JP6781109B2 - Traffic controls and methods - Google Patents

Description

The present invention relates to a traffic control technique for identifying and discarding non-regular traffic by analyzing received packets received from communication traffic.

In the current IP (Internet Protocol) network, an IP network relay device such as a switch or a router between a server and an end user terminal or between the servers analyzes a communication packet to perform efficient packet transfer. .. FIG. 15 is a configuration example of a general telecommunications carrier network. As shown in FIG. 15, the end-user terminal authenticated by the telecommunications carrier communicates with the transfer device of the telecommunications carrier via the user's home device and uses a desired service. A telecommunications carrier provides a global Internet connection service by authenticating users within its own network, performing appropriate traffic control, and interconnecting with other carriers via a network termination device.

It is widely known that in such a telecommunications carrier network, communication restrictions are imposed when communications are concentrated due to a disaster or the like, and congestion occurs in which services cannot be used. On the other hand, the factors that put pressure on the communication band are not only disasters, but also a certain percentage of traffic that is undesired for operators due to a large amount of frequent and frequent data generated by users with malicious intentions and repeated changes in service contract status. Such traffic may flow, and such traffic is called non-regular traffic. Non-regular traffic not only hinders the efficient network operation of the operator, but also impairs the convenience of the user. Therefore, it is desired to reduce the non-regular traffic.

Patent No. 3233594 Patent No. 501267

SDNet (Software Defined Specification Environment for Networking), http://japan.xilinx.com/support/documentation/backgrounders/j_sdnet-backgrounder.pdf S.Dharmapurikar, et al., "Deep Packet Inspection Using Parallel Bloom Filters", IEEE micro, January / February (vol.24 2004), Issue No.01, p.52-61

However, since such a conventional technology is an elemental technology that is effective only in a limited situation such as an emergency such as a disaster, a specific protocol, or a part of a packet, it is not possible to reduce non-regular traffic in a steady state. There was a problem that it was difficult.

For example, the technique proposed in Patent Document 1 is suitable for mobile communication in which a message is created according to a communication status such as a failure of a switchboard in a mobile communication network or network congestion, and the message is displayed on the transmitting mobile device. It is an exchange and communication network status notification system. Therefore, it does not correspond to a technical solution considering changes in data generated by a user with an illegal intention or a service contract status.

Further, the technique proposed in Patent Document 2 can avoid an event in which a call cannot be established when a detour is performed at the time of call connection in a communication system in which a call is connected via a plurality of relay nodes. It is said that it is possible to avoid the event that the call cannot be disconnected after the call is established. However, SIP (Session Initiation Protocol) is assumed as a call control protocol, and it does not correspond to a technical solution effective for other protocols.

Considering large and frequent data generated by users with malicious intentions and repeated changes in service contract status, to reduce non-regular traffic without depending on a specific protocol, especially for analyzing packets. Technology is an indispensable technology for businesses to continue to support safe and secure infrastructure by detecting and blocking abnormal traffic at an early stage and stabilizing it, which leads to reduction of security risks.

Conventionally, a packet classification technique has been known as one of the methods for analyzing such packets. In packet classification, by analyzing the header part of a packet, necessary information can be routinely extracted according to the protocol. It is typically mounted on a switch chip, network processor, or the like, but as shown in Non-Patent Document 1, there is also a packet processor that can be mounted on a programmable device represented by FPGA.

However, these packet classification techniques alone cannot always reduce non-regular traffic. This is because it is difficult to identify whether the information for identification exists in the header part or the data part of the packet if the prior knowledge is not sufficient.

On the other hand, DPI (Deep Packet Inspection) technology is known as another kind of method for analyzing packets. The DPI identifies the target application by collating the pattern specified as the classification condition in advance with the specific bit string at an arbitrary position in the user data portion of the received packet and determining whether or not they match. Conventionally, as shown in Non-Patent Document 2 as a method of analyzing a data part of a packet, a plurality of collation filters are configured in parallel according to the data length of the packet, and a traffic pattern is discriminated at high speed by hardware. A method has been proposed.

However, such a method of configuring the filter according to the data length to be checked is inefficient and causes a problem of mounting cost. Further, although it is possible to analyze a specific bit string at an arbitrary position, it is not suitable for application to routine processing having a fixed specification such as a packet header. Therefore, it is difficult to obtain the expected non-regular traffic reduction effect by using any of the above-mentioned techniques.

The present invention is for solving such a problem, and provides a traffic control technique capable of appropriately discarding and reducing non-regular traffic even if the disposal conditions are complicated and it is difficult to identify non-regular traffic. The purpose is to do.

To achieve the above object, a traffic control device according to the present invention, there is provided a traffic control device to discard to identify the non-regular traffic by analyzing the received packet received from the communication traffic, said non-normal the analysis range analysis range of waste condition when whether the data portion is a header portion is not clear, from the header analysis specification and the disposal conditions of the received packet, corresponding to the discard condition for discarding traffic The condition setting unit that specifies whether is the header part or the data part and the discard condition that is specified that the analysis range is the header part are registered in the discard table, and the header of the received packet is analyzed. The header analysis unit that collates the received packet whose analysis range is determined to be the header portion with the discard condition of the discard table, and the discard condition specified that the analysis range is the data portion are used as the discard filter. The data analysis unit that registers the received packet whose analysis range is determined to be the data portion is collated with the disposal conditions of the discard filter, and the collation results obtained by the header analysis unit and the data analysis unit. Based on this, it is provided with a discard control unit that discards packets related to the non-regular traffic.

Further, in one configuration example of the traffic control device according to the present invention, setting data related to the disposal condition is acquired from an externally connected integrated management device, and the setting data and the setting content regarding the disposal condition of the condition setting unit are obtained. It also has a higher-level setting control unit that synchronizes with.

Further, in one configuration example of the traffic control device according to the present invention, the condition setting unit inputs an analysis specification input unit for inputting a header analysis specification of the received packet and a disposal condition for inputting a disposal condition of the non-regular traffic. It includes an input unit and a specification matching determination unit that determines whether the analysis range of the disposal condition is a header portion or a data portion based on the header analysis specifications.

Further, in one configuration example of the traffic control device according to the present invention, the header analysis unit registers the disposal conditions set by the condition setting unit in the disposal table, and the header of the received packet. A reception header analysis unit that analyzes the received packet based on the header analysis specifications, and a specification match determination unit that determines whether the analysis range of the received packet is a header part or a data part based on the header analysis specifications. It is provided with a discard table search unit that collates the received packet whose analysis range is determined to be the header portion by the specification match determination unit with the discard condition searched from the discard table.

Further, in one configuration example of the traffic control device according to the present invention, the data analysis unit has obtained a disposal signature calculation unit for obtaining a disposal signature which is a hash value related to the disposal condition specified by the condition setting unit. A bit string of a predetermined position and length among the discard filter registration unit that registers the discard signature in the discard filter and the user data stored in the received packet whose analysis range is determined to be the data portion. It is provided with a data signature calculation unit for obtaining a data signature which is a hash value of the data, and a disposal filter collating unit for collating the data signature with the disposal signature registered in the disposal filter.

Further, in one configuration example of the traffic control device according to the present invention, the disposal control unit manages both the disposal table of the header analysis unit and the disposal filter of the data analysis unit, and the header. It is provided with a packet discarding unit that discards packets related to the non-regular traffic based on the collation result obtained by the analysis unit and the data analysis unit.

Further, in one configuration example of the traffic control device according to the present invention, the higher-level setting control unit uses the setting detection unit for detecting the reception of the setting data from the integrated management device and the detected setting data as the conditions. It has a setting synchronization unit to be registered in the setting unit.

Further, the traffic control method according to the present invention is a traffic control method that identifies and discards non-regular traffic by analyzing received packets received from the communication traffic, and the condition setting unit discards the non-regular traffic. said analysis range header analysis range of waste condition when whether the data portion is a header portion is not clear, from the header analysis specification and the disposal conditions of the received packet, corresponding to the discard conditions for The condition setting step for specifying whether the data is the data part or the data part, and the header analysis unit registers the discard condition specified that the analysis range is the header part in the discard table and analyzes the header of the received packet. The header analysis step of collating the received packet for which the analysis range is determined to be the header portion with the discard condition of the discard table, and the data analysis unit have specified that the analysis range is the data portion . The data analysis step of registering the discard condition in the discard filter and collating the received packet whose analysis range is determined to be the data portion with the discard condition of the discard filter, and the discard control unit are the header analysis unit. And, based on the collation result obtained by the data analysis unit, the discard control step of discarding the packet related to the non-regular traffic is provided.

Further, in one configuration example of the traffic control method according to the present invention, the upper setting control unit acquires the setting data related to the disposal condition from the integrated management device connected externally, and the setting data and the condition setting unit It further includes a higher-level setting control step that synchronizes with the setting contents related to the disposal condition.

According to the present invention, even in a case where the conditions for disposal are complicated and it is difficult to identify the non-regular traffic, the non-regular traffic can be identified more accurately, and the detection rate of the non-regular traffic is improved. As a result, unnecessary traffic can be appropriately disposed of from the telecommunications carrier network to reduce it, and as a result, efficient network operation of the telecommunications carrier can be realized and user convenience can be ensured. Become.

It is a block diagram which shows the structure of the traffic control device which concerns on 1st Embodiment. This is a configuration example of the condition setting unit. This is a configuration example of the header analysis unit. This is a configuration example of the discard table. This is the packet format used by RADIUS. It is a list of Attributes in RADIUS. This is a configuration example of the data analysis unit. This is a configuration example of a waste filter. This is a configuration example of the disposal control unit. It is a sequence diagram which shows the operation of the traffic control device which concerns on 1st Embodiment. It is a block diagram which shows the structure of the traffic control device which concerns on 2nd Embodiment. This is a configuration example of the upper setting control unit. This is a configuration example showing the setting data of the integrated management device. It is a sequence diagram which shows the operation of the traffic control device which concerns on 2nd Embodiment. This is a configuration example of a general telecommunications carrier network.

Next, an embodiment of the present invention will be described with reference to the drawings.
[First Embodiment]
First, the traffic control device 10 according to the first embodiment of the present invention will be described with reference to FIG. FIG. 1 is a block diagram showing a configuration of a traffic control device according to the first embodiment.

The traffic control device 10 is a device that is arranged on a telecommunications carrier network, identifies a non-genuine traffic that matches a predetermined disposal condition from the communication traffic flowing on the network, and discards the corresponding packet. ..
As shown in FIG. 1, the traffic control device 10 has a packet receiving unit 11, a condition setting unit 12, a header analysis unit 13, a data analysis unit 14, a disposal control unit 15, a disposal table 21, and a disposal table 21 as main functional units. A waste filter 22 is provided.

The packet receiving unit 11 has a function of receiving a packet from a communication traffic including a non-genuine traffic flowing on the communication carrier network.
The condition setting unit 12 has a function of specifying the analysis range corresponding to the disposal condition from the designated header analysis specifications and the disposal condition.

The header analysis unit 13 has a function of registering the discard condition specified in the discard table 21 that the analysis range specified by the condition setting unit 12 is within the header, and analyzes the header of the received packet received by the packet reception unit 11. It has a function of collating the received packet whose analysis range is determined to be in the header with the disposal condition registered in the disposal table 21.

The data analysis unit 14 has a function of registering the disposal condition specified by the condition setting unit 12 that the analysis range is outside the header in the disposal filter 22, and a received packet whose analysis range is determined to be outside the header. , Has a function of collating with the disposal conditions registered in the disposal filter 22.
The discard control unit 15 has a function of discarding packets related to non-regular traffic based on the collation results obtained by the header analysis unit 13 and the data analysis unit 14.

A feature of the present invention is that the packet analysis for identifying and discarding non-regular traffic is divided into a header part and a data part based on the analysis range of each disposal condition, and the disposal table 21 and the disposal filter 22 are used, respectively. It constitutes a hierarchical disposal condition.

In the background technology described above, a concrete example of diversification of factors that cause non-regular traffic will be shown. In the past, a large number of communication request retries under call restrictions during a disaster was the main cause of non-genuine traffic, but for example, conditions such as the source IP address, port, user ID, and password are intended by the user to be illegal. It can change at any time with or without. In addition, information such as passwords becomes more difficult to analyze and control due to encryption. The communication conditions that are the prerequisites for determining such non-regular traffic are not always included in the header for controlling the packet, and it is not known from which part of the user data the determination should be made, and the position thereof. Conditions such as headers and contents change from moment to moment.

In this way, in order to enable the identification of non-regular traffic even under various conditions, in the present invention, not only the disposal conditions specified by the user but also the header analysis specifications are given as inputs to narrow down the analysis range. .. The header analysis specifications typically conform to the protocol specifications specified in standard documents such as RFC. A known technique can be used as a method for defining the specifications. For example, the specifications may be described by the method shown in Non-Patent Document 1.

FIG. 2 is a configuration example of the condition setting unit. The condition setting unit 12 includes an analysis specification input unit 12A in which the network administrator inputs the header analysis specifications of the received packet, a disposal condition input unit 12B in which the user inputs the disposal conditions of non-genuine traffic, and a header analysis specification. Based on this, a specification matching determination unit 12C for determining whether or not the analysis range of the disposal condition is within the header is provided. As a result, the disposal conditions can be hierarchically configured in the disposal table 21 and the disposal filter 22. Whether or not the analysis range of the non-genuine traffic condition is the header can be clarified by inputting the specifications. Therefore, if the disposal condition can be specified by the header range, the non-genuine traffic packet can be obtained by searching and collating the disposal table 21. Can be discarded.

FIG. 3 is a configuration example of the header analysis unit. The header analysis unit 13 includes a discard table registration unit 13A that registers the discard conditions set by the condition setting unit 12 in the discard table 21, and a header of the received packet received by the packet reception unit 11 based on the header analysis specifications. The analysis range is inside the header by the reception header analysis unit 13B to be analyzed, the specification match determination unit 13C that determines whether the analysis range of the received packet is inside or outside the header based on the header analysis specifications, and the specification match determination unit 13C. A discard table search unit 13D for collating the received packet determined to be with the discard condition searched from the discard table 21 is provided.

FIG. 4 is a configuration example of the disposal table. Here, the disposal conditions are registered for each condition number unique to each disposal condition. When the user specifies a discard condition for discarding non-genuine traffic packets in the condition setting unit 12, the discard condition is registered as a new entry in the discard table 21 by the discard table registration unit 13A of the header analysis unit 13. Ru. For example, condition 1: discard the packet whose "source IP address" is "xxx.xxx.xxx.xxx", condition 2: discard the packet whose "source port number" is "yyy", ..., condition N: " It is possible to set a non-genuine traffic discard condition at the request of the network administrator, such as discarding a packet whose "user ID" is "zzz".

Next, as an example of the communication data to be controlled by the traffic control device 10 of the present invention, an embodiment in which the discard table 21 is set based on the user information such as the user ID will be described.
When a user uses a telecommunications carrier network, he / she first receives user authentication on the telecommunications carrier network. User authentication is typically performed by a client-server method using RADIUS disclosed in RFC 2138. FIG. 5 is a packet format used in RADIUS. In this packet format, the user ID itself can be examined by analyzing Attributes (RADIUS attribute).

FIG. 6 is a list of Attributes in RADIUS. Attribute is standardized in the so-called TLV format of Type, Length, and Value, and the network administrator may specify the User-Name Attribute shown in FIG. 6 according to the format. Further, in order to determine whether or not the user is a legitimate user who has been correctly authenticated by the password associated with the user ID, the authenticator of FIG. 6 may be specified.

According to the present invention, the analysis specification input unit 12A of the condition setting unit 12 is provided with specifications for enabling such designation, so that the header analysis unit 13 in the present invention can be used at the request of the network administrator. A series of processes can be carried out.

On the other hand, there are cases where the specifications related to such packet formats are not given by the network administrator, or there are cases where it is necessary to determine that it is non-genuine traffic and discard it based on information that is not specified in the specifications in the first place. Be done. In this case, the discard condition to be specified does not exist in the header and is embedded somewhere in the user data, so it is difficult to identify the non-regular traffic only by the header analysis unit 13. ..

Therefore, the present invention provides an analysis method effective for non-regular traffic that is difficult for the header analysis unit 13 to identify by a series of processing units provided in the data analysis unit 14.

FIG. 7 is a configuration example of the data analysis unit. The data analysis unit 14 includes a discard signature calculation unit 14A for obtaining a discard signature which is a hash value related to the discard condition specified by the condition setting unit 12, and a discard filter registration unit 14B for registering the obtained discard signature in the discard filter 22. And, among the user data stored in the received packet whose analysis range is determined to be outside the header by the header analysis unit 13, the data signature which is a hash value relating to a bit string of an arbitrary position and an arbitrary length determined in advance. A data signature calculation unit 14C for obtaining the data signature and a discard filter collating unit 14D for collating the obtained data signature with the discard signature registered in the discard filter 22 are provided.

Since many parts of the data analysis unit 14 can be implemented by applying the DPI technique shown in Non-Patent Document 2, details are omitted and structural differences from Non-Patent Document 2 will be described.
FIG. 8 is a configuration example of the waste filter. In order to identify the target bit string as non-regular traffic in the analysis of the user data part of the received packet, it is necessary to calculate the signature which is the hash value from the pattern to be detected in advance and register it in the discard filter 22.

The number of signatures that can be registered varies depending on the program, device, and system to be implemented, but when the number of signatures n and the memory bit width m of the hash table on the memory are determined, the false positive probability p is minimized. The number of hash operations k that can be converted is formulated and widely known. Details are omitted because they are shown in Non-Patent Document 2, but the relational expression between the hash operation number k, the signature number n, and the memory bit width m is expressed by the following equation (1), and the false positive probability at this time. p is expressed by the following equation (2).

By using such a discard filter 22, the number of hash operations k can be determined while increasing the efficiency m / n of the storage space by allowing the false positive probability p at a certain level.
In the method of Non-Patent Document 2, a method of configuring a plurality of collation filters BF (w) in parallel according to the data length of the user data portion of the packet to be analyzed and processing the discrimination of the traffic pattern at high speed by hardware. Although it has been proposed, there is a problem that the required hardware resources increase because the number of filter BFs (w) increases as the data length increases.

According to the present invention, in the first stage of the data analysis unit 14, the packet that can be identified as non-regular traffic by the header analysis unit 13 does not need to be analyzed again by the data analysis unit 14, so that the minimum required hardware resource is required. The data analysis unit 14 can be configured while limiting the limit. The discard signature of the data analysis unit 14 configured in this way is collated with the data signature calculated from the bit string at an arbitrary position included in the user data portion of the received packet, and the presence or absence of non-regular traffic is determined.

Most of the data analysis unit 14 can be implemented by applying the DPI technique shown in Non-Patent Document 2, but it is not possible until the layered disposal control, which is a configuration characteristic of the present invention, functions. Non-Patent Document 2 can be utilized for identifying the regular traffic. Therefore, even if a person skilled in the art having ordinary knowledge related to Non-Patent Document 2 attempts to identify non-regular traffic by diverting the technology shown in Non-Patent Document 2, a non-regular traffic as in the present invention It is difficult to show the effectiveness of the reduction.

FIG. 9 is a configuration example of the disposal control unit. The disposal control unit 15 relates to non-regular traffic based on the collation results obtained by the disposal condition management unit 15A that manages both the disposal table 21 and the disposal filter 22, and the header analysis unit 13 and the data analysis unit 14. It includes a packet discard unit 15B that discards received packets.
At this time, the packet discard unit 15B may discard the received packet received from the packet reception unit 11, the header analysis unit 13, or the data analysis unit 14, or process the transfer output to the subsequent stage, from the packet discard unit 15B. The packet receiving unit 11 may process the disposal or the transfer output to the subsequent stage by instructing the necessity of disposal.

[Operation of the first embodiment]
Next, the operation of the traffic control device 10 according to the present embodiment will be described with reference to FIG. FIG. 10 is a sequence diagram showing the operation of the traffic control device according to the first embodiment.

Prior to executing the process of monitoring the received packet received from the communication traffic and discarding the non-genuine traffic, the discard condition is registered in the discard table 21 and the discard filter 22.
First, in the condition setting unit 12, the analysis specification input unit 12A inputs the header analysis specification of the received packet in response to the instruction from the network administrator (step 100), and the discard condition input unit 12B receives an instruction from the user. The disposal conditions of the non-regular traffic are input according to (step 101). In response to this, the specification match determination unit 12C determines whether or not the analysis range of the disposal condition is within the header based on the header analysis specifications (step 102).

Here, when the analysis range is not in the header (step 102: NO), the discard signature calculation unit 14A of the data analysis unit 14 obtains the discard signature which is a hash value related to the discard condition specified by the condition setting unit 12 (step 102: NO). Step 103), the disposal filter registration unit 14B of the data analysis unit 14 registers the obtained disposal signature in the disposal filter 22 (step 104).

On the other hand, when the analysis range is within the header (step 102: YES), the discard table registration unit 13A of the header analysis unit 13 registers the discard condition specified by the condition setting unit 12 in the discard table 21 (step 105). ..
After that, the disposal condition management unit 15A of the disposal control unit 15 manages both the disposal table 21 and the disposal filter 22 (step 106).
As a result, a hierarchical disposal condition using the disposal table 21 and the disposal filter 22 is configured.

After that, every time a packet is received, the non-genuine traffic for the following received packets is discarded.
First, when the packet receiving unit 11 receives a packet from a communication traffic including a non-regular traffic flowing on the communication carrier network (step 110), the receiving header analysis unit 13B of the header analysis unit 13 receives the received packet. The header is analyzed based on the header analysis specifications (step 111).

Subsequently, the specification matching determination unit 13C of the header analysis unit 13 determines whether or not the analysis range is within the header based on the header analysis specifications (step 112).
Here, when the analysis range is not in the header (step 112: NO), the data signature calculation unit 14C of the data analysis unit 14 uses the user data stored in the received packet determined that the analysis range is outside the header. Among them, a data signature which is a hash value related to a bit string of a predetermined position and length is obtained (step 113), and the discard filter collating unit 14D sets the obtained data signature as the discard signature registered in the discard filter 22. Match (step 114).

On the other hand, when the analysis range is in the header (step 112: YES), the discard table search unit 13D of the header analysis unit 13 searches the discard table 21 for the received packet determined that the analysis range is in the header. Check against disposal conditions (step 115).
After that, the packet discard unit 15B of the discard control unit 15 discards the packet related to the non-regular traffic based on the collation results obtained by the header analysis unit 13 and the data analysis unit 14 (step 116).

[Effect of the first embodiment]
As described above, in the present embodiment, the condition setting unit 12 specifies the analysis range corresponding to the discard condition from the designated header analysis specifications and the discard condition, and the header analysis unit 13 determines that the analysis range is in the header. The discard condition is registered in the discard table 21, the received packet whose analysis range is determined to be inside the header is collated with the discard condition of the discard table 21, and the data analysis unit 14 determines that the analysis range is outside the header. Is registered in the discard filter 22, and the received packet whose analysis range is determined to be outside the header is collated with the discard condition of the discard filter 22, and the discard control unit 15 is obtained by the header analysis unit 13 and the data analysis unit 14. Based on the collation result based on the analysis result, packets related to non-regular traffic are discarded.

As a result, among the specified disposal conditions, the disposal conditions whose analysis range is in the header are registered in the disposal table 21, and the disposal conditions whose analysis range is outside the header are registered in the disposal filter 22. Disposal conditions will be established. Therefore, both the header of the received packet received from the communication traffic and the user data can be analyzed hierarchically to control the disposal.

Therefore, even in the case where the conditions for disposal are complicated and it is difficult to identify the non-regular traffic, the non-regular traffic can be identified more accurately, and the detection rate of the non-regular traffic is improved. As a result, unnecessary traffic can be appropriately disposed of from the telecommunications carrier network to reduce it, and as a result, efficient network operation of the telecommunications carrier can be realized and user convenience can be ensured. Become.

[Second Embodiment]
Next, the traffic control device 10 according to the second embodiment of the present invention will be described with reference to FIG. FIG. 11 is a block diagram showing a configuration of the traffic control device according to the second embodiment.

The traffic control device 10 is a device that is arranged on a telecommunications carrier network, identifies a non-genuine traffic that matches a predetermined disposal condition from the communication traffic flowing on the network, and discards the corresponding packet. ..
As shown in FIG. 11, the traffic control device 10 has a packet transmission / reception unit 11A, a condition setting unit 12, a header analysis unit 13, a data analysis unit 14, a disposal control unit 15, and a higher-level setting control unit 16 as main functional units. , A disposal table 21, and a disposal filter 22 are provided.

Further, the host processing device 30 is an external device in which the communication function for communicating with the traffic control device 10 is virtualized. Further, the integrated management device 40 is an external device that enables integrated setting control and operation management of the host processing device 30 and the traffic control device 10.

The packet transmission / reception unit 11A has a function of receiving a packet from a communication traffic including a non-regular traffic flowing on the communication carrier network and a function of transmitting / receiving a packet to / from the host processing device 30.
The condition setting unit 12 has a function of specifying the analysis range corresponding to the disposal condition from the designated header analysis specifications and the disposal condition.
The host setting control unit 16 has a function of exchanging setting data with the integrated management device 40 and synchronizing the setting contents.

The header analysis unit 13 has a function of registering the discard condition specified in the discard table 21 that the analysis range specified by the condition setting unit 12 is within the header, and analyzes the header of the received packet received by the packet transmission / reception unit 11A. It has a function of collating the received packet whose analysis range is determined to be in the header with the disposal condition registered in the disposal table 21.

The data analysis unit 14 has a function of registering the disposal condition specified by the condition setting unit 12 that the analysis range is outside the header in the disposal filter 22, and the received packet whose analysis range is determined to be outside the header. , Has a function of collating with the disposal conditions registered in the disposal filter 22.
The discard control unit 15 has a function of discarding packets related to non-regular traffic based on the collation results obtained by the header analysis unit 13 and the data analysis unit 14.

The feature of this embodiment is that the upper setting control unit 16 is added to the configuration according to the first embodiment described above, and the integrated management device 40 externally connected to the traffic control device 10 by the upper setting control unit 16. The setting content related to the disposal condition set in is detected, and the setting content related to the disposal condition in the traffic control device 10 is automatically synchronized with this setting content.

FIG. 12 is a configuration example of the upper setting control unit. By registering the setting detection unit 16A that detects the reception of the setting data having the format specified in advance from the external integrated management device 40 in the upper setting control unit 16 and the detected setting data in the condition setting unit 12. , The setting synchronization unit 16B that automatically synchronizes (matches) the setting contents of the condition setting unit 12 with the setting contents by the upper integrated management device 40 is provided.

FIG. 13 is a configuration example showing the setting data of the integrated management device. Here, an example in which the setting data is composed of an IP address and a user ID is shown. The setting data can be described in a text file, "setting data" is given as an object name, and can be uniquely distinguished from other setting data. Two sets of "User-Name" and "IP-Address" keys are specified as the contents of the "setting data", and the actual value is the IP address "mm.mmm." With the user ID "xxx". The IP address "nn.nnnn.nn.n" whose user ID is "yyy" is designated as "mm.m". The network administrator only needs to set such a key / value pair, and the setting detection unit 16A is configured to be able to process such a format in advance.

In this way, the setting data designated by the network administrator in the integrated management device 40 is automatically detected through the setting detection unit 16A and notified to the setting synchronization unit 16B. The setting synchronization unit 16B registers the setting data in the condition setting unit 12, and changes the operation of the traffic control device 10 so as to determine that the corresponding setting content is a non-regular packet. The setting data format shown in this embodiment is shown in the JSON (JavaScript Object Notation) format that is widely used for exchanging data for the sake of simplicity of explanation, but is a higher-level setting characteristic of the configuration of the present invention. Since the setting data used by the control unit 16 does not depend on a specific data format, other data formats may be used.

Other configurations such as the disposal table 21 and the disposal filter 22 in the traffic control device 10 according to the present embodiment are the same as those in the first embodiment, and detailed description thereof will be omitted here.

[Operation of the second embodiment]
Next, the operation of the traffic control device 10 according to the present embodiment will be described with reference to FIG. FIG. 14 is a sequence diagram showing the operation of the traffic control device according to the second embodiment.

Prior to executing the process of monitoring the received packet received from the communication traffic and discarding the non-genuine traffic, the discard condition is registered in the discard table 21 and the discard filter 22.
Here, when the network administrator has previously specified a set of setting data as shown in FIG. 13 regarding the disposal conditions in the integrated management device 40, the setting detection unit 16A in the upper setting control unit 16 performs integrated management. The setting data specified by the network administrator is detected from the device 40 (step 200), and the setting synchronization unit 16B automatically synchronizes the setting data related to the disposal conditions set in the condition setting unit 12 with the detected setting data. (Step 201).

Next, in the condition setting unit 12, the analysis specification input unit 12A inputs the header analysis specification of the received packet in response to the instruction from the network administrator (step 202), and the discard condition input unit 12B controls the upper setting. Setting of unit 16 Acquires the disposal condition of the non-regular traffic registered by the synchronization unit 16B (step 203). In response to this, the specification match determination unit 12C determines whether or not the analysis range of the disposal condition is within the header based on the header analysis specifications (step 102).

After that, steps 102 to 106 and steps 110 to 116 of FIG. 10 described above are executed, respectively. These processing contents are the same as those in FIG. 10, and detailed description here will be omitted.

[Effect of the second embodiment]
In recent years, the traffic control device 10 has come to be managed in a cloud environment composed of a huge number of servers, but it is necessary to manage the traffic control device 10 in addition to managing a huge number of servers. In that case, there is a problem that management becomes complicated and may lead to an accident such as a setting error. However, it is difficult to consistently and integrally set the settings of various devices desired by the network administrator.

In this embodiment, a higher-level setting control unit 16 is added, and the higher-level setting control unit 16 detects the setting contents related to the disposal conditions set in the integrated management device 40 externally connected to the traffic control device 10. Therefore, it is incorporated into the traffic control device 10. As a result, the setting contents regarding the disposal conditions in the traffic control device 10 are automatically synchronized with the setting contents set by the network administrator in the integrated management device 40.

Therefore, the network administrator can centrally manage the setting contents related to the disposal conditions in the integrated management device 40 without being bothered by the individual settings in the traffic control device 10. Therefore, even if the number of servers to be managed by the traffic control device 10 increases, it is possible to appropriately manage non-genuine packets without increasing the complexity and burden of management regarding disposal conditions.

The embodiments of the present invention have been shown and described above. In the description of the embodiment, what is described as "-part" may be "-circuit", "-device", "-equipment", or "-step", "-means", "-means". ~ Processing "may be used. Further, what is described as "~ part" in this embodiment may be realized by the firmware stored in the ROM and the hardware such as the reconfigurable device / element / board / wiring. Alternatively, it may be implemented in combination with software and hardware, and further in combination with firmware. The firmware and software are stored as programs on a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, or a DVD. The program is read and executed by the CPU. That is, the program causes the computer to function as the "-means" of the embodiment of the present invention. Alternatively, the computer is made to execute the procedure or method of "~ part" of the embodiment.

[Extension of Embodiment]
Although the present invention has been described above with reference to the embodiments, the present invention is not limited to the above embodiments. Various changes that can be understood by those skilled in the art can be made to the structure and details of the present invention within the scope of the present invention. In addition, each embodiment can be implemented in any combination within a consistent range.

10 ... Traffic control device, 11 ... Packet receiving unit, 11A ... Packet transmitting / receiving unit, 12 ... Condition setting unit, 12A ... Analysis specification input unit, 12B ... Discard condition input unit, 12C ... Specification matching judgment unit, 13 ... Header analysis unit , 13A ... Discard table registration unit, 13B ... Receive header analysis unit, 13C ... Specification match judgment unit, 13D ... Discard table search unit, 14 ... Data analysis unit, 14A ... Discard signature calculation unit, 14B ... Discard filter registration unit, 14C ... Data signature calculation unit, 14D ... Discard filter collation unit, 15 ... Discard control unit, 15A ... Disposal condition management unit, 15B ... Packet discard unit, 16 ... Upper setting control unit, 16A ... Setting detection unit, 16B ... Setting synchronization unit , 21 ... Disposal table, 22 ... Disposal filter, 30 ... Higher level processing device, 40 ... Integrated management device.

Claims (9)

A traffic control device that identifies and discards non-genuine traffic by analyzing received packets received from communication traffic.
If the or analysis range of disposal conditions for discarding non-regular traffic is either data portion is a header portion is not clear, from the header analysis specification and the disposal conditions of the received packet, corresponding to the discard condition a condition setting section that the analysis range to identify whether the data portion is a header portion,
The discard condition specified that the analysis range is the header portion is registered in the discard table, and the received packet whose analysis range is determined to be the header portion by analyzing the header of the received packet is discarded. A header analysis unit that collates with the table discard conditions,
Data analysis in which the disposal condition specified that the analysis range is the data portion is registered in the disposal filter, and the received packet determined that the analysis range is the data portion is collated with the disposal condition of the disposal filter. Department and
A traffic control device including a header analysis unit and a disposal control unit that discards packets related to the non-regular traffic based on the collation results obtained by the data analysis unit. In the traffic control device according to claim 1,
It is characterized by further including a higher-level setting control unit that acquires setting data related to the disposal condition from an externally connected integrated management device and synchronizes the setting data with the setting content related to the disposal condition of the condition setting unit. Traffic control device. In the traffic control device according to claim 1 or 2.
The condition setting unit
An analysis specification input unit for inputting the header analysis specifications of the received packet,
A disposal condition input unit for inputting the disposal conditions of the non-regular traffic,
A traffic control device including a specification matching determination unit that determines whether the analysis range of the disposal condition is a header portion or a data portion based on the header analysis specifications. In the traffic control device according to claim 1 or 2.
The header analysis unit
A disposal table registration unit that registers the disposal conditions set by the condition setting unit in the disposal table,
A receive header analysis unit that analyzes the header of the received packet based on the header analysis specifications,
A specification match determination unit that determines whether the analysis range of the received packet is a header portion or a data portion based on the header analysis specifications.
A traffic control device including a discard table search unit that collates the received packet whose analysis range is determined to be a header portion by the specification match determination unit with a discard condition searched from the discard table. In the traffic control device according to claim 1 or 2.
The data analysis unit
A discard signature calculation unit that obtains a discard signature that is a hash value related to the discard condition specified by the condition setting unit,
A waste filter registration unit that registers the obtained waste signature in the waste filter,
Among the user data to which the analysis range is stored in the received packet is determined to be data portion, a data signature computation unit for obtaining the data signature is a hash value of bit string of a predetermined position and length,
A traffic control device including a disposal filter collating unit that collates the data signature with the disposal signature registered in the disposal filter. In the traffic control device according to claim 1 or 2.
The disposal control unit
A disposal condition management unit that manages both the disposal table of the header analysis unit and the disposal filter of the data analysis unit,
A traffic control device including a packet discarding unit that discards packets related to the non-regular traffic based on a collation result obtained by the header analysis unit and the data analysis unit. In the traffic control device according to claim 2,
The upper setting control unit
A setting detection unit that detects the reception of the setting data from the integrated management device, and
A traffic control device including a setting synchronization unit that registers the detected setting data in the condition setting unit. It is a traffic control method that identifies and discards non-genuine traffic by analyzing received packets received from communication traffic.
Condition setting section, wherein, when analyzing the range of disposal conditions for discarding non-regular traffic whether data portion is a header portion is not clear, from the header analysis specification and the disposal conditions of the received packet, the a condition setting step of the analysis range corresponding to the discard condition is identified whether the data portion is a header portion,
The header analysis unit registers the discard condition specified that the analysis range is the header portion in the discard table, analyzes the header of the received packet, and determines that the analysis range is the header portion. A header analysis step that matches the packet with the discard condition of the discard table,
Data analysis unit, the analysis range to register the waste condition identified as being the data portion to the waste filter, the received packet is determined the analysis range is that the data part, disposal conditions of the waste filter Data analysis steps to match with
A traffic control method comprising a discard control step of discarding a packet relating to the non-regular traffic based on a collation result obtained by the header analysis unit and the data analysis unit. In the traffic control method according to claim 8,
The upper setting control unit acquires the setting data related to the disposal condition from the integrated management device connected externally, and synchronizes the setting data with the setting content related to the disposal condition of the condition setting unit. A traffic control method characterized by further provision.

Images