diagram illustrating mask portions when a packet flows from the global network A (outside) to the local network B (inside).
FIG. 11 is a diagram illustrating mask portions when a packet flows from the local network B (inside) to the global network A (outside).
12 is a diagram for explaining a case where a payload including an IP address rewritten by the packet conversion apparatus 500 is used as a mask location in the third embodiment. FIG.
FIG. 13 is a block diagram showing a configuration for increasing packet identification accuracy using supplementary information in the third embodiment.
FIG. 14 is a block diagram showing a configuration for improving packet identification accuracy using a barrier packet in the third embodiment.
FIG. 15 is a block diagram illustrating packet tracking using the barrier packet shown in FIG. 14;
FIG. 16 is a block diagram for explaining a specific example in the case where the tracking manager is enhanced in the third embodiment.
FIG. 17 is a diagram showing a correspondence table 321 and a configuration diagram 321a according to the third embodiment.
FIG. 18 is a block diagram showing a configuration of a fourth embodiment according to the present invention.
FIG. 19 is a diagram showing correspondence tables 431A, 431B, 431C, and 431D.
FIG. 20 is a block diagram illustrating a configuration example in which the first embodiment is applied to the fourth embodiment (high performance of the packet printing apparatus).
FIG. 21 is a block diagram showing a configuration example in which the third embodiment is applied to the fourth embodiment (enhancing the functionality of the packet printing apparatus).
FIG. 22 is a block diagram showing a configuration example when a plurality of inner packet printing apparatuses are used in the fourth embodiment.
23 shows a tracking manager 330 and a packet printing device 420B provided inside the packet conversion device 500 and a plurality of packet printing devices 420A outside the packet conversion device 500 in Embodiment 4. FIG. ₁ ~ 420A _Three It is a block diagram which shows the structural example provided.
24 is a block diagram showing a modified example of the configuration shown in FIG. 21 in the fourth embodiment. FIG.
FIG. 25 is a block diagram illustrating a configuration example when a plurality of inner packet printing apparatuses 420B illustrated in FIG. 24 are provided.
FIG. 26 is a block diagram showing a configuration of the fifth embodiment according to the present invention.
FIG. 27 is a diagram for explaining a mask pattern according to the fifth embodiment.
FIG. 28 is a block diagram showing a configuration of a sixth embodiment according to the present invention.
FIG. 29 is a diagram for explaining a mask pattern according to the sixth embodiment.
FIG. 30 is a diagram for explaining a modification of the sixth embodiment.
FIG. 31 is a block diagram showing a configuration of a seventh embodiment according to the present invention.
FIG. 32 is a block diagram showing a configuration of a modified example of the first to seventh embodiments according to the present invention.
FIG. 33 is a block diagram showing a configuration of a conventional packet tracking system.
34 is a block diagram showing a configuration of the packet printing apparatus 101 (101a, 101b, 101c) shown in FIG.
35 is a block diagram showing a configuration of the tracking manager 102 shown in FIG. 33. FIG.
FIG. 36 is a diagram illustrating a problem of a conventional packet tracking system.
[Explanation of symbols]
200 IDS
300 Tracking manager
310 Tracking Manager
400A packet printing device
410A packet printing device
420A packet printing device
430A packet printing device
500 packet converter

Claims (3)

A packet tracking method applied to a packet tracking system including a plurality of packet printing apparatuses arranged at important points of a monitored network and a tracking manager that transmits and receives information to and from these packet printing apparatuses. And
For packet flowing through the network, first packet specifying information for specifying a packet before rewriting in a packet conversion device that rewrites information included in the packet when passing, and second for specifying a packet after rewriting Packet specific information storing step for generating and storing packet specific information;
A search request including tracking target packet specifying information for specifying a tracking target packet is received from the tracking manager, the first packet specifying information or the second packet specifying information is searched, and a search result is sent to the tracking manager. Search process to send to,
The packet tracking method characterized by including. A plurality of packet printing devices for generating and storing packet specifying information for specifying a packet flowing in a network having a packet conversion device arranged at a key point of a monitored network and rewriting information included in the packet when passing; A packet tracking method applied to a packet tracking system comprising a tracking manager for sending and receiving information to and from these packet printing devices,
A packet for generating first tracking target packet specifying information for specifying a tracking target packet before rewriting in the packet conversion device and second tracking target packet specifying information for specifying a tracking target packet after rewriting Specific information generation process;
A search request for notifying the packet printer of the first tracking target packet specifying information or the second tracking target packet specifying information based on the detection position of the tracking target packet and requesting the search of the packet specifying information Process,
The packet tracking method characterized by including. Packet tracking program for executing the packet tracking method according to any one of claims 1-2 in a computer.

Images