JP4538370B2 - Abnormal communication detector - Google Patents

Description

  The present invention relates to an abnormal communication detecting apparatus that can analyze data flowing through a line and extract communication that behaves abnormally.

  In recent years, the importance of network security has increased with the movement of the IP (Internet Protocol) network represented by the Internet and the establishment of the Personal Information Protection Law. For this reason, many companies and individuals use FW (Firewall) and IDS (Intrusion) as access points with other networks in order to prevent information leakage from PCs installed in their networks and attacks on servers. It is common to install an abnormal communication detection device such as Detect System to protect internal information resources.

  Anomaly communication detection devices are roughly classified into a signature type anomaly detection device and an anomaly type anomaly detection device. The former is a device that detects abnormal communication due to fraud by holding a pattern of abnormal communication or normal communication in advance in a database as a signature and comparing the communication data flowing through the line with the contents of the database. . In the latter case, abnormal communication and normal communication patterns are stored in advance in the database as statistical thresholds, and abnormal communication due to fraud is detected by comparing communication data flowing through the line with the contents of the database. Device. Both are roughly divided into the following three processes.

  First, packet data flowing through the line is analyzed to extract data such as the type of communication and the origin / destination of the communication. Next, the extracted communication data is stored in a storage unit such as a memory. Finally, for each accumulated communication data, a comparison process with various unauthorized communication and normal communication databases is performed to determine whether the communication is normal communication or abnormal communication due to fraud. Extract communications.

  As an example of abnormal communication detection that performs these three processes, each packet that flows through the line is analyzed one by one, and all communication data is extracted and stored, and abnormal communication detection is performed based on the accumulated communication data. (For example, refer to Patent Document 1). This method can detect abnormal communication with high accuracy. However, if the number of packets flowing through the line is large or the number of communications to be extracted is large, the capacity of the memory for storing the communication data is insufficient, or the CPU's ability to perform communication data extraction and database comparison processing Cause shortages.

In addition, a method of using a hash table for recording communication data and periodically deleting the communication data when communication is not observed or when the hash table is full (see, for example, Non-Patent Document 1) may be used. is there. In this method, processing to search for free space by performing re-hashing and processing to periodically delete unnecessary communication data must be performed, as in the previous method, when the number of packets flowing through the line is large, When the number of communications to be extracted is large, CPU capacity is insufficient.
For this reason, a method has been devised to avoid a shortage of memory capacity and a lack of CPU comparison processing capability.

  For example, the inspection target is limited in advance by a unit such as a user or a computer, and information such as the communication volume of the inspection target is held in the storage unit, and the bandwidth for the communication of the inspection target having a large communication volume when congestion occurs A method of performing restriction (for example, see Patent Document 2) is disclosed. A method (for example, refer to Patent Document 3) in which the inspection target is limited in advance for each network and abnormal communication is detected is also disclosed. In both cases, by limiting the inspection target in advance, the number of communication extractions and the amount of communication data to be stored are reduced, and the lack of CPU capacity and memory capacity are avoided.

  Also, by limiting the types of abnormal communications to be detected according to the types of servers that exist in the network to be inspected and narrowing down the database contents to be compared in advance, the CPU comparison processing amount can be reduced. A reduction method (for example, see Patent Document 4) is also disclosed. A method (for example, refer to Patent Document 5) in which the type of abnormal communication to be detected is limited in advance is also disclosed.

JP2002-252654

JP2001-217842 JP2004-312064 JP2003-223375 JP2005-039591 Peter Reiher Jelena Mirkovic, Greg Prier, “Attacking DDoS at the source.”, In Proceedings of the IEEE International Conference on Network Protocols10, Paris, France, November 2002.

The problem of the prior art will be described with reference to FIG. 2 showing an example of the Internet. Assume that three communication carriers construct networks 210, 220, and 230, respectively. The network 210 connects the router 211 at the connection point with the network 220, the router 212 at the connection point with the network 230, the router 213 at the connection point with the corporate user network 240, and the personal users' PCs 250 and 260. A router 214 is installed at the point. A corporate user has a server 242 installed on his network 240.
Normally, a corporate user installs an abnormal communication detection device 241 at a connection point with another network to protect the server 242 from abnormal communication such as a server attack.

  However, there are also attacks that cannot be protected by such abnormal communication detection devices. For example, when a personal PC 250 and a corporate server 242 are performing communication 270, a large number of packets are transmitted from the servers 221, 222, 223, and 224 to the router 213 on the communication path to Assume that an attack 281 for stopping the packet transfer function is performed. In this case, packets transmitted and received between the PC 250 and the server 242 are discarded 272 by the attacked router 213, and normal communication is not performed. In addition, if the personal PC 260 performs communication 282 using an application that continuously uses a large bandwidth such as P2P, the transfer function of the router 214 deteriorates, and transmission / reception is performed between the PC 250 and the server 242. Packets are frequently discarded 271 and the quality of communication 270 deteriorates. Furthermore, if an attack 283 is performed from the server 231, 232, 233, 234 toward the server 242 that intentionally increases the processing of the abnormal communication detection device 241, the abnormal communication detection device 241 can prevent abnormal communication. Instead, packets transmitted / received between the PC 250 and the server 242 are discarded 273 and normal communication is not performed.

  For this reason, carriers and ISPs (Internet Service Providers) and other telecommunications carriers are able to connect an unspecified number of PCs and servers that are connected to the telecommunications carrier's network from abnormal communications that cannot be protected by conventional corporate abnormal communication detection devices. It is required to defend.

  Therefore, the telecommunications carrier adds an abnormal communication detection function for high-speed lines that detects abnormal communication to the edge routers 211, 212, and 214 installed at connection points with other networks, and analyzes packets flowing through the network. However, there are various types of communication such as P2P (Peer to Peer) overload communication that causes communication failure, and unauthorized communication aimed at attacking routers and servers such as DoS (Denial of Service) and DDoS (Distributed Denial of Service). It is necessary to reliably detect and eliminate abnormal communication.

  However, when such abnormal communication detection is performed using the conventional method, there are various problems. For example, the conventional method (see, for example, Patent Document 1) analyzes all packets and extracts all communication data. Therefore, on the high-speed line used by the communication carrier, The number of communications to be extracted increases, and the CPU processing capacity is insufficient. In addition, in the network of telecommunications carriers that communicate with a large number of unspecified PCs and servers, the number of extracted communication data is large and dynamically changes, so there is not enough memory capacity to store communication data. To do. Moreover, since the conventional method (for example, refer patent document 2, 3) has limited the inspection object beforehand, it cannot protect many unspecified PCs and servers. Furthermore, the conventional method (see, for example, Patent Documents 4 and 5) has a problem in that a variety of abnormal communications cannot be detected because the types of abnormal communications to be detected are limited in advance.

  Therefore, in order to solve the above problems, the purpose of the present application is to simultaneously detect various types of abnormal communication on a high-speed line that protects a large number of unspecified PCs and servers. It is to provide an abnormal communication detection function realized by.

In order to solve the problem described in the column “Problems to be Solved by the Invention”, the abnormal communication detection apparatus of the present application has the following means.
Means for replicating a certain percentage of a plurality of received packets, a storage area for holding a cumulative number of packets in which a hash value of a combination of predetermined values in the packet becomes a predetermined hash value, and the received A storage having a storage area for storing the number of collisions obtained by integrating the number of times that the storage area of the hash value for storing the cumulative number of packets is already used to hold the cumulative number of packets having other combinations. And a storage area that, when receiving a packet, calculates a hash value based on a combination of predetermined values in the packet, and holds the cumulative number of packets having the combination based on the calculated hash value The combination of the packet corresponding to the accumulated number already held in the determined storage area and the combination of the packet It is determined whether or not they match. When it is determined that they match, the cumulative number of the storage areas is added. When it is determined that there is a collision without matching, the number of collisions corresponding to the storage area is further set to a predetermined value. It is determined whether or not the threshold value has been exceeded. If the threshold value has not been exceeded, the number of collisions is added. If the threshold value has been exceeded, the accumulated number already stored in the storage area is deleted and the received number is received. Means for overwriting the cumulative number of packets including a combination of packets.

  Problems other than those described above and problems to be solved by the present application will be clarified in the "Best Mode for Carrying Out the Invention" column and drawings of the present application.

Realizes simultaneous detection of various types of abnormal communication on high-speed lines that protect a large number of unspecified PCs and servers that conventional methods could not achieve due to insufficient memory capacity and CPU processing capacity.
The detection includes a method of overwriting and extracting old communication data with a small number of accumulated packets and new communication data of the present application, a method of recording the number of types of a plurality of packets as communication data, It is realized by an abnormal communication detection method based on sample analysis.

A network configuration assumed by the present invention will be described with reference to FIG. 2 showing an example of the Internet. Assume that three communication carriers construct networks 210, 220, and 230, respectively. The network 210 connects the router 211 at the connection point with the network 220, the router 212 at the connection point with the network 230, the router 213 at the connection point with the corporate user network 240, and the personal users' PCs 250 and 260. A router 214 is installed at the point. A corporate user has a server 242 installed on his network 240. A telecommunications carrier that manages the network 210 installs routers 211 to 214 equipped with an abnormal communication detection function to which the technology of the present application is applied at a network edge that is a connection point with another network.
The general operation of the routers 211 to 214 having the abnormal communication detection function of the present invention will be described with reference to FIG. FIG. 3 shows a router 300 having the abnormal communication detection function of the present invention.

  The router 300 having an abnormal communication detection function includes N interface units 310-i (i = 1 to N), N × L lines 310-ij (i = 1 to N, j = 1 to L), and The packet relay processing means 320 for connecting the N interface units 310-i, the abnormal communication detection unit 100 having the abnormal communication detection function, and the bandwidth control setting to be set based on the detection result 113 A set value search unit 331 that outputs a control command 339 and a control setting unit 340 that sets a communication band control unit 341 based on the command 339 are configured. The interface unit 310-i includes a packet data duplicating unit 311-i (i = 1 to N), and the packets input / output between the line 310-ij and the packet relay processing unit 320 are transmitted at a rate Rate specified in advance. The duplicated packet data 101 is transmitted to the abnormal communication detecting unit 100. The interface unit 310-i includes a communication band control unit 312-i (i = 1 to N), and controls the band for each packet characteristic as instructed by the control setting unit 340. Abnormal communication packets are subjected to bandwidth limitation control, and regular communication packets are subjected to bandwidth protection control. The set value search unit 331 may be installed as the set value search device 330 outside.

  In some cases, the abnormal communication detection function of the present invention is provided in the arithmetic device 430 installed outside the router as shown in FIG. In this case, the arithmetic device 430 includes a CPU 460, a memory 440, a connection unit 450, and an information transmission path 470 that couples them. The module 100 that performs abnormal communication detection processing is stored in the memory 440. The packet data 101 copied by the packet data replicating unit 311-i is input from the connection unit 450 to the arithmetic device 430. The detection result 113 is output from the connection unit 450. In this embodiment, the case where the abnormal communication detection unit 100 is provided inside the router will be described. However, the case where the abnormal communication detection unit 100 is provided outside the router can be similarly performed.

  FIG. 8 shows an example of the format of the copied packet data 101. In this format, Size 801 indicating the size of the packet data, InLine 802 indicating the input line number that is the identification number of the line to which the packet is input, Output line number OutLine 803 that is the identification number of the line that outputs the packet, SMAC 804 that represents the source MAC address that is the source address of the data link layer, DMAC 805 that represents the destination MAC address that is the destination address, priority L2-PRI 806 that represents the transfer priority of the data link layer, and the network Proto 807 that represents the layer protocol (higher application), SIP 808 that represents the source IP address that is the source address (the address of the sending terminal), and DIP that represents the destination IP address that is the destination address (the address of the receiving terminal) 809, Sport 810 representing the source port of the protocol TCP or UDP, Dport 811 representing the destination port, Flag 812 representing the TCP flag, and network layer transfer. And priority L3-PRI 813 representing a priority, the ratio Rate 814 the packet data replication unit 311-i has duplicates the packet, and a time Time 815 that duplicates the packets.

  Next, the detailed operation of the present invention will be described with reference to FIGS. 1, 5 to 7, and 9 to 72. FIG. 1 shows a block diagram of the abnormal communication detection unit 100. The abnormal communication detection 100 includes a packet sampling unit 119 that samples the received packet data 101 at a constant rate, and a packet data 102 that is sampled and output by the sampling unit from Size 801 to L3-PRI 813. An extraction unit 180 that determines which of the items is combined to extract communication data, a recording unit 181 that records the extracted communication data, and a communication error / Detection unit 182 that determines normality, setting unit 171 that performs various settings, setting value accumulation table 130 that accumulates setting values, and extraction / recording history accumulation table 140 that accumulates the history of the extraction unit 180 and the recording unit 181 And a communication data storage table 150 for storing communication data. Further, the extraction unit 180 includes a combination extraction unit 120, a combination alignment unit 121, an address generation unit 122, and a communication data extraction determination unit 123. A recording unit 181 includes a communication data recording unit 124, and the number of types recorded. The detection unit 182 includes a combination determination unit 126 and an abnormality / normality determination unit 127.

  9 to 12 show flowcharts of processing performed by the extraction unit 180. The processing of the extraction unit 180 includes a combination extraction process 900 (FIG. 9), a combination alignment process 1000 (FIG. 10), an address generation process 1100 (FIG. 11), and a communication data extraction determination process 1200 (FIG. 12). The The process 900 is executed by the combination extraction unit 120, the process 1000 is executed by the combination alignment unit 121, the process 1100 is executed by the address generation unit 122, and the process 1200 is executed by the communication data extraction determination unit 123.

  13 to 35 are flowcharts of processing performed by the recording unit 181. The processing of the recording unit 181 includes a communication data recording process 1300 (FIG. 13) and a type number recording process 1600 (FIG. 16). The process 1300 is executed by the communication data recording unit 124, and the process 1600 is executed by the type number recording unit 125. The communication data recording process 1300 includes a packet number selective integration process 1310 (FIG. 14) and a selection integration type recording process 1311 (FIG. 15). The type number recording process 1600 includes a packet type number subtraction process 1605 (FIGS. 17 to 22), a packet type count integration process 1606 (FIGS. 23 to 28) at the time of overwriting determination, It includes the number of types integrating process 1603 (FIGS. 29 to 35).

  36 to 72 show flowcharts of processing performed by the detection unit 182. The processing of the detection unit 182 includes a combination determination process 3600 (FIG. 36) and a normal / abnormal determination process 3800 (FIG. 38). The process 3600 is executed by the combination determination unit 126, and the process 3800 is executed by the normality / abnormality determination unit 127. The combination determination process 3600 includes a combination ID determination process 3604 (FIG. 37). The normal / abnormal determination processing 3800 includes normal / abnormal determination processing 3801 (FIGS. 40 to 72) corresponding to the combination ID, and abnormal communication data and white list transmission processing 3802 (FIG. 39).

  5 to 7 show formats of the setting value accumulation table 130, the extraction / recording history accumulation table 140, and the communication data accumulation table 150. Details of the format will be made clear in the following description.

  When the bandwidth monitoring unit 100 receives the duplicate packet data 101, the packet sampling unit 119 first samples the duplicate packet data 101. The sampling rate Rate 509 in the set value accumulation table 130 is read (136 in FIG. 1), sampling is performed at the read rate, and the sampling packet data 102 is output to the extraction unit 180. The format of the sampled packet data 102 is the same as that of the duplicate packet data, but the rate of packet duplication Rate 814 is changed to the value obtained by multiplying the original rate by the sampling rate Rate 509 in the setting value accumulation table 130. Is done. If the value of Rate 509 is 1.0, all duplicate packet data 101 is output as sampled packet data 102.

When the extraction unit 180 receives the sampled packet data 102, the combination extraction unit 120 first performs a combination extraction process 900. First, initial values (141 in FIG. 1) are written in all variables included in the extraction / record history accumulation table 140 (step 901). Next, among the 13 items from Size 801 to L3-PRI 813 in the sampled packet data 102, the combination ID that specifies which combination of items is to be extracted is 1 from 1 to 2 ^{13 in} order. generated are two ¹³ while increasing (step 902), repeats the processing 900-1200.

  SIP 808 if the first bit of the combination ID is 1, DIP 809 if the second bit of the combination ID is 1, and Sport 810 if the third bit of the combination ID is 1, the combination ID If the lower 4th bit is 1, Dport 811, if the lower 5th bit of the combination ID is 1, Flag 812, if the 6th lower bit of the combination ID is 1, InLine 802, Proto 807 if the 7th bit is 1, Size 801 if the lower 8th bit of the combination ID is 1, OutLine 803 if the lower 9th bit of the combination ID is 1, and the lower 10 bits of the combination ID If the first is 1, SMAC 804, if the 11th bit of the combination ID is 1, DMAC 805, if the 12th bit of the combination ID is 1, L2-PRI 806, and the lower 13 bits of the combination ID If the first is 1, specify the combination including L3-PRI 813. For example, if the combination ID is 5 (= 1 + 4), a combination including two items, SIP 808 and Sport 810, if the combination ID is 79 (= 64 + 8 + 4 + 2 + 1) Specify a combination that includes five items: SIP 808, DIP 809, Sport 810, Dport 811, and Proto 807.

When the generation of the combination ID is completed, it is determined whether or not the extraction of all combinations is completed (step 903). If the combination ID is ²¹³ , it is determined that extraction of all the combinations has been completed, and the sampling packet data 102 is transmitted to the recording unit 181 (107 in FIG. 1) (step 906). The repetition of the processes 900 to 1200 is ended, and the process 1300 of the recording unit 181 is entered. If the combination ID is not 2 ^13, it is determined whether to specify the extraction of the combination user (step 904). When the value of the combination ID is i (i = 1 to 2 ¹³ -1), the combination ID designation data ID-i (i = 1 to 2 ¹³ -1) 510-i in the set value accumulation table 130 is read (see FIG. 131 of 1), and when ID-i 510-i is 1, it is determined that the combination is specified by the user, and the packet data information 103 including the combination ID and the item specified by the combination ID is changed to the combination alignment unit 121. (Step 905). If ID-i is 0, it is determined that the combination is not specified by the user, the process returns to the combination ID generation process (step 902), the next combination ID (value obtained by adding 1) is generated, and the same process is repeated. . In this embodiment, the value of the combination ID designation data ID-i (i = 1 to 2 ⁸ −1) in the set value accumulation table 130 is always 1, and the combination ID designation data ID-i (i = 2 ⁸ to The case where the value of 2 ¹³ -1) is always 0 will be described. Therefore, the packet data transmitted to the combinational alignment unit 121 includes up to eight items of SIP 808, DIP 809, Sport 810, Dport 811, Flag 812, InLine 802, Proto 807, and Size 801, and the replication rate Rate 814. , Composed of duplication time Time 815.

  When step 905 of the combination extraction process 900 executed by the combination extraction unit 120 is completed, the combination alignment unit 121 performs the combination alignment process 1000 next. From the packet data obtained from the combination extraction unit 120, the replication rate Rate 814 and the hash value generation packet data 1020 excluding the replication time Time 815 are generated. Further, in the case of a combination including SIP 808 and DIP 809, when SIP 808 is smaller than DIP 809, the process of reversing the order of SIP 808 and DIP 809 (step 1010) is performed, and the combination including Sport 810 and Dport 811 is performed. In this case, when Sport 810 is smaller than Dport 811, processing for reversing the order of Sport 810 and Dport 811 (step 1011) is performed, and hash value generation sorted packet data 1030 is obtained. The aligned packet data 1030 is composed of 1 to 8 items among the aligned IP1 1031 and IP2 1032, the aligned Port1 1033 and Port2 1034, Flag 1035, InLine 1036, Proto 1037, and Size 1038. Finally, the sorted packet data 1030, the combination ID, and the information 104 composed of the packet data are transmitted to the address generation unit 122 (step 1040).

When the combination arrangement process 1000 executed by the combination arrangement unit 121 is completed, the address generation unit 122 performs an address generation process 1100 next. A hash value is calculated using the sorted packet data 1030 obtained from the combination sorting unit 121, and an address for recording the extracted combination data is generated (step 1101). Also, the generated address is recorded (142 in FIG. 1) in the generated address data storage unit ID-Address-i (i = 1 to 2 ¹³ -1) 610-i in the determination / record history storage table 140 (step 142). 1102). Further, the information 105 including the packet data, the combination ID, the sorted packet data 1030, and the generated address value is transmitted to the communication data extraction determination unit 123 (step 1103).

  When the address generation process 1100 executed by the address generation unit 122 ends, the communication data extraction determination unit 123 performs a communication data extraction determination process 1200 next. First, if both the first and second bits of the combination ID are 1, only the lower first bit is changed to 0, and if the first bit of the combination ID is 0 and the second bit is 1, Change bit 1 to lower 2 bit to 0, and if both lower 3rd bit and 4th bit of combination ID are 1, only lower 3rd bit is changed to 0 and lower 3rd bit of combination ID When is 0 and the 4th bit is 1, a comparison combination ID is created by changing the lower 3 bits to 1 and the lower 4 bits to 0. Next, the communication data 700-k (k = 1) recorded in the area in the communication data accumulation table 150 read based on the comparison combination ID, the sorted packet data 1030, and the generated address (152 in FIG. 1) To M) are determined (step 1201). Specifically, the combination ID for comparison and the IP1 1031, IP2 1032, Port1 1033, Port2 1034, Flag 1035, InLine 1036, Proto 1037, Size 1038 in the sorted packet data 1030 and the ID in the communication data 700-k Compare 700-k, IP1 701-k, IP2 702-k, Port1 703-k, Port2 704-k, Flag 705-k, Line 706-k, Proto 707-k, Size 708-k It is determined whether or not.

If they match, a match determination is performed (step 1203).
If they do not match, the overwriting determination method specification value Overwrite-Judge 520 in the setting value accumulation table 130 is read (132 in FIG. 1). When Overwrite-Judge 520 is specified to compare the number of overwriting judgments, the number of collisions Cnf731-k in the communication data 700-k exceeds the threshold for comparing the number of accumulations Overwrite-Num 523 in the set value accumulation table 130. It is determined whether or not to do so. In the case of ratio comparison specification, does the ratio between the number of collisions Cnf 731-k and the total number C1 711-k in the communication data 700-k exceed the ratio comparison threshold Overwrite-Ratio 522 in the set value accumulation table 130? Determine whether or not. In the case of time comparison specification, the difference between the duplication time Time 815 in the packet data and the collision start time CTime 762-k (k = 1 to M) in the communication data 700-k is the final recording time LTime761-k (i = 1 to M) and whether or not the difference between the recording start time FTime760-k (k = 1 to M) is exceeded (step 1202).

  If not exceeded, a collision determination is made (step 1204), and the reverse calculation value of the copied rate Rate 814 is added to the number of collisions Cnf 731-k in the communication data 700-k (151 in FIG. 1) (step 1205). . Further, when the integration to the collision count Cnf 731-k is the first time, the duplication time Time 815 in the packet data is recorded at the collision start time CTime 762-k (step 1205).

If it exceeds, the overwriting determination is performed (step 1206), and the overwritten communication data 700-k and the combination ID are overwritten communication data Old-Data-i (i = 1 to 2 ¹³ -1) 670-i and overwritten combination ID Overwrite-ID-i (i = 1 to 2 ¹³ -1) are recorded in 630-i (143 in FIG. 1) (step 1207).

When processing for each determination result (match, collision, overwriting) is completed, the determination result is recorded in Write-Kind-i (i = 1 to 2 ¹³ -1) 620-i in the extraction / record history accumulation table 140 ( 143 in FIG. 1 (step 1208). Further, the difference ΔT between the duplication time Time 815 in the packet data and the recording start time FTime 760-k (k = 1 to M) in the communication data 700-k gives the aging time ATime 521 in the set value accumulation table 130. If exceeded, the total number of packets C1 to 5 711 to 715-k (k = 1 to M) in the communication data 700-k and the total number of packets B1 to 5 721 to 725-k (k = 1) ~ M) and the number of collisions Cnf 731-k (k = 1 ~ M) is subtracted by multiplying by (ATime 521-ΔT) / ATime 521, or averaged by multiplying by ATime 521 / (ATime 521 + ΔT) (Step 1209). Finally, the completion of the extraction determination process is transmitted to the combination extraction unit 120 that performs the combination extraction process 900 (106 in FIG. 1) (step 1210), and the processes of the processes 900 to 1200 are repeated.

  By the processing 900 to 1200 of the extraction unit 180 described above, old communication data with a small number of accumulated packets is overwritten by new communication data with a large number of accumulated packets. Therefore, the larger the number of accumulated packets and the newer the start time, the harder it is to be overwritten and the easier it is to record in the communication data accumulation table 150. As a result, communication information necessary for detecting an abnormality can be obtained in a memory-saving manner.

When the repetition of the processes 900 to 1200 performed by the extraction unit 180 is completed and the extraction of all combinations is completed, the process performed by the recording unit 181 is entered next. When receiving the packet data 107, the recording unit 181 repeatedly generates the combination ID by 1 (step 1301), like the extraction unit 180 (step 1301), and alternately performs the communication data recording process 1300 and the type number recording process 1600. Do. When the combination ID is 2 ¹³ , it is determined that all combinations have been extracted (step 1302), and the packet data 101 is transmitted to the detection unit 182 (110 in FIG. 1) (step 1313). The repetition of the processing 1300 and 1600 in the recording unit 181 is ended, and the processing of the detection unit 182 starts. If the combination ID is not 2 ^13, it is determined whether the recording of the combination user has specified (step 1303). When the value of the combination ID is i (i = 1 to 2 ¹³ -1), the combination ID designation data Ri (i = 1 to 2 ¹³ -1) 511-i in the set value accumulation table 130 is read (in FIG. 1) 133), if Ri 511-i is 0, it is determined that the combination is not specified by the user, the process returns to the combination ID generation process (step 1301), and the next combination ID (value added by 1) is generated. Repeat the process. When Ri 511-i is 1, it is determined that the combination is specified by the user, and the determination result Write-Kind-i (i = 1 to 2 ¹³ -1) 620-i in the extraction / record history accumulation table 140 is read. (145 in FIG. 1), three types of processing are performed according to the determination result Write-Kind-i 620-i (step 1304).

When the determination result Write-Kind-i 620-i is overwritten (step 1306), the address ID-Address-i (i = 1 to 2 ¹³ -1) recorded in step 1102 in the extraction / record history accumulation table 140 The communication data 700-k (k = 1 to M) in the communication data accumulation table 150 in the area defined by) is initialized (153 in FIG. 1). Further, the communication data from SIP 701-k to Size 708-k is updated to the aligned packet data obtained by performing the same processing as in step 1000 (step 1307). For ID 700-k, if the first and second bits of the combination ID are both 1, only the lower first bit is changed to 0, and the second bit of the combination ID is 0 and the second bit. When 1 is 1, the lower 1st bit is changed to 1 and the lower 2nd bit is changed to 0, and when the lower 3rd bit and 4th bit of the combination ID are both 1, only the lower 3rd bit is changed to 0, When the third bit of the combination ID is 0 and the fourth bit is 1, the comparison combination ID in which the lower third bit is changed to 1 and the lower fourth bit is changed to 0 is recorded. Thereafter, the process is merged with the process in the case where the determination result Write-Kind-i 620-i matches (step 1305). After that, the back-calculated value of the rate 814 in the packet data is added to the packet count C1 711-k in the communication data 700-k, and the size Size 801 in the packet data is added to the byte count B1 721-k. The product of the backward calculation values of Rate 814 is integrated (step 1308).

Further, when the combination includes SIP / DIP or Sport / Dport (step 1309), the packet selection accumulation (step 1310) and the type of selection accumulation (step 1311) are recorded, and the communication data accumulation table 150 C2 to C5 712 to 715-k (k = 1 to M), B2 to B5 722 to 725-k (k = 1 to M), and the type of selective integration in the extraction / record history accumulation table 140 ICnt-Kind1- i (i = 1 to 2 ¹³ -1) and selection integration types I to III Cnt-Kind1 to 3-i (i = 1 to 2 ¹³ -1) 640 to 660-i are changed (as 144 in FIG. 1 153). Details are shown in the table in FIG. 14 and the table in FIG.

  In packet selective integration (step 1310), for example, when the packet data includes SIP, DIP, and Sport, if SIP> DIP, the packet integration number C2 712-k in the communication data 700-k is included in the packet data. The product of the back-calculated value of the rate Rate 814 is multiplied by the product of the size Size 801 in the packet data and the back-calculated value of the rate Rate 814 to the byte count B2 712-k. In the case of SIP ≦ DIP, the packet accumulated number C4 714-k in the communication data 700-k is set to the reverse value of the rate Rate 814 in the packet data, the byte accumulated number B4 724-k is the size in the packet data Size 801 And the product of the reverse calculation of the rate Rate 814. Therefore, C2 712-k and B2 722-k are the cumulative number and cumulative bytes of packets transmitted by IP1 using Port1 703-k as the source port, and C3 713-k and B3 723-k are Port1 703-k. C4 714-k and B4 724-k are the cumulative number and cumulative bytes of packets received by IP1 with Port1 703-k as the source port. C5 715-k and B5 725-k represent the accumulated number and accumulated bytes of packets received by IP1 with Port1 703-k as the destination port.

  As described above, by performing recording such as packet selective integration (step 1310), a maximum of four types of packet integration numbers can be obtained from one entry, and it becomes easy to detect various types of abnormal communication.

In the record of the type of selective integration (step 1311), C2 = 0, C3 = 0, C4 = 0, C5 = 0, C2 + C3 = 0, C4 + C5 = 0, or C2 When integrating for the first time from the state of + C5 = 0, C3 + C4 = 0, select the type of integration ICnt-Kind1-i (i = 1 to 2 ¹³ -1) 640-i in the extraction / record history accumulation table 140. 1, 2, 3 and 4, the selection integration type IICnt-Kind2-i (i = 1 to 2 ¹³ -1) 650-i to 5,10, the selection integration type IIICnt-Kind3-i (i = 1 ~ 2 ¹³ -1) Set 660-i to 7, 8 (144 in Fig. 1).

  Finally, in combination with the process when the determination result is a collision (step 1313), the combination ID and the packet data information 108 are transmitted to the type number recording unit 125 (step 1312), and the communication data recording unit 124 The communication data recording process 1300 to be executed is terminated.

Upon receiving the combination ID and packet data information 108 from the communication data recording unit 124, the type number recording unit 125 starts the type number recording process 1600. Here, the generated address ID-Address-i (i = 1 to 2 ¹³ -1) 610-i recorded in the extraction / record history accumulation table 140 is described in an area in the communication data accumulation table 150. The values of K0 to K23 (k = 1 to M) 734 to 757-k are changed. K0 734-k is a value for determining whether or not the number of types has been accumulated, K1 735-k is the number of communication partners with which IP1 sent and received packets, K2 736-k K3 737-k is the number of communication partners that sent packets back to IP1, K4 738-k is the number of communication partners that IP1 sent packets with Port1 as the source port, K5 739-k is the number of communication partners that IP1 sent packets with Port1 as the destination port, K6 740-k is the number of communication partners that sent packets to IP1 with Port1 as the source port, and K7 741-k is IP1 K8 742-k indicates the number of ports used for packet transmission / reception, K9 743-k indicates the number of ports used by IP1 for packet transmission / reception, K10 744 -k is the number of ports used by IP1 peers to send and receive packets, K11 745-k is used by IP1 to send packets The number of ports, K12 746-k is the number of ports used by IP1 peers to receive packets, K13 747-k is the number of ports IP1 used to receive packets, and K14 748-k is IP1 communications K15 749-k is the number of TCP flag numbers that IP1 used to send and receive packets, and K16 750-k is the number of TCP flag numbers that IP1 used to send packets. K17 751-k is the number of TCP flag numbers that IP1 used to receive packets, K18 752-k is the number of InLine types that IP1 used to send and receive packets, and K19 753-k The number of InLine types used for transmission, K20 754-k is the number of InLine types IP1 used to receive packets, K21 755-k is the number of protocols IP1 used to send and receive packets, K22 756-k k is the number of protocols that IP1 used to send packets, and K23 757-k is the number of protocols that IP1 used to receive packets Represent. When IP2 is specified, it represents the number of types when the communication partner of IP1 is specified as IP2. Three types of processing are performed according to the determination result Write-Kind-i (i = 1 to 2 ¹³ -1) 620-i corresponding to the combination ID read from the extraction / record history accumulation table 140 (146 in FIG. 1). (Step 1601).

  When the judgment result Write-Kind-i 620-i is overwritten (step 1604), after performing the subtraction processing (step 1605) of the number of packet types, the integration processing (step 1606) of the number of packet types is performed. Perform (154 in FIG. 1). If the determination result Write-Kind-i 620-i matches (step 1602), the number of packet types is integrated (step 1603) (154 in FIG. 1). If the determination result Write-Kind-i is a collision (step 1607), nothing is done. Regardless of the determination result, the communication data recording unit 124 is notified (109 in FIG. 1) that the recording of the number of types has ended (step 1608).

  Details of the subtraction processing (step 1605) of the number of packet types performed when the determination result Result Write-Kind-i 620-i is overwritten are shown in FIGS.

First, from the extraction / record history accumulation table 140, communication data Old-Data-i (i = 1 to 2 ¹³ -1) 670-i of the overwritten combination corresponding to the combination ID and overwritten combination ID Overwrite-ID-i (I = 1 to 2 ¹³ -1) 630-i is read (146 in FIG. 1).

Overwrite-ID-i If the second bit of Overwrite-ID-i is 1, and the overwritten combination includes both IP1 and IP2 (step 1701), processing 1100 is performed from the overwritten combination excluding IP2 to generate an address. (Step 1702), the combination described in the generation address destination matches the overwritten combination excluding IP2, and the communication data Old-Data-i (i = 1 to 2 ¹³ -1) of the overwritten combination of K0 in 670-i If the lower 2nd bit is 1 (step 1703), integration of overwritten combination in communication data Old-Data-i (i = 1 to 2 ¹³ -1) 670-i of overwritten combination corresponding to combination ID The process 1704 of FIG. 17 is performed using the values C1 to C5 711 to 715-k. Also, processing 1100 is performed from the overwritten combination excluding IP1, and an address is generated (step 1705). The combination described in the generated address destination matches the overwritten combination excluding IP1, and communication data Old-Data- i (i = 1 to 2 ¹³ -1) When the lower first bit of K0 in 670-i is 1 (step 1706), overwritten communication data Old-Data-i (i = 1) corresponding to the combination ID ˜2 ¹³ -1) The processing 1707 of FIG. 17 is performed using the integrated values C1 to C5 711 to 715-k in 670-i. By the above processing (steps 1701 to 1707), the subtraction processing of K1 to K7 735 to 741-k is performed.

Overwrite combination ID Overwrite-ID-i When the lower 1/2 bit and lower 3/4 bit are 1 and the overwritten combination includes IP1 and Port1 (step 1801), Processing 1100 is performed from the overwritten combination to generate an address (step 1802), and the combination described in the generated address matches the overwritten combination excluding Port1, and communication data Old-Data-i (i = 1 to 2 ¹³ -1) If the lower third bit of K0 in 670-i is 1 (step 1803), overwritten communication data Old-Data-i (i = 1 to 2 ¹³ -1) corresponding to the combination ID The processing 1804 in FIG. 18 is performed using the integrated values C1 to 5711 to 715-k of the overwritten combinations in 670-i.

Overwritten combination ID Overwrite-ID-i When the lower 1/2 bit and lower 4th bit are 1 and the overwritten combination includes IP1 and Port2 (step 1901), overwritten combination excluding Port2 1100 is performed to generate an address (step 1902), the combination described in the generated address matches the overwritten combination excluding Port2, and the overwritten combination communication data Old-Data-i (i = 1 to 2 ¹³⁾ -1) When the lower 4th bit of K0 in 670-i is 1 (step 1903), overwritten communication data Old-Data-i (i = 1 to 2 ¹³ -1) 670- corresponding to the combination ID The processing 1904 of FIG. 19 is performed using the integrated values C1 to C5 711 to 715-k of the overwritten combinations in i. By the above processing (steps 1801 to 1804 and steps 1901 to 1904), the subtraction processing of K8 to K14 742 to 748-k is performed.

Overwritten combination ID Overwrite-ID-i If the lower 1/2 bit and the lower 5th bit are 1, and the overwritten combination includes IP1 and Flag (step 2001), processing from overwritten combination excluding Flag 1100 To generate an address (step 2002), the combination described in the generation address matches the overwritten combination excluding Flag, and communication data Old-Data-i (i = 1 to 2 ¹³ -1) of the overwritten combination When the lower fifth bit of K0 in 670-i is 1 (step 2003), overwritten communication data Old-Data-i (i = 1 to 2 ¹³ -1) corresponding to the combination ID in 670-i Processing 2004 in FIG. 20 is performed using the integrated values C1 to C5 711 to 715-k. By the above processing (steps 2001 to 2004), the subtraction processing of K15 to 17 749 to 751-k is performed.

Overwritten combination ID Overwrite-ID-i If the lower 1/2 bit and the lower 7th bit are 1, and the overwritten combination includes IP1 and Proto (step 2101), processing from overwritten combination excluding Proto 1100 To generate an address (step 2102), the combination described in the generated address matches the overwritten combination excluding Proto, and the overwritten combination communication data Old-Data-i (i = 1 to 2 ¹³ -1) If the lower 7th bit of K0 in 670-i is 1 (step 2103), integrated value C1 in overwritten communication data Old-Data-i (i = 1 to 2 ¹³ -1) corresponding to the combination ID The process 2104 of FIG. 21 is performed using ~ C5 711 to 715-k. By the above processing (steps 2101 to 2104), the subtraction processing of K21 to 23755 to 757-k is performed.

Overwritten combination ID Overwrite-ID-i If the lower 1/2 bit and the lower 6th bit are 1, and the overwritten combination includes IP1 and InLine (step 2201), processing from overwritten combination excluding InLine 1100 To generate an address (step 2202), the combination described in the generation address destination matches the overwritten combination excluding InLine, and the overwritten combination communication data Old-Data-i (i = 1 to 2 ¹³ -1) When the lower 6th bit of K0 in 670-i is 1 (step 2203), integrated value C1 in overwritten communication data Old-Data-i (i = 1 to 2 ¹³ -1) corresponding to the combination ID The process 2204 of FIG. 22 is implemented using ~ C5. By the above processing (steps 2201 to 2204), the subtraction processing of K18 to 20752 to 754-k is performed.

  Thus, the packet type number subtraction process 1605 is completed, and then the packet type number accumulation process 1606 is performed. Details of the process of integrating the number of packet types (step 1606) performed when the determination result is “Overwrite” are shown in FIGS. It should be noted that in these drawings and the subsequent text describing the processing shown in these drawings, the combination represents a combination that has been aligned by the processing 1000.

When the combination of overwriting judgment includes IP1 and IP2 (step 2301), the judgment result Write-Kind-i (i = 1 to 2) of the combination excluding IP2 from the overwriting judgment combination from the extraction / record history accumulation table 140 ¹³ -1) Reads 620-i and determines the combination judgment result except IP2 Write-Kind-i (i = 1 to 2 ¹³ -1) If 620-i matches or is overwritten (step 2302), IP2 The processing 1100 is performed from the combination excluding the address to generate an address (step 2303), and the integration type ICnt-Kind1-i 640-i and the integration type IICnt-Kind2- Perform processing 2304 in Fig. 23 using i 650-i and accumulate the number of types of combinations K1 to K7 735 to 741-k (k = 1 to M) recorded in the generated address, excluding IP2 Perform the process. Also, from the extraction / record history accumulation table 140, the combination judgment result 620-i (i = 1 to 2 ¹³ -1) excluding IP1 from the overwriting judgment combination is read, and the judgment result Write- Kind-i (i = 1 to 2 ¹³ -1) If 620-i matches or is overwritten (step 2305), processing 1100 is performed from the combination except IP1 to generate an address (step 2306) and extraction / The processing 2307 of FIG. 23 was generated using the integrated type ICnt-Kind1-i 640-i and the integrated type IICnt-Kind2-i 650-i of the combination of overwriting judgment in the record history accumulation table 140. The number of types of combinations K1 to K7 735 to 741-k (k = 1 to M) recorded in the address, excluding IP1, is integrated.

When the overwrite determination combination includes IP1 and Port1 (step 2401), the extraction / record history accumulation table 140 determines the combination determination result Write-Kind-i (i = 1 to 2 ¹³ -1) When 620-i is read and the judgment result Write-Kind-i 620-i of the combination excluding Port1 matches or is overwritten (step 2402), processing 1100 is performed from the combination excluding Port1. An address is generated (step 2403), and the summation type I Cnt-Kind1-i 640-i and summation type III Cnt-Kind3-i 660-i of the overwriting judgment combination in the extraction / record history accumulation table 140 are used. Then, the process 2404 of FIG. 24 is performed, and a process of accumulating the number of types of combinations K8 to K14 742 to 748-k (k = 1 to M) except for Port 1 recorded in the generated address is performed.

When the combination of overwriting judgment includes IP1 and Port2 (step 2501), the judgment result Write-Kind-i (i = 1 to from the extraction / record history accumulation table 140 excluding Port2 from the overwriting judgment combination) 2 ¹³ -1) If 620-i is read and the judgment result Write-Kind-i 620-i except Port2 matches or is overwritten (step 2502), perform processing 1100 from the combination except Port2 An address is generated (step 2503), and using the integration type ICnt-Kind1-i 640-i and the integration type III Cnt-Kind3-i 660-i of the overwriting judgment combination in the extraction / record history accumulation table 140, The processing 2504 in FIG. 25 is performed, and the processing of accumulating the number of types of combinations K8 to K14 742 to 748-k (k = 1 to M) except for Port2 recorded in the generated address is performed.

When the combination of overwriting determination includes IP1 and Flag (step 2601), the determination result of the combination obtained by removing Flag from the combination of overwriting determination from the extraction / record history accumulation table 140 Write-Kind-i (i = 1 to 2 ¹³ -1) Reading 620-i, and if the judgment result Write-Kind-i 620-i except for Flag matches or is overwritten (step 2602), processing from the combination of overwriting judgment excluding Flag 1100 is performed to generate an address (step 2603), and the integration type ICnt-Kind1-i 640-i and the integration type IICnt-Kind2-i 650-i of the combination of overwriting judgment in the extraction / record history accumulation table 140 are set. 26, the process 2604 of FIG. 26 is performed, and a process of integrating the number of types of combinations K15 to K17 749 to 751-k (k = 1 to M) recorded in the generated address, excluding Flag, is performed.

When the combination of overwriting determination includes IP1 and Proto (step 2701), from the extraction / record history accumulation table 140, the determination result Write-Kind-i (i = 1 to 2 ¹³ -1) When 620-i is read and judgment result Write-Kind-i 620-i matches or is overwritten (step 2702), processing is performed from the overwriting judgment combination excluding Proto 1100 is performed to generate an address (step 2703), and the integration type ICnt-Kind1-i 640-i and the integration type IICnt-Kind2-i 650-i of the combination of overwriting judgment in the extraction / record history accumulation table 140 are set. 27, the process 2704 of FIG. 27 is performed, and a process of accumulating the number of types of combinations K21 to K23 755 to 757-k (k = 1 to M) recorded in the generated address, excluding Proto, is performed.

If the overwriting determination combination includes IP1 and InLine (step 2801), the extraction / record history accumulation table 140 determines the combination determination result Write-Kind-i (i = 1 to 2 ¹³ -1) Reading 620-i, if the judgment result Write-Kind-i 620-i except for InLine matches or is overwritten (step 2802), processing from the combination of overwriting judgment excluding InLine 1100 is performed to generate an address (step 2803), and the integration type ICnt-Kind1-i 640-i and the integration type IICnt-Kind2-i 650-i of the combination of overwriting judgment in the extraction / record history accumulation table 140 are set. 28, the process 2804 of FIG. 28 is performed, and the process of accumulating the number of types of combinations K18 to K20 752 to 754-k (k = 1 to M) recorded in the generated address, excluding InLine, is performed.

  Thus, the subtraction processing 1605 for the number of types of packets and the integration processing 1606 for the number of types of packets that are performed when the determination result is “Overwrite” are completed. If the determination results match, only the number of packet types is integrated (step 1603). Details are shown in FIGS. It should be noted that in these drawings and the subsequent text describing the processing shown in these drawings, the combination represents an aligned combination.

If the match judgment combination includes IP1 and IP2 (step 2901), processing 1100 is performed from the match judgment combination excluding IP2 to generate an address (step 2902), and the match is obtained from the extraction / record history accumulation table 140. Read the judgment result Write-Kind-i (i = 1 to 2 ¹³ -1) 620-i of the combination obtained by excluding IP2 from the judgment combination. When the judgment result Write-Kind-i 620-i of the match judgment combination excluding IP2 is overwritten (step 2903), the integrated values C1 to C5 711 to 715-in the communication data 700-k of the match judgment combination 29, the processing 2904 in FIG. 29 is performed, and the number of types of match determination combinations K1 to K7 735 to 741-k (k = 1 to M) recorded in the generated address is calculated. Perform the process. If the result of the match judgment combination excluding IP2 is Write-Kind-i 620-i (step 2905), it is judged whether the second bit of K0 734-k of the match judgment combination is 0 or not. (Step 2906). Since the number of types is not accumulated in the case of 0, the accumulated values C1 to C5 711 to 715-k in the communication data 700-k of the match determination combination are used as shown in FIG. Processing 2907 is executed, and processing for accumulating the number of types K1 to K7 735 to 741-k (k = 1 to M) of match determination combinations excluding IP2 recorded in the generated address is performed. In the case of 1, since the number of types has already been integrated, the integration type ICnt-Kind1-i 640-i and the integration type IICnt-Kind2-i 650-i of the combination determination combination in the extraction / record history accumulation table 140 Using i, execute the processing 2908 of Fig. 29 and add the number of types of match judgment combinations excluding IP2 K2 to K7 736 to 741-k (k = 1 to M) recorded in the generated address Perform the process of accumulating.

If the match judgment combination includes IP1 and IP2 (step 3001), processing 1100 is performed from the match judgment combination excluding IP1 to generate an address (step 3002), and a match is found from the extraction / record history storage table 140. Read the judgment result Write-Kind-i (i = 1 to 2 ¹³ -1) 620-i of the combination obtained by excluding IP1 from the judgment combination. If the judgment result Write-Kind-i 620-i except for IP1 is overwritten (step 3003), the accumulated values C1 to C5 711 to 715- in the communication data 700-k of the matching judgment combination 30 is executed using k, and the number of types of match determination combinations K1 to K7 735 to 741-k (k = 1 to M), excluding IP1, recorded in the generated address is integrated Perform the process. If the judgment result Write-Kind-i 620-i except for IP1 matches (step 3005), it is judged whether the lower first bit of K0 734-k of the matching judgment combination is 0. (Step 3006). If the value is 0, the number of types is not accumulated. Therefore, using the accumulated values C1 to C5 711 to 715-k in the communication data 700-k of the match determination combination, FIG. Processing 3007 is performed, and processing for accumulating the number of types K1 to K7 735 to 741-k (k = 1 to M) of match determination combinations excluding IP1 recorded in the generated address is performed. In the case of 1, since the number of types has already been accumulated, the integration type ICnt-Kind1-i i 640-i and the integration type IICnt-Kind2-i 650 of the combination determination combination in the extraction / record history accumulation table 140 -i is used to execute the processing 3008 of FIG. 30, and the number of types of match determination combinations K2 to K7 736 to 741-k (k = 1 to M), excluding IP1, recorded in the generated address Perform additional integration.

If the match determination combination includes IP1 and Port1 (step 3101), processing 1100 is performed from the combination that excludes port1 from the matching combination to generate an address (step 3102), and the match determination is made from the extraction / record history storage table 140 The combination determination result Write-Kind-i (i = 1 to 2 ¹³ -1) 620-i obtained by removing Port1 from the combination is read. If the judgment result Write-Kind-i (i = 1 to 213-1) 620-i is overwritten (step 3103) in the match judgment combination excluding Port 1, the match judgment combination communication data 700-k Using the integrated values C1 to C5 711 to 715-k, the processing 3104 of FIG. 31 is performed, and the number of types of match determination combinations excluding Port 1 recorded in the generated address K8 to K14 742 to 748-k A process of integrating (k = 1 to M) is performed. If the judgment result of the match judgment combination excluding Port1 is a match (Step 3105), it is judged whether or not the lower third bit of K0 734-k of the combination that has undergone the match judgment is 0 (Step 3106) In the case of 0, since the number of types is not accumulated, the process 3107 of FIG. 31 is performed using the accumulated values C1 to C5 711 to 715-k in the communication data 700-k of the match determination combination, A process of accumulating K8 to K14 742 to 748-k (k = 1 to M), which is a combination of coincidence determinations excluding Port1, recorded at the generated address is performed. In the case of 1, since the number of types has already been accumulated, the integration type ICnt-Kind1-i 640-i and the integration type IIICnt-Kind3-i 660- of the combination judgment combination in the extraction / record history accumulation table 140 31 is performed using i, and the number of types of match determination combinations K9 to K14 743 to 748-k (k = 1 to M) other than Port 1 recorded in the generated address is integrated Perform the process.

If the match judgment combination includes IP1 and Port2 (step 3201), processing 1100 is performed from the match judgment combination excluding Port2 to generate an address (step 3202), and a match is found from the extraction / record history accumulation table 140. Read the judgment result Write-Kind-i (i = 1 to 2 ¹³ -1) 620-i of the combination obtained by removing Port 2 from the judgment combination. When the judgment result Write-Kind-i (i = 1 to 213-1) 620-i is overwritten (step 3203) in the communication data 700-k of the coincidence judgment combination, except for the port 2 Using the integrated values C1 to C5 711 to 715-k, the processing 3204 of FIG. 32 is performed, and the number of types of match determination combinations excluding Port 2 recorded in the generated address K8 to K14 742 to 748-k A process of integrating (k = 1 to M) is performed. When the judgment result of the combination excluding Port2 is a match (Step 3205), it is judged whether or not the lower 4th bit of K0 734-k of the combination subjected to the match judgment is 0 (Step 3206). Since the number of types has not been accumulated, the process 3207 in FIG. 32 is performed using the accumulated values C1 to C5 711 to 715-k in the communication data 700-k of the match determination combination, and the generated address The process of accumulating K8 to K14 742 to 748-k (k = 1 to M) of the match determination combinations excluding Port 2 recorded in (1) is performed. In the case of 1, since the number of types has already been accumulated, the integration type ICnt-Kind1-i 640-i and the integration type IIICnt-Kind3-i 660- of the combination judgment combination in the extraction / record history accumulation table 140 32 is executed using i, and the number of types of match determination combinations K9 to K14 743 to 748-k (k = 1 to M) excluding Port 2 recorded in the generated address is integrated Perform the process.

If the match judgment combination includes IP1 and Flag (step 3301), processing 1100 is performed from the match judgment combination excluding Flag to generate an address (step 3302), and the match is obtained from the extraction / record history accumulation table 140. A combination determination result Write-Kind-i (i = 1 to 2 ¹³ -1) 620-i obtained by removing Flag from the combination of determinations is read. If the judgment result Write-Kind-i (i = 1 to 213-1) 620-i is overwritten (step 3303), the match judgment combination excluding the flag contains the match judgment combination communication data 700-k. Using the integrated values C1 to C5 711 to 715-k, the processing 3304 of FIG. 33 is performed, and the number of types of match determination combinations excluding Flag recorded in the generated address K15 to K17 749 to 751-k A process of integrating (k = 1 to M) is performed. If the determination result of the match determination combination excluding Flag is a match (step 3305), it is determined whether the lower fifth bit of K0 734-k of the match determination combination is 0 (step 3306). In this case, since the number of types has not been integrated, processing 3307 in FIG. 33 is performed using the integrated values C1 to C5 711 to 715-k in the communication data 700-k of the match determination combination. Processing for accumulating the number of types K15 to K17 749 to 751-k (k = 1 to M) of the combinations of match determinations excluding Flag recorded in the address is performed. In the case of 1, since the number of types has already been integrated, the integration type ICnt-Kind1-i 640-i and the integration type IICnt-Kind2-i 650-i of the combination determination combination in the extraction / record history accumulation table 140 Using i, execute processing 3308 in Fig. 33, and accumulate the number of types of match determination combinations K16 to K17 750 to 751-k (k = 1 to M), excluding Flag, recorded in the generated address Perform the process.

  If the match judgment combination includes IP1 and Proto (step 3401), processing is performed from the match judgment combination excluding Proto to generate an address (step 3402), and the match is obtained from the extraction / record history accumulation table 140. The determination result Write-Kind-i (i = 1 to 213-1) 620-i of the combination obtained by removing Proto from the determination combination is read. If the judgment result Write-Kind-i (i = 1 to 213-1) 620-i is overwritten (step 3403) in the communication data 700-k of the coincidence judgment combination except Proto Using the integrated values C1 to C5 711 to 715-k, the processing 3404 in FIG. 34 is executed, and the number of types of match determination combinations excluding Proto recorded in the generated address K21 to K23 755 to 757-k A process of integrating (k = 1 to M) is performed. When the judgment result of the combination excluding Proto matches (step 3405), it is judged whether or not the lower 7th bit of K0 734-k of the match judgment combination is 0 (step 3406). Since the number is not accumulated, processing 3407 in FIG. 34 is performed using the accumulated values C1 to C5 711 to 715-k in the communication data 700-k of the match determination combination, and recorded at the generated address The process of integrating K21 to K23 755 to 757-k (k = 1 to M), which is a combination of matching determinations excluding Proto, is performed. In the case of 1, since the number of types has already been integrated, the integration type ICnt-Kind1-i 640-i and the integration type IICnt-Kind2-i 650-i of the combination determination combination in the extraction / record history accumulation table 140 34, the process 3408 of FIG. 34 is performed using i, and the process of accumulating K22 to K23 756 to 757-k (k = 1 to M) of the match determination combinations excluding Proto recorded in the generated address I do.

  If the match judgment combination includes IP1 and InLine (step 3501), processing 1100 is performed from the match judgment combination excluding InLine to generate an address (step 3502), and a match is found from the extraction / record history accumulation table 140. The determination result Write-Kind-i (i = 1 to 213-1) 620-i of the combination obtained by removing InLine from the determination combination is read. When the determination result of the match determination combination excluding InLine is overwritten (step 3503), the integrated values C1 to C5 711 to 715-k in the communication data 700-k of the match determination combination are used as shown in FIG. Processing 3504 is performed, and processing for accumulating the number of types of matching determination combinations K18 to K20 752 to 754-k (k = 1 to M) excluding InLine is performed. If the judgment result of the match judgment combination excluding InLine matches (step 3505), it is judged whether the lower 6th bit of K0 734-k of the match judgment combination is 0 (step 3506). In this case, since the number of types is not integrated, the processing 3507 in FIG. 35 is performed using the integrated values C1 to C5 711 to 715-k in the communication data 700-k of the match determination combination, and InLine is Excluding the number of types of coincidence determination combinations K18 to K20 752 to 754-k (k = 1 to M) is integrated. In the case of 1, since the number of types has already been integrated, the integration type ICnt-Kind1-i 640-i and the integration type IICnt-Kind2-i 650-i of the combination determination combination in the extraction / record history accumulation table 140 Using i, the process 3508 of FIG. 35 is performed, and the process of integrating the number of types of combination determination K19 to K20 753 to 754-k (k = 1 to M) excluding InLine is performed.

  As described above, by performing recording such as the packet type number recording process 1600, a maximum of 23 types of statistical data can be obtained from one entry at a time, making it easy to detect various types of abnormal communication.

When all the repetitions of the processing 1300 and the processing 1600 performed by the recording unit 181 are completed and the recording of all the combinations is completed, the processing performed by the detection unit 182 is started next. As with the recording unit 181, the detection unit 182 repeatedly generates a combination ID by 1 (step 3601), and alternately performs a combination determination process 3600 and a normal / abnormal determination process 3800. If the combined ID becomes 2 ^13, it is determined that the detection of all the combinations has been completed (step 3602), repeating the processing 3600 and 3800 in the detection unit 182 is completed, all the processing is terminated. If the combination ID is not 2 ¹³ performs a whether the extraction of the combination user has specified, the determination of whether the combination of the determination results is a collision (step 3603). When the value of the combination ID is i a (i = 1~2 ¹³ -1), and the set value storage table 130 of the combined ID specified data ^{ID-i (i = 1~2 13} -1), extracted / recording history storage Judgment result Write-Kind-i (i = 1 to 2 ¹³ -1) 620-i in table 140 is read (135,147 in Fig. 1). If ID-i is 0 or the judgment result is a collision, the user is not specified. Or a combination that has not been extracted, the process returns to the combination ID generation process (step 3601), generates the next combination ID (value obtained by adding 1), and repeats the same process. If ID-i is 1 and the determination result is overwritten or matched, it is determined as a combination that has been specified by the user and has been extracted, and then it is determined whether the combination is to be determined as normal / abnormal. (Step 3604). When it is determined that the combination should be determined as normal / abnormal, the combination ID is transmitted to the normal / abnormal determination unit 127 (111 in FIG. 1) (step 3605), and the combination determination process 3600 ends.

  FIG. 37 shows details of step 3604 for determining whether or not the combination is to be determined as normal / abnormal. In this figure, the combination represents an aligned combination. Only the 10 combinations shown in steps 3701 to 3710 are judged as normal / abnormal.

  In the normal / abnormal determination process 3800, for each of the 10 combinations, it is determined whether the communication is normal or abnormal (step 3801). If it is determined to be abnormal, the abnormal communication obtained at the time of determination is determined. The data and the white list are output as detection information 113 outside the abnormal communication detection unit (step 3802). After step 3802 or when it is determined as normal, the normal / abnormal determination process is transmitted to the combination determination unit 126 (112 in FIG. 1), and the normal / abnormal determination process 3800 ends ( Step 3803).

  FIG. 39 shows the types of abnormal communication included in the abnormal communication data output in step 3802. The detection results of 33 types of abnormal communication are output from 10 combinations of normal / abnormal judgments.

  40 to 72 show details of normality / abnormality determination processing 3800 for detecting 33 types of abnormal communication shown in FIG. 39 by determining normality / abnormality of 10 combinations. In these drawings and the subsequent sentences describing the processing shown in these drawings, the combination represents an aligned combination. Before entering the detection process, the communication data 700-k in the communication data storage table 150 is read based on the address ID-Address-i 610-i corresponding to the combination in the extraction / record history storage table 140 ( Figure 134 and 155).

  FIG. 40 shows processing for detecting a Syn Flag TCP Flood type DoS attack. First, it is determined whether or not the combination includes IP1, IP2, and Flag (step 4001), and whether or not Flag is Syn (step 4002). If both are satisfied, the accumulated value C2 712-k + C3 713-k or C4 714-k + C5 715-k in the communication data 700-k in the communication data storage table 150 of this combination is set to the set value storage table 130. It is determined whether or not the value divided by the aging time ATime 521 exceeds the threshold Thr1 532-1 for Syn Flag TCP Flood type DoS attack detection (step 4003). If exceeded, read the communication data 700-k from the communication data accumulation table 150 using the address generated from the combination in which Flag is changed to Ack or the like (step 4004), and (C2 + C3) / ATime> Thr1 Indicates whether the integrated value (C4 + C5) of the communication data 700-k of the combination in which Flag is changed to Ack, etc. is 0. If (C4 + C5) / ATime> Thr1, change Flag to Ack, etc. It is determined whether the integrated value (C2 + C3) of the communication data 700-k of the selected combination is 0 (step 4005). In the case of 0, this means that the terminal receiving the Syn packet has not returned a data packet such as an Ack packet to the terminal transmitting the Syn packet, and is determined to be abnormal. In this case, it is determined as a Syn Flag TCP Flood type DoS attack.

  FIG. 41 shows processing for detecting a specific Flag TCP Flood type DoS attack. First, it is determined whether or not the combination includes IP1, IP2, and Flag (step 4101). If both are satisfied, divide the total number (C2 + C3) or (C4 + C5) in communication data 700-k in communication data storage table 150 of this combination by aging time ATime 521 in setting value storage table 130. It is determined whether or not the obtained value exceeds a threshold Thr2 532-2 for detecting a specific Flag TCP Flood type DoS attack (step 4102). If exceeded, read communication data 700-k from the communication data accumulation table 150 using the address generated from the combination in which Flag is changed to Ack or the like (step 4103), and (C2 + C3) / ATime> Thr2 Indicates whether the integrated value (C4 + C5) of the communication data 700-k of the combination in which Flag is changed to Ack, etc. is 0, and if (C4 + C5) / ATime> Thr2, change Flag to Ack, etc. It is determined whether or not the integrated value (C2 + C3) of the communication data 700-k of the selected combination is 0 (step 4104). In the case of 0, this means that the terminal receiving the specific Flag packet has not returned a data packet such as an Ack packet to the terminal transmitting the specific Flag packet, and is determined to be abnormal. In this case, it is determined as a specific Flag TCP Flood type DoS attack.

  FIG. 42 shows processing for detecting a Syn Flag TCP Flood type DDoS attack. First, it is determined whether or not the combination includes IP1 and Flag (step 4201), and whether or not Flag is Syn (step 4202). When both are satisfied, the value obtained by dividing the total number (C4 + C5) in the communication data 700-k in the communication data storage table 150 of this combination by the aging time ATime 521 in the setting value storage table 130 is Whether or not the threshold Thr3 532-3 for TCP Flood DDoS attack detection is exceeded, and whether or not the number of communication partners K3 737-k that sent the Syn packet exceeds the threshold SIP-N 583 for the number of senders Determination is made (step 4203). If exceeded, the communication data 700-k is read from the communication data accumulation table 150 using the address generated from the combination in which Flag is changed to Ack or the like (step 4204), and the communication data in the combination in which Flag is changed to Ack or the like Whether or not the number of reply destinations K2 736-k of the Ack packet in 700-k exceeds the product of the number of communication partners K3 737-k that sent the Syn packet and the threshold IThr3-1 540 in the setting value accumulation table 130 Is determined (step 4205). If the number does not exceed, it means that the number of communication partners that have transmitted Syn packets is greater than the number of communication partners that have returned data packets, which is abnormal. Further, the communication data storage table is searched, a Syn packet is transmitted to the IP included in the combination, the number of communication partners to which the IP included in the combination returns an Ack packet or the like is acquired (step 4206), and the number of acquired communication partners However, it is determined whether or not the communication partner number K3 737-k that has transmitted the Syn packet is smaller than the product of the threshold value IIThr3-2 541 in the set value accumulation table 130 (step 4207). If it is small, it means that the number of communication partners that have transmitted the Syn packet is larger than the number of communication partners that have transmitted the Syn packet and returned the data packet, which is abnormal. Further, the communication data storage table is searched, and the communication partner to which the IP included in the combination returns an Ack packet or the like is acquired as a white list (step 4208). The type of abnormal communication is a Syn Flag TCP Flood DDoS attack.

  FIG. 43 shows processing for detecting a specific Flag TCP Flood type DDoS attack. First, it is determined whether or not the combination includes IP1 and Flag (step 4301). If it is satisfied, the value obtained by dividing the total number (C4 + C5) in the communication data 700-k in the communication data storage table 150 of this combination by the aging time ATime 521 in the set value storage table 130 is the specific Flag TCP Whether or not the threshold Thr4 532-4 for flood-type DDoS attack detection is exceeded, and whether or not the number of communication partners K3 737-k that sent a specific flag packet exceeds the threshold SIP-N 583 for the number of senders Determination is made (step 4302). If exceeded, the communication data 700-k is read from the communication data accumulation table 150 using the address generated from the combination in which the flag is changed to Ack or the like (step 4303), and the communication data in the combination in which the flag is changed to Ack or the like. Whether the number of reply destinations K2 736-k of the Ack packet in 700-k exceeds the product of the number of communication partners K3 737-k that sent the specific Flag packet and the threshold IThr4-1 542 in the setting value accumulation table 130 It is determined whether or not (step 4304). If the number does not exceed, it means that the number of communication partners that have transmitted TCP packets having a specific flag number is greater than the number of communication partners that have returned data packets, which is abnormal. Further, the communication data accumulation table is searched, a specific flag packet is transmitted to the IP included in the combination, the number of communication partners to which the IP included in the combination returns an Ack packet or the like is acquired (step 4305), and the acquired communication partner is acquired. It is determined whether or not the number is smaller than the product of the number of communication partners K3 737-k that has transmitted the specific Flag packet and the threshold value IIThr4-2 543 in the set value accumulation table 130 (step 4306). If it is small, it means that the number of communication partners that have sent TCP packets with a specific flag number is greater than the number of communication partners that have sent TCP packets with a specific flag number and returned data packets. is there. Further, the communication data accumulation table is searched, and the communication partner to which the IP included in the combination returns an Ack packet or the like is acquired as a white list (step 4307). The type of abnormal communication is a specific Flag TCP Flood type DDoS attack.

  FIG. 44 shows processing for detecting a random Flag TCP Flood DoS attack. First, it is determined whether or not the combination includes IP1, IP2, and Proto (step 4401), and whether or not Proto is TCP (step 4402). If it is satisfied, the value obtained by dividing the total number (C2 + C3) in the communication data 700-k in the communication data storage table 150 of this combination by the aging time ATime 521 in the set value storage table 130 is a random Flag TCP Determine whether or not the threshold number Thr5 532-5 for flood-type DoS attack detection exceeds the threshold number Flag-N 580 for the flag number and the number K16 of the flag number of the packet sent by IP1 to IP2 Or, the value obtained by dividing the total number (C4 + C5) in the communication data 700-k by the aging time ATime 521 in the setting value accumulation table 130 is a threshold value Th5 532- for detecting a random Flag TCP Flood type DoS attack. It is determined whether or not the number of flag numbers K17 of the packet that exceeds 5 and IP1 receives from IP2 exceeds the threshold Flag-N 580 for the flag number (step 4403). If exceeded, read the communication data 700-k from the communication data accumulation table 150 using the address generated from the combination in which Flag is changed to Ack or the like (step 4404), and (C2 + C3) / ATime> Thr1 Indicates whether the integrated value (C4 + C5) of the communication data 700-k of the combination in which Flag is changed to Ack, etc. is 0, and when (C4 + C5) / ATime> Thr1, change Flag to Ack, etc. It is determined whether or not the integrated value (C2 + C3) of the communication data 700-k of the selected combination is 0 (step 4405). In the case of 0, this means that the terminal receiving the random flag packet has not returned a data packet such as an Ack packet to the terminal transmitting the random flag packet, and is determined to be abnormal. In this case, it is determined as a random Flag TCP Flood type DoS attack.

  FIG. 45 shows a process for detecting an ICMP Flood DoS attack. First, it is determined whether or not the combination includes IP1, IP2, and Proto (step 4501), and whether or not Proto is ICMP (step 4502). If it is satisfied, the value obtained by dividing the total number (C2 + C3) in communication data 700-k in communication data storage table 150 of this combination by aging time ATime 521 in setting value storage table 130 is the ICMP Flood type. Determine whether or not the threshold Thr6 532-6 for DoS attack detection is exceeded, or divide the total number (C4 + C5) in the communication data 700-k by the aging time ATime 521 in the set value accumulation table 130 It is determined whether or not the value exceeds a threshold Th6 532-6 for ICMP Flood type DoS attack detection (step 4503). When it exceeds, it is determined as abnormal. In this case, it is determined as an ICMP Flood type DoS attack.

  FIG. 46 shows processing for detecting a random port overload communication between specific IPs. First, whether or not the combination includes IP1, IP2, and Proto (step 4601), whether Proto is TCP / UDP, and the use of IP1 in communication data 700-k in communication data storage table 150 of this combination It is determined whether or not the number of ports K9 exceeds the port threshold value Port_N 581 and whether or not the number of ports K10 used by IP2 exceeds the port threshold value Port_N 581 (step 4602). If exceeded, the value obtained by dividing the accumulated byte (B2 + B3) in the communication data 700-k in the communication data storage table 150 of this combination by the aging time ATime 521 in the set value storage table 130 is the specific IP. Random port overload communication detection threshold Thr7 532-7 is judged whether or not exceeded, or the accumulated byte (B4 + B5) in communication data 700-k is aged in the set value accumulation table 130 It is determined whether or not the value divided by ATime 521 exceeds the threshold Thr7 532-7 for detecting random IP overload communication between specific IPs (step 4603). When it exceeds, it is determined as abnormal. In this case, it is determined as random port overload communication between specific IPs.

  FIG. 47 shows processing for detecting specific Proto-specific overload communication between specific IPs. First, it is determined whether or not the combination includes IP1, IP2, and Proto (step 4701). If exceeded, the value obtained by dividing the accumulated byte (B2 + B3) in the communication data 700-k in the communication data storage table 150 of this combination by the aging time ATime 521 in the setting value storage table 130 is the specific IP. Determine whether or not the threshold Thr8 532-8 for overload communication detection using specific Proto is exceeded, or the accumulated bytes (B4 + B5) in the communication data 700-k are aged in the set value accumulation table 130 It is determined whether or not the value divided by the time ATime 521 exceeds a threshold value Thr8 532-8 for detecting overload communication between specific IP specific Proto (step 4702). When it exceeds, it is determined as abnormal, and when it does not exceed, it is determined as normal. If there is an error, it is determined that the specific Proto use overload communication between specific IPs.

  FIG. 48 shows processing for detecting a random Flag TCP Flood type DDoS attack. First, it is determined whether or not the combination includes IP1 and Proto (step 4801). If it satisfies, whether Proto is TCP or not, and the number of flag numbers K17 751-k of the packet received by IP1 in the communication data 700-k in the communication data accumulation table 150 is for the flag in the setting value accumulation table 130 It is determined whether or not the threshold Flag-N 580 is exceeded (step 4802). If the value is satisfied, the value obtained by dividing the total number (C4 + C5) in the communication data 700-k in the communication data storage table 150 of this combination by the aging time ATime 521 in the set value storage table 130 is a random Flag TCP Whether or not the threshold Thr9 532-9 for flood-type DDoS attack detection is exceeded, and whether or not the number of communication partners K3 737-k that sent random Flag packets exceeds the threshold SIP-N 583 for the number of senders Judgment is made (step 4803). If exceeded, read the communication data 700-k from the communication data storage table 150 using the address generated from the combination of Proto changed to Flag Ack, etc. (Step 4804), and changed Proto to Flag Ack, etc. The number of reply destinations K2 736-k of the Ack packet in the communication data 700-k in the combination is the product of the number of communication partners K3 737-k that has transmitted the random Flag packet and the threshold value IThr9-1 544 in the setting value accumulation table 130. It is determined whether or not the threshold is exceeded (step 4805). If it does not exceed, it means that the number of communication partners that have transmitted random Flag packets is greater than the number of communication partners that have returned data packets, which is abnormal. Further, the communication data storage table is searched, a TCP packet is transmitted to the IP included in the combination, the number of communication partners to which the IP included in the combination returns an Ack packet or the like is acquired (step 4806), and the number of acquired communication partners It is determined whether or not the communication partner number K3 737-k that has transmitted the TCP packet is smaller than the product of the threshold value IIThr9-2 545 in the set value accumulation table 130 (step 4807). If it is small, it means that the number of communication partners that have transmitted random Flag packets is larger than the number of communication partners that have transmitted random Flag packets and returned data packets, which is abnormal. Further, the communication data storage table is searched, and the communication partner to which the IP included in the combination returns an Ack packet or the like is acquired as a white list (step 4808). The type of abnormal communication is a random Flag TCP Flood type DDoS attack.

  FIG. 49 shows processing for detecting a random port worm attack. First, it is determined whether or not the combination includes IP1 and Proto (step 4901). If it satisfies, whether Proto is TCP / UDP, the number of source port numbers K11 745-k of the packet sent by IP1 in the communication data 700-k in the communication data accumulation table 150, and the destination port number It is determined whether the number of types K12 746-k exceeds the threshold value Port-N 581 for Port in the set value accumulation table 130 (Step 4902). If it is satisfied, the value obtained by dividing the total number (C2 + C3) in communication data 700-k in communication data storage table 150 of this combination by aging time ATime 521 in setting value storage table 130 is the random port Worm It is determined whether or not the threshold value Thr10 532-10 for attack detection is exceeded and whether or not the communication partner number K2 736-k that transmitted the packet exceeds the threshold value DIP-N 584 for the number of destinations (step 4903). In the case where the number of communication partners K3 737-k that returned the packet is larger than Proto is TCP, the number of communication partners K2 736-k that transmitted the packet and the threshold IThr10-1 546 in the set value accumulation table 130 The number of port types K13 747-k used by the communication partner for reply is the number of port types K12 746-k used for reception by the communication partner and the threshold value in the set value accumulation table 130. Judge whether the product of IIThr10-2 547 is exceeded or not, and if Proto is UDP, set the number of communication partners K3 737-k that returned the packet as the number of communication partners K2 736-k that sent the packet Whether or not the product of the threshold value IIIThr10-3 548 in the value accumulation table 130 is exceeded, the number of port types K13 747-k used by the communication partner for reply is the number of port types K12 used by the communication partner for reception K12 746 It is determined whether or not the product of -k and the threshold value IVThr10-4 549 in the set value accumulation table 130 is exceeded (step 4904). When the number does not exceed, it means that the number of communication partners that have transmitted random port number packets is larger than the number of communication partners that have returned packets, which is abnormal. Further, the communication data storage table is searched, and the communication partner that has returned a packet having the same protocol to the IP included in the combination is acquired as a white list (step 4905). The type of abnormal communication is determined as a random port Worm attack.

  FIG. 50 shows processing for detecting a random Port DDoS attack. First, it is determined whether or not the combination includes IP1 and Proto (step 5001). If it satisfies, whether Proto is TCP / UDP, the number of source port numbers K13 747-k of the packet received by IP1 in the communication data 700-k in the communication data storage table 150, and the destination port number It is determined whether the number of types K14 748-k exceeds the threshold value Port-N 581 for the Port in the set value accumulation table 130 (Step 5002). If it is satisfied, the value obtained by dividing the total number (C4 + C5) in the communication data 700-k in the communication data storage table 150 of this combination by the aging time ATime 521 in the set value storage table 130 is the random Port DDoS It is determined whether or not the threshold Thr11 532-11 for attack detection is exceeded, and whether or not the number of communication partners K3 737-k that transmitted the packet exceeds the threshold SIP-N 583 for the number of senders (step 5003). ). If the number of communication partners K2 736-k that returned the packet is larger than Proto is TCP, the number of communication partners K3 737-k that transmitted the packet and the threshold value IThr11-1 550 in the set value accumulation table 130 In the set value accumulation table 130, the number of port types K11 745-k used for replying to the communication partner is the number of port types K14 748-k used for receiving from the communication partner. It is determined whether or not the product of the threshold value IIThr11-2 551 is exceeded. If Proto is UDP, the number of communication partners K2 736-k that returned the packet is equal to the number of communication partners K3 737-k that transmitted the packet. And the threshold IIIThr11-3 552 in the set value accumulation table 130, the number of port types used for reply to the communication partner K11 747-k is the number of ports used for reception from the communication partner. It is determined whether or not the product of the number of types K14 748-k and the threshold value IVThr11-4 553 in the set value accumulation table 130 is exceeded (step 5004). If the number does not exceed, it means that the number of communication partners that have transmitted random port number packets is greater than the number of communication partners that have returned packets, which is abnormal. Further, the communication data storage table is searched, and the communication partner to which the IP included in the combination returns the same Proto packet or the like is acquired as a white list (step 5005). The type of abnormal communication is a random Port DDoS attack.

  FIG. 51 shows a process for detecting an ICMP Flood type DDoS / Worm attack. First, it is determined whether or not the combination includes IP1 and Proto (step 5101). If satisfied, it is determined whether Proto is ICMP or not, and if satisfied, the communication partner number K3 737-k from which IP1 received the packet in the communication data 700-k in the communication data accumulation table 150 is set. Whether or not the transmission source threshold SIP-N 583 in the value accumulation table 130 is exceeded, or the number of communication partners K2 736-k to which IP1 has transmitted a packet is the threshold for the destination in the setting value accumulation table 130 It is determined whether or not DIP-N 584 is exceeded (step 5102). If exceeded, the value obtained by dividing the total number (C2 + C3) in communication data 700-k in communication data storage table 150 for this combination by aging time ATime 521 in setting value storage table 130 is ICMP Flood Type DDoS / Worm attack detection threshold Thr12 532-12 exceeded, the number of communication partners K3 737-k that sent ICMP packets is the number of communication partners K2 736-k that sent ICMP packets back and set value accumulation table 130 The value obtained by dividing the product of the threshold value IThr12-1 554 in the above by the aging time ATime 521 in the set value accumulation table 130, or the cumulative number (C4 + C5) is the ICMP Flood type DDoS / Worm The number of communication partners K2 736-k that transmitted an ICMP packet that exceeded the threshold Thr12 532-12 for attack detection is the number of communication partners K3 737-k that returned the ICMP packet and the threshold IThr12 in the set value accumulation table 130 It is determined whether or not the product of −2 555 is exceeded (step 5103). The type of abnormal communication is an ICMP Flood type DDoS / Worm attack.

  FIG. 52 shows processing for detecting a specific Proto-use Worm attack. First, it is determined whether or not the combination includes IP1 and Proto (step 5201). If satisfied, it is determined whether Proto ≠ TCP and Proto ≠ UDP. If satisfied, the number of communication partners K2 736 that transmitted the packet in the communication data 700-k in the communication data accumulation table 150 of this combination It is determined whether -k exceeds the threshold number DIP-N 584 of the number of destinations (step 5202). In the case of exceeding, the value obtained by dividing the cumulative number (C2 + C3) in the communication data 700-k by the aging time ATime 521 in the set value accumulation table 130 is a threshold value Thr13 532- It is determined whether or not 13 is exceeded (step 5203). Whether or not the number of communication partners K3 737-k that sent the specific Proto packet exceeds the product of the number of communication partners K2 736-k that sent back the specific Proto packet and the threshold IThr13-1 556 in the setting value accumulation table 130 Is determined (step 5204). When the number does not exceed, it means that the number of communication partners that transmitted the specific Proto number packet is larger than the number of communication partners that have returned the specific Proto number packet, which is abnormal. Further, the communication data storage table is searched, the IP included in the combination transmits a specific Proto packet, acquires the number of communication partners that have returned the specific Proto packet (step 5205), and the acquired number of communication partners is It is determined whether or not the communication partner number K2 736-k that has transmitted the specific Proto packet is smaller than the product of the threshold value IIThr13-2 557 in the set value accumulation table 130 (step 5206). If it is smaller, it means that the number of communication partners that transmitted the specific Proto number packet is larger than the number of communication partners that transmitted the specific Proto number packet and returned the specific Proto number packet, which is abnormal. Further, the communication data accumulation table is searched, and a communication partner that has returned a specific Proto packet or the like to the IP included in the combination is acquired as a white list (step 5207). The type of abnormal communication is a specific Proto-use Worm attack.

  FIG. 53 shows processing for detecting a specific Proto-use DDoS attack. First, it is determined whether or not the combination includes IP1 and Proto (step 5301). If satisfied, determine whether Proto ≠ TCP and Proto ≠ UDP, and if satisfied, the number of communication partners K3 that have transmitted packets in the communication data 700-k in the communication data storage table 150 of this combination It is determined whether or not 737-k exceeds the threshold SIP-N 583 of the number of transmission sources (step 5302). In the case of exceeding, the value obtained by dividing the total number (C4 + C5) in the communication data 700-k by the aging time ATime 521 in the set value accumulation table 130 is the threshold Thr14 532- for detecting a specific Proto DDoS attack It is determined whether or not 14 is exceeded (step 5303). If it exceeds, the number of communication partners K2 736-k that sent back the specific Proto packet is the product of the number of communication partners K3 737-k that sent the specific Proto packet and the threshold IThr14-1 558 in the setting value accumulation table 130. It is determined whether or not it exceeds (step 5304). When the number does not exceed, it means that the number of communication partners that have transmitted the specific Proto number packet is larger than the number of communication partners that have returned the specific Proto number packet, which is abnormal. Further, the communication data accumulation table is searched, the specific Proto packet is transmitted to the IP included in the combination, the number of communication partners to which the IP included in the combination returns the packet of the specific Proto is acquired (step 5305), and the acquired communication It is determined whether the number of partners is smaller than the product of the number of communication partners K3 737-k that has transmitted the specific Proto packet and the threshold value IIThr14-2559 in the set value accumulation table 130 (step 5306). If it is small, it means that the number of communication partners that have transmitted the specific Proto number packet is larger than the number of communication partners that have transmitted the specific Proto number packet and returned the data packet, which is abnormal. Further, the communication data storage table is searched, and the communication partner to which the IP included in the combination has transmitted the specific Proto packet or the like is acquired as a white list (step 5307). The type of abnormal communication is a specific Proto-use DDoS attack.

  FIG. 54 shows processing for detecting a random port use P2P overload communication. First, it is determined whether or not the combination includes IP1 and Proto (step 5401). If yes, determine whether Proto is TCP / UDP or not, if yes, set IP3 in communication data 700-k in communication data storage table 150 and the number of communication partners K3 737-k that received the packet Whether or not the transmission source threshold SIP-N 583 in the value storage table 130 is exceeded, and the number of communication partners K2 736-k that transmitted the packet is set to the destination threshold DIP-N 584 in the setting storage table 130. It is determined whether or not the number is exceeded (step 5402). If exceeded, the value obtained by dividing the accumulated byte B1 721-k in the communication data 700-k in the communication data storage table 150 of this combination by the aging time ATime 521 in the set value storage table 130 is the random port usage. It is determined whether or not the threshold value Thr15 532-15 for detecting P2P overload communication is exceeded (step 5403). If it exceeds, the ratio between the number of port types K10 744-k used by the IP1 communication partner in this combination of communication data 700-k and the number of port types K9 743-k used by IP1 is the set value accumulation table 130. It is determined whether or not it is between the minimum port self-others ratio Min-Port-N-Ratio 593 and the maximum port self-others ratio Max-Port-N-Ratio (step 5404). If it is in between, random port use P2P overload communication.

  FIG. 55 shows processing for detecting a random port-using client overload communication. First, it is determined whether or not the combination includes IP1 and Proto (step 5501). If yes, determine whether Proto is TCP / UDP or not, if yes, set IP3 in communication data 700-k in communication data storage table 150 and the number of communication partners K3 737-k that received the packet Whether or not the transmission source threshold SIP-N 583 in the value storage table 130 is exceeded, and the number of communication partners K2 736-k that transmitted the packet is set to the destination threshold DIP-N 584 in the setting storage table 130. It is determined whether or not it exceeds (step 5502). If exceeded, the value obtained by dividing the accumulated byte B1 721-k in the communication data 700-k in the communication data storage table 150 of this combination by the aging time ATime 521 in the set value storage table 130 is the random port usage. It is determined whether or not the threshold value Thr16 532-16 for detecting client overload communication is exceeded (step 5503). If it exceeds, the ratio between the number of port types K10 744-k used by the IP1 communication partner in this combination of communication data 700-k and the number of port types K9 743-k used by IP1 is the set value accumulation table 130. It is determined whether or not it is smaller than the minimum port self-others ratio Min-Port-N-Ratio 593 (step 5504). If it is small, random port use client overload communication.

  FIG. 56 shows a process for detecting a random port use server overload communication. First, it is determined whether or not the combination includes IP1 and Proto (step 5601). If yes, determine whether Proto is TCP / UDP or not, if yes, set IP3 in communication data 700-k in communication data storage table 150 and the number of communication partners K3 737-k that received the packet Whether or not the transmission source threshold SIP-N 583 in the value storage table 130 is exceeded, and the number of communication partners K2 736-k that transmitted the packet is set to the destination threshold DIP-N 584 in the setting storage table 130. It is determined whether or not the number is exceeded (step 5602). If exceeded, the value obtained by dividing the accumulated byte B1 721-k in the communication data 700-k in the communication data storage table 150 of this combination by the aging time ATime 521 in the set value storage table 130 is the random port usage. It is determined whether or not the server overload communication detection threshold Thr17 532-17 is exceeded (step 5603). If it exceeds, the ratio between the number of port types K10 744-k used by the IP1 communication partner in this combination of communication data 700-k and the number of port types K9 743-k used by IP1 is the set value accumulation table 130. It is determined whether or not it is larger than the maximum port self-other ratio Max-Port-N-Ratio (step 5604). If it is large, it becomes server overload communication using random port. If none of steps 5602 to 5604 is satisfied, it is determined as normal.

  FIG. 57 shows processing for detecting specific Proto use specific IP overload communication. First, it is determined whether or not the combination includes IP1 and Proto (step 5701). If the condition is satisfied, the number of communication partners K3 737-k in which IP1 in communication data 700-k in communication data accumulation table 150 has received a packet exceeds the threshold SIP-N 583 for the transmission source in setting value accumulation table 130 It is determined whether or not the communication partner number K2 736-k that transmitted the packet exceeds the threshold value DIP-N 584 for the destination in the set value accumulation table 130 (step 5702). If exceeded, the value obtained by dividing the accumulated byte B1 721-k in the communication data 700-k in the communication data storage table 150 of this combination by the aging time ATime 521 in the set value storage table 130 is used for the specific Proto It is determined whether or not the threshold value Thr18 532-18 for detecting a specific IP overload communication is exceeded (step 5703). If it exceeds, it is determined as abnormal, and the type of abnormal communication is specific Proto use specific IP overload communication. If any of Steps 5702 to 5703 is not satisfied, it is determined as normal.

  FIG. 58 shows a process of detecting overload communication between specific ports between specific IPs. First, it is determined whether or not the combination includes IP1, IP2, Proto, Port1, and Port2 (step 5801). If satisfied, IP1 in the communication data 700-k in the communication data accumulation table 150 is the accumulated byte B2 722-k of the packet transmitted with Port1 as the source port, or the accumulated byte B3 of the packet transmitted with Port1 as the destination port Aging time ATime in the set value accumulation table 130, 723-k, or accumulated byte B4 724-k of the packet received with Port1 as the source port, or accumulated byte B5 725-k of the packet received with Port1 as the destination port It is determined whether or not the value divided by 521 exceeds the threshold Thr19 532-19 for detecting overload communication between specific ports between specific IPs (step 5802). When it exceeds, it is determined as abnormal, and the type of abnormal communication is overload communication between specific ports between specific IPs. If step 5802 is not satisfied, it is determined as normal.

  FIG. 59 shows processing for detecting overload communication using a specific port between specific IPs. First, it is determined whether or not the combination includes IP1, IP2, Proto, and Port1 (step 5901). If satisfied, IP1 in the communication data 700-k in the communication data accumulation table 150 is the accumulated byte B2 722-k of the packet transmitted with Port1 as the source port, or the accumulated byte B3 of the packet transmitted with Port1 as the destination port Aging time ATime in the set value accumulation table 130, 723-k, or accumulated byte B4 724-k of the packet received with Port1 as the source port, or accumulated byte B5 725-k of the packet received with Port1 as the destination port It is determined whether the value divided by 521 exceeds the threshold Thr20 532-20 for the overload communication detection using the specific IP inter-specific port, and if so, for each, the destination port of the IP1 transmission packet Type K12 746-k, IP1 source packet source port type K11 745-k, IP1 received packet destination port type K14 748-k, IP1 received packet source port type K13 747-k , Setting value accumulation Exceeds the threshold Port-N 581 for ports Buru 130 it is determined whether the (step 5902). If it exceeds, it is determined as abnormal, and the type of abnormal communication is overload communication using specific ports between specific IPs. If step 5902 is not satisfied, it is determined as normal.

  FIG. 60 shows processing for detecting a specific port-source Worm attack. First, it is determined whether or not the combination includes IP1, Proto, and Port1 (step 6001). If it satisfies, it is determined whether Proto = TCP / UDP, and if satisfied, the communication partner that sent the packet using Port1 in communication data 700-k in the communication data storage table 150 of this combination as the port source It is determined whether or not the number K4 738-k exceeds the destination number threshold DIP-N 584 (step 6002). In the case of exceeding, the value obtained by dividing the cumulative number C2 712-k in the communication data 700-k by the aging time ATime 521 in the setting value accumulation table 130 is the threshold Thr21 532-21 for detecting the specific port source Worm attack It is determined whether or not the threshold is exceeded (step 6003). When Proto is TCP, the number of communication partners K7 741-k that IP1 has transmitted using Port1 as the destination port is the number of communication partners K4 738-k that has transmitted Port1 as the source port and the set value accumulation table 130 If Proto is UDP, the number of communication partners K7 741-k that sent IP1 with Port1 as the destination port is Port1 as the source port. It is determined whether or not the product of the number of communication partners K4 738-k and the threshold value IIIThr21-3 562 in the set value accumulation table 130 is exceeded (step 6004). When the number does not exceed, it means that the number of communication partners that transmitted the specific port number original packet is larger than the number of communication partners that have returned the packet addressed to the specific port number, which is abnormal. Further, the communication data accumulation table is searched, and the IP included in the combination transmits a packet with Port1 as the source port, and acquires the number of communication partners that have returned with Port1 as the destination port (step 6005). If Proto is TCP, whether the acquired number of communication partners exceeds the product of the number of communication partners K4 738-k that transmitted Port1 as the source port and the threshold value IIThr21-2 561 in the setting value accumulation table 130 If Proto is UDP, the acquired number of communication partners is the product of the number of communication partners K4 738-k that transmitted Port1 as the source port and the threshold value IVThr21-4 563 in the setting value accumulation table 130. It is determined whether or not the value exceeds (step 6006). If it is small, it means that the number of communication partners that sent a specific port number source packet is larger than the number of communication partners that sent a specific port number source packet and returned a packet addressed to a specific port number. . Further, the communication data storage table is searched, and a communication partner that has returned a packet with Port 1 as the destination port to the IP included in the combination is acquired as a white list (step 6007). The type of abnormal communication is a specific port former Worm attack.

  FIG. 61 shows processing for detecting a Worm attack addressed to a specific port. First, it is determined whether or not the combination includes IP1, Proto, and Port1 (step 6101). If satisfied, determine whether Proto = TCP / UDP, and if satisfied, the communication partner that sent the packet with Port1 in communication data 700-k in communication data accumulation table 150 of this combination as the destination port It is determined whether or not the number K5 739-k exceeds the destination number threshold DIP-N 584 (step 6102). If it exceeds, the value obtained by dividing the cumulative number C3 713-k in the communication data 700-k by the aging time ATime 521 in the setting value accumulation table 130 is the threshold Thr22 532-22 for detecting the Worm attack addressed to the specific port. It is determined whether or not the value exceeds (step 6103). When Proto is TCP, the number of communication partners K6 740-k that sent Port1 to IP1 as the source port is K6 740-k, and the number of communication partners K1 7 that sent IP1 with Port1 as the destination port is the set value accumulation table. It is determined whether or not the product of the threshold IThr22-1 564 within 130 is exceeded, and if Proto is UDP, the number of communication partners K6 740-k that sent Port1 as the source port to IP1 is IP1 It is determined whether or not the product of the number of communication partners K5 739-k that transmitted Port1 as the destination port exceeds the threshold value IIIThr22-3 566 in the set value accumulation table 130 (step 6104). When the number does not exceed, it means that the number of communication partners that have transmitted a packet destined for the specific port number is larger than the number of communication partners that have returned the specific port number source packet, which is abnormal. Further, the communication data storage table is searched, and the IP included in the combination transmits a packet with Port1 as the destination port, and acquires the number of communication partners that have returned with Port1 as the source port (step 6105). If Proto is TCP, whether the acquired number of communication partners exceeds the product of the number of communication partners K5 739-k that sent Port1 as the destination port and the threshold value IIThr22-2 565 in the setting value accumulation table 130 If Proto is UDP, the acquired number of communication partners exceeds the product of the number of communication partners K5 739-k that sent Port1 as the destination port and the threshold value IVThr22-4 567 in the setting value accumulation table 130. It is determined whether or not to perform (step 6106). If it is smaller, it means that the number of communication partners that have transmitted packets addressed to a specific port number is greater than the number of communication partners that have returned a specific port number source packet, which is abnormal. Further, the communication data accumulation table is searched, and a communication partner that has returned a packet with Port1 as the transmission source port to the IP included in the combination is acquired as a white list (step 6107). The type of abnormal communication is a Worm attack addressed to a specific port.

  FIG. 62 shows a process for detecting a specific Port source DDoS attack. First, it is determined whether or not the combination includes IP1, Proto, and Port1 (step 6201). If it is included, it is determined whether Proto = TCP / UDP. If it is satisfied, a packet is transmitted using the port included in this combination as the source port in the communication data 700-k in the communication data accumulation table 150. It is determined whether or not the communication partner number K6 740-k has exceeded the transmission source number threshold SIP-N 583 (step 6202). In the case of exceeding, the value obtained by dividing the cumulative number C4 in the communication data 700-k by the aging time ATime 521 in the setting value accumulation table 130 exceeds the threshold Thr23 532-23 for detecting a specific Port source DDoS attack. It is determined whether or not (step 6203). When Proto is TCP, the number K5 739-k of the communication partner that sent the packet with IP1 as the destination port of IP1 is K6 740-k, the number of the communication partner that sent the packet with Port1 as the source port. It is determined whether or not the product of the threshold value IThr23-1 568 in the accumulation table 130 is exceeded, and if Proto is UDP, the number of communication partners K5 739-k that sent IP1 with Port1 as the destination port is It is determined whether or not the product of the number of communication partners K6 740-k that has transmitted a packet as a transmission source port and the threshold value IIIThr23-570 in the setting value accumulation table 130 is exceeded (step 6204). If the number does not exceed, it means that the number of communication partners that have transmitted specific port number original packets is greater than the number of communication partners that have returned packets addressed to a specific port number, which is abnormal. Further, the communication data accumulation table is searched, a packet is transmitted to the IP included in this combination with Port as the source port, and the number of communication partners to which the IP included in this combination returns with Port as the destination port is acquired (step 6205). If Proto is TCP, does the acquired number of communication partners exceed the product of the number of communication partners K6 740-k that sent Port as the source port and the threshold value IIThr23-2 569 in the setting value accumulation table 130? If Proto is UDP, the acquired number of communication partners is the number of communication partners K6 740-k that has transmitted Port as the transmission source port and the threshold value IVThr23-4 571 in the set value accumulation table 130. It is determined whether or not the product of is exceeded (step 6206). If it is small, it means that the number of communication partners that have transmitted specific port number source packets is greater than the number of communication partners that have transmitted specific port number source packets and returned packets addressed to specific port numbers. . Further, the communication data storage table is searched, and the communication partner to which the IP included in the combination returns a packet with Port as the destination port is acquired as a white list (step 6207). The type of abnormal communication is a specific port source DDoS attack.

  FIG. 63 shows processing for detecting a DDoS attack addressed to a specific port. First, it is determined whether or not the combination includes IP1, Proto, and Port1 (step 6301). If it is included, it is determined whether Proto = TCP / UDP, and if it is satisfied, a packet is transmitted with the port included in this combination as the destination port in the communication data 700-k in the communication data accumulation table 150. It is determined whether or not the communication partner number K7 741-k exceeds the transmission source number threshold SIP-N 583 (step 6302). If exceeded, the value obtained by dividing the cumulative number C5 in the communication data 700-k by the aging time ATime 521 in the set value accumulation table 130 exceeds the threshold Thr24 532-24 for detecting DDoS attacks for specific ports. It is determined whether or not (step 6303). When Proto is TCP, the number of communication partners K4 738-k that sent packets with IP Port as the source port is K7 741-k, the number of communication partners that sent packets with Port as the destination port. It is determined whether or not the product of the threshold value IThr24-1 572 in the accumulation table 130 is exceeded, and if Proto is UDP, the number of communication partners K4 738-k that has transmitted packets with Port as the source port is IP Then, it is determined whether or not the product of the number of communication partners K7 741-k that has transmitted packets with Port as the destination port exceeds the threshold value IIIThr24-3 574 in the set value accumulation table 130 (step 6304). If the number does not exceed, it means that the number of communication partners that have transmitted packets addressed to a specific port number is greater than the number of communication partners that have returned specific port number source packets, which is abnormal. Further, the communication data accumulation table is searched, a packet is transmitted to the IP included in this combination with Port as the destination port, and the number of communication partners to which the IP included in this combination returns with Port as the source port is acquired (step 6305). If Proto is TCP, whether the acquired number of communication partners exceeds the product of the number of communication partners K7 741-k that sent Port as the destination port and the threshold value IIThr24-2 573 in the set value accumulation table 130 If Proto is UDP, the acquired number of communication partners is the product of the number of communication partners K7 741-k that has transmitted Port as the destination port and the threshold value IVThr24-4 575 in the set value accumulation table 130. It is determined whether or not the value exceeds (step 6306). If the number does not exceed, it means that the number of communication partners that have sent packets destined for a specific port number is greater than the number of communication partners that have sent packets destined for a specific port number and returned specific port number original packets. is there. Further, the communication data accumulation table is searched, and the communication partner to which the IP included in this combination has returned a packet with Port as the transmission source port is acquired as a white list (step 6307). The type of abnormal communication is a DDoS attack for a specific port.

  FIG. 64 shows processing for detecting P2P overload communication using a specific port. First, it is determined whether or not the combination includes IP1, Proto, and Port1 (step 6401). If it is included, it is determined whether Proto = TCP / UDP. If it is satisfied, the port included in this combination is set as the destination port or the source port in the communication data 700-k in the communication data accumulation table 150. Number of communication partners K2 736-k that transmitted packets exceeds the threshold DIP-N 584 for the number of destinations, or the number of communication partners K3 that transmitted packets using the port included in this combination as the destination port or source port It is determined whether or not 737-k exceeds the threshold SIP-N 583 of the number of transmission sources (step 6402). If both exceed, the accumulated byte B1 721-k in the communication data 700-k is It is determined whether or not the value divided by the aging time ATime 521 in the set value accumulation table 130 exceeds the threshold Thr25 532-25 for P2P overload communication detection for the specific port (step 6403). If exceeded, the sum of the accumulated byte B2 of the packet sent by IP using Port as the source port and the accumulated byte B5 of the packet received as the destination port and the packet sent by IP using Port as the destination port The ratio between the accumulated byte B3 and the sum of accumulated bytes B4 of packets received as the source port is the maximum bandwidth ratio threshold Max-B-Ratio 590 and the minimum bandwidth ratio threshold Min-B- in the set value accumulation table 130. It is determined whether the ratio is between 591 (step 6404). When it is satisfied, it is determined as abnormal, and the type of abnormal communication is P2P overload communication using a specific port.

  FIG. 65 shows processing for detecting client overload communication using a specific port. First, it is determined whether or not the combination includes IP1, Proto, and Port1 (step 6501). If it is included, it is determined whether Proto = TCP / UDP. If it is satisfied, the port included in this combination is set as the destination port or the source port in the communication data 700-k in the communication data accumulation table 150. Number of communication partners K2 736-k that sent packets exceeds whether or not the threshold DIP-N 584 for the number of destinations, and the number of communication partners K3 that sent packets with the port included in this combination as the destination port or source port Judge whether or not 737-k exceeds the threshold SIP-N 583 of the number of senders (step 6502). If both exceed, set the accumulated byte B1 721-k in the communication data 700-k It is determined whether or not the value divided by the aging time ATime 521 in the value accumulation table 130 exceeds the threshold Thr26 532-26 for detecting a specific port use client overload communication (step 6503). If exceeded, the sum of the accumulated byte B2 of the packet sent by IP using Port as the source port and the accumulated byte B5 of the packet received as the destination port and the packet sent by IP using Port as the destination port Whether or not the ratio of the accumulated byte B3 and the sum of accumulated bytes B4 724-k of the packet received as the source port is smaller than the minimum bandwidth ratio threshold Min-B-Ratio 591 in the set value accumulation table 130 Is determined (step 6504). When it is satisfied, it is determined as abnormal, and the type of abnormal communication is client overload communication using a specific port.

  FIG. 66 shows a process for detecting a server overload communication using a specific port. First, it is determined whether or not the combination includes IP1, Proto, and Port1 (step 6601). If it is included, it is determined whether Proto = TCP / UDP. If it is satisfied, the port included in this combination is set as the destination port or the source port in the communication data 700-k in the communication data accumulation table 150. Number of communication partners K2 736-k that sent packets exceeds whether or not the threshold DIP-N 584 for the number of destinations, and the number of communication partners K3 that sent packets with the port included in this combination as the destination port or source port Judge whether or not 737-k exceeds the threshold SIP-N 583 of the number of senders (step 6602), and if both exceed, set accumulated byte B1 721-k in communication data 700-k It is determined whether or not the value divided by the aging time ATime 521 in the value accumulation table 130 exceeds the threshold Thr27 532-27 for detecting overload communication with a specific port server (step 6603). If so, the sum of the accumulated byte B2 722-k of the packet sent by IP with Port as the source port and the accumulated byte B5 725-k of the packet received as the destination port, and the IP destined for the Port The ratio of the cumulative byte B3 723-k of the packet transmitted as the port and the sum of the cumulative byte B4 724-k of the packet received as the source port is the maximum bandwidth ratio threshold Max-B in the set value accumulation table 130 It is determined whether or not it is greater than -Ratio 590 (step 6604). If it is satisfied, it is determined as abnormal, and the type of abnormal communication is Server overload communication using a specific port.

  FIG. 67 shows processing for detecting random Proto overload communication between specific IPs. First, it is determined whether or not the combination includes IP1 and IP2 (step 6701). If included, the value obtained by dividing the accumulated bytes B2 + B3 by the aging time ATime 521 in the set value accumulation table 130 in the communication data 700-k in the communication data accumulation table 150 is the random Proto overload between specific IPs. Whether the number of Proto types K19 753-k used by the packet sent by IP1 to IP2 exceeds the threshold Proto-N 582 for the number of protocol types, exceeding the threshold Thr28 532-28 for communication detection Or the value obtained by dividing the accumulated byte B4 + B5 by the aging time ATime 521 in the set value accumulation table 130 exceeds the threshold Thr28 532-28 for detecting random Proto overload communication between specific IPs, Further, it is determined whether or not the Proto type number K20 754-k used by the packet transmitted by IP2 to IP1 exceeds the threshold Proto-N 582 for the number of protocol types (step 6702). It is judged as abnormal, and the type of abnormal communication is random Proto overload communication between specific IPs. To become.

  FIG. 68 shows a process for detecting a random Proto-based Worm attack. First, it is determined whether or not the combination includes IP1 (step 6801). If included, in the communication data 700-k in the communication data accumulation table 150, the number of Proto types K22 756-k used by the packet transmitted by IP1 exceeds the threshold Proto-N 582 for the number of protocol types (Step 6802), and if it exceeds, the value obtained by dividing the cumulative number C2 + C3 by the aging time ATime 521 in the set value accumulation table 130 is a threshold Thr29 for detecting a random Proto-use Worm attack It is determined whether or not the number of communication partners K2 736-k that has exceeded 532-29 and IP1 has transmitted a packet exceeds the threshold DIP-N 584 for the number of destinations (step 6803). If the communication partner number K3 737-k from which IP1 received the packet exceeds the product of the communication partner number K2 736-k from which IP1 sent the packet and the threshold value IThr29-1 576 in the set value accumulation table 130 Judgment is made (step 6804), and if it does not exceed, the packet received by IP1 is used Determine whether the number of Proto types K23 757-k exceeds the product of the number of Proto types K22 756-k used by the packet transmitted by IP1 and the threshold value IIThr29-2 577 in the set value accumulation table 130 (Step 6805) If not exceeded, the communication data storage table 150 is searched, and the communication partner that has returned the packet to the IP is acquired as a white list (Step 6806). The type of abnormal communication is a random Proto-use Worm attack.

  FIG. 69 shows a process for detecting a random Proto-use DDoS attack. First, it is determined whether or not the combination includes IP1 (step 6901). If included, in the communication data 700-k in the communication data accumulation table 150, the number of Proto types K23 757-k used by the packet received by IP1 exceeds the threshold Proto-N 582 for the number of protocol types (Step 6902), and if it exceeds, the value obtained by dividing the total number (C4 + C5) by the aging time ATime 521 in the set value accumulation table 130 is used for detecting a random Doto attack using Proto It is determined whether or not the communication partner number K3 737-k that has exceeded the threshold Thr30 532-30 and IP1 has received a packet exceeds the threshold SIP-N 583 of the number of transmission sources (step 6903). If both are exceeded, the number of communication partners K2 736-k to which IP1 has transmitted the packet is the product of the number of communication partners K3 737-k to which IP1 has received the packet and the threshold IThr30-1 578 in the set value accumulation table 130. It is determined whether or not it exceeds (Step 6904). If not, the number of Proto types K22 756-k used by the packet transmitted by IP1 is the number of Proto types K23 used by the packet received by IP1. It is determined whether or not the product of 757-k and the threshold value IIThr30-2 579 in the set value accumulation table 130 is exceeded (step 6905). If not, the communication data storage table 150 is searched, and the communication partner to which the IP has returned the packet is acquired as a white list (step 6906). The type of anomalous communication is a random Proto-use DDoS attack.

  FIG. 70 shows processing for detecting a specific IP source attack using random InLine. First, it is determined whether or not the combination includes IP1 (step 7001). If included, in the communication data 700-k in the communication data storage table 150, the number of input lines K19 753-k of the packet having IP1 as the transmission source is used for determining the number of input lines in the set value storage table 130. It is determined whether or not the threshold value InLine-N 585 is exceeded (step 7002). If exceeded, whether the cumulative number C2 712-k divided by the aging time ATime 521 in the set value accumulation table 130 exceeds the threshold Thr31 532-31 for detecting a specific IP source attack using random InLine Is determined (step 7003). When exceeding, it determines with it being abnormal. The type of abnormal communication is a random InLine specific IP source attack.

  FIG. 71 shows a process for detecting a random Proto use specific IP overload communication. First, it is determined whether or not the combination includes IP1 (step 7101). If it is included, in the communication data 700-k in the communication data accumulation table 150, the protocol type number K21 755-k of the packet transmitted / received by the IP is the threshold value Proto- It is determined whether or not N 582 is exceeded (step 7102). If exceeded, whether the value obtained by dividing the accumulated byte B1 721-k by the aging time ATime 521 in the set value accumulation table 130 exceeds the threshold Thr32 532-32 for detecting a specific IP overload communication using random Proto It is determined whether or not (step 7103). If the number exceeds the number of destinations in the set value accumulation table 130, the number of communication partners K2 736-k to which the IP transmitted the packet and the number of communication partners K3-737-k that received the packet in the communication data 700-k It is determined whether or not the threshold value DIP-N 584 and the transmission source number threshold value SIP-N 583 are exceeded (step 7104). When exceeding, it determines with it being abnormal. The type of abnormal communication is random Proto use specific IP overload communication.

  FIG. 72 shows processing for detecting a specific InLine use specific IP transmission / reception attack. First, it is determined whether or not the combination includes IP1 and InLine (step 7201). If it is included, both the cumulative numbers C2 712-k and C4 714-k use the specific InLine to check whether the packet with the same IP as the source and the packet with the destination are simultaneously input to the specific InLine. It is determined whether or not the threshold value Thr33 532-33 for detecting a specific IP transmission / reception attack is larger (step 7202). When both are large, it is determined as abnormal, and the type of abnormal communication is a specific IP transmission attack using specific InLine.

  As described above, by performing the normal / abnormal determination process 3801 described in the description of FIGS. 40 to 72, it is possible to detect many types of abnormal communication even when sampled communication data is used. Therefore, the number of packet data to be extracted and recorded can be reduced, and it becomes easy to detect various types of abnormal communication on a high-speed line.

  The setting unit 171 can change all values in the setting value accumulation table 130 by receiving a command 160 from the external terminal 170 (161 in FIG. 1). For example, when the command “ID-1 = 1” is received from the terminal 170, the value of ID-1 510-1 is changed to 1. To change two or more values, send the command “ID-1 = 1, Thr3 = 56” from the terminal 170 to set the values of ID-1 510-1 and Thr3 532-3 to 1,56, respectively. Can be changed. For abnormal communication that does not require detection, the value of the corresponding Thr1 to 33 532-1 to 33 may be set to infinity by sending a command from the external terminal 170. Thereby, it is possible to limit the types of abnormal communication to be detected. For example, detection of a Syn Flag TCP Flood type DoS attack can be prohibited by a command “ID-1 = ∞”.

  Further, the setting unit 171 can receive a command 160 from the external terminal 170, acquire (156 in FIG. 1) and arrange the data in the communication data accumulation table 150, and return the data to the terminal 170. For example, when a command “getvalue 128 C1” is received from the terminal 170, the upper 128 entries having a large C1 are extracted from the communication data storage table 150 and the aligned data is returned to the terminal 170. In C1, specify C1-5 711-715-k, B1-5 721-725-k, Cnf 731-k, K0-K23 734-757-k, etc. It is also possible to change to an alignment method based on.

  A method for overwriting extraction of communication data based on the number of accumulated packets and the old and new by processing 900 to 1200 of the extraction unit 180 described above, processing 1300 and 1600 of the recording unit 181 and processing 3600 and 3800 of the detection unit 182 In addition, a method for recording the number of types of a plurality of packets as communication data and a method for detecting abnormal communication based on packet sample analysis are realized. This makes it possible to simultaneously detect various types of abnormal communication on high-speed lines that protect a large number of unspecified PCs and servers that conventional methods could not be realized due to insufficient memory capacity and CPU processing capacity. .

Abnormal communication detection and control unit. The use environment of the router which added the detection and control function of the abnormal communication of this invention application. A router to which an abnormal communication detection / control function applied to the present invention is added. An external device and a router having an abnormal communication detection / control function applied to the present invention. Format of the set value accumulation table 130. Format of extraction / record history accumulation table 140. The format of the communication data accumulation table 150. The format of the duplicated packet data 101. The flowchart of the combination extraction process 900 which the combination extraction part 120 performs. The flowchart of the combination arrangement | sequence process 1000 which the combination arrangement | sequence part 121 performs. The flowchart of the combination arrangement | sequence process 1100 which the address generation part 122 performs. The flowchart of the communication data extraction determination process 1200 which the communication data extraction determination part 123 performs. The flowchart of the communication data recording process 1300 which the communication data recording part 124 performs. Details of the packet selective integration process 1310 included in the communication data recording process 1300. Details of the recording process 1311 of the type of selection integration included in the communication data recording process 1300. The flowchart of the kind number recording process 1600 which the kind number recording part 125 performs. A part of flowchart of the subtraction processing 1605 of the number of packet types when the determination result is overwriting. A part of flowchart of the subtraction processing 1605 of the number of packet types when the determination result is overwriting. A part of flowchart of the subtraction processing 1605 of the number of packet types when the determination result is overwriting. A part of flowchart of the subtraction processing 1605 of the number of packet types when the determination result is overwriting. A part of flowchart of the subtraction processing 1605 of the number of packet types when the determination result is overwriting. A part of flowchart of the subtraction processing 1605 of the number of packet types when the determination result is overwriting. A part of flowchart of the integration processing 1606 of the number of types of packets when the determination result is overwriting. A part of flowchart of the integration processing 1606 of the number of types of packets when the determination result is overwriting. A part of flowchart of the integration processing 1606 of the number of types of packets when the determination result is overwriting. A part of flowchart of the integration processing 1606 of the number of types of packets when the determination result is overwriting. A part of flowchart of the integration processing 1606 of the number of types of packets when the determination result is overwriting. A part of flowchart of the integration processing 1606 of the number of types of packets when the determination result is overwriting. A part of flowchart of the integration processing 1603 of the number of types of packets when the determination results match. A part of flowchart of the integration processing 1603 of the number of types of packets when the determination results match. A part of flowchart of the integration processing 1603 of the number of types of packets when the determination results match. A part of flowchart of the integration processing 1603 of the number of types of packets when the determination results match. A part of flowchart of the integration processing 1603 of the number of types of packets when the determination results match. A part of flowchart of the integration processing 1603 of the number of types of packets when the determination results match. A part of flowchart of the integration processing 1603 of the number of types of packets when the determination results match. The flowchart of the combination determination process 3600 which the combination determination part 126 performs. Details of the combination determination process 3604 included in the combination determination process 3600. The flowchart of the normal / abnormal determination process 3800 performed by the normal / abnormal determination unit 127. The relationship between the combination and the type of abnormal communication that is detected and output. Syn Flag TCP Flood type DoS attack detection process flowchart. The flowchart of the detection process of specific Flag TCP Flood type DoS attack. Syn Flag TCP Flood type DDoS attack detection process flowchart. The flowchart of the detection process of specific Flag TCP Flood type DDoS attack. The flowchart of the detection process of a random Flag TCP Flood type DoS attack. The flowchart of the detection process of an ICMP Flood type DoS attack. The flowchart of the detection process of random Port overload communication between specific IPs. The flowchart of the detection process of the specific Proto use overload communication between specific IP. Random Flag TCP Flood type DDoS attack detection processing flowchart. The flowchart of the detection process of a random Port Worm attack. The flowchart of the detection process of a random Port DDoS attack. Flow chart of ICMP Flood type DDoS / Worm attack detection process. The flowchart of the detection process of the specific Proto use Worm attack. The flowchart of the detection process of DDoS attack using specific Proto. The flowchart of the detection process of random port use P2P overload communication. Flowchart of detection processing of client overload communication using random port. Flowchart of detection processing of server overload communication using random port. The flowchart of the detection process of specific IP overload communication using specific Proto. The flowchart of the detection process of the overload communication between specific ports between specific IPs. The flowchart of the detection process of overload communication using specific port between specific IP. The flowchart of the detection process of the specific Port former Worm attack. The flowchart of the detection process of the Worm attack addressed to a specific port. The flowchart of the detection process of the specific Port origin DDoS attack. The flowchart of the detection process of the DDoS attack for specific ports. The flowchart of the detection process of P2P overload communication using specific Port. Flowchart of detection processing of client overload communication using specific port. Flowchart of detection processing of server overload communication using specific port. The flowchart of the detection process of random Proto overload communication between specific IPs. Flow chart of detection process of Worm attack using random Proto. The flowchart of the detection process of the random Doto use DDoS attack. The flowchart of the detection process of a specific IP former attack using random InLine. The flowchart of the detection process of specific IP overload communication using random Proto. The flowchart of the detection process of specific IP transmission attack using specific InLine.

Explanation of symbols

210,220,230 ... telecom operator network, 240 ... enterprise network, 250,260 ... personal PC, 241 ... abnormal communication detectors such as Firewall and IDS, 242 ... corporate server, 211,212,213,214 ... edge router, 221,222,223,224 ... attack source server, 231,232,233,234 ... Attack source server, router attack such as 281 ... DDoS, excessive communication such as 282 ... P2P, firewall attack such as 283 ... DDoS.

Claims (13)

Among the received packets, the abnormal communication detection device for determining the characteristics of the packet from the cumulative number of packets having a combination of predetermined values in the field in the packet,
A packet processor that replicates a certain percentage of the received packets;
A storage area that holds the cumulative number of packets in which a hash value of a combination of predetermined values in a packet becomes a predetermined hash value, and a storage area of the hash value that should store the cumulative number of received packets are in other combinations A storage unit associated with a storage area that holds the number of collisions obtained by integrating the number of times that has already been used to hold the cumulative number of packets having
When a packet is received, a hash value is calculated based on a combination of predetermined values in the packet, and a storage area that holds the cumulative number of packets having the combination is determined based on the calculated hash value. , It is determined whether the combination of the packet corresponding to the integration number already held in the determined storage area matches the combination of the packet, and if it is determined to match, the integration of the storage area When it is determined that there is a collision without a match, it is further determined whether or not the number of collisions corresponding to the storage area exceeds a predetermined threshold, and if not, the number of collisions If the number exceeds, the accumulated number already stored in the storage area is deleted, and the accumulated number of packets including the received packet combination is overwritten. Abnormal communication apparatus for detecting a processor.
The abnormal communication detection device according to claim 1,
An abnormality in which the processor determines whether the ratio of the number of collisions and the cumulative number exceeds a predetermined threshold instead of determining whether the number of collisions exceeds a predetermined threshold Communication detector. Among the received packets, the abnormal communication detection device for determining the characteristics of the packet from the cumulative number of packets having a combination of predetermined values in the packet,
A storage area that holds the cumulative number of packets that have the same combination of predetermined values in packets that are duplicates of received packets at a fixed rate, the cumulative start time that started the cumulative number of packets, and the cumulative total that was last accumulated A storage unit having a storage area that holds the last time in association with each other;
A storage area that holds the integrated value of the number of packets is uniquely determined from the combination of the predetermined values, and when the integrated final time is updated in the determined area, a difference between the integrated final time and the integrated start time is previously determined. An abnormality including a processor that performs a process of subtracting the accumulated number of packets and the number of collisions based on the increment value of the accumulated last time when it is determined whether or not the predetermined threshold is exceeded. Communication detector. An abnormal communication detection device according to any one of claims 1 to 3,
The storage unit holds the collision start time at which the accumulation of the number of collisions was started and the last collision last time accumulated,
Whether or not the ratio of the difference between the collision final time and the collision start time and the difference between the cumulative final time and the cumulative start time exceeds a predetermined threshold when the processor determines that the collision has occurred and updates the collision final time. If it does not exceed, the process of increasing the number of collisions of the storage area is performed, and if it exceeds, the cumulative number of packets of other combinations held in the storage area is deleted. Then, an abnormal communication detection apparatus, which performs a process of overwriting and integrating the integrated number of packets of a new combination. Among the received packets, the abnormal communication detection device for determining the characteristics of the packet from the cumulative number of packets having a combination of predetermined values in the packet,
A storage area that holds the cumulative number of packets that have the same combination of predetermined values in packets that are duplicates of received packets at a certain rate, and the integration of multiple packets that match some or all of the source and destination A storage unit that associates a storage area that holds a number;
An abnormal communication detection apparatus comprising: a processor that uniquely determines a storage area that holds an integrated value of the packet by arranging a transmission source and a destination included in a combination of the predetermined values or an input source and an output destination. The abnormal communication detection device according to claim 1, 3 or 5,
The storage unit holds the number of types of packets including the same combination held in another storage area in the storage area holding the accumulated number of packets,
When the processor newly overwrites and accumulates packets containing the same combination, the number of types of the packets is accumulated, and the cumulative number of packets including the same combination is overwritten and accumulated by packets not including the same combination. In this case, the abnormal communication detection apparatus subtracts the number of types of the packets. The abnormal communication detection device according to claim 5,
An abnormal communication detection apparatus, wherein a processor determines a characteristic of the packet by using a cumulative number of a plurality of packets in which a part or all of the transmission source and the destination match. The abnormal communication detection device according to claim 6,
An abnormal communication detection apparatus, wherein a processor determines a characteristic of the packet by using one or a plurality of types of packets including the same combination. Among the received packets, the abnormal communication detection device for determining the characteristics of the packet from the cumulative number of packets having a combination of predetermined values in the packet,
A storage unit that holds, in the same area, the cumulative number of packets that have the same combination of predetermined values in packets that are duplicates of received packets at a certain rate;
Total number of packets that have both a specific address number and port number as the source, a packet that has both the destination, a packet that has the former as the source and the latter as the destination, and a packet that has the former as the destination and the latter as the source An abnormal communication detection apparatus comprising a processor that uses a number to determine characteristics of a packet having a specific address number and port number as a source or destination. Among the received packets, an abnormal communication detection device that determines the characteristics of the packet from the cumulative number of packets having a predetermined combination of values in the packet, wherein the received packet is duplicated at a certain rate A storage unit that holds the accumulated number of packets having the same combination of predetermined values in the same area;
Packets with a specific address number and port number as the source, packets with the destination as the destination, packets with the former as the source and the latter as the destination, and packets with the former as the destination and the latter as the source An abnormal communication detection apparatus comprising a processor that uses a number to determine characteristics of a packet having a specific address number and port number as a source or destination. Among the received packets, the abnormal communication detection device for determining the characteristics of the packet from the cumulative number of packets having a combination of predetermined values in the packet,
A storage unit that holds, in the same area, the cumulative number of packets that have the same combination of predetermined values in packets that are duplicates of received packets at a certain rate;
Have a specific source or destination using the number of types of packets that have a specific destination and a specific TCP flag number, and the number of types of packets that have a specific source and a specific TCP flag number An abnormal communication detection apparatus comprising a processor for determining packet characteristics. Among the received packets, the abnormal communication detection device for determining the characteristics of the packet from the cumulative number of packets having a combination of predetermined values in the packet,
A storage unit that holds, in the same area, the cumulative number of packets that have the same combination of predetermined values in packets that are duplicates of received packets at a certain rate;
A specific address number is determined using the number of types of the source port and destination port of a packet having a specific address number as the source and the number of types of the source port and destination port of a packet having the specific address number as the destination. An abnormal communication detection apparatus including a processor that determines characteristics of a packet as a transmission source or a destination. Among the received packets, the abnormal communication detection device for determining the characteristics of the packet from the cumulative number of packets having a combination of predetermined values in the packet,
A storage unit that holds, in the same area, the cumulative number of packets that have the same combination of predetermined values in packets that are duplicates of received packets at a certain rate;
The source of a packet including a specific address number as a source, or the number of types of port numbers included in the destination of a packet including the address number as a destination, and the destination of a packet including the address number as a source, or the address number An abnormal communication detection apparatus comprising a processor that determines the characteristics of a packet having a specific address number as a transmission source or destination by using the number of types of port numbers included in the transmission source of the packet including the destination.

Images