JP5812282B2 - Traffic monitoring device - Google Patents

Description

  The present invention relates to a traffic monitoring device, and in particular, the traffic monitoring device monitors whether the traffic is encrypted and decrypted in a node or terminal device of a data communication network such as the Internet. The present invention relates to an apparatus for performing identification estimation and also identifying and estimating an application used.

  Understanding how the network is being used by subscribers and what communications are being performed in each flow is important for network operators to make capital investment decisions, control flow, and monitor abnormalities. Useful. However, in today's communications, the encrypted traffic increases and it is becoming difficult to understand what kind of communication is being performed in the ciphertext. From the viewpoint of privacy protection, There is a demand for estimating the contents using the statistical information of the packet length and the arrival interval without observing the contents.

  Patent Document 1 has been proposed in order to satisfy this requirement and realize rapid processing. Patent Document 1 is an encrypted communication feature extraction device, an encrypted communication feature extraction program, and a recording medium. The encrypted communication feature extraction device sends in advance a ciphertext encrypted by a known encryption method from the external communication unit of this device, and collects this test communication cipher data at the ciphertext data collection unit. Ask for. Next, the cipher determination function unit obtains feature information for the communication information whose traffic type is unknown, the feature information of the unknown communication information of the obtained type, and the known ciphertext feature information obtained previously. Compare If the comparison results match, it can be estimated that this unknown type of traffic is a text encrypted by any known encryption method.

  If this method is used, the combination of the communication application, encryption communication software, and encryption protocol to be used can be shown as the type of encryption communication. Available encryption protocols include WEB service, HTTPS (Hypertext Transfer Protocol over Secure Socket Layer), VPN (Virtual Private Network), DES (Data Encryption Standard), 3DES, AES (Advanced Encryption Standard), etc. There is.

As a means for extracting features,
(1) Communication session occurrence interval,
(2) Packet generation interval during communication session,
(3) Packet size during communication session,
(4) Total number of packets in the communication session,
(5) Packet transmission / reception direction relationship during communication session,
(6) Direction ratio of packet transmission / reception during communication session
(7) Protocol occupancy during communication session,
(8) Each packet size at the start of the communication session,
(9) Total number of packets at the start of the communication session,
(10) Total data size at the start of the communication session,
(11) Long-term source / destination IP distribution,
(12) Long-term destination port distribution,
(13) Long-term inquiry to DNS server, and
(14) The presence / absence of data transmitted when no communication is performed from the communication application side.

  The encryption determination unit compares the extracted communication state information with the information read from the feature database (DB) of the storage unit of the encrypted communication feature extraction device for the extracted feature type, and extracts the extracted communication state information And the fixed pattern information in the side channel table, and the two match, the cipher determination unit refers to the combination ID (IDentification) associated with the fixed pattern information and sets the same combination ID. It is determined that the combination in the combination condition table is applied to the communicating host.

  The cipher determination unit applies correlation analysis to communication state information that can be graphed, communication state information obtained from collected ciphertext data, communication state information recorded in the feature DB, and If the degree of correlation between the two is high, the type of encrypted communication may be determined from the test conditions at this time.

JP 2006-146039 A JP 2010-204289 A

  By the way, Patent Document 1 discloses only correlation analysis using any one of the 14 types of feature information described above, and does not assume anything about correlation analysis using a plurality of feature information.

  If a plurality of feature information is used, the determination accuracy may be improved. However, when a different determination result is obtained for each feature information, it does not disclose or suggest how to estimate the application. For this reason, correlation analysis using a plurality of feature information cannot be performed in Patent Document 1.

  As means for using a plurality of feature information, naive Bayes, that is, using a conditional probability model called a naive Bayes discriminator has been proposed, but accuracy is limited.

  In view of such problems, the present invention provides a traffic monitoring device that can increase the number of types of teacher data used for determination, that is, can accurately determine the type of feature using a plurality of feature information. Objective.

  In order to solve the above-mentioned problems, the present invention is a traffic monitoring apparatus that monitors traffic of network communication, extracts the characteristics of the traffic to be monitored, and estimates the encryption scheme and the type of application used. This device inputs traffic, classifies the input traffic into traffic to be observed, teacher traffic, and control signals, and sequentially outputs input means and a plurality of feature amounts extracted from traffic to be observed and teacher traffic. Feature acquisition means for acquiring feature information and teacher information, teacher information acquisition means for inputting teacher information, and converting the teacher information into evaluation teacher information, and using a plurality of feature quantities as feature vectors At the same time, the type is estimated based on the feature information and the teacher information for evaluation, and classified according to the estimated type. Classification means for outputting traffic information, classification storage means for storing the classified traffic information and outputting corresponding information according to a control signal, and measurement control means for controlling processing of each element used for measurement of the apparatus And output means for outputting the classified traffic information, the teacher traffic, and the control signal.

  According to the present invention, the measurement control unit controls the measurement of the traffic monitoring device, and the traffic input by the input unit is classified into the traffic to be observed, the teacher traffic, and the control signal, and the traffic to be observed by the feature acquisition unit. A plurality of feature amounts extracted from both traffics input by the feature acquisition means, respectively, as feature information and teacher information, and feature information as classification means and teacher information as teacher information acquisition means. The teacher information input by the teacher information acquisition means is converted into teacher information for evaluation and output to the classification means. The classification means uses a plurality of feature quantities as feature vectors, and the feature information and evaluation information The type is estimated based on the teacher information, and the traffic information classified by the estimated type is output to the classification storage means and supplied by the classification storage means. By storing the classified traffic information, outputting the corresponding information according to the control signal, that is, the classified traffic, to the output means, and outputting not only the classified traffic from the output means, but also the teacher track and the control signal, the network It is technically possible for carriers and ISPs (Internet Service Providers) to use them as reference information for capital investment, and to transfer agreed-upon users with different priorities for each flow.

It is an arrangement view showing a connection form of a traffic monitoring system in which a measurement function unit to which a traffic monitoring device according to the present invention is applied is arranged. FIG. 1B is a block diagram showing a schematic configuration of a measurement function unit applied to FIG. 1A. It is a layout view showing another connection form of a traffic monitoring system in which a measurement function unit to which the traffic monitoring device according to the present invention is applied is provided. FIG. 2B is a main block diagram showing a newly added configuration of the measurement function unit applied to FIG. 2A. FIG. 2B is a block diagram showing a configuration of a traffic classification function unit applied to FIG. 2B. 2B is a graph showing the relationship between the distribution of teacher data and measured data and the determination curve in the measurement function unit of FIG. 2A.

  Next, an embodiment of a traffic monitoring apparatus according to the present invention will be described in detail with reference to the accompanying drawings. Referring to FIG. 1A, the embodiment of the traffic monitoring apparatus according to the present invention is a case of the traffic monitoring system 10 applied to the measurement function unit 18. As shown in FIG. 1B, the measurement function unit 18 controls the measurement of the measurement function unit 18 by the measurement control unit 34, and the traffic 38 input by the traffic input unit 22 is to be observed, the teacher traffic and the control signal. The traffic 40 to be observed and the teacher traffic 42 to be observed are output to the feature acquisition unit 24, and a plurality of feature amounts extracted from both the traffics 40 and 42 input in the feature acquisition unit 24 are feature information 48 and teacher information, respectively. 50, the characteristic information 48 is output to the traffic classification function unit 28, the teacher information 50 is output to the teacher information acquisition unit 30, and the teacher information 50 input by the teacher information acquisition unit 30 is used as teacher information 58 for evaluation. And is output to the traffic classification function unit 28. The traffic classification function unit 28 uses a plurality of feature quantities as feature vectors, estimates the type based on the feature information 48 and the evaluation teacher information 58, and The classified traffic information 60 is output to the classification information storage unit 32, the classified traffic information supplied from the classification information storage unit 32 is stored, and the corresponding information according to the control signal, that is, the classified traffic information 62 Is output to the traffic output unit 36, and not only the traffic information 62 classified from the traffic output unit 36 but also the teacher traffic 56 and the control signal 64 are output as the output signal 66. With the above configuration, the network usage status can be understood, and carriers and ISPs can use it as reference information for capital investment, and technically enable agreed-upon users to be transferred with different priorities for each flow. Yes.

  The illustration and description of parts not directly related to the present invention are omitted. In the following description, the signal is indicated by the reference number of the connecting line in which it appears.

  An IP (Internet Protocol) carrier A on the Internet has a traffic monitoring system 10 that grasps traffic usage information regarding its own network 10a operated by itself or traffic flowing between its own network 10a and the external network 10b. A configuration example is shown in FIG. 1A. The system 10 includes routers 12a, 12b and 12c, a gateway device (GW) 14, terminal devices 16a, 16b and 16c, measurement function units 18a, 18b and 18c, and a control function unit 20.

  The routers 12a, 12b, and 12c are communication devices for general subscribers to perform communication services, and construct an internal network of carriers. The router 12c is connected to an external network via a gateway device. The external network includes other IP carriers that provide Internet services, IX (Internet eXChange) operators that have a function of connecting ISPs, server service operators, and the like. Subscriber terminal devices 16a, 16b and 16c are connected to each router 12a, 12b and 12c. Although not shown, an access device such as a PON (Passive Optical Network) or ADSL (Asymmetric Digital Subscriber Line) is often connected between the router and the subscriber terminal device.

  The gateway device 14 is a device that relays connections between networks, and the terminal devices 16a, 16b, and 16c are, for example, personal computers (PCs).

  The measurement function units 18a, 18b and 18c, and the control function unit 20 are installed as devices having a function of grasping the traffic usage state. The control function unit 20 may be incorporated in the measurement function units 18a, 18b, and 18c. There are three measurement function units 18a, 18b, and 18c depending on the connection method.

  The first connection is a case where the measurement function 18a is connected to the router 12a in the same manner as the terminal device 16a of a general subscriber. The second connection is a case where the measurement function unit 18b is installed inline before the router 12b and the flowing traffic flows inside the apparatus. The third connection is a case such as a measurement function unit 18c connected so as to obtain a copy of the flowing traffic by a mirror port of the router 12c or a tap. The traffic indicates information in network communication.

  The measurement function unit 18b is functionally equivalent to the measurement function unit 18c if it is configured to place a tap inside and input a copy even if it looks like an inline type. The measurement function unit 18a is used only for calibration, which will be described later, because general subscriber traffic does not flow.

  Next, the internal configuration of the measurement function unit 18 to which the traffic monitoring apparatus according to the present invention is applied will be described with reference to FIG. 1B. The measurement function unit 18 collectively refers to the measurement function units 18a, 18b, and 18c shown in FIG. 1A. As shown in FIG. 1B, the measurement function unit 18 includes a traffic input unit 22, a feature acquisition unit 24, a teacher traffic transmission / reception unit 26, a traffic decomposition function unit 28, a teacher information acquisition unit 30, a classification information storage unit 32, and a measurement control unit. 34, and a traffic output unit 36.

  The traffic input unit 22 has a function of inputting traffic from the outside, that is, information in the network, and transferring the inputted traffic classification and sequentially classified information such as traffic and control signals. Specifically, the traffic input unit 22 classifies the input traffic 38 into the subscriber's traffic 40 to be observed, the teacher traffic 42, and the control signal 44. The traffic 40 is classified into the feature acquisition unit 22, the teacher traffic 42, respectively. Are transferred to the feature acquisition unit 22 and the teacher traffic transmission / reception unit 26, and the control signal 44 is transferred to the measurement control unit 34.

  The feature acquisition unit 24 has a function of classifying and storing input traffic according to flows and extracting feature amounts from the stored traffic. The feature acquisition unit 24 has a traffic storage unit 46. The traffic storage unit 46 stores traffic 40 and 42 classified by flow. The feature acquisition unit 24 extracts a feature amount from the stored traffic. A plurality of feature quantity parameters can be used, for example, 14 types described in the prior art can be used. As is clear from the above description of the input, the feature quantity obtained here is composed of the subscriber traffic 40 and the teacher traffic 42 whose encryption method and application are known and used for calibration. The feature amount, feature data, or feature information 48 extracted from the former is supplied to the traffic classification function unit 28, and the feature amount, teacher data, or teacher information 50 extracted from the latter is sent to the teacher information acquisition unit 30.

  Although not shown, the teacher traffic transmitting / receiving unit 26 receives a command from the measurement control unit 34, and communicates plaintext and various ciphertexts by various applications (applications) between the other measurement function units 18b and 18b. Have Further, the teacher traffic transmitting / receiving unit 26 includes an input unit 52 having a traffic input function and an output unit 54 having a traffic output function. Therefore, the teacher traffic transmitting / receiving unit 26 inputs plaintext and various ciphertexts including the control signal of the created application to the input unit 52 via the traffic input unit 22, and the traffic output unit via the output unit 54. Output to 36.

  The traffic classification function unit 28 has a function of estimating the former encryption type and application type based on the subscriber traffic characteristic information 48 and the evaluation teacher information 58 supplied from the teacher information acquisition unit 30. The traffic decomposition function unit 28 receives the feature information 48 and the teacher information 58, estimates the type based on the information 48 and 58, and classifies the subscriber traffic information 60 classified by the estimated type into a classification information storage unit Output to 32. The traffic decomposition function unit 28 uses a plurality of feature quantities as feature vectors, determines the class in estimating the contents, uses supervised learning to obtain the determination condition, and determines the determination condition that maximizes the output quality To operate. By using the determination condition obtained by this operation, the determination accuracy of content estimation is improved. In addition, the traffic decomposition function unit 28 uses a plurality of feature quantities as feature vectors, makes a class determination, explicitly outputs the determination conditions, and estimates and classifies the contents using the obtained determination conditions. You may ask for.

  Further, in the present embodiment, only one traffic decomposition function unit 28 is illustrated, but a plurality of traffic decomposition function units 28 may be provided. It is desirable to output the obtained feature information as the content of the estimated traffic.

  It is preferable that the traffic decomposition function unit 28 prepares a plurality of feature information as candidates, selects a combination of feature information with the highest estimation accuracy using the teacher traffic, and does not use any other feature information.

  The traffic decomposition function unit 28 sets N pieces of feature information as candidates, and estimates the content of the traffic using the remaining Na pieces of feature information obtained by reducing a piece of feature information and the teacher traffic. Then, the top α of the feature information with good results obtained in the estimation is left, and then this α feature information is set as a candidate. From this candidate, Nab pieces of b feature information are reduced. Estimate the traffic contents using feature information and teacher traffic, leave the top β feature information with good results, and reduce the feature information to c, d, etc. for each subsequent estimation ..,... May be set, and the feature information may be repeated until the feature information is 1 or less, and the feature information having the best grade may be used.

  The traffic classification function unit 28 selects the feature information by changing the combination method one after another by means of a genetic algorithm or annealing method, and the combination of feature information with the highest estimation accuracy within the evaluable time. And the obtained feature information may be used for determination.

  Further, the traffic classification function unit 28 continues the above-described repetition, and uses the best-performing feature information and selects the feature information one after another by a genetic algorithm or annealing method repetition method. In addition, the feature information obtained by using both the case where the combination of feature information having the highest estimation accuracy in the evaluable time is obtained and the obtained feature information is used for the determination is acceptable. Evaluation may be performed using teacher traffic during calculation time, and the best evaluation result may be used for evaluation.

  The measurement function unit 18 searches the optimal determination process and feature information by changing the determination process and feature amount information during operation to estimate the traffic content and select the feature information to be used. If found, update to this process.

  The measurement function unit 18 is one of the estimation in the order of the encryption method and the application type in the estimation of the traffic content, the estimation in the reverse order of this order, and the estimation of the encryption method and the application divided into multiple stages. Realize one.

  As the teacher information, the feature information generated by the encryption is estimated from the feature information of the plaintext data, and the measurement function unit 18 may estimate the content of the traffic using the estimated feature information.

  The measurement function unit 18 uses, as the teacher data used for evaluation, the teacher data observed in the past that has the closest external condition of the acquired parameter, and periodically acquires and updates the teacher data. .

  The teacher data is specified by means for specifying a pair of measurement function units 18 that are close to the subscriber terminal device pair, including the server that is carrying the traffic to be evaluated, and this specifying means is the network to which the subscriber terminal device belongs ( AS) is estimated from the IP address, route information is acquired from TraceRoute, the pair of measurement function units 18 that maximizes the duplication of the communication route is selected, and the selected pair is used.

  The measurement function unit 18 measures the distance from other elements in each traffic data of the group estimated as the same encryption method and application in the N-dimensional vector space, and the distribution of the distance from the center is the teacher traffic. This element group is assumed to be a new element group according to the difference between the distribution in the past and the conventional distribution, and the distribution of the set excluding the new element group is different from the distribution in the teacher traffic or the conventionally observed subscriber traffic. If they match, this assumption is judged to be true, and the new element group is estimated from the set obtained by adding the new element group to the subsequent flow content estimation.

  The teacher information acquisition unit 30 has a function of converting the input feature quantity or teacher information (teacher data) 50 into evaluation teacher information 58 used for classification of subscriber traffic. The teacher information acquisition unit 30 outputs the converted teacher information 58 for evaluation to the traffic classification function unit 28.

  The classification information storage unit 32 has a function of inputting and storing the traffic information 60 of the subscriber classified by the traffic classification function unit 28, and outputting the stored corresponding information according to a control signal (not shown). The classified information storage unit 32 receives the classified traffic information 60 of the subscriber and outputs the accumulated information 62 to the traffic output unit 36.

  The measurement control unit 34 has a function of controlling and monitoring the measurement of the measurement function unit 18. The measurement control unit 34 has a function of controlling and monitoring all (SVM) components and functions of the measurement function unit 18, although signal lines for sending signals for controlling the respective internal functions are omitted. The measurement control unit 34 has a function of controlling a measurement operation in response to an instruction from the control function unit 20 that controls the entire measurement system, that is, a control signal 44. Further, the measurement control unit 34 outputs a control signal 64 based on the monitoring result to the traffic output unit 36.

  Returning to FIG. 1A, the control function unit 20 transmits / receives teacher traffic to each of the measurement function units 18a, 18b, and 18c, acquires teacher information, estimates subscriber traffic information, accumulates estimated information, and totals And a function of instructing transmission to the control function unit 20. The control function unit 20 may be implemented as a single device, or may be distributed within each of the measurement function units 18a, 18b, and 18c. Furthermore, the control function unit 20 may operate all the control operations without being arranged, and each of the measurement function units 18a, 18b, and 18c may operate autonomously.

  The traffic output unit 36 has a function of outputting the output information 66 from the measurement function unit 18 to the outside. The traffic output unit 36 receives the teacher traffic 56, the accumulated traffic information 62, and the control signal 64 in this embodiment, and outputs them together as output information 66 to the network.

  Next, the operation of the measurement function unit 18 will be described. In response to an instruction from the measurement control unit 34, the teacher traffic transmission / reception unit 26 communicates plaintext and various ciphertexts by various applications with other measurement function units. The plaintext and various ciphertexts including the generated application control signal are input / output via the traffic input unit 22 and the traffic output unit.

  Further, the measurement function unit 18 classifies the communication traffic 38 and inputs it to the feature acquisition unit 24, extracts the teacher information 50 according to the feature information 48 and the communication contents, accumulates, organizes, and converts the teacher data 50 for evaluation. The content of the subscriber's flow is estimated by comparing the teacher information 58 with the feature information 48 of the subscriber's traffic by the traffic classification function unit 28. The traffic output unit 36 inputs the teacher traffic 56 from the teacher traffic transmitting / receiving unit 26, the subscriber traffic information 62 from the classification information storage unit 32, and the control signal 64 from the measurement control unit 34, and these are output as output information 66. Output to the net. The teacher traffic output as the output information 66 is input from the traffic input unit 22 of the communication function measuring units 18b and 18c.

  Furthermore, when described as the operation of the communication destination, the traffic input unit 22 inputs as the traffic 38, classifies it into the subscriber's traffic 40 to be observed, the teacher traffic 42, and the control signal 44, and acquires the characteristics of the traffic 40 in order. The teacher traffic 42 is copied to the unit 24 and sent to both the feature acquisition unit 24 and the teacher traffic transmitting / receiving unit 26, and the control signal 44 is transferred to the measurement control unit 34.

  Of the traffic described above, the teacher traffic 42 sent to the teacher traffic transmitter / receiver 26 is used for communication with the teacher traffic transmitter / receiver 26 of the transmission source. The teacher traffic 42 copied and sent to the feature acquisition unit 24 is classified by flow and stored in the traffic storage unit 46. The feature acquisition unit 24 extracts feature amounts from the classified and stored traffic. This feature amount extraction will be described in more detail later.

  By the way, the extracted feature amount is converted into teacher information for evaluation used for classifying the traffic of the subscriber by the teacher information acquisition unit 30, and is output to the traffic classification function unit.

  On the other hand, the subscriber's traffic input from the traffic input unit 22 is also classified by flow by the feature acquisition unit 24, stored in the traffic storage unit 46, and extracted. The feature amount of the subscriber's traffic is sent to the traffic classification function unit 28 together with the teacher information for evaluation, and the encryption type and application type of the user traffic are estimated and output.

  Regarding this estimated portion, Patent Document 1 discloses only using one feature amount or simply classifying it. In the present embodiment, a discriminating method using supervised learning that can classify a plurality of feature quantities as feature vectors, in particular, a mechanism for maximizing the output quality of training examples, such as SVM (Support vector machine). By using things that improve accuracy, or by using things that can explicitly grasp the judgment conditions, such as C4.5 decision trees, even if there is no improvement in accuracy, Judgment is made to obtain convincing. Moreover, when a conclusion is derived by a plurality of methods and the answers are different, a method of determining majority by weighting each condition can be used.

  Moreover, in the existing technology, the determination is made once using the correlation analysis. However, if the determination is performed in a plurality of times, the accuracy may be improved. For example, an encryption algorithm can be estimated first, and then an application can be estimated for each encryption algorithm. This is because the accuracy may be improved by using different indexes for the first separation information and the second separation type. Furthermore, when only the encryption method needs to be understood or when only the application type needs to be understood, an optimal determination method may be used according to these applications. This can be realized by storing the best determination method and feature information according to each case and obtaining the feature information using the teacher traffic, and using the stored feature information.

  The classification information storage unit 32 stores the above-described subscriber traffic encryption method and application information, and outputs the stored information to the outside in accordance with a control signal from the measurement control unit.

  The measurement control unit 34 performs monitoring and control related to the above series of operations. The measurement control unit 34 operates in response to an instruction from the control function unit 20 of the entire measurement system as a control signal 44. The control function unit 20 transmits / receives teacher traffic to / from each of the measurement function units 18a, 18b, and 18c, acquires teacher information, estimates subscriber traffic information, accumulates estimated information, aggregates, and transmits to the control function unit 20 Instruct.

  Here, the feature amount extraction will be described. When information related to communication traffic is used as a feature amount, if all feature amounts are used for determination, there is a possibility that information irrelevant to app identification may be included, and conversely the determination accuracy may be lowered. . Therefore, it is desirable to select a feature vector that is feature data using only the feature quantity that maximizes the discrimination accuracy. In general, when there are N types of feature quantities, the optimal feature vector candidates are

It can be expressed as For example, 14 types of features described in the prior art can be used as the feature parameter. Of the number of parameters N = 14 described in the invention of the prior art, the number of parameters k to be used is one, that is, 14 candidates are used, that is, 14 candidates.

  Thus, when the number of parameters N is large, it is actually difficult in terms of time to evaluate all of the parameters and select the optimum one. Therefore, as an optimal feature vector selection method, instead of evaluating all combinations, for example, one of the following three methods may be used, and the optimal solution may be searched approximately by reducing the number of calculations.

  The first method is a method of selecting the optimum combination by gradually reducing the feature amount of the feature vector from all candidates. First, the flow used for learning, that is, the learning data understood by the cipher and the application is randomly divided into two groups. Next, supervised learning is performed with all N feature vectors using one group as teacher data, and the remaining learning data is used as evaluation determination data as the other group, and evaluation is performed to obtain accuracy. At this time, it is preferable to change the group of usable data used for the teacher data and the evaluation determination data again with random numbers and check whether there is a difference in accuracy because the variation in determination accuracy can be evaluated.

  Next, the number of feature data is evaluated by a combination of N-a and a reduced by a, and among the evaluations, α having the best grade is left. Next, evaluation is performed by a combination of the number of feature data to be used reduced to N-a-b from α N-a.

  However, the combination using the feature data excluded in the previous stage is not used in this stage. These processes are repeated to select the best feature amount combination, that is, a feature vector.

  Here, the number of types of feature data to be reduced, a, b, c, ... and the number α, β, γ, ... are selected by calculating the evaluation time required for each stage from the time available for calculation. It is preferable to do. The reverse method of increasing the number of feature data from one type by a, b, and c may be used.

  Patent Document 2 discloses a combination of the number of types of feature data to be reduced a = b = c = ... = 2 and the number α = β = γ = ... = 1. In other words, it reduces by two at a time, leaving the best one next. This embodiment is excellent in that the number to be reduced is generalized and a combination that maximizes the measurement accuracy is used based on the time that can be calculated.

  The second method is to find the optimum feature vector by changing the method of combination one after another by an iterative method such as genetic algorithm or annealing method, and within the evaluable time. It is a method to ask for.

  The third method is a method of selecting a plurality of methods from the first and second methods, evaluating them within an allowable calculation time, and selecting the one with the best evaluation result.

  Note that it is even better if all three methods use a method that updates the feature vector used for evaluation when a better combination is obtained by changing the conditions or repeating the evaluation during operation. Needless to say.

  A method for obtaining evaluation teacher information (teacher data) used for ciphertext encryption method and application estimation is described. There are mainly three methods for obtaining teacher information for evaluation. The first method uses plain text teacher information as it is. Although this method can estimate an application, it cannot determine the encryption method, and the estimation accuracy of the application may be lowered.

  The second method is a method of obtaining the ciphertext teacher information using the ciphertext evaluation traffic, and is expected to have high estimation accuracy. However, in this method, it is necessary to flow traffic for teachers several times the number of types of ciphers, which may increase the load on the network or take time to obtain teacher information.

In the third method, instead of actually measuring the feature amount using the encrypted data, the feature amount generated by the encryption is estimated from the feature amount of the plaintext data, and evaluated using this. To illustrate this method, the N feature amounts of plaintext Ta is set to C _N, sets the plaintext Ta to encrypted text Ua = S (Ta). Sa is an encryption process. Under this setting, when the feature vector of the plain Ta is P _N (Ta) and the feature vector of the sentence Ua is P _N (Ua), the feature vector P _N (Ua) = F (P _N (Ta) of the sentence Ua ) Is obtained from a set of plaintext and ciphertext, and is estimated using this.

  By using this method, it is possible to obtain a feature vector of a ciphertext only by obtaining a plaintext feature vector without actually measuring it. This method is preferable because a feature vector can be easily obtained when calibration is performed many times.

  By applying this configuration, it becomes possible to estimate the subscriber traffic encryption method or application with higher accuracy than before or with which the user can understand the determination criteria. In addition, it is possible to more easily acquire feature information for teachers.

  Furthermore, since it is possible to dynamically add / delete virtual node resources or construct or delete new virtual nodes according to traffic request conditions, communication with appropriate network service quality can be provided. In addition, power can be saved by releasing unused resources.

  Next, another embodiment of the traffic monitoring system 10 will be briefly described with reference to FIG. 2A. The traffic monitoring system 10 is provided with IP carrier networks 10d, 10e and 10f as external networks through the gateway device 14 connected to the IP carrier network 10a described in the previous embodiment. Terminal devices 16d, 16e and 16f and measurement function units 18d and 18e are connected to the external IP carrier networks 10d, 10e and 10f. In such a connection form, the traffic monitoring system 10 is a case where the traffic type of communication including encryption communication with a server or a terminal device is grasped.

  As for the internal configuration of the measurement function unit 18 to which the traffic monitoring apparatus according to the present invention is applied, the main configuration is described in FIG. That is, the measurement function unit 18 basically includes the constituent elements of the previous embodiment and newly includes a teacher measurement selection unit 68.

  In this configuration, encrypted communication is performed between a specific terminal device and the measurement function unit 18 used for identification, and this information is used as feature data used for identification. However, the traffic characteristic information in the network varies greatly depending on the environment such as date and place, and there is a possibility that it cannot be handled by specific information.

  Therefore, the following three methods are used. The first method is to use different teacher data used for evaluation depending on the date and time, and use them under the same conditions as much as possible. In addition, the teacher data is acquired once for each date and time, and instead of continuing to use the acquired teacher data for a long time, the optimal teacher data is always used by regularly acquiring and updating the teacher data.

  The second method is a measure related to the location factor in the first method. In the second method, the teacher measurement selection unit 68 flows the teacher traffic between the two measurement functions closest to the pair of subscriber terminal devices to be evaluated in order to obtain more appropriate teacher data. , Has a function of measuring and selecting teacher data. The teacher measurement selection unit 68 inputs the teacher traffic 70 from the traffic input unit 22 to measure and select the teacher data, measures whether the input teacher traffic is appropriate, and determines that the teacher is appropriate. The traffic for traffic 74 is copied and output to the teacher information acquisition unit 30, and the input traffic for teacher is output to the traffic output unit 36 as the traffic 72 for teacher.

  In the third method, the cause of the change in the traffic aspect is not due to the change due to the place of the date and time or the background of the time, but corresponds to a new encryption method or application that has not existed before. . In the third method, as shown in FIG. 3, the traffic classification function unit 28 includes an unexpected encryption / application detection function unit 76 in the third method. The unexpected encryption / application detection function unit 76 has a function of detecting whether or not an unexpected encryption / application is included in the flow information.

  In order to realize this function, the unexpected encryption / application detection function unit 76 includes a divergence degree evaluation function unit 78, a non-threshold collection function unit 80, and an exclusion determination function unit 82.

  The divergence degree evaluation function unit 78 is a function for obtaining the degree of divergence by comparing the feature quantity of each flow with a teacher data set of feature quantities determined to be a certain encryption method or application. The out-of-threshold collection function unit 80 has a collection function that determines whether the divergence is greater than or equal to a certain threshold value and accumulates the corresponding flow information if the determination is true. The exclusion determination function unit 82 has a function of determining and outputting whether or not an unexpected encryption method or application is misunderstood from information stored outside the threshold. The traffic classification function unit 28 outputs the classified subscriber traffic information 60 including the unexpected presence / absence information to the classification information storage unit 32.

  Briefly describe the operation. The teacher traffic for obtaining the teacher feature information is preferably transmitted from the measurement function units 18d and 18e in the vicinity of the terminal devices (PC) 16d, 16e and 16f of the external networks 10d, 10e and 10f of the communication destination .

  This is based on the assumption that the feature information of the packet of the teacher traffic that flows along the longest matching route with the subscriber packet is the closest. This is based on the idea that if the routes are similar, the influence on the intermediate transmission path and router is similar. However, installing the measurement function unit in all of the myriad external networks causes a large increase in cost burden.

  Therefore, it is arranged not in the entire external network but in a part of the external network. Then, the traffic for teachers may be flowed between the measurement function unit of the external network having the longest overlapping portion of the communication path between the communication destination PC and the PC of the own IP carrier network to obtain feature information.

  The measurement function units 18d and 18e are equipped with a function equivalent to UNIX (Trademark) "traceroute", extending the lifetime of ICMP (Internet Control Message Protocol) one by one toward the subscriber PC of the sender. And receive the response at the reception function unit to obtain route information. Although it is not always the case with respect to the return path, it is considered that a certain degree of accuracy can be obtained by throwing a packet from the measurement function units in various places of the network. Using the characteristic information for education between the longest matching pairs in the path information obtained in this way, the subscriber traffic encryption method and application are estimated.

  In addition, as shown in FIG. 2A, not only the position on the network is close, but also the feature information for teachers in the closest state with respect to various situations such as date and time, event, and total traffic volume may be used.

  Next, a description will be given of a method in which the unexpected encryption / application detection function unit 76 finds unexpected encryption or application traffic and excludes it from the evaluation.

  Since the divergence degree evaluation function unit 78 and the out-of-threshold collection function unit 80 are substantially the same in operation as described above, the operation of the exclusion determination function unit 82 will be described in detail here. The exclusion determination function unit 82 accesses the out-of-threshold collection function unit 80, and checks whether or not there is a flow having the same tendency in the feature amount among the collected flow information. If the amount of flows with the same tendency is a threshold tendency, these flows are set as candidates for unexpected encryption or application flows. Next, the entire flow group determined to be a specific cipher or application and the flow group excluding the unexpected flow candidate group are compared with the flow of the teacher traffic. If the latter is closer to the teacher data than the former by a certain threshold or more, this candidate is determined to be another cipher or application.

  By the way, all methods of C4.5 decision tree, naive Bayes estimation, and SVM (Support Vector Machine), which have been performed so far, estimate one encryption method and application used compared to teacher data. And asked. In fact, even if it is a little different, we have forcibly chosen the one that seems to be the closest.

  In this embodiment, in the traffic data of the group estimated as the same encryption method and application in the N-dimensional vector space, the distance to other elements is measured, and the distribution of the distance from the center is conventional. When they are different, the element group is not one, but a new element group is actually created. For example, when there is a distribution of traffic teacher data of two types of applications communicated by two types of encryption methods as shown in FIG. 4, the measurement function unit 18 converts the teacher data into a two-dimensional feature vector, That is, it is determined by plotting the average packet interval against the stream arrival time interval distribution. When measured, four groups, indicated by squares (application 1, encryption method A), indicated by circles (application 2, encryption method A), indicated by inverted triangles (application 1, encryption method B), and indicated by triangles (application 2) And plotted in cryptosystem B).

  This determination assumes, as a first assumption, that the use of decision curves 84 and 86 is optimal. Elements in the vicinity of the boundary in FIG. 4 (a) are elements that cannot be avoided.

  When the feature vectors of many streams obtained by actual measurement have the distribution shown in FIG. 4 (b), as a second assumption, the element group surrounded by the curve 88 is (Application 2, encryption method A) or It is assumed that communication is not based on (application 1, encryption method B) but a new application (application 3, encryption method B).

  The measurement function unit 18 performs classification based on this assumption, and compares the four distributions of elements excluding the group considered as (application 3, encryption method B) with the distribution of teacher data. When the distribution of the target element is close to the distribution of the teacher data, the subsequent determination is performed assuming that the second assumption is correct.

  With this configuration, learning data can be acquired and updated as appropriate by any method.

  The measurement function unit 18 loads a program that realizes the functions of the above-described components as a computer, and by having each component, the network communication traffic encryption method and the type of application are identified and the traffic is accurately detected. Can be monitored.

10 Traffic monitoring system
12a, 12b, 12c router
14 Gateway device
16a-16f Subscriber's terminal equipment
18, 18a-18e Measurement function
20 Control function
22 Traffic input section
24 Feature Acquisition Department
26 Teacher traffic transceiver
28 Traffic classification function section
30 Teacher Information Department
32 Classification information storage
34 Measurement controller
36 Traffic output section

Claims (12)

A traffic monitoring device that monitors network communication traffic, extracts features of the traffic to be monitored, and estimates the type of encryption and the type of application used.
Input means for inputting the traffic, traffic to be observed was input traffic, to force out classified into teacher traffic and control signals,
Feature acquisition means for acquiring a plurality of feature amounts extracted from the traffic to be observed and the teacher traffic as feature information and teacher information, respectively;
Teacher information acquisition means for inputting the teacher information and converting the teacher information into teacher information for evaluation;
Traffic using a plurality of feature quantities as feature vectors, estimating the type of encryption and the type of application for the traffic to be observed based on the feature information and the teacher information for evaluation, and classifying the traffic by the estimated type A classification means for outputting information;
Classification storage means for storing the classified traffic information and outputting corresponding information according to the control signal ;
Traffic monitoring device which comprises an output means for outputting the classified traffic information output from the classification storing means, the teacher tiger arsenide click and the control signal.   The apparatus according to claim 1, wherein the classification unit uses a plurality of feature quantities as feature vectors, uses class supervision to obtain a judgment condition in estimating the contents, and obtains a judgment condition. A traffic monitoring apparatus characterized in that a determination condition for maximizing a value is obtained or a class is determined, the determination condition is explicitly output, and the estimated classification is performed using the obtained determination condition.   2. The apparatus according to claim 1, wherein the classification means has a plurality, and the feature information handled by the classification means is multiplied by a weight and then the probabilities of the same class are totaled to obtain the largest probability. Is output as the estimated traffic content.   The apparatus according to claim 1, wherein the classification unit prepares a plurality of feature information as candidates, selects a feature information combination having the highest estimation accuracy using the teacher traffic, and uses the combination. Traffic monitoring device.   5. The apparatus according to claim 4, wherein the classification unit sets N pieces of feature information as candidates, and among them, a feature information is reduced, and the remaining Na pieces of feature information; and Estimate the traffic content using the teacher traffic, leave the top α of feature information with good results obtained in the estimation, then set the α feature information as candidates, from the candidates, Traffic content is estimated using the Na-b feature information obtained by reducing the b feature information and the teacher traffic, and the top β of the feature information having good results is left, Each time, the feature information is reduced to c, d,..., The number of the top feature information to be retained is set to .gamma., .Delta. , Characterized by using the feature information that has the best results Traffic monitoring device.   5. The apparatus according to claim 4, wherein the classification means selects the feature information by using a genetic algorithm or an annealing method repeatedly, and changes the combination one after another, so that the best estimation is possible in the evaluable time. A traffic monitoring device characterized by obtaining a combination of feature information with high accuracy and using the obtained feature information for determination.   6. The apparatus according to claim 5, wherein the classification means continues the repetition and uses the feature information that has obtained the best results, and the selection of the feature information uses a genetic algorithm or an annealing method repetition method. The combination method was changed one after another, and the combination of feature information with the highest estimation accuracy in the evaluable time was obtained, and the obtained feature information was used for both judgments. A traffic monitoring apparatus that performs evaluation using characteristic information and the teacher traffic within an allowable calculation time, and uses a result obtained with the best evaluation result for evaluation. The apparatus according to any one of claims 1 to 7 , wherein the apparatus is configured to estimate the content of the traffic in an order of an encryption method and an application type, an estimation in a reverse order of the order, and the A traffic monitoring apparatus characterized in that estimation of an encryption method and an application is estimated by any one of estimations divided into a plurality of stages. 9. The apparatus according to claim 1 or 8 , wherein the teacher information estimates feature information generated by encryption from feature information of plaintext data, and the device uses the estimated feature information to determine the content of the traffic. A traffic monitoring device characterized by estimating 10. The apparatus according to any one of claims 1 to 9 , wherein the apparatus uses, as the teacher data used for evaluation, one having the closest external condition of the acquired parameter among the teacher data observed in the past. In addition, the traffic monitoring apparatus is characterized in that the teacher data is periodically acquired and updated. 11. The apparatus according to claim 10 , wherein the teacher data is specified by means for specifying a pair of the devices close to a subscriber terminal device pair carrying the traffic to be evaluated, and the specifying means includes the subscriber terminal device. A traffic monitoring apparatus characterized by estimating a network to which a network belongs from an IP address, acquiring path information, selecting a pair of the apparatus that maximizes duplication of communication paths, and using the selected pair. 12. The apparatus according to claim 11 , wherein the apparatus measures, in an N-dimensional vector space, a distance between the same encryption method and the application and another element in each traffic data of the estimated group, and a center thereof. If the distribution of the distance from is different from the distribution in the teacher traffic and the conventional distribution, the element group is assumed to be a new element group, and the distribution of the set excluding the new element group is the distribution in the teacher traffic or The traffic is characterized in that if it matches with the conventionally observed subscriber traffic, the assumption is true and the new element group is estimated from the set added to the subsequent flow content estimation. Monitoring device.

Images