JP5287898B2 - Flow monitoring apparatus, flow monitoring method and program - Google Patents

Description

  The present invention relates to a flow monitoring apparatus, a flow monitoring method, and a program used for traffic management in a network.

  Data transmitted from one node to another on a communication network is called traffic. Here, the data is digital data such as characters, images, or sounds, for example, and the node can be a device on the network that functions as a server or a client, for example. It is important to manage this traffic in order to maintain overall network performance. The traffic management includes, for example, grasping how much data is transmitted from which node to which node.

  As one method of traffic management, traffic management in units of flows included in traffic has been proposed. Here, a flow is a set of packets having common characteristics such as a communication protocol, a transmission source, and a transmission destination. For example, in Japanese Patent Application Laid-Open No. H10-228707, among flows that flow through a link in a communication network, a relationship between a class and a flow characteristic is learned for a flow whose classification (class) is known, and a flow whose class is unknown is learned. A technique for estimating a class from a result is disclosed. By estimating the flow class, for example, it is possible to identify whether the newly detected flow is normal or abnormal.

Japanese Patent No. 4420850

  However, in recent years, as dynamic flows included in traffic have increased, it has become difficult to identify a flow class by the above-described method. The dynamic flow can occur in acquisition of a dynamic Web page using, for example, Ajax (Asynchronous JavaScript + XML) in acquisition of a Web page. In dynamic Web page acquisition, for example, a plurality of sessions are generated asynchronously to acquire differential data, and a dynamic flow can be generated by forming a separate flow for each of the plurality of sessions. . In dynamic Web page acquisition, for example, a control message for continuation of connection called “Keep-Alive” is transmitted, so that a dynamic flow is generated even when a lot of flows that do not have any particular meaning occur. Can occur. As described above, from the viewpoint of user experience, the flow is a series of flows related to acquisition of the same Web page, but in reality, a flow that is a separate flow is referred to as a dynamic flow.

  For such a dynamic flow, for example, when learning the relationship between the class of each flow and the characteristics of the flow as in the technique of Patent Document 1, the relevance of each flow is reflected in the learning result. Not. Therefore, for example, a state may occur in which dynamic flows corresponding to one user operation are classified into different classes. As a result, it becomes difficult to obtain significant information from the viewpoint of the user experience, for example, what Web page the user is browsing.

  Accordingly, the present invention has been made in view of the above problems, and an object of the present invention is to provide a new and improved flow monitoring that enables traffic management in response to a dynamic flow. To provide an apparatus, a flow monitoring method, and a program.

  In order to solve the above-described problem, according to an aspect of the present invention, for a flow passing through a link in a communication network, a transmission source IP address and port number, a transmission destination IP address and port number, and a communication protocol An acquisition unit that acquires flow information including information, and a similar one in which one of a transmission source and a transmission destination is identified as a server and the other as a client, and the server IP address and port number, the client IP address, and the communication protocol are common A flow monitoring apparatus comprising: an extraction unit that extracts a flow information group from flow information; and an identification unit that identifies a similar flow information group in which a client port number satisfies a predetermined condition as a dynamic flow information group Provided.

  According to such a configuration, it is possible to specify a dynamic flow information group included in the same dynamic flow from the flow information regarding each flow, and by treating the specified dynamic flow information group as a group of flow information. For example, information for more appropriate traffic management can be obtained.

  In the above flow monitoring apparatus, the predetermined condition may include that the port number of the client is substantially continuous for a predetermined number or more.

  In the above flow monitoring apparatus, the flow information includes communication state information, and the predetermined condition is flow information in which the communication state information indicates the end of communication in the flow information having a smaller client port number, and the client port number is larger. Then, the communication state information may include indicating that the communication is continued.

  In the above flow monitoring apparatus, the communication status information indicating the end of communication may be information indicating the normal end of communication.

  In the flow monitoring apparatus, the acquisition unit may acquire flow information in time series, and the extraction unit may extract a similar flow information group from flow information acquired at a plurality of times.

  In the flow monitoring apparatus, the identification unit may identify one or both of the start and end of the dynamic flow corresponding to the dynamic flow information group from a plurality of times.

  In the flow monitoring apparatus, the extraction unit is similar to the flow information acquired at another time when the similar flow information group extracted from the flow information acquired at one time is not identified as the dynamic flow information group. A flow information group may be extracted.

  In the flow monitoring apparatus, the extraction unit may use a condition that the server IP address belongs to a predetermined IP address group instead of the condition that the server IP address is common.

  The flow monitoring apparatus may further include a learning unit that generates learning data on the attribute features of the dynamic flow information group, and a classification unit that classifies newly acquired flow information based on the learning data. .

  In order to solve the above problem, according to another aspect of the present invention, for a flow passing through a link in a communication network, a source IP address and port number, a destination IP address and port number, and The flow information including communication protocol information is acquired, and one of the transmission source and the transmission destination is identified as a server and the other as a client. The server IP address and port number, the client IP address, and the communication protocol are common. A flow monitoring method comprising: extracting a similar flow information group from the flow information; and identifying a similar flow information group in which a client port number satisfies a predetermined condition as a dynamic flow information group. Provided.

  In order to solve the above problem, according to still another aspect of the present invention, for a flow passing through a link in a communication network, a source IP address and port number, a destination IP address and port number, A flow information including communication protocol information, one of a transmission source and a transmission destination is identified as a server, and the other as a client. The server IP address and port number, the client IP address, and the communication protocol are A process for causing a computer to execute a process of extracting a common similar flow information group from flow information and a process of identifying a similar flow information group in which a client port number satisfies a predetermined condition as a dynamic flow information group A program is provided.

  As described above, according to the present invention, it is possible to manage traffic corresponding to a dynamic flow.

It is a figure which shows arrangement | positioning of the flow monitoring apparatus which concerns on the 1st Embodiment of this invention. It is a block diagram which shows the function structure of the flow monitoring apparatus which concerns on the 1st Embodiment of this invention. It is a figure which shows an example of the flow information which concerns on the 1st Embodiment of this invention. It is a flowchart which shows operation | movement of the flow monitoring apparatus which concerns on the 1st Embodiment of this invention. It is a flowchart which shows operation | movement of the flow monitoring apparatus which concerns on the 2nd Embodiment of this invention. It is a block diagram which shows the function structure of the flow monitoring apparatus which concerns on the 3rd Embodiment of this invention.

  Exemplary embodiments of the present invention will be described below in detail with reference to the accompanying drawings. In the present specification and drawings, components having substantially the same functional configuration are denoted by the same reference numerals, and redundant description is omitted.

(First embodiment)
First, a first embodiment of the present invention will be described with reference to FIGS.

(Arrangement of flow monitoring device)
FIG. 1 is a diagram showing an arrangement of a flow monitoring apparatus 100 according to the first embodiment of the present invention. Referring to FIG. 1, in this embodiment, the flow monitoring apparatus 100 is connected to a router 20 on a link 10 of a communication network.

  The link 10 is a link in the communication network. At least a part of traffic between nodes on the network passes through the link 10. For example, link 10 may be the main link in the network through which a relatively large amount of traffic passes. As will be described later, the traffic passing through the link 10 is analyzed using the flow monitoring apparatus 100.

  The router 20 is a router provided on the link 10. The router 20 has a function of port mirroring, for example, and copies a packet passing through the link 10 and provides it to the flow monitoring apparatus 100. Instead of the router 20, an apparatus such as an optical coupler or a tap may be provided on the link 10, and a packet passing through the link 10 may be branched toward the flow monitoring apparatus 100. These devices may be included in the flow monitoring device 100. In this case, the flow monitoring device 100 may be provided on the link 10 instead of on a path branched from the link 10 as illustrated.

  The flow monitoring apparatus 100 is an apparatus that monitors a flow included in traffic passing through the link 10. As described above, a flow is a set of packets having common characteristics such as a communication protocol, a transmission source, and a transmission destination. The flow monitoring apparatus 100 identifies a dynamic flow information group corresponding to a dynamic flow among the flow information acquired by analyzing the packet provided from the router 20. For example, the flow monitoring apparatus 100 may output information related to traffic or classify newly acquired flows by learning the characteristics of the flow information group in units of the dynamic flow information group. . In the flow monitoring apparatus 100, the flow information of the dynamic flow is handled as a group of dynamic flow information in this way, so that, for example, from the viewpoint of user experience, compared to the case where the flow is monitored in units of individual flows. It becomes possible to acquire more significant information. Note that the flow monitoring apparatus 100 may have a flow monitoring function in units of individual flows for flows other than dynamic flows.

(Configuration of flow monitoring device)
FIG. 2 is a block diagram showing a functional configuration of the flow monitoring apparatus 100 according to the first embodiment of the present invention. Referring to FIG. 2, the flow monitoring apparatus 100 includes an acquisition unit 110, a storage unit 120, an extraction unit 130, and an identification unit 140.

  Note that the functions of the acquisition unit 110, the extraction unit 130, and the identification unit 140 can be realized by, for example, a CPU (Central Processing Unit) operating according to a program stored in the storage unit 120. This program may be provided by being stored in a storage medium and read into the storage unit 120 via a driver (not shown), or downloaded from a network (not shown) and stored in the storage unit 120. There may be. Further, a DSP (Digital Signal Processor) may be used instead of the CPU in order to realize the functions of the above-described units. The storage unit 120 can be realized as a RAM (Random Access Memory) or a ROM (Read Only Memory) using, for example, a semiconductor memory, a magnetic disk, or an optical disk.

(Acquisition Department)
The acquisition unit 110 acquires flow information including information on a transmission source IP (Internet Protocol) address and port number, a transmission destination IP address and port number, and communication protocol for a flow passing through the link 10. For example, the acquisition unit 110 reads the header information of the packet provided from the router 20, so that the source IP address and port number of each flow via the link 10, the destination IP address and port number, the communication protocol Get information such as communication status information. The acquisition unit 110 can store the flow information including these pieces of information in the storage unit 120, for example, every predetermined time or at the timing when one flow is completed.

(Example of flow information)
Here, an example of the flow information acquired by the acquisition unit 110 and stored in the storage unit 120 will be described with reference to FIG.

  FIG. 3 is a diagram illustrating an example of flow information according to the first embodiment of the present invention. Referring to FIG. 3, the flow information includes a source IP address (Source), a destination IP address (Destination), a source port number (Source Port), a destination port number (Dest Port), and a communication protocol. (Protocol) and information of TCP flag (TCP) which is communication state information. In addition to this, the flow information in the illustrated example includes application layer protocol (Application), DSCP (Differentiated Services Code Point), next hop (NextHop), packet size (Traffic in bytes), and number of packets (No. of packets). ) Information.

  In the illustrated example, the transport layer communication protocol (for example, TCP (Transmission Control Protocol), UDP (User Datagram Protocol), etc.), the source IP address and port number, and the destination IP address and port number are A set of common packets is one flow, and each record of the flow information corresponds to one flow.

  3A and 3B respectively show flow information acquired at a plurality of different times when the acquisition unit 110 acquires flow information in time series. For example, (a) in FIG. 3 may be flow information acquired at time t, and (b) may be flow information acquired at time t + Δt. The time Δt is an interval at which the acquisition unit 110 acquires flow information in time series.

  In the illustrated flow information, the source IP address, the destination port number, and the communication protocol are common among the records, but the source port number is different. Further, the IP address of the transmission destination is common in some records, but is different in other records. A set of packets having different source port numbers and different destination IP records are regarded as different flows, and thus a plurality of records of flow information are acquired.

  However, for example, when acquiring a dynamic Web page using Ajax or the like, the server IP address and port number, the client IP address, and the communication protocol are common to acquire one Web page, and the client port Dynamic flows with different numbers can occur. Considering such a dynamic flow, among a plurality of flows indicated by the flow information shown in the figure, the flows having the same source IP address, destination IP address and port number, and communication protocol are the same. It may be a flow included in a dynamic flow. The flow monitoring apparatus 100 realizes more appropriate management of traffic corresponding to the dynamic flow by identifying whether or not such a flow is included in the dynamic flow.

(Memory part)
Referring back to FIG. 2, the storage unit 120 stores various data used in the processing of the traffic monitoring device 100. For example, the flow information acquired by the acquisition unit 110 is stored in the storage unit 120 as described above. Further, as described above, the storage unit 120 may store a program that is executed by the CPU to realize the functions of the acquisition unit 110, the extraction unit 130, and the identification unit 140.

(Extractor)
In the flow information acquired by the acquisition unit 110 and stored in the storage unit 120, the extraction unit 130 identifies one of the transmission source and the transmission destination as a server and the other as a client. Further, the extraction unit 130 extracts a similar flow information group in which the IP address and port number of the server, the IP address of the client, and the communication protocol are common from the flow information.

  Here, four keys (server IP address and port number, client IP address, and communication protocol) used as extraction conditions by the extraction unit 130 are, for example, five tuples (5 for IP QoS (IP Quality of Service)) (5 -tuples: server IP address and port number, client IP address and port number, and communication protocol) minus the client port number. In the present specification, hereinafter, these four keys may be referred to as 4-tuples. As described above, the dynamic flow may include a plurality of flows having the same server IP address and port number, client IP address, and communication protocol, but different client port numbers. Such a plurality of flows can be extracted by extracting similar flow information groups using 4 tuples as keys as described above. Therefore, it can be said that the similar flow information group is a candidate flow information group corresponding to flows included in the same dynamic flow.

(Server and client identification)
Here, an example of a method for identifying which of the transmission source and the transmission destination is the server and which is the client from the transmission source and transmission destination information included in the flow information will be described.

  As an example of the first method, there is a method of identifying, as a server, one that is communicating with a specific port number from a transmission source or a transmission destination. The specific port may be, for example, a port number assigned in advance for a specific application. For example, in TCP and UDP, port number “80” is assigned to http (hypertext transfer protocol), and port number “443” is assigned to https (http over secure socket layer). According to this method, in the example of FIG. 3, the transmission destination port number (Dest Port) of each record of the flow information is “80”, so that the transmission destination can be identified as a server.

  As an example of the second method, there is a method of identifying, as a client, a transmission source or a transmission destination whose port number is indefinite. As described above, the server port number may be common and the client port number may be different among the flows included in the dynamic flow. Therefore, for example, if there are a plurality of records having the same IP address and port number of the transmission source, the IP address of the transmission destination, and the communication protocol and different port numbers of the transmission destination in the flow information, the transmission destination becomes the client. Can be identified. On the other hand, if there are a plurality of records having the same source IP address, destination IP address and port number, and communication protocol but different source port numbers, the source can be identified as a client. According to this method, in the example of FIG. 3, since there are a plurality of records having the same source IP address, destination IP address and port number, and communication protocol and different source port numbers, Can be identified as a client.

  For example, the extraction unit 130 identifies one of the transmission source and the transmission destination as a server and the other as a client using one or both of the first and second methods. For example, the extraction unit 130 may use the first method first, and if it cannot be identified, the second method may be used, or vice versa. In addition, the extraction unit 130 may confirm whether the results match by using both the first method and the second method. In any case, in the example of FIG. 3, the transmission source can be identified as the client and the transmission destination can be identified as the server.

(Identification part)
The identification unit 140 identifies, as a dynamic flow information group, a flow information group in which the client port number satisfies a predetermined condition among the similar flow information groups extracted by the extraction unit 130. For example, the identification unit 140 identifies similar flow information groups, that is, flow information groups having four tuples in common, when the client port numbers are substantially continuous by a predetermined number or more, and identifies these flow information groups as dynamic flow information groups. Yes.

  In this case, “port numbers are almost continuous” may include not only a case where the port numbers are continuous without interruption, but also a case where a part of the port numbers are missing. For example, in the example of FIG. 3, a 4-tuple (server IP address (Destination) / server port number (Dest Port) / client IP address (Source) / protocol in this order). 233.183.9 / 80 / 192.168.8.4.100 / TCP), the client port number changes as 1904, 1905, ... 1909, 1912, 1913, 1915 doing. In this case, the client port numbers are continuous between 1904 and 1909, but 1910, 1911, and 1914 are missing between 1909 and 1915. In the present embodiment, such a case where a part of the port number sequence is missing is also included in the case of “the port numbers are almost continuous”. How many omissions are included in “the port numbers are almost consecutive” includes, for example, the number of missing port numbers (in the above example, the maximum number of missing port numbers is 2), the ratio of omissions to continuity (above In the example, 3 out of 12 port numbers between 1904 and 1915 are missing, and the ratio can be defined by presetting a range of acceptable values, such as 3/12 = 0.25).

  The “predetermined number” here may be a value preset in the flow monitoring apparatus 100. For example, in the above example, it is determined that the client port numbers 1904, 1905,... 1909, 1912, 1913, 1915 are the flow information group “the client port numbers are substantially continuous for a predetermined number or more”. However, in this case, the predetermined number is 9 or less.

  The identifying unit 140 may identify a flow information group in which the client port number satisfies a predetermined condition and the communication state information satisfies a predetermined condition as a dynamic flow information group among the similar flow information groups. Good. For example, the identification unit 140 indicates that the communication status information indicates the end of communication in the flow information with the smaller client port number in the similar flow information group, and the communication status information indicates the communication in the flow information with the larger client port number. When indicating continuation, these flow information groups may be identified as dynamic flow information groups.

  Here, in the present embodiment, the communication state information included in the flow information is a TCP flag. The TCP flag is a flag for controlling a TCP connection, and there are six types of URG (Urgent), ACK (Acknowledgement), PSH (Push), RST (Reset), SYN (Synchronize), and FIN (Fin). is there. When communication is continued, the TCP flag is, for example, (ACK, PSH) or (ACK, PSH, SYN). When the communication is normally completed, the TCP flag is, for example, (ACK, PSH, FIN) or (ACK, PSH, SYN, FIN). When the communication is forcibly terminated, the TCP flag is, for example, (ACK, RST).

  Therefore, the identifying unit 140 identifies the dynamic flow information group for each flow information based on the relationship between the port number and the communication state indicated by the TCP flag. For example, in the example of FIG. 3A, the TCP flag (TCP) of the flow information in which 4 tuples are common (yyy.233.183.9 / 80 / 192.168.8.4.100 / TCP) (A (ACK), P (PSH)) or (A, P, S (SYN)), indicating that communication is continuing. In this case, the end of communication is not indicated by the communication state information even in the flow information having the smaller client port number among the pieces of flow information. Therefore, the identification unit 140 does not identify these flow information as a dynamic flow information group.

  On the other hand, in the example of FIG. 3B, the TCP flag (TCP) of the flow information common to the 4 tuples (yyy.233.183.9 / 80 / 192.168.8.4.100 / TCP) is the client (A, P, F (FIN)) or (A, P, S, F) in the flow information of port numbers 1904 to 1909 indicates that the communication has ended. The flow information of the client port numbers 1912, 1913, and 1915 indicates that the TCP flag is (A, P, S) and communication is continued. In this case, in the flow information in which the client port number is smaller in each flow information, the end of communication is indicated by the communication state information, and in the flow information in which the client port number is larger, the communication state information indicates the continuation of communication. Therefore, the identification unit 140 can identify these flow information groups as dynamic flow information groups.

  Further, the identification unit 140 may store information on the dynamic flow in the storage unit 120. For example, the identification unit 140 acquires information such as the IP address of the dynamic flow server, the duration from the start to the end, the number of packets, and the packet size from the identified dynamic flow information group. May be stored in the storage unit 120.

(Operation of flow monitoring device)
FIG. 4 is a flowchart showing the operation of the flow monitoring apparatus 100 according to the first embodiment of the present invention.

  First, the acquisition unit 110 acquires flow information, and stores the acquired flow information in the storage unit 120 (step S101). The acquisition unit 110 may acquire the flow information, for example, at regular time intervals or at the timing when one flow ends, and store the flow information in the storage unit 120. The subsequent steps after step S103 may be executed, for example, every time flow information is acquired, or may be executed every time flow information is acquired a plurality of times, or every predetermined time.

  Next, the extraction unit 130 extracts a similar flow information group from the acquired and stored flow information (step S103). The extraction unit 130 identifies one of the transmission source and the transmission destination included in the flow information as a server and the other as a client, and uses a 4-tuple including server and client information as a key to extract a similar flow information group from the flow information. Extract. In the present embodiment, the flow information to be extracted by the extraction unit 130 may be flow information acquired at a certain time t by the acquisition unit 110. That is, in the present embodiment, a similar flow information group is extracted from the flow information acquired by the acquisition unit 110 that acquires flow information in time series at one time t, and the dynamic flow information group can be identified.

  Next, the identification unit 140 determines whether or not the client port numbers are substantially continuous for a predetermined number or more for the extracted similar flow information group (step S105). As described above, the case where “port numbers are substantially continuous” may include a case where a part of the port number sequence is missing. Here, when it is determined that the client port numbers included in the similar flow information group are substantially continuous by a predetermined number or more, the following step S107 is executed. On the other hand, when it is determined that the client port numbers included in the similar flow information group are not substantially continuous by a predetermined number or more, the identification unit 140 determines that there is no flow information group corresponding to the dynamic flow information group. finish.

  Next, the identification unit 140 determines whether or not the TCP flag that is the communication state information satisfies a predetermined condition for the similar flow information group (step S107). As described above, the predetermined condition of the TCP flag is that “the flow information with the smaller client port number indicates the end of communication, and the flow information with the larger client port number indicates the continuation of communication”. It is possible. If it is determined that the TCP flag of the similar flow information group satisfies a predetermined condition, the following step S109 is executed. On the other hand, when it is determined that the TCP flag of the similar flow information group does not satisfy the predetermined condition, the identification unit 140 ends the process on the assumption that there is no flow information group corresponding to the dynamic flow information group.

  Next, the identification unit 140 identifies the similar flow information group as the dynamic flow information group (step S109). The identifying unit 140 may further store information on the identified dynamic flow information group in the storage unit 120.

(Modification 1 of the first embodiment)
In the first embodiment of the present invention described above, when the extraction unit 130 extracts a similar flow information group from the flow information, the extraction unit 130 uses the server IP address instead of the condition that the server IP address is common. A condition of belonging to a predetermined IP address group may be used.

  For example, when a virtual network or cloud computing is used, the IP address of the server may be different among the flows included in the dynamic flow. The extraction unit 130 uses the condition that the IP address belongs to a predetermined IP address group in place of the condition that the IP addresses of the servers in the four tuples are common, and thus the dynamic flow as described above is more appropriate. Can be detected.

  For example, the predetermined IP address group may be an IP address group included in the same address space. As an example, “yyy.233.183.1” and “yyy.233.183.9” of the destination IP address (Destination) in FIG. 3 are / 24 (255.255.255.0). ) Segment, it is an IP address group included in the same address space. The predetermined IP address group may be, for example, an IP address group registered in advance for the service. As an example, “zzz.125.19.10”, “yyy.233.183.1”, and “yyy.233.183.9” among the destination IP addresses (Destination) in FIG. If any of them is known to be an IP address of a virtual server used for a certain service, an IP address group including these IP addresses is registered in advance and stored in the storage unit 120 or the like. It may be used as an extraction condition.

(Modification-2 of the first embodiment)
In the first embodiment of the present invention described above, the identification unit 140 determines whether the TCP flag that is the communication state information of the flow information included in the similar flow information group satisfies the predetermined condition. In the flow information with a smaller port number, the TCP flag may indicate that the communication is normally terminated.

  As described above, the TCP flag indicating the end of communication includes (ACK, PSH, FIN) or (ACK, PSH, SYN, FIN) and the like (ACK, RST). Here, the TCP flag that indicates the end of communication by FIN indicates the normal end of communication, and the TCP flag that indicates the end of communication by RST may indicate the forced end of communication. In the present modification, the identifying unit 140 uses, among these TCP flags, a TCP flag whose communication end is indicated by FIN as “communication state information indicating the end of communication” for identifying a dynamic flow group.

  The above configuration is effective for excluding flow information generated by communication for port scanning from flow information identified as a dynamic flow group, for example. The communication for port scanning is similar to the dynamic flow group in that four tuples of flow information are common for a plurality of flows, and the port number on the client side changes continuously. However, in the TCP flag in the flow information of a plurality of flows in communication for port scan, there are a large number of RSTs with respect to SYN, the end of communication by FIN is not seen, or a specific flag continues. There is a feature to do. In this modification, by limiting the “communication status information indicating the end of communication” in the dynamic flow information group to the TCP flag including FIN indicating the normal end of communication, the continuous flow information group and the port scan Information generated by communication can be identified.

(Second Embodiment)
Next, a second embodiment of the present invention will be described with reference to FIG. The second embodiment of the present invention differs from the first embodiment described above in terms of the operation of the flow monitoring apparatus, but the other configurations are the same as those in the first embodiment described above (modified example). The detailed description is omitted here.

(Operation of flow monitoring device)
FIG. 5 is a flowchart showing the operation of the flow monitoring apparatus 100 according to the second embodiment of the present invention.

  First, the acquisition unit 110 acquires flow information, and stores the acquired flow information in the storage unit 120 (step S201). The acquisition unit 110 can acquire the flow information at regular intervals, for example, at the timing when one flow is completed, and store the flow information in the storage unit 120. The subsequent steps after step S203 may be executed, for example, every time flow information is acquired, or may be executed every time flow information is acquired a plurality of times, or every predetermined time.

  Next, the extraction unit 130 extracts a similar flow information group from the flow information acquired at time t among the acquired and stored flow information (step S203). The extraction unit 130 identifies one of the transmission source and the transmission destination included in the flow information as a server and the other as a client, and uses a 4-tuple including server and client information as a key to extract a similar flow information group from the flow information. Extract.

  Next, the identification unit 140 determines whether or not the client port numbers are substantially continuous for a predetermined number or more for the extracted similar flow information group (step S205). As described above, the case where “port numbers are substantially continuous” may include a case where a part of the port number sequence is missing. Here, if it is determined that the client port numbers included in the similar flow information group are substantially continuous by a predetermined number or more, the following step S207 is executed. On the other hand, when it is determined that the client port numbers included in the similar flow information group are not substantially continuous by a predetermined number or more, the identification unit 140 determines that there is no flow information group corresponding to the dynamic flow information group. finish.

  Next, the identification unit 140 determines whether or not the TCP flag that is communication state information satisfies a predetermined condition for the similar flow information group (step S207). As described above, the predetermined condition of the TCP flag is that “the flow information with the smaller client port number indicates the end of communication, and the flow information with the larger client port number indicates the continuation of communication”. It is possible.

  If it is determined in step S207 that the TCP flag of the similar flow information group satisfies a predetermined condition, the identification unit 140 then identifies the similar flow information group as a dynamic flow information group (step S209). The identifying unit 140 may further store information on the identified dynamic flow information group in the storage unit 120.

  On the other hand, when it is determined in step S207 that the TCP flag of the similar flow information group does not satisfy the predetermined condition, the identification unit 140 updates the time t (step S211). The updated time t can be, for example, a time t + Δt after a time Δt from the time t. The time Δt may be an interval at which the acquisition unit 110 acquires flow information in time series. Subsequently, using the updated time t, the processes after step S203 are repeatedly executed.

  For example, when the similar flow information group extracted from the flow information acquired at a certain time t is not identified as the dynamic flow information group by the operation of the flow monitoring apparatus 100 as described above, another time (for example, time t + Δt) The similar flow information group is extracted from the flow information from the flow information acquired in (1). In a dynamic flow, for example, there is a case where communication is continued in most of a plurality of flows at a certain timing, and thereafter communication is ended from a flow having a smaller client port number. According to the configuration of the present embodiment, in such a case, the extraction of the similar flow information group and the identification of the dynamic flow information group are executed not only at one time but also at other times, thereby Can be detected more reliably.

  For example, in the example of FIG. 3, it is assumed that the flow information (a) is acquired at time t and the flow information (b) is acquired at time t + Δt. In this case, in the flow information of (a) acquired at time t, the similar flow information group in which the 4 tuples are common in (yyy.233.183.9 / 80 / 192.168.8.4.100 / TCP), Since there is no flow information whose TCP flag indicates the end of communication, the identification unit 140 does not identify these flow information groups as dynamic flow information groups. In the present embodiment, here, the time t to be extracted from the similar flow information group is updated. For example, the flow information (b) acquired at time t + Δt becomes the next processing target. In the flow information of (b) acquired at time t + Δt, the client port for the similar flow information group in which the 4 tuples are common in (yyy.233.183.9 / 80 / 192.168.8.4.100 / TCP) In the flow information with numbers 1904 to 1909, the TCP flag is (A, P, S, F) or (A, P, F), indicating the end of communication. Therefore, the identification unit 140 identifies these flow information groups as dynamic flow information groups.

  Further, by the operation of the flow monitoring apparatus 100 as described above, for example, the start or end of a dynamic flow can be identified. For example, for a flow information group that is common for a certain value of four tuples, the time point when the first flow information group is detected can be identified as the start of a dynamic flow. In addition, for example, when communication ends in order from flow information with a smaller client port number and communication ends until the flow information with the largest port number can be identified as the end of the dynamic flow. When identifying the end of the dynamic flow, after step S209 in FIG. 5, for example, a determination process of “has the dynamic flow ended?” Is added, and step S211 and step until it is determined that the dynamic flow has ended. The processing of S203 to S209 may be repeated.

(Third embodiment)
Next, a third embodiment of the present invention will be described with reference to FIG. The third embodiment of the present invention differs from the first and second embodiments described above in terms of the functional configuration added to the flow monitoring apparatus, but the other configurations are the same as those described in the first embodiment. Since it is substantially the same as the second embodiment (including the modification), detailed description thereof is omitted here.

(Configuration of flow monitoring device)
FIG. 6 is a block diagram showing a functional configuration of a flow monitoring apparatus 200 according to the third embodiment of the present invention. Referring to FIG. 6, the flow monitoring apparatus 200 includes an acquisition unit 110, a storage unit 120, an extraction unit 130, an identification unit 140, a learning unit 250, and a classification unit 260.

  Note that the functions of the learning unit 250 and the classification unit 260 can be realized by the CPU operating according to a program stored in the storage unit 120, for example. This program may be provided by being stored in a storage medium (not shown), or may be downloaded from a network (not shown). Further, a DSP may be used in place of the CPU in order to realize the functions of the above-described units.

  Further, since the acquisition unit 110, the storage unit 120, the extraction unit 130, and the identification unit 140 have substantially the same functional configuration as the similar parts in the flow monitoring apparatus 100 according to the first embodiment described above, the details are described here. Description is omitted.

(Learning Department)
The learning unit 250 generates learning data regarding the attribute features of the dynamic flow information group identified by the identifying unit 140. The learning unit 250 may store the generated learning data in the storage unit 120. For example, the learning unit 250 uses the IP address of the dynamic flow server acquired from the dynamic flow information group identified by the identifying unit 140, the duration from the start to the end, the number of packets, the packet size, and other features. The learning data may be generated.

(Classification part)
The classification unit 260 classifies the flow information newly acquired by the acquisition unit 110, for example, based on the learning data generated by the learning unit 250. For example, the classification unit 260 may use a classifier such as a naive Bayes classifier to classify the flow information. In this case, the classification unit 260 may use the learning data generated by the learning unit 250 for supervised learning of the classifier. For example, when the learning data includes the IP address of the server, the duration from start to end, the number of packets, and the packet size, the classification unit 260 sets the IP address of the server from the start for the newly acquired flow information. Flow information corresponding to the dynamic flow similar to the previously acquired dynamic flow information group when the duration until the end, the number of packets, and the packet size show the same characteristics as the learning data Can be classified as

  With the configuration of the flow monitoring apparatus 200 as described above, for example, a dynamic flow that is difficult to detect an abnormality due to a long flow duration or encrypted communication is not classified anywhere by the classification unit 260, for example. It is possible to detect an abnormality based on such a criterion.

(Supplement)
The preferred embodiments of the present invention have been described in detail above with reference to the accompanying drawings, but the present invention is not limited to such examples. It is obvious that a person having ordinary knowledge in the technical field to which the present invention pertains can come up with various changes or modifications within the scope of the technical idea described in the claims. Of course, it is understood that these also belong to the technical scope of the present invention.

10 link 20 router 100, 200 flow monitoring device 110 acquisition unit 120 storage unit 130 extraction unit 140 identification unit 250 learning unit 260 classification unit

Claims (11)

An acquisition unit that acquires flow information including information on a source IP address and port number, a destination IP address and port number, and a communication protocol for a flow that passes through a link in the communication network;
One of the transmission source and the transmission destination is identified as a server and the other as a client, and a similar flow information group having the same IP address and port number of the server, a client IP address, and a communication protocol is extracted from the flow information. An extractor to perform,
An identification unit that identifies the similar flow information group in which the port number of the client satisfies a predetermined condition as a dynamic flow information group;
A flow monitoring apparatus comprising:   The flow monitoring apparatus according to claim 1, wherein the predetermined condition includes that a port number of the client is substantially continuous for a predetermined number or more. The flow information includes communication state information,
The predetermined condition is that the communication status information indicates the end of communication in the flow information having a smaller port number of the client, and the communication status information indicates that communication is continued in the flow information having a larger port number of the client. The flow monitoring apparatus according to claim 2, comprising: indicating.   The flow monitoring apparatus according to claim 3, wherein the communication state information indicating the end of the communication is information indicating a normal end of the communication. The acquisition unit acquires the flow information in time series,
The flow monitoring apparatus according to claim 1, wherein the extraction unit extracts the similar flow information group from the flow information acquired at a plurality of times.   The flow monitoring apparatus according to claim 5, wherein the identification unit identifies one or both of a start and an end of a dynamic flow corresponding to the dynamic flow information group from the plurality of times.   When the similar flow information group extracted from the flow information acquired at one time is not identified as the dynamic flow information group, the extraction unit extracts the similarity from the flow information acquired at another time. 6. The flow monitoring apparatus according to claim 5, wherein a flow information group is extracted.   The said extraction part uses the condition that the IP address of the said server belongs to the predetermined IP address group instead of the condition that the IP address of the said server is common, The any one of Claims 1-7 characterized by the above-mentioned. The flow monitoring apparatus according to item 1. A learning unit that generates learning data about the characteristics of the attributes of the dynamic flow information group;
A classifying unit for classifying newly acquired flow information based on the learning data;
The flow monitoring apparatus according to claim 1, further comprising: Obtaining flow information including information on a source IP address and port number, a destination IP address and port number, and a communication protocol for a flow passing through a link in the communication network;
One of the transmission source and the transmission destination is identified as a server and the other as a client, and a similar flow information group having the same IP address and port number of the server, a client IP address, and a communication protocol is extracted from the flow information. And steps to
Identifying the similar flow information group in which the port number of the client satisfies a predetermined condition as a dynamic flow information group;
The flow monitoring method characterized by including. Processing for obtaining flow information including information on a source IP address and port number, a destination IP address and port number, and a communication protocol for a flow passing through a link in the communication network;
One of the transmission source and the transmission destination is identified as a server and the other as a client, and a similar flow information group having the same IP address and port number of the server, a client IP address, and a communication protocol is extracted from the flow information. Processing to
Processing for identifying the similar flow information group in which the port number of the client satisfies a predetermined condition as a dynamic flow information group;
A program that causes a computer to execute.

Images