KR101428989B1 - Apparatus and method for analyzing traffic - Google Patents

Abstract

The present invention comprises: a flow storage unit to store traffic flow collected from a network; an abnormal order detection unit to determine the order of the traffic flow stored in the flow storage unit; an abnormal order settlement unit to control the order of the traffic order determined as the abnormal state in the abnormal order detection unit; and a traffic analysis unit to analyze a network traffic using the traffic flow controlled by the order by the abnormal order solution unit. The abnormal order detection unit provides a network traffic analysis apparatus to enable the client to define the traffic transmission direction transmitted to the server as a forward direction, to enable the server to define the traffic transmission direction transmitted to the client as a backward direction, and to determine the abnormal state by considering the traffic transmission direction of the traffic flow as the forward direction or the backward direction for the traffic flow between the client and the server.

Description

[0001] APPARATUS AND METHOD FOR ANALYZING TRAFFIC [0002]

The present invention relates to an apparatus and method for analyzing traffic.

Recently, the rapid development of the Internet has emphasized the importance of network traffic data analysis for efficient network management. Due to the increase of Internet users and the spread of high-speed networks, network traffic is rapidly increasing, and the kinds of traffic are also diversifying. Therefore, various traffic analysis methods are being developed to effectively manage rapidly increasing Internet traffic.

In particular, traffic analysis at the application level is essential for efficient operation of the network and stable service. Traffic classification methods based on flow statistics information are proposed for traffic analysis at application level. The statistical information includes the packet transmission order, the packet transmission direction, and the packet size.

However, due to differences in traffic collection points, traffic can lose the consistency of statistical information and result in unreliable analysis. Especially, when the packets are not collected in the order of transmission at the transmission point in the middle of the traffic, it can be wrongly used when they are used for statistical analysis.

Therefore, in order to guarantee the reliability of the traffic analysis result, it is necessary to solve the problem that the traffic becomes inconsistent due to the difference of the traffic collection points.

Korean Patent Registration No. 10-1228640 ("Fragment Filtering Method") discloses a configuration for re-ordering fragments received by a router.

Korean Patent Laid-Open No. 10-2012-0102722 ("Apparatus, assembly and method for operating a plurality of analyzing means for reading and ordering data packets") discloses an arrangement for outputting received packets in order.

SUMMARY OF THE INVENTION The present invention has been made to solve the above-mentioned problems, and an object of the present invention is to provide a traffic analysis apparatus and method that guarantee correct packet order.

According to a first aspect of the present invention, there is provided an apparatus for analyzing network traffic, comprising: a flow storage for storing a traffic flow collected from a network; An abnormal sequence detection unit for determining whether an order of traffic flows stored in the flow storage is abnormal; An abnormal sequence resolution unit for adjusting an order of traffic flows determined to be abnormal by the abnormal sequence detection unit; And a traffic analyzer for analyzing the network traffic using the traffic flow whose order has been adjusted by the abnormal sequence resolving unit, wherein the abnormal sequence detecting unit detects, for the client-server traffic flow, (Forward) the traffic transmission direction to be transmitted to the client, and the traffic transmission direction that the server transmits to the client is defined as backward (backward), and whether the traffic transmission direction of the traffic flow is forward or backward is considered And judges whether or not there is an abnormality.

According to a second aspect of the present invention, there is provided a method for analyzing network traffic using an apparatus for analyzing network traffic, comprising the steps of: (a) determining whether an order of a traffic flow collected from a network is abnormal; (b) adjusting an order of traffic flows determined to be abnormal by the step (a); And (c) performing a network traffic analysis using the traffic flow adjusted by the step (b), wherein the step (a) includes the steps of: (Forward) a traffic transmission direction to be transmitted to the server, and a traffic transfer direction in which the server transmits to the client is defined as a backward word (backward), and the traffic transmission direction of the traffic flow is forward or backward And determines whether the abnormality is occurred.

The present invention obtains the effect of ensuring the reliability of the traffic analysis apparatus and method.

It is possible to guarantee the reliability of the statistical information based traffic classification result by maintaining the order consistency of the collected packets for traffic analysis. In particular, the present invention solves the cross-order problem, which is one of the abnormal operations of the TCP session in which the traffic feature value is changed according to the traffic collection point. The present invention obtains this effect by rearranging the collected traffic according to the transmission order in the transmission destination, for example, the transmission and reception order from the client.

FIG. 1 shows a structure of a traffic analysis apparatus according to an embodiment of the present invention.
2 shows an embodiment of a conventional traffic analysis method.
FIG. 3 shows a flow of a traffic analysis method according to an embodiment of the present invention.
FIG. 4 illustrates an embodiment of an abnormal sequence detection method according to an embodiment of the present invention.
Figure 5 illustrates an embodiment of an unordered order solution in accordance with an embodiment of the present invention.
FIG. 6 illustrates an example of normal determination by the abnormal sequence detection method according to an embodiment of the present invention.
FIGS. 7 to 9 show an example in which an abnormal sequence is determined by the abnormal sequence detection method according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings, which will be readily apparent to those skilled in the art. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.

Throughout the specification, when a part is referred to as being "connected" to another part, it includes not only "directly connected" but also "electrically connected" with another part in between . Also, when an element is referred to as "comprising ", it means that it can include other elements as well, without departing from the other elements unless specifically stated otherwise.

1 illustrates a structure of a traffic analysis apparatus according to an embodiment of the present invention.

The traffic analysis apparatus 10 according to an embodiment of the present invention includes a traffic analysis unit 100, an abnormal sequence detection unit 200, an abnormal sequence resolution unit 300, a main memory 400, and a flow storage 500, .

The flow store 500 stores traffic flows collected from the network, and the collected traffic flows are loaded into the main memory 400 and analyzed. The traffic analysis unit 100 performs the traffic analysis. However, since the collected traffic flows may not be collected according to the order transmitted from the transmission destination, before the traffic analysis unit 100 performs the traffic analysis, the abnormal flow order detection unit 200 first determines whether the order of the collected traffic flows is abnormal And the abnormal sequence resolving unit 300 adjusts the order of the traffic flows determined to be abnormal.

Details will be described below with reference to FIGS. 2 to 9. FIG.

FIG. 2 shows an embodiment of a conventional traffic analysis method.

Traffic analysis methods classify network traffic by application program, and various methods have been suggested for this purpose. These conventional technologies can be broadly divided into three categories: signature-based analysis, traffic correlation-based analysis, and machine learning-based analysis. Signature based analysis methods include statistical signature based analysis methods, which can be used in combination with machine learning based analysis methods.

The statistical signature-based traffic analysis method receives input of network traffic flow using TCP or UDP as a transmission protocol, and only packets having a payload excluding control packets in the flow are analyzed. We use these feature values for traffic analysis.

For example, it is expressed as an N-dimensional flow vector using the payload size, transmission direction, and order of the first N packets of the flow. In the flow vector, the payload size of a packet is represented by an integer. In the case of TCP, "positive" refers to a packet from a client to a server, and "negative" refers to a packet from a server to a client. Since UDP can not distinguish between client and server, the first packet to be generated is represented as "positive", and the succeeding packet can be expressed as "positive" if the direction is the same as the first packet, and "negative" if the direction is different.

The flow vector can be expressed as V (f) = {d1xs1, d2xs2, ..., dnxsn}. In this case, f is the flow, V (f) is the vector of the flow f, di is the transmission direction (positive or negative) of the i th packet in the flow f, si is the payload size of the i th packet, It is the transmission order of the packets in the flow.

For example, two end hosts A and B communicate with each other. When A sends two consecutive packets with a data size of 30 to B and one packet with a data size of 40 from B to A, The vector V (f) of f can be expressed as V (f) = {+30, +30, -40}.

The statistical signature based analysis method compares and analyzes the signature extracted using the N-dimensional flow vector expressed in this way.

The statistical signature based analysis using the packet transmission order, the packet transmission direction, the packet size, and the like as the feature value may suffer the reliability of the result due to the problem that the value of the packet sequence, which is one of the feature values, have.

For example, when two hosts are communicating with each other, TCP does not wait for a packet to be transmitted from one endpoint host but simultaneously generates a packet from the other host. At this time, the statistical information of the flow changes depending on the traffic collection point. That is, a traffic analysis methodology using statistical information as a feature value does not guarantee a certain feature value due to a difference in collection points and can not trust the analysis result. The packet order, one of these feature values, depends on the traffic collection point. This is defined herein as a cross-order.

For example, as shown in the figure, when two end hosts, that is, a client and a server communicate with each other, the order of packets differs according to the traffic collection points C1, C2, C3, and C4. And statistical information is different. For example, if the Seq value of the second packet transmitted by the client is 20 and the Ack value is 0, in the server, C4, and C3, the Seq value of the first packet transmitted by the server is 0 and the Ack value is 0 Packets, but are collected later in C2 and C1.

This problem of abnormal ordering causes a problem in that the value of feature value is changed in the same flow, resulting in incorrect analysis which is inconsistent. Accordingly, the traffic analysis apparatus 10 and method according to the embodiment of the present invention perform a process of reordering the order of packets collected before the traffic analysis according to the order of transmission (e.g., transmission / reception order from the client) .

That is, as shown, the traffic collection points C1, C2, C3, and C4 collect the same flows in different orders. It is an object of the present invention to rebalance the data in a consistent order to ensure consistency of the results of the traffic analysis.

If there is no clear criterion, it can not be determined which is the right order or the wrong order, so the present specification defines the transmission direction based on the client. Client criteria refers to the order in which clients send and receive packets. The reason for the client baseline is that most traffic starts as the client makes a request to the server, leading to a response from the server. That is, the traffic changes according to the client's request.

Therefore, the traffic analysis apparatus 10 according to an embodiment of the present invention rearranges on the basis of a client regardless of a traffic collection point. In the present specification, a forward packet is a packet transmitted from a client to a server, ) A packet is defined as a packet transmitted from a server to a client.

It is also used to refer to the intersection of two packets when the forward and backward packets between client and server are transmitted at the point of collection point. That is, either the forward packet or the backward packet starts to be transmitted first, and the packet in the opposite direction overlaps while transmitting the packet before the packet arrives at the other host.

For example, in the previous example, the second packet sent by the client is a forward packet, and because the first packet sent by the server was a backward packet and crossed before it was collected at C1 and C2, It is collected in a different order than the order that the client or server transmitted.

FIG. 3 shows a flow of a traffic analysis method according to an embodiment of the present invention.

For a series of traffic flows, the packet index n is added to 1 (S200) for each packet data (S100) until reaching the last packet (S800), and the following steps are repeated.

First, the anomaly detection unit 200 compares P (n) and P (n + 1) as an abnormal sequence detection step (S300) and determines whether the abnormal order is an order (S400). Where P (n) represents the nth packet. That is, comparing P (n) with P (n + 1) means comparing each packet in a series of traffic flows with the next packet.

Next, if it is determined to be an abnormal sequence, the abnormal sequence correcting unit 300 performs the abnormal sequence correcting step composed of the following series of steps.

(n) is decremented (S600) until n becomes 0 (S700), assuming that the traffic starts from 0, (S500). At this time, if it is determined that the order of the comparison of P (n) and P (n + 1) is not the order (S300), the process is stopped (S400).

The details will be described with reference to Figs. 4 to 5 showing the steps in more detail.

FIG. 4 illustrates an embodiment of an abnormal sequence detection method according to an embodiment of the present invention.

First, TCP traffic is preprocessed. That is, after detecting the TCP traffic that has removed the packet retransmission and out-of-order problem, only the packet having the payload is received as input. That is, the control packet is not subjected to the traffic analysis.

P (n) indicates the nth packet and P (n) (Seq) and P (n) (Ack) are the sequence numbers of the nth packet, number, that is, the Ack value.

The Seq value and the Ack value of P (n) are compared with the Seq value and the Ack value of P (n + 1), and the normal sequence and the abnormal sequence are determined according to four cases, respectively. In the present specification, the normal order is n.1 to n.4, and the abnormal order is a.1 to a.4.

The details of each case will be described later with reference to FIGS. 6 to 9, which shows a case of a normal sequence and a case of an abnormal sequence.

Figure 5 illustrates an embodiment of an unordered order solution in accordance with an embodiment of the present invention.

The figure shows an algorithm for resolving an abnormal sequence problem when it is detected. When the collected traffic is detected by the detection algorithm, the order of the nth packet and the (n + 1) th packet is changed by the resolution algorithm.

In the case where the intersection of the packet occurs only once, only the order of packets between the nth packet and the (n + 1) th packet is changed. However, when the intersection of the packets is continuous, If there is an intersection with packets earlier than the nth packet, the packet sequence should be changed not only with the nth packet but also with the previous packets.

Therefore, when the order of the nth packet and the (n + 1) th packet is detected to be abnormal, the order of the nth and n + 1th packets is replaced, and the backward packet of the nth sequence is compared with the If the abnormal sequence is detected, the backward packet having the n-1th sequence is compared with the (n-2) -th packet, and if the abnormal sequence is detected, the reverse sequence is performed until the abnormal sequence is no longer detected.

If the abnormal sequence is no longer detected, it returns to the (n + 1) th packet and performs the detection again. If the abnormal sequence is detected, it is repeated until the last flow of the entire traffic is performed.

FIG. 6 illustrates an example of normal determination by the abnormal sequence detection method according to an embodiment of the present invention.

When the nth packet and the (n + 1) th packet are in the same direction, the normal sequence 2, n.2, is the forward packet when the nth packet is a forward packet and the n + 1th packet is a backward packet .

It will be easily understood by those skilled in the art that the n-th packet and the (n + 1) -th packet are in the same order. Since the preprocessing process of removing retransmitted or sequenced TCP packets has been performed, the two packets sequentially transmitted in the same direction are transmitted in the order of transmission from the transmission destination in the intermediate points as well as the destination, that is, do.

The case where the nth packet is a forward packet is always in the normal order. As shown in the figure, all of the traffic collection points are collected in the same order as the reference at the client, even though they are different.

In order to change the order of the packets according to the traffic collection point, the forward packet and the backward packet are caused by one or more of the two packets starting to transmit before the packets in the opposite direction arrive and cross each other. This is because it is the object of the present invention to match the order of packets at all traffic collection points in the order of sending and receiving from the set clients.

When a forward packet is collected in the nth packet, crossing is always normal if the forward packet is collected nth, since a backward packet must be sent before the forward packet arrives and an intersection must occur.

Therefore, in all other cases except the normal sequence 1 and 2, the P (n) -th packet is a backward packet and the P (n + 1) -th packet is a forward packet.

In normal sequence 3, n.3 is a case where the nth packet is a backward packet but there is no intersection between the forward packet and the backward packet, and therefore the packet order is not affected regardless of where the traffic is collected.

In the case of n.4 as in normal sequence 4, the forward sequence and the backward sequence are crossed in packet comparison before n.4 is detected. That is, before n.4 occurs, a.1, which is one of the abnormal sequences, always occurs first. That is, the normal sequence 4 is a normal sequence that occurs after the abnormal sequence 1 occurs, where the nth packet is a backward packet and the (n + 1) th packet is a forward packet. In this case, normal sequence 4 and abnormal sequence 1 are determined as normal sequence and abnormal sequence by comparing seq value and ack value of each packet.

In this way, the normal order and the abnormal order can occur together and can be the same or different from the order of the client reference depending on the point of collection of the traffic.

FIGS. 7 to 9 illustrate an example in which an abnormal sequence is determined by the abnormal sequence detection method according to an embodiment of the present invention.

Fig. 7 shows a.1 and a.2 in abnormal sequence 1 and 2.

The abnormal sequence a.1 is a case in which one packet of a backward packet and a forward packet cross each other in the case where the nth packet is a backward packet and the (n + 1) th packet is a forward packet. In this case, it is not a problem when the traffic is collected in C1 and C2, but when the traffic is collected in C3, it is not the same as the order of the client reference.

The abnormal sequence cases except for the abnormal sequence a.1, that is, a.2, a.3 and a.4 all occur when the forward packet or the backward packet crosses several times.

Anomalous sequence 2, a.2, occurs when a backward packet transmits two or more packets before one forward packet arrives, resulting in an intersection. A.2 is detected in every back-word packet that is sent after the back-word packet in which the first crossover occurs and arrives at the intersection of the forward packet after the forward packet is sent. That is, a.2 may always occur after a.1 has been detected first.

Figure 8 shows a.3, an abnormal sequence 3.

In contrast to a.2, anomalous sequence 3, a.3, is detected when multiple forward packets transmit two or more packets before one backward packet arrives and crossing occurs. A.3 is detected in all forward packets that are sent after the forward packet where the first crossover takes place before the backward packet is sent and before it arrives and that intersect with the backward packet. That is, a.3 and a.1 may always occur after being detected first.

Fig. 9 shows a.4 in the abnormal sequence 4.

An abnormal sequence 4, a.4, is detected when two or more packets are crossed in both forward and backward packets. That is, a.4 may occur after all of a.1, a.2, and a.3 have occurred and is detected in the last forward and backward packets crossed.

One embodiment of the present invention may also be embodied in the form of a recording medium including instructions executable by a computer, such as program modules, being executed by a computer. Computer readable media can be any available media that can be accessed by a computer and includes both volatile and nonvolatile media, removable and non-removable media. In addition, the computer-readable medium may include both computer storage media and communication media. Computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Communication media typically includes any information delivery media, including computer readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave, or other transport mechanism.

While the methods and systems of the present invention have been described in connection with specific embodiments, some or all of those elements or operations may be implemented using a computer system having a general purpose hardware architecture. In describing an example of a computer system architecture that may be used to implement one or more components or operations of an embodiment of the invention, a hardware system includes a processor, a cache, a memory, and one or more software applications and drivers associated with the functions described above can do.

It will be understood by those skilled in the art that the foregoing description of the present invention is for illustrative purposes only and that those of ordinary skill in the art can readily understand that various changes and modifications may be made without departing from the spirit or essential characteristics of the present invention. will be. It is therefore to be understood that the above-described embodiments are illustrative in all aspects and not restrictive. For example, each component described as a single entity may be distributed and implemented, and components described as being distributed may also be implemented in a combined form.

The scope of the present invention is defined by the appended claims rather than the detailed description and all changes or modifications derived from the meaning and scope of the claims and their equivalents are to be construed as being included within the scope of the present invention do.

10: Traffic analysis device
100: traffic analysis unit
200: abnormal sequence detection unit
300: abnormal sequence resolution unit

Claims (6)

A network traffic analyzing apparatus comprising:
A flow store for storing traffic flows collected from the network;
An abnormal sequence detection unit for determining whether an order of traffic flows stored in the flow storage is abnormal;
An abnormal sequence resolution unit for adjusting the sequence of traffic flows determined to be abnormal by the abnormal sequence detection unit; And
And a traffic analyzing unit for analyzing network traffic using the traffic flow whose order has been adjusted by the abnormal procedure resolving unit,
The abnormal sequence detection unit
The traffic forwarding direction transmitted by the client to the server is defined as forward and the traffic forwarding direction transmitted by the server to the client is defined as backward for the client-server traffic flow,
Whether or not the traffic flow direction of the traffic flow is forward or backward, and whether or not the order of the collected traffic flows coincides with the order of transmission and reception by the clients of the collected traffic flows,
Wherein the abnormal sequence resolving unit matches the order of the traffic flows determined to be abnormal with the order of transmission and reception of the collected traffic flows by the client. The method according to claim 1,
The abnormal sequence detection unit
And determining whether the TCP packet including the payload is abnormal by using Seq and Ack information included in the TCP packet. delete A network traffic analyzing method using a network traffic analyzing apparatus,
(a) determining whether the order of the traffic flows collected from the network is abnormal;
(b) adjusting an order of traffic flows determined to be abnormal by the step (a); And
(c) performing a network traffic analysis using the traffic flow adjusted by the step (b)
The step (a)
Defining, as forward, a traffic transmission direction that the client transmits to the server, and a traffic transmission direction that the server transmits to the client, as backward for the client-server traffic flow; And
Determining whether the traffic flow direction of the traffic flow is forward or backward and whether or not the order of the collected traffic flows matches the order of transmission and reception by the client of the collected traffic flow; ,
Wherein the step (b) includes matching the order of the traffic flows determined to be abnormal with the order of transmission and reception of the collected traffic flows by the clients. 5. The method of claim 4,
The step (a)
And determining whether the TCP packet including the payload is abnormal by using Seq and Ack information included in the TCP packet. delete

Images