KR101068946B1 - Apparatus and method for analyzing failed-session on multi-resolution windows - Google Patents

Abstract

 The present invention relates to an apparatus and method for measuring a failed session distribution on multiple observation windows in which the number of sessions failed to connect among sessions attempted by each host is measured on multiple observation windows. The present invention provides a method for measuring a failed session distribution on multiple observation windows within a limited resource. Therefore, according to the present invention, the function of finding a failed session and the distribution of failed sessions in various observation windows for each managed host can be measured at a time. In addition, a method for measuring the distribution of failed sessions on multiple observation windows can be implemented in hardware.

Network Intrusion Detection, Multiple Observation Window, Sliding Window, Failure Session

Description

Apparatus and method for analyzing failed-session on multi-resolution windows}

The present invention relates to a network traffic measurement technique, and more particularly, to measure failed session distribution in multiple observation windows, which measures the number of sessions that fail to connect among sessions attempted by each host on multiple observation windows. An apparatus and a method thereof are provided.

The present invention is derived from a study conducted as part of the IT growth engine technology development of the Ministry of Knowledge Economy and the Ministry of Information and Communication Research and Development. [Task Management Number: 2006-S-042-03, Task Name: Zero-Day Attack of Network Threats] Development of real-time attack signature generation and management technology for response]

Anomaly detection using a critical point is a common network intrusion detection technology. This is a method of measuring the flow of the network to be managed, and when the measured value exceeds the threshold of the abnormal symptom to be detected, it is determined that a network attack corresponding to the abnormal symptom has occurred. However, in the case of the detection method using the critical point, if the threshold is set incorrectly, a situation that is not an abnormal symptom may be determined as an abnormal symptom or an abnormal symptom may not be determined.

Thus, a new method of measuring in multiple observation windows has been proposed to reduce false detections. However, in the proposed method, it is difficult to predict the resources to be used for the measurement because the time required for the measurement on the multiple observation windows and the amount of memory for the measurement are proportional to the number of destinations that the managed host accesses.

In addition, the measurement on the general multiple observation window was only concerned with measuring network flow distribution. However, this method can detect false positives due to programs that tend to connect from one host to many hosts, such as peer-to-peer, games, the Internet, and mail. These programs even allow one program to try to connect to hundreds of hosts per minute, and keep changing the connected host during a network connection. Therefore, even when the measurement time is changed in the multiple observation window, it is difficult to distinguish between the normal operation in the network attack and the application program using the network.

SUMMARY OF THE INVENTION An object of the present invention is to provide an apparatus and method for measuring a failed session distribution in multiple observation windows capable of estimating resource usage of the observation window, in order to measure the distribution of failed sessions in multiple observation windows within a limited hardware resource. will be.

The purpose is to measure the SYN RTT (SYN Round Trip Time) which is the average time between the synchronization packet and the synchronization and acknowledgment packet transmitted to the management host and the basic observation to measure the distribution of the failure session of the host A failure session observation window configured to be a multiple of a period, and when a synchronization packet flows into the failure session observation window, it is registered as a failure session, and synchronization and acknowledgment corresponding to the synchronization packet within the observation section of the failure session observation window. When the packet flows in, the failed session is deleted, and when the observation section of the failed session observation window is changed before receiving the synchronization packet, the failure session is registered, and the synchronization and acknowledgment packet is received, the SYN RTT value is changed. In the multiple observation windows including a failure session distribution measuring unit for correcting the number of failure sessions by using Of it is achieved by the failed session distribution analyzer.

In addition, measuring the SYN RTT of the host to be managed, generating at least one failed session observation window of different sizes in multiples of the basic observation period, the basic observation for the first synchronization packet flowing into the basic observation period Increasing the number of failed session distributions of the period, and when the first synchronization and acknowledgment packet corresponding to the first synchronization packet arrives, decreasing the number of failed session distributions of the basic observation period in which the first synchronization packet is registered. Calculating the number of failed sessions of the failed session observation window by summing the number of failed session distributions measured in the basic observation period according to the size of the failed session observation window; observing the failed session using the SYN RTT. Failure session correction step of correcting the number of failed sessions of the window and the number of failed sessions of the corrected failed session observation window Applied to the bitmap algorithm, it is achieved by a method of measuring the distribution of the failed session in the multi-observation window including the step of measuring the actual number of failed session.

According to the present invention, a failed session distribution within a limited resource can be measured in multiple observation windows. Therefore, the function of finding a failed session and the distribution of failed sessions for each managed host can be measured at a time. In addition, a method for measuring a failed session on multiple observation windows can be implemented in hardware.

Hereinafter, with reference to the accompanying drawings will be described in detail a preferred embodiment of the present invention.

An apparatus and method for measuring a failed session distribution on a multi-observation window are related to an apparatus and method for analyzing a packet of a managed network to find a failed session of a specific host and measuring the distribution in the multi-observation window.

1A and 1B are conceptual views of how multiple observation windows to be measured at each time point are set in the failed session distribution measuring unit of the apparatus for measuring a failed session distribution on a multiple observation window, which is an embodiment of the present invention.

One observation window is the observation time that the user wants to measure the distribution of failed sessions. That is, the present invention measures the distribution of failed sessions through the analysis of the synchronization packet, the synchronization and the acknowledgment packet passing through the observation interval for each observation window in the network to be managed.

Each observation window (100, 110, 120, 130) is configured in multiples of unit time. The unit time is a reference time for measuring a distribution of failed sessions and is set in a failed session distribution measurement unit to be described later. For example, when the unit time for configuring the observation window is set to 10 seconds, the size of the observation window may be 10 seconds, 20 seconds, 100 seconds, etc., which are multiples of the unit time.

There are two ways to operate the observation window. First, when one observation window is finished, a new observation window is set. Another way is that the observation window slides by the reference time.

1A illustrates a method of operating an observation window using the former method. If the unit time is set to 10 seconds, when the size of the observation window is 10 seconds, a new observation window is generated every 10 seconds and the distribution of failed sessions is measured. When the size of the observation window is 30 seconds, the observation window 100 is generated and measures the distribution of the failed session for 30 seconds. After 30 seconds, a new observation window 110 is created to measure the distribution of failed sessions.

1B is a method of operating the observation window by the latter method. The latter is a method of measuring a value during the observation period of each observation window in the past from that point in time when the reference time passes. Therefore, if the unit time is set to 10 seconds, when the size of the observation window is 10 seconds, the former and the operating method is the same. However, when the size of the observation window is 30 seconds, after 10 seconds of the reference time, the observation window 130 overlaps a predetermined portion with the previous observation window 120.

The former is easy to implement because the corresponding windows do not overlap by observation time, but the observed values are separated by the size of the observation window. Therefore, if the observation time is long, it may miss the phenomenon that overlaps the two observation windows. The latter has the advantage of tighter observation time, but has a disadvantage of complex implementation.

2A and 2B are block flow diagrams illustrating a method for measuring a SYN RTT in a SYN RTT (SYN Round Trip Time) measurement unit of an apparatus for measuring a failure session distribution on a multiple observation window, which will be described below.

SYN RTT is the average of the time from the arrival of a synchronization packet to the arrival of a synchronization and acknowledgment packet. In the present invention, an arbitrary synchronization packet and a synchronization and acknowledgment packet are selected to obtain an RTT value, and an average of the values and a standard deviation as required.

2A is a method of processing when a synchronization packet arrives. It is checked whether the synchronization packet reaching the management host is registered in the investigation target list to wait for the synchronization and acknowledgment packet corresponding to the same synchronization packet that arrived first (S250). If the synchronization packet is registered, the synchronization packet arrival time is updated (259).

If the synchronization packet is not registered in the management target host, it is checked whether an empty item of the investigation target list for registering the synchronization packet remains (S252). If empty items remain in the investigation target list, it is determined whether the incoming synchronization packet is examined (254). The present invention uses a random sampling method as an example of the irradiation method. If it is decided to include the incoming packet, the session start time of the synchronization packet is registered in the investigation target list (S256).

Among the synchronization packets registered in the investigation target list, items for which the synchronization and acknowledgment packets do not arrive even after a predetermined time elapses are periodically deleted from the list (S258).

2B is a method of processing when a synchronization and acknowledgment packet arrives. The registration of the synchronization packet corresponding to the synchronization and acknowledgment packet is checked (S260), and the SYN RTT is calculated from the registration time of the synchronization packet and the arrival time of the synchronization and acknowledgment packet (S262). The SYN RTT calculated synchronization item is deleted from the investigation target list (S263).

The calculated SYN RTT is transferred to the time management unit of the failed session flow distribution measuring unit to be described later, and used to correct the number of failed sessions included in the basic observation window when calculating the failed session distribution value.

3 is a configuration diagram of a failed session distribution measuring unit of a failed session distribution measuring apparatus on a multi-view window, which is an embodiment of the present invention to be described below.

The failed session distribution measuring unit 300 includes a failed session distribution managing unit 310 and a time managing unit 320.

The failed session distribution measuring unit 300 measures a distribution of failed sessions for each basic observation time, and adds the measured values of the basic observation intervals belonging to the corresponding window for each observation window. In addition, the error caused by the round trip time (RTT) of the synchronization packet and the synchronization and acknowledgment packet is corrected.

The time management unit 320 sets a basic observation time and generates a time ID that is a value obtained by dividing the longest observation window time by the basic observation time. In addition, since the time ID is generated in a round robin format, the time ID is assigned again from the beginning after the maximum time ID is assigned. For example, if the size of the longest observation window is 500 seconds and the reference time is 10 seconds, the time ID is assigned 1 to 1 to 10 seconds and 50 to 491 to 500 seconds. 1,2 and 501 are allocated to 501 to 510 seconds and 521 to 530 seconds, respectively. The time manager 320 may be implemented as a system internal clock or implemented as separate software.

The time managing unit 320 receives the SYN RTT value generated by the SYN RTT measuring unit described above with reference to FIGS. 2A and 2B and transmits the received SYN RTT value to the failed session distribution managing unit 310. The delivered SYN RTT value is used to set the interval for correcting the failed session value for the synchronization packet flowing from the boundary of the observation window when measuring the number of failed sessions in the failed session distribution management unit 310. The SYN RTT value may be used as it is to set the correction interval, and the interval obtained by adding a predetermined multiple of the standard deviation value to the average value of the RTT values may be used.

A method for measuring a failed session in the failed session distribution manager 310 will be described later with reference to FIG. 4.

4 is an embodiment of a data structure used for measuring and managing a failed session in the failed session distribution managing unit 310 which is a component of the present invention.

The failure session distribution management unit 310 includes two hash tables 401 and 403 for detecting and managing failure sessions, and a window table 420 which stores the number of failure sessions for each basic observation time of the observation window.

Two hash tables store the information of the failed session distribution. The two hash tables include a first hash table 401 for registering synchronization packets flowing into the host, and a second hash table 403 for backing up the information of the first hash table 401.

The method of managing failed session distribution information is outlined as follows. If a synchronization packet is introduced, it is considered to have failed first and its distribution is added to the first hash table 401. After registering in the first hash table 401, if a corresponding synchronization and acknowledgment packet flows, the session is a successful session and the distribution of the session is deleted from the first hash table 401. In addition, when a session appears in several basic observation intervals, only the most recent observation interval reflects the distribution record for the session.

A failed session management method using the first hash table 401 and the second hash table 403 will now be described in detail.

After the first synchronization packet is registered in the first observation interval, when the same second synchronization packet as the first synchronization packet is introduced in the second observation interval, failure information of the first synchronization packet is transmitted from the first hash table 401. It is deleted. This is because the failure is measured only for the most recently received synchronization packet. Therefore, when the synchronization and acknowledgment packet corresponding to the second synchronization packet is introduced in the second observation section, the second synchronization packet is also determined to be a successful session and deleted from the first hash table 401. In this case, however, the first synchronization packet of the first observation interval should be registered and managed as a failed session.

In order to prevent such an error, the present invention uses a second hash table 403 that backs up the first hash table 401. Therefore, after the first synchronization packet is registered in the first observation interval, the first observation interval ends, and when the second synchronization packet equal to the first synchronization packet arrives in the second observation interval, the first synchronization packet is removed. After backing up to the second hash table 403 before deleting it from the first hash table 401, the second synchronization packet is processed. When the synchronization and acknowledgment packet corresponding to the second synchronization packet is introduced in the second observation interval, the synchronization packet registered in the second observation interval is deleted, and the backup of the first synchronization packet deleted in the first observation interval is deleted. The information is restored to adjust the number of failed sessions in the first observation section.

When the time ID is set back to 1 after the longest observation interval, the first hash table 401 changes the second hash table 403, the second hash table 403 initializes, and then the first hash. Used as table 401. At this time, some distribution information in the longest observation section is also present in the second hash table 403.

Each item of the hash table includes a correction packet target item 411 item and a time ID 413 item. The correction packet subject status 411 indicates whether the registered synchronization packet is a packet registered within the SYN RTT time from the basic observation interval boundary. The correction packet target item is used when the correction method described later in FIG. 6A is used. Also, the time ID item indicates the time ID of the most recently registered time of the synchronization packet. The time ID item is composed of log2 (maximum time ID) bits and indicates the time ID of the basic observation interval to which the most recently displayed synchronization packet belongs.

The window table 420 stores the number of entries in the hash table registered as synchronization packets that appear during each basic observation interval. Therefore, the maximum observation time is divided into the number of items divided by the basic observation time.

When a synchronization session is registered in several sections, it is included in only one of the most recently displayed sections. That is, after the first synchronization packet is registered in the first observation interval, if the second synchronization packet identical to the first synchronization is registered in the second observation interval, the window table is a session in which only the synchronization packet registered in the second observation interval has failed. Save it.

FIG. 5 illustrates an example of measuring a failure session distribution in each observation window before performing error correction due to SYN RTT.

If the reference time constituting the observation window is 10 seconds, the maximum observation window size is 100 seconds, and the size of each observation window is 10 seconds, 30 seconds, 100 seconds, the operation method of the observation window is as follows.

Since the maximum observation window size is 100 seconds and the reference time is 10 seconds, the window table 501 includes a total of 10 entries.

When 50 seconds have elapsed since the start of the observation (510), the number of destinations of the failed sessions that appeared for each 10 seconds are stored in w1 to w5. Therefore, after 50 seconds, the 10-second observation window can measure the failed session distribution by applying the stored value of w5 (41 seconds to 50 seconds) as a bitmap algorithm. The 30 second observation window can measure the failed session distribution from the values of w5, w4 and w3. Similarly, in the case of the 100 second observation window, the failed session distribution can be measured using the values of w5 to w1 measured so far.

If 100 seconds have elapsed since the start of the observation (520), the 10-second observation window is w10, w9, w8, and the 100-second observation window is w10, w9, w8, w7, Each failed session distribution can be measured using w6, w5, w4, w3, w2, w1.

If 100 seconds have elapsed since the start of the observation (530), the observed value between 100 and 110 seconds is stored in w1 in the form of round robin. Therefore, after 150 seconds have elapsed since the start of observation, the 10 second observation window is w5, the 30 second observation window is w5, w4, w3, and the 100 second observation window is w5, w4, w3, w2, w1, w10, w9, w8. , w7, w6 can be used to measure the distribution of each failed session.

6A and 6B are conceptual views illustrating an embodiment of a correction method for measuring a failed session distribution in the present invention.

The present invention first registers as a failed session when a synchronization packet arrives, and deletes a synchronization packet registered as a failed session when a synchronization and acknowledgment packet corresponding to the synchronization packet arrives. Therefore, when the synchronization packet arrives at the observation interval boundary portion, registration within the SYN RTT time needs to be corrected. This is because a successful observation within the SYN RTT time after the end of the observation interval does not affect the recording of the previous observation interval.

An embodiment of a correction method used in the present invention is as follows.

First, a method of correcting synchronization packets arriving in a SYN RTT (correction interval) on the basis of the termination point at each basic observation period end point. This is because some of the packets arriving in the correction interval may be successful, and is corrected in consideration of the probability of success. 6A shows an embodiment of the method.

Secondly, unlike the first method, the correction is performed after the SYN RTT at the end point, not at each end point of the basic observation interval. In other words, this method has a difference in that the correction interval of the SYN RTT is set after the basic observation interval, unlike the first method. In this case, since the synchronization and acknowledgment packets corresponding to the synchronization packets sent to each basic observation interval are sufficiently received, the measurement errors are reduced. 6b shows one embodiment of the method.

The first method is described in detail as follows. First, a probability α of receiving the synchronization and acknowledgment packet within the SYN RTT time among the synchronization packets shown in the correction section 601 is calculated. α is the sum or moving average of the number of destination addresses (b) of new unique synchronization packets within a correction interval of the basic observation interval in the past, and the number of synchronization and acknowledgment packets received among the synchronization packets belonging to b or After measuring moving average values, they can be calculated from their ratios.

If α and b are used to calculate the number of synchronization packets continuously registered as the failing packets among the synchronization packets registered in the correction interval, the number becomes (1-α) × b. Therefore, assuming that the number of synchronization packets not registered in the correction interval is a, the number of synchronization packets in which a + (1-α) × b has failed among the synchronization packets registered in the observation interval. For such correction, information on which synchronization packet entered the correction interval is needed. The target of the correction packet is set in the entry of the hash table to which the synchronization packet is registered. Basically, 1 bit value is used, and if the corresponding item is set to 1, it indicates that the synchronization packet is registered in the correction section.

The second method will be described in detail as follows. This method is to perform observation window measurement after correction interval.

In FIG. 6B, W1 651 to W4 657 represent basic observation windows, and the size of the basic observation window is set to 10 seconds. The size of the observation window is 30 seconds, and after 40 seconds, the distribution value measured in the observation window is obtained.

In the present invention, when the synchronization and acknowledgment packets arrive in the correction section after the end of the basic measurement section, among the synchronization packets entering the correction section before the end of the basic measurement section, they are reflected in the measured values of the previous basic measurement section. This reduces the error of the measured value than calculating the distribution with probability in FIG. 6A. The values corresponding to W1 651 to W4 656 reflecting this correspond to W1 ′ 661 to W4 ′ 667 at the bottom of FIG. 6B.

Therefore, in order to obtain the failed session distribution value of the 10-second observation window when 40 seconds have elapsed, the distribution number of the synchronization packets that have failed within the maximum observation window among the synchronization packets occurring in the W4 'value and the correction period 668 (C4) It is necessary to apply the bitmap algorithm to the value 668 that includes. In addition, the failed packet distribution value of the 30 second observation window can be obtained by applying a bitmap algorithm to the values of W2 '(663) + W3' (665) + W4 '(663) + C4 (668).

In order to implement such a correction method in hardware, two separate registers are required. One is a register for measuring the distribution information of the synchronization packet in the correction interval, and the other is a register for measuring the distribution information of the packet appearing in the previous observation interval of the synchronization packet in the correction interval. This is for accurate measurement of the basic observation section, and the measurement after the distribution value measured within the correction period is performed.

7 is a block diagram of a failed session distribution measuring apparatus according to an embodiment of the present invention.

The failed session distribution measuring apparatus 700 includes a SYN RTT measuring unit 701, a host manager 703, and a failed session distribution measuring unit 705.

The SYN RTT measurement unit 701 calculates the average SYN RTT time by measuring the time between any synchronization packet and the synchronization and acknowledgment packet by the method of measuring the SYN RTT of FIGS. 2A and 2B described above. The calculated SYN RTT is transferred to the failed session distribution measuring unit 705, and the failed session distribution measuring unit 705 uses the SYN RTT to calculate the correction interval.

The host manager 703 registers and manages a host for measuring a failed session distribution among a plurality of hosts connected to the managed network. Using the source address in the synchronization packet or the destination address of the synchronization and acknowledgment packet to specify the host, and transmits the management position of the stored data to the failed session distribution measuring unit 705 to manage the specific host.

The failed session distribution measuring unit 705 has been described above with reference to FIG. 3. The SYN RTT measurement unit 801 receives the measured SYN RTT value and the data location of the management host, manages the failed session on the multiple observation window, analyzes the distribution thereof, and updates the data structure described above with reference to FIG. 4. Further, according to the correction method selected by the user, the number of synchronization packets is corrected by the correction method described above with reference to FIGS. 6A and 6B.

8A and 8B are flowcharts illustrating a failed session distribution measuring method according to an embodiment of the present invention.

8A is a flowchart illustrating a processing method when a synchronization packet is received.

When the synchronization packet belonging to the investigation target is input, host information for measuring a failed session is extracted using header information of the synchronization packet (S901). The registration information of the previous synchronization packet is extracted from the extracted host information (S903). The registration information of the previous synchronization packet extracts whether there is an existing failure information as the relative host address of the corresponding session. At this time, if there is no registration information of the synchronization packet, a value set as an initial value is extracted.

It is checked whether there is a failed session within the maximum observation window period with respect to the input synchronization packet, that is, whether it is the first synchronization packet entered in the observation period (S905). This means that no ID of any observation interval is set in the entry value of the first hash table, no ID of any observation interval is set in the entry value of the second hashtable, or a value that is outside the longest observation interval is set. If yes.

If there is no existing failure information in the observation interval, it is checked whether there is backup information on the synchronization packet (S907). This backup information is deleted because it is useless information outside the observation section (S909). Thereafter, after updating the hash table with the current session information (S911), the number of failed sessions registered in the current basic observation section of the window table is increased (S913).

If the input synchronization packet is not the first synchronization packet entered in the observation interval, it is checked whether a previously registered synchronization packet occurs in the current basic observation interval (S915). This may be determined by whether the corresponding entry value of the first hash table has a time ID value of the current observation interval. If the session is in the same observation interval, no further work is required. If it occurs in another observation section, the existing session observation section is backed up (S917). The existing position observation information differs depending on the range of the existing session observation interval. If the time ID value is larger than the current observation interval information, it exists in the second hash table. In this case, no additional work for backing up the session information is necessary. On the contrary, if the time ID value is less than or equal to the current observation interval information, it exists in the first hash table. In this case, the value of the first hash table should be backed up to the second hash table. If the backup session information is updated, the current session information is updated in the first hash table (S919), and the window table values related to the current observation section and the previous observation section are increased (S921) or decreased (S923), respectively.

8B is a flowchart showing a processing method when a synchronization and acknowledgment packet is received.

When the synchronization and acknowledgment packet is introduced, the host information for the failed session measurement is extracted (S940), and the previous measurement record is extracted from the extracted information (S942).

At this time, if no synchronization packet corresponding to the incoming synchronization and acknowledgment packet is found (S944), no operation is performed. Here, the discovery does not mean that there is no time ID value within the maximum observation time as an entry associated with the counterpart host of the corresponding session of the first and second hash tables. This specifically means that there is no time ID value, no value exists in the first hash table, and a value smaller than the current time ID in the second hash table.

If a corresponding synchronization packet exists, it is checked whether the corresponding packet has occurred in the current observation section (S946). If it occurs in the current observation interval, the number of failed session distributions related to the current observation interval value of the window table is reduced (S948). If it is not the current observation interval, the number of failed session distributions related to the most recent observation interval value that is not the current value in the window table is reduced (S950). After each operation, it is checked whether there is backup information in addition to the applied observation section (S952). If there is no backup information, no corresponding synchronization packet remains, and therefore, the corresponding entries of the first table and the second table do not have any time ID information. That is, it is initialized (S954). If the backup information exists, the number of failed session distributions corresponding to the observation interval to be backed up in the window table is increased (S956), and the backup information is restored to the first and second hash tables (S958). Backup information to be restored is located in the second hash table, and if the value is larger than the current observation interval ID, no operation for restoration is required. In the opposite case, after moving the entry value of the second hash table to the first hash table, the entry of the second hash table is initialized.

While the preferred embodiments of the present invention have been shown and described, the present invention is not limited to the specific embodiments described above, and the present invention is not limited to the specific embodiments of the present invention, without departing from the spirit of the invention as claimed in the claims. Various modifications can be made by those skilled in the art, and these modifications should not be individually understood from the technical spirit or the prospect of the present invention.

1A is a conceptual diagram of a method of sequentially operating a multiple observation window in a failed session distribution measuring unit of a failed session distribution measuring apparatus on a multiple observation window according to an embodiment of the present invention;

1B is a conceptual diagram illustrating a method of operating a multiple observation window in a sliding manner in a failed session distribution measuring unit of a failed session distribution measuring apparatus on a multiple observation window according to an embodiment of the present invention;

2A is a block flow diagram of a method for measuring a SYN RTT when a synchronization packet is received from a SYN RTT (SYN Round Trip Time) measurement unit of an apparatus for measuring a failed session distribution on a multiple observation window according to an embodiment of the present invention;

2B is a block diagram illustrating a method for measuring SYN RTT when receiving a synchronization and acknowledgment packet from a SYN RTT (SYN Round Trip Time) measurement unit of an apparatus for measuring a failed session distribution on multiple observation windows according to an embodiment of the present invention; ,

3 is a configuration diagram of a failed session distribution measuring unit of a failed session distribution measuring apparatus on a multiple observation window according to an embodiment of the present invention;

4 is a conceptual diagram illustrating an embodiment for managing a failed session in a failed session distribution manager that is a component of the present invention;

5 is a conceptual diagram illustrating an embodiment of an observation window for measuring a failure session distribution in the present invention;

6A is a conceptual diagram illustrating an embodiment of a correction method for measuring a failed session distribution in the present invention;

6B is a conceptual diagram illustrating another embodiment of a correction method for measuring a failed session distribution in the present invention;

7 is a block diagram of a failed session distribution measuring apparatus according to an embodiment of the present invention;

8A is a flowchart of a measurement method when a synchronization packet is received in a failed session distribution measurement method according to an embodiment of the present invention;

8B is a flowchart illustrating a measurement method when a synchronization and acknowledgment packet is received in a failed session distribution measuring method according to an embodiment of the present invention.

Claims (10)

A SYN RTT measurement unit measuring a SYN round trip time (SYN RTT) which is an average time interval between synchronization and acknowledgment packets transmitted to the management host; And Set an observation window for detection of a synchronization packet and an acknowledgment packet transmitted and received by the host. When the synchronization packet is detected in the observation window, the number of failed sessions of the host is increased, and the acknowledgment packet is detected. And a failed session distribution measuring unit measuring the number of failed sessions of the host by reducing the number of failed sessions. The method of claim 1, And a host manager for registering the host and managing the failed session distribution information for each host to measure the distribution of failed sessions for each host. The method of claim 1, The observation window is an integer multiple of the basic observation interval, which is a preset time for detecting the packet, and includes one or more observation windows having different sizes, and a sliding observation window that moves according to the progress of the basic observation interval. Apparatus for measuring failed session distribution in multiple observation windows. The method of claim 3, The failed session distribution measuring unit may include: a registration hash table configured to register distribution of the failed sessions during the longest observation time of the observation window; A backup hash table for backing up duplicate information of the failed session deleted from the registration hash table; And a session distribution statistics table for storing the number of failed sessions registered in the registered hash table according to the observation window size for each basic observation section. And an entry of the registration hash table includes an identifier corresponding to a correction section of the failed session and an identifier of the basic observation section in which the entry is registered. The method of claim 1, The failed session distribution measuring unit, the failed session distribution measuring apparatus for multiple observation windows subtracting the number of the synchronization packets measured in the SYN RTT before the observation window ends from the number of failure sessions measured in the observation window. The method of claim 1, The failed session distribution measuring unit, the failed session distribution measuring apparatus in multiple observation windows for adding the SYN RTT to the observation window interval to measure the number of the failed sessions. A SYN RTT measurement unit measuring a SYN RTT which is an average time interval between synchronization and acknowledgment packets transmitted to a management target host; The failed session distribution measuring unit comprises: setting one or more observation windows having different sizes to be integer multiples of the basic observation interval, which is a preset time for detecting a packet;  Registering the synchronization packet passing through the observation window, and deleting the registered synchronization packet when detecting the acknowledgment packet; And The failed session distribution measuring unit calculates the number of failed sessions of the host by adding the number of registered packets according to the size of the observation window; failed session distribution measuring method in multiple observation windows. The method of claim 7, wherein The failed session distribution measuring unit registers the synchronization packet in a first basic observation section among integer multiples of the basic observation section and registers a synchronization packet overlapping the synchronization packet in a second basic observation section among integer multiples of the basic observation interval. If it is, backing up the synchronization packet registered in the first basic observation interval, deleting the synchronization packet in the first basic observation interval, and registering the duplicated synchronization packet in the second basic observation interval; And The failed session distribution measuring unit, when the acknowledgment packet is detected, deleting the duplicated synchronization packet in the second basic observation section and restoring the first basic observation section to the backed up synchronization packet. Failed session distribution measurement method in multiple observation windows. The method of claim 7, wherein The failure session distribution measuring unit calculates the number of failed sessions of the host, and subtracts the number of the synchronization packets measured in the SYN RTT before the observation window observation interval ends from the number of failed sessions. How to measure failed session distribution in observation windows. The method of claim 7, wherein And adding the SYN RTT to the observation window to detect the synchronization and acknowledgment packets.

Images