KR20080001303A - Traffic analysis system of the ip network using flow information and method thereof - Google Patents

Abstract

A traffic analysis device using a flow in an IP(Internet Protocol) network and a method therefor are provided to generate a flow by collecting packets from a physical line, and to generate statistical data by an analysis item by analyzing an application type of the flow, thereby offering detailed analysis on traffic for the IP network. A splitter connects a physical line between a switch(100) and an IP network(200). Traffic collectors(400) collect packets in real time by mirroring the physical line of the splitter, generate flows by analyzing traffic of the collected packets, and analyze applications of the flows to send the results to a traffic analyzer(500). The traffic analyzer(500) generates/stores statistical data by an analysis item for the analyzed results, and outputs the statistical data through a screen of a manager PC(Personal Computer)(600).

Description

Traffic analysis system using flow in IP network and method thereof {Traffic analysis system of the IP network using flow information and method

1 is a schematic configuration diagram of a traffic analysis apparatus using a flow in an IP network according to an embodiment of the present invention.

FIG. 2 is a detailed block diagram of the traffic collector shown in FIG. 1.

3 is a detailed block diagram of the traffic analyzer illustrated in FIG. 1.

4 is a datagram of a netflow applied to an embodiment of the invention.

5 is a flowchart illustrating a process of analyzing traffic using a flow in an IP network according to an embodiment of the present invention.

The present invention relates to a traffic analysis apparatus and method using a flow in an IP network to measure the flow in the Internet Protocol (IP) network and analyze its characteristics to manage each logical port.

In general, traffic is itself a major asset of a network operator, a means of monitoring network status, and is a very important factor in generating network design data.

In order to analyze the traffic on the IP network, a network called SNMP (Simple Network Management Protocol) is used to collect the total amount of bytes transmitted and received by each port of a router or switch, which is the main equipment of the network, and to manage each NMS (Network Management). System).

However, with the diversification of services through the network, and efforts to analyze traffic based on the exact nature of IP traffic and network traffic, attention is focused on traffic analysis based on flow, which is a collection of IP packets. have.

A flow is a unidirectional collection of packets with the same characteristics.

Currently used, and referenced by standardization bodies such as the Internet Engineering Tack Force (IETF), Netflow is developed and used by Cisco.

Net flow basically has seven main fields: source IP, destination IP, application port number, IP protocol format, service type and AS number.

Currently, the traffic measurement method is mainly used to monitor the traffic amount of each line belonging to the device by using SNMP Simple Network Management Protocol Management Information Base (MIB) information in the device.

Traffic measurement methods are classified into active measurement methods and passive measurement methods. Active measurement methods generate test packets or application services and observe network performance.

Manual measurement method collects the traffic flowing through the network without generating additional packets and analyzes the characteristics of the traffic.It collects data from network devices such as routers and switches, and collects data from the circuit by inputting measurement equipment. Separated by.

ISP (Internet Service Provider) provider that provides Internet access service is applying operation management system to monitor network operation status in order to provide smooth service, and use it to monitor traffic status and expand traffic management. Allows you to generate supporting data for

Most operation management systems collect and process traffic data by polling using SNMP protocol at the port of router or switch equipment and report it to the operator.

And, in the case of a network device that supports net flow, the net flow is set in the corresponding device, and the flow data is collected and processed remotely and reported to the operator.

However, the flow-based traffic analysis in such an operation management system has a limitation in the result point.

The reason is that because of the flexibility of IP traffic itself, there is too much traffic that does not use the standard port and protocol values published by the Internet Organization's Internet Assigned Numbers Authority (IANA). Because there is no way to confirm this.

Therefore, the network usage status does not properly reflect the actual application service or application usage status.

For example, in the case of web traffic that is the most common service, the logical port values published by IANA are "80", "8080", etc. However, when analyzing the traffic, the service using these "80" ports is the mode HTTP (Hyper). It turns out that this is not web traffic using the Text Transfer Protocol protocol.

Due to the nature of the IP protocol, even when using the FTP (File Transfer Protocol) service using the "80" port, no problem occurs regarding the transmission of traffic.

This means that if an appointment is made between the server operator and the user, it can communicate using any logical port to pass through the firewall used inside the corporate intranet or to develop and use a specific P2P. There is actually a lot of abnormal traffic.

In addition, there are many cases where an application developed by a specific company arbitrarily interprets a reserved port in a standard and uses it as a band of a port itself.

The present invention has been invented to solve the problems described above, the flow is collected by the packet mirroring of the traffic using the physical optical tap for the purpose, the flow is generated by analyzing the generated flow in the conventional router-based flow measurement It analyzes traffic that is not analyzed to provide efficiency in management of limited logical port.

Traffic analysis apparatus using the flow in the IP network according to the present invention for achieving the above object, Splitter for connecting the physical line between the switch and the IP network; A traffic collector configured to mirror the physical circuit of the splitter to collect packets in real time, generate a flow by analyzing traffic of the collected packets, and analyze an application for each flow and transmit the result to a traffic analyzer; It generates and stores statistical data for each analysis item for the analysis result of the application for each flow provided from the traffic collector, and includes a traffic analyzer for outputting the statistical data through the screen of the manager PC.

In addition, the traffic analysis method using the flow in the IP network according to the present invention, (a) collecting and storing the packets distributed in the physical circuit; (b) gathering the stored packets to create a flow; (c) analyzing an application format of the generated flow; (d) inserting an ID according to the analyzed application format; (e) analyzing the flow into which the ID is inserted to generate statistical data; (f) generating the statistical data as a report and providing the administrator with the storage and managing the file as a file.

DETAILED DESCRIPTION Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art may easily implement the present invention. As those skilled in the art would realize, the described embodiments may be modified in various different ways, all without departing from the spirit or scope of the present invention. In the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention, and like reference numerals designate like parts throughout the specification.

In addition, when a part is said to "include" a certain component, which means that it may further include other components, except to exclude other components unless otherwise stated.

In addition, the term module described herein refers to a unit for processing a specific function or operation, which may be implemented in hardware or software, or a combination of hardware and software.

Now, a traffic analysis apparatus and method using a flow in an IP network according to an embodiment of the present invention will be described in detail with reference to the accompanying drawings.

1 is a schematic configuration diagram of a traffic analysis apparatus using a flow in an IP network according to an embodiment of the present invention.

As shown in the figure, the switch 100 includes an IP network 200, a splitter 300, a traffic collector 400, a traffic analyzer 500, and a manager PC 600.

The switch 100 is installed in an ISP to accommodate a giga-class line.

The splitter 300 is disposed between the router 210 included in the IP network 200 and the switch 300 to connect a physical line, which is an optical transmission line that accommodates the IP network 200.

The traffic collector 400 is connected to the physical circuit of the splitter 300 in a tap manner, collects packets in real time by mirroring the physical circuit of the splitter 300, analyzes the traffic of the collected packets, and generates a flow. The flow-specific application is analyzed and the result is transmitted to the traffic analyzer 500.

The traffic analyzer 500 is connected to the traffic collector 400, stores the analysis result of the flow-specific application provided from the traffic collector 400 in the database, and stores the flow-specific application stored in the database DB. Analyze and manage traffic by analyzing

As a result of analyzing the flow, traffic that is classified as unknown traffic or classified as a service different from the actual service is tracked.

The manager PC 600 displays the results analyzed by the traffic analyzer 500 to the manager through the screen so that abnormal traffic is not generated at each port by the manager, thereby improving reliability of service access and speed of service provision. Be sure to

FIG. 2 is a detailed block diagram of the traffic collector shown in FIG. 1.

As shown in FIG. 2, the traffic collector 400 includes a packet manager 410, a flow manager 420, an application manager 430, and a config manager 440.

The packet manager 410 collects and manages packets in real time from the physical circuit by pre-configuring the physical circuit of the splitter 300.

The flow manager 420 analyzes the collected packets provided by the packet manager 410 to generate and transmit a flow.

The application manager 430 determines a corresponding application in units of flows for each flow generated and transmitted by the flow manager 420.

Application types are classified into simple L4 based, complex L4 based, L7 based and session based.

A simple L4-based application is an application group that uses the logical port value registered in IANA as it is called "A type". For example, http (80), ftp (20,21), telnet (23), etc. .

Also, among the simple L4-based applications, the application that does not keep the logical port value registered in IANA, but uses the logical port analyzed through traffic analysis, is called "B type".

Complex L4-based and L7-based applications are applications that use ports that are not registered or in use by IANA in any band and are referred to as "type C".

The "C type" is a traffic flow that can be classified as an accurate application only by analyzing a portion of a payload of a packet, and is an application that uses random port bands sequentially or randomly, rather than using a single port.

Session-based application is similar to L7-based, but it is not possible to distinguish the characteristics of traffic through one flow traffic, and it is an application that can be accurately analyzed only by analyzing the correlation of several input / output flow traffic. It is called "D type".

The context manager 440 manages each option applied by the application manager 430, manages various options related to generation and transmission of the flow by the flow manager 420, and manages the options with the traffic analyzer 500. Manage options related to interworking.

The packet manager 410 includes a packet collecting module 411, a buffer 412, and a sampling module 413.

The packet collecting module 411 is responsible for collecting packet data without loss from the network card and storing the packet data in a memory space.

In addition, when each packet is collected and a flow is generated, a payload determined as an option managed by the context management unit 440 is cut into the flow pool by a corresponding size and inputted to the flow pool.

In the management of the payload, a start time and size except for header information of an IP are set in advance before collecting traffic.

The buffer 412 is a predetermined memory space and stores packet data collected by the packet collection module 411.

The number and size of the buffers 412 are determined by the management options of the config management unit 440, and can be modified and changed.

The sampling module 413 samples the packet data stored in the buffer 412 in order to provide efficient traffic analysis in consideration of traffic capacity from the physical circuit to which high-speed data transmission is provided and capacity of the system.

Sampling of the packet data performs random sampling and random location sampling according to the management option of the configured configuration manager 440.

In addition, the flow manager 420 includes a flow generation module 421, a flow pool 422, a flow end monitoring and transmission module 423, and an unclassified flow management module 424.

The flow generation module 421 accesses the packets that have been sampled and stored in the packet management unit 410 one by one, generates them as flows, and then stores them in the flow pool 422.

In storing the generated flow in the flow pool 422, it is added in the case of a newly generated flow, and in the case of a previously stored flow, the corresponding flow is found and the value of "packet amount, byte amount" is updated.

The flow pool 422 is a memory space for storing the flow generated by the flow generating module 421 and stores the generated flow until the flow is transmitted to the traffic analyzer 500.

  The flow end monitoring and transmission module 423 monitors the generated flow and transmits the generated flow to the traffic analyzer 500 when the generation is completed, deletes the corresponding flow from the flow pool 422 after completing the transmission, and then outputs the result to the traffic analyzer. To 500.

The flow end monitoring and transmission module 423 sends a 'Srclp', 'dsclp', 'protocol ID', 'logical port value', and payload to the application determination unit 430 at the end of the flow transmission. 'Value is sent, and the result is returned and the corresponding application ID value is added to the flow creation result value.

The unclassified flow management module 424 stores the information and the payload information in the pull pool 422 as a file for the flow that is determined to be "not determined" by the application determination unit 430, and later the traffic analyzer 500 ) To be used as data for post-mortem analysis.

In addition, the application determining unit 430 includes a port analysis module 431, a payload analysis module 432 and a session analysis module 433.

The port analysis module 431 determines an application classified as using a certain logical port value or band in the flow.

The port analysis module 431 reflects the contents of the previous traffic analysis result to the bandwidth value of each application stored in the DB of the traffic analyzer 500 and a corresponding logical port of the config management unit 440. It is downloaded through interworking and applied to the identification of the application.

The payload analysis module 432 analyzes the payload of packets stored together when the flow cannot be determined through the port analysis module 431 to determine an application.

The payload analysis module 432 determines the application of the flow by downloading the characteristic information of the payload for each application stored in the DB of the traffic analyzer 500 through interworking of the config management unit 440.

In the case where the flow cannot be determined through the payload analysis module 432, the session analysis module 433 stores a predetermined number of flows, collects them at once, tries to determine them, and determines a corresponding application according to an analysis rule.

For the flow in which the application cannot be determined through the session analysis module 433, an application cannot be analyzed. The result is included in the flow and transmitted to the traffic analyzer 500, and the log information thereof is recorded and stored.

In addition, the context management unit 440 includes a rule management module 441, a flow management module 442, and an interworking management module 443.

The rule management module 441 manages a rule applied to the application analysis in conjunction with the traffic analyzer 500 in order to analyze accurate flow traffic.

Rules managed by the rule management module 441 include a starting point and a size of a flow to be stored without a header for payload analysis applied by the packet manager 410, and the number of buffers of the packet manager 410. And size, the total number of rules applied, and the number of rules applied for session-based application analysis.

The flow management module 442 is responsible for managing the contents of the settings related to the flow.

Detailed functions of the flow management module 442 include a sampling rate applied by the packet manager 410, a size of the flow pool 422 applied by the flow manager 420, and a flow in the flow pool 422. It manages active time and time difference between packets recognized as a new flow.

The interworking management module 443 is in charge of data interworking with the traffic analyzer 500.

The information associated with the traffic analyzer 500 is a variety of options used in the rule application module 441 and the flow management module 442, system failure information notified to the traffic analyzer 500, traffic collection start / end, etc. Operation information for notifying.

3 is a detailed block diagram of the traffic analyzer illustrated in FIG. 1.

As shown, the traffic analyzer 500 includes a system manager 510, a traffic profile manager 520, a traffic statistics processor 530, a report manager 540, and a screen manager 550.

The system manager 510 performs processor management, log and backup management, and data file management according to the operation of the traffic analyzer 500.

The traffic profile manager 520 periodically manages IDs by interworking protocols and logical ports in IANA, analyzes the traffic collected from the network, and reflects the results, and various rules required for traffic analysis. Manage.

The traffic statistics processing unit 530 collects and analyzes the flow traffic from the traffic collector 400 and analyzes the generation of statistical data for each item and the statistical information.

The report manager 540 generates and manages a report of the statistical data for each item analyzed by the traffic statistics processor 530, stores the file as a file, and manages the schedule for generating the report.

The screen manager 550 manages various operations in displaying statistical data of the traffic analysis result on the screen of the manager PC 600.

The system manager 510 includes a process management module 511, a log and backup management module 512, and a data management module 513.

The process management module 511 monitors the execution status of the main processes and reports the results on the management screen, and reports the result on the management screen when down due to memory exhaustion or down due to an unknown process cause. Fault management function saves as log data, and if the main processor is down or there is no data sent and received, it executes the relevant process again and executes automatic execution function to save the result as log data.

The log and backup management module 512 manages the log items for each traffic collector and the log analyzer of the traffic analyzer, manages the backup target table and backup cycle, and stores the table at a set time using system time. DB backup function that saves in the form and transmits to the designated directory or remote location, backs up values corresponding to various system environment variables in traffic collector and analyzer, saves by version and automatically sets all environment variables of system by reading future version. Performs a system environment variable backup function that eliminates the need for administrator input.

The data management module 513 manages the data transmission cycle and mode, and stores the flow data determined as the analysis failure as it is and transmits the data to a remote FTP.

In addition, the traffic profile manager 520 includes an ID management module 521, an application management module 522, and a rule management module 523.

The ID management module 521 periodically downloads and analyzes information on protocols and logical ports managed by IANA, and then updates information on protocol formats and logical ports currently used, and updates the information on the traffic collector 400. Notify

In addition, when the traffic analysis result is determined to be "unavailable" and the payload of the flow delivered from the traffic collector 400 is determined to be a new application, and a new application is input at the administrator's decision, the new application is registered. And give it an ID.

The application management module 522 defines the notation of the application displayed as the traffic analysis result and the application to be analyzed, and reads and stores the ID from the rule management module 523.

That is, even if the contents of the logical port registered in the IANA and the traffic of the actual IP packet are the same, the identification is deteriorated. Therefore, the application name is added in addition to the description information of the IANA.

In addition, even if an application uses a fixed logical port, there is an application that violates the registered value of IANA. Therefore, the application name is added to the logical port.

In addition, an application name required for payload analysis of flows is added, and an application name for analyzing several flows simultaneously instead of one flow is added.

The rule management module 523 stores and manages a rule corresponding to each application ID.

The value managed by the rule management module 523 includes a rule ID, an application ID of a corresponding flow, a protocol ID of packets constituting the flow, a source IP of a sender of a flow, a destination IP of a destination of a flow, a source port, Destination port, start point excluding signature IP header, text or byte value recognized as signature, flow format, up / down direction division, number of signature occurrences in the payload of the flow, and the like.

In addition, the traffic statistics processing unit 530 includes a flow information collection module 531, a statistical information processing module 532, and a statistical information analysis module 533.

The flow information collection module 531 stores a flow packet collected from a traffic collector located at a remote location in a buffer (not shown) which is a memory space.

The buffer is generated as many as the number of traffic collectors, and the size is adjusted by the process management module 511 of the system manager 510.

The statistical information processing module 532 collects each flow stored in the buffer and generates statistical data for each traffic collector 400 and for each registered analysis item.

The statistical data is generated for each traffic collector 400 based on the protocol ID value as byte amount, packet amount, flow amount, and the like, and transmits the generated statistical data to the report manager 540.

Statistical data is generated based on the logical port value, the originating IP, the destination IP, the application type, the application ID, and the like based on the byte amount, the packet amount, the flow amount, and the like.

Statistical information analysis module 533 stores the statistical information for each analysis item for each traffic collector 400 generated by the statistical information processing module 532 in each database table, and the secondary information required for generating a full report Generate statistical data.

In addition, the report manager 540 includes a report generation module 541, a report item management module 542, and a schedule module 543.

The report generation module 541 generates statistical data for each hour based on the statistical data generated by the statistical information processing module 532 and stores the statistical data for each time in the database.

In addition, the statistical data stored in the database at the time point registered in the schedule module is searched to generate daily, weekly and monthly statistical data, and the contents are stored in a file.

The report item management module 542 stores and manages report items registered by the administrator for each traffic collector 400 through the screen manager 550.

In storing the report item, since the buffer and statistical processing is performed for each report item, registration is managed in consideration of the load and capacity of the system.

The schedule management module 543 manages schedules for generating reports according to schedules for each traffic collector 400, daily, weekly, monthly, and yearly registered and managed.

The screen manager 550 includes a user management module 551, a real time inquiry module 552, and a report inquiry module 553.

The user management module 551 processes the creation and deletion of a user and the authority management for the traffic analysis result inquiry and report inquiry according to the authority of the registered user.

The real-time inquiry module 552 processes the detailed traffic result in a set time, preferably 5 minutes, reads the value stored in the buffer by processing the statistical information processing module 532 of the traffic statistics processing unit 530 and displays it in the form of a graph or a table. Do it.

The report inquiry module 553 reads the statistical result value stored in the database and displays the result in the form of a graph or a table.

An operation of traffic analysis of the traffic analysis apparatus using the flow in the IP network according to the embodiment of the present invention including the above-described function will be described with reference to FIG. 5.

5 is a flowchart illustrating a traffic analysis using a flow in an IP network according to an embodiment of the present invention.

When the traffic analysis apparatus according to the present invention is activated, the packet collection module 411 in the packet management unit 410 of the traffic collector 400 collects and buffers packets distributed from the splitter 300 connected to the physical circuit. The contents are stored in step 412 (S101).

At this time, if the sampling option set by the config management unit 440 is set for the collected packet, the sampling module 413 samples and stores the packet stored in the buffer 412 at a set rate in consideration of the capacity of the system. .

When the sampled packet is stored in the buffer 412 in the packet manager 410 as described above, the flow generation module 421 in the flow manager 420 accesses the stored packets to generate one flow (S102).

For example, when the generated flow is a net flow, the flow has a data format as shown in FIG. 4.

Then, it is checked whether the same flow as the generated flow is stored in the flow pool 422, and if the flow is stored, the update of the flow is executed. If the flow is not stored, the flow management is executed. (S103).

The flow end monitoring and transmission module 423 monitors the flow pool 422 to determine whether the terminated flow is detected (S104).

If the flow is not detected by the determination of S104, the flow returns to the step S101 to repeatedly execute the above-described operation. If the flow is detected, the flow is removed from the flow pool 422 and transmitted to the application determination unit 430. do.

The application determining unit 430 determines the application with respect to the flow transmitted from the packet management unit 410 to classify the application type (S105) (S106).

The classification of the determined application type is determined by analysis of the logical port using the port analysis module 431, analysis of the payload using the payload analysis module 432, and session analysis using the session analysis module 433.

If the type of the application in the step S106 can not distinguish the characteristics of the traffic through a single flow traffic, and the "D format" that can be accurately analyzed only by analyzing the correlation of several input and output flow traffic, the session is stored (S107) It is determined whether the operation has ended (S108).

If it is determined in S106 that the format of the application is a "D" format, but analysis is not possible, a log file for analysis cannot be generated and information on the transmission is transmitted by FTP (S109).

If it is determined in step S108 that the session is terminated, an application ID is inserted into the flow (S110).

In addition, in S106, the format of the application is "A type" using the logical port value registered in IANA as it is or "B type" using the logical port analyzed through traffic analysis, although the logical port value registered in IANA is not kept. Or, if it is determined that the "C format" that is not registered in the IANA or the port being used as an arbitrary band, the application ID is inserted into the flow (S110).

When the insertion of the application ID is completed in the flow in S110 is transmitted to the traffic analyzer 500 is installed in the remote (S111).

The flow information collection module 531 of the traffic statistics processing unit 530 in the traffic analyzer 500 collects flows transmitted from the traffic collector 400 and temporarily stores the flows in a buffer, which is a memory space, and the statistical information processing module 532. Accesses the flow stored in the buffer of the flow information collection module 531 and generates statistical data for each analysis item of the traffic (S112).

The criteria of the analysis item of the traffic are divided into protocols, logical ports, source IP address, application, application type, and the like.

In addition, the analysis of the flow traffic and the generation of statistical data are executed according to the rules provided by the traffic profile manager 52.

The traffic statistics processing unit 530 transmits the data generated for each analysis item to the report management unit 540.

Accordingly, the report generation module 541 in the report management unit 540 automatically generates and manages a report for each item set in the report item management module 542 according to the period registered in the schedule module 543 and displays the generated report file. The management unit 550 is transmitted and displayed in the form of graphs and tables through the screen of the manager PC 600 under the control of the screen management unit 550 (S113).

In addition, the report management unit 540 stores the automatically generated report file in the database to analyze the detailed properties of the traffic, through which it is possible to efficiently manage the operation of the logical port (S114).

The embodiments of the present invention described above are not implemented only through the apparatus and the method, but may be implemented through a program for realizing a function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded. Implementation may be easily implemented by those skilled in the art from the description of the above-described embodiments.

Although the embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improvements of those skilled in the art using the basic concepts of the present invention defined in the following claims are also provided. It belongs to the scope of rights.

According to the above-described configuration, an embodiment of the present invention collects a packet from a physical circuit to generate a flow, analyzes an application format of the generated flow, and generates statistical data for each analysis item, thereby providing details of traffic on an IP network. It has the effect of providing an analysis.

In addition, it can analyze traffic such as P2P that is not registered in IANA or provide efficiency in the management of logical ports. Accordingly, the high speed service of IP network can be expected.

In other words, it can be expected to manage the logical port that is abnormally used to effectively utilize the resources of the limited IP network.

Claims (30)

A splitter for connecting a physical line between the switch and the IP network; A traffic collector configured to mirror the physical circuit of the splitter to collect packets in real time, generate a flow by analyzing traffic of the collected packets, and analyze an application for each flow and transmit the result to a traffic analyzer; Traffic analysis apparatus using the flow in the IP network including a traffic analyzer for generating and storing statistical data for each analysis item for the analysis results of the application for each flow provided from the traffic collector, and outputs the statistical data through the screen of the manager PC. The method of claim 1, The traffic collector is a traffic analysis device using the flow in the IP network to connect the physical circuit of the splitter in a tap method. The method of claim 1, The traffic collector is a traffic analysis device using a flow in the IP network to track and manage traffic classified as unknown traffic or classified as a real service and other services as a result of the application analysis of the flow. The method of claim 1, The traffic collector includes a packet manager for collecting packets in real time from the physical circuit of the splitter; A flow manager configured to generate and transmit a flow by analyzing the packets collected by the packet manager; An application determination unit for determining an application type of each flow generated by the flow management unit; And a config management unit configured to manage options related to packet collection in the application manager, generation and transmission of flow in the flow manager, and interworking with a traffic analyzer. The method of claim 4, wherein The application format of the flow determined in the application, "A type" using the logical port value registered in IANA as it is; "Type B", which does not keep the logical port value registered in IANA, but uses the logical port analyzed through traffic analysis; "Type C" for any band that is not registered with the IANA or is in use; Traffic analysis device using flow in IP network that can not be distinguished by one flow traffic and can be analyzed accurately by analyzing correlation of several I / O flow traffic. The method of claim 4, wherein The packet manager includes a packet collecting module for collecting packet data from a physical line; A buffer for storing packet data collected by the packet collection module; Traffic analysis apparatus using the flow in the IP network including a sampling module for sampling the packet data collected according to the option of the configuration management unit. The method of claim 6, The buffer is a traffic analysis device using the flow in the IP network, the number and size of the buffer is determined by the option of the configuration management unit according to the capacity and load of the system. The method of claim 6, The sampling module is a traffic analysis device using the flow in the IP network to perform a random sampling and a random location sampling according to the management option of the configuration management unit. The method of claim 4, wherein The flow management unit includes a flow generation module for generating a flow by accessing the packets stored in the packet management unit one by one; A flow pool for storing the flow generated by the flow generation module until it is transmitted to the traffic analyzer; A flow termination monitoring and transmission module for monitoring the generation of the flow and inserting an application ID into the generated flow and transmitting the flow to the flow analyzer when generation of the complete flow is completed; The flow analysis apparatus using the flow in the IP network comprising a non-classified flow management module for storing and managing the information in the flow pool and the payload information in the file for the flow that is determined "not determined" by the application determination unit. The method of claim 9, The flow pool is a traffic analysis device using the flow in the IP network for storing the newly generated flow as it is, and update the information of the "packet amount, byte amount" for the flow if the existing flow is stored. The method of claim 4, wherein The application determining unit comprises a port analysis module for determining an application by analyzing a port used as a logical port or a band in the flow; A payload analysis module for determining an application by analyzing a payload of packets stored together when the flow cannot be determined through the port analysis module; When the flow cannot be determined through the payload analysis module, the traffic using the flow in the IP network includes a session analysis module that stores a predetermined number of flows, collects them at once, and determines the corresponding applications according to analysis rules. Analysis device. The method of claim 11, The port analysis module is a traffic analysis device using the flow in the IP network to download the content applied to the previous traffic analysis by the connection management unit in conjunction with the application of the application management when the system is running. The method of claim 11, The payload analysis module is a traffic analysis device using the flow in the IP network to download the characteristic information of the payload for each application through application of the configuration management unit to apply to the application of the flow. The method of claim 11, The session analysis module is a traffic analysis device using the flow in the IP network to determine the analysis impossible for the flow that can not determine the application, the result is loaded into the flow and transmitted to the traffic analyzer. The method of claim 4, wherein The call manager may include: a rule management module managing a rule applied to an application analysis in association with the traffic analyzer; A flow management module for managing setting contents related to flows; Traffic analysis apparatus using the flow in the IP network including a linkage management module for managing data linkage with the traffic analyzer. The method of claim 15, The rules managed by the rule management module are the starting point and size of the flow to be stored except for the header for payload analysis applied by the packet management unit, the number and size of the buffers of the packet management unit, the number of rules to be applied and the application. Traffic analysis apparatus using the flow in the IP network including the number of rules applied for analysis. The method of claim 15, The flow management module is an IP network that manages a sampling ratio applied to the packet manager, a size of a flow pool applied to the flow manager, an active time in a flow pool, and a time difference between packets recognized as a new flow. Traffic analysis device using the flow in the. The method of claim 1, The traffic analyzer includes a system manager that performs processor management, log and backup management, and data file management according to an operation; A traffic profile manager that periodically manages IDs by interworking IANA protocols and logical ports, analyzes traffic collected from IP networks, reflects the results, and manages various rules required for traffic analysis; A traffic statistics processing unit for collecting and analyzing flow traffic to analyze generation and statistical information of each item; A report manager configured to generate and store statistical data for each item analyzed by the traffic statistics processor as a report according to a schedule; Traffic management apparatus using the flow in the IP network including a screen management unit for managing the display of the statistical data for traffic analysis on the screen of the manager PC. The method of claim 18, The system manager includes a process management module that provides a process monitoring function, a failure management function, and an automatic execution function; A log and backup management module that provides a log management function, a DB backup function, and a system environment variable backup function; Traffic analysis apparatus using the flow in the IP network including a data management module for managing the transmission period and mode of the data, and transmits the flow data determined as the analysis failure by FTP. The method of claim 18, The traffic profile management unit downloads the information of the protocol and the logical port managed by the IANA to update the information of the protocol format and the logical port currently in use, and informs the traffic collector about this information; An application management module for defining and managing applications for each type; Traffic analysis apparatus using the flow in the IP network including a rule management module for storing and managing rules corresponding to the application ID for each type. The method of claim 20, The value managed by the rule management module includes a rule ID and an application ID of a flow, a protocol ID of packets constituting the flow, a source IP as a source of a flow, a destination IP as a receiver of a flow, a source port, a destination port, and a signature. An apparatus for analyzing traffic using a flow in an IP network including a start point excluding an IP header, a text or byte value recognized as a signature, a flow format, a division of a direction, and the number of occurrences of signatures in a flow. The method of claim 18, The traffic statistics processing unit includes a flow information collection module for storing the flow packet collected from the traffic collector in a memory space; A statistical information processing module for collecting the stored flows and generating statistical data for each traffic collector and registered analysis item; Traffic analysis apparatus using the flow in the IP network comprising a statistical information analysis module for generating secondary statistical data of the entire report by applying the statistical data generated by the statistical information processing module. The method of claim 18, The report manager may include: a report generation module generating statistical data generated by the statistical information processing module as an hourly report; A report item management module for managing a report under a condition registered by an administrator; Traffic analysis device using the flow in the IP network including the schedule management module for managing the report generation schedule. The method of claim 18, The screen management unit includes a user management module that manages user registration and manages the rights of registered users; A real time inquiry module for displaying a detailed traffic result at a set time interval; Traffic analysis apparatus using the flow in the IP network including a report inquiry module for reading and displaying the statistical result value stored in the database. (a) collecting and storing packets distributed in the physical circuit; (b) gathering the stored packets to create a flow; (c) analyzing an application format of the generated flow; (d) inserting an ID according to the analyzed application format; (e) analyzing the flow into which the ID is inserted to generate statistical data; (f) Traffic analysis method using the flow in the IP network comprising the step of generating the statistical data as a report to the administrator and at the same time save and manage as a file. The method of claim 25, Traffic analysis method using the flow in the IP network further comprising the step of sampling the packet collected and stored in the step (a) at a set sampling rate. The method of claim 25, The flow generated in the step (b) is stored in the flow pool, the newly generated flow is stored as it is, and if the same flow, the traffic analysis method using the flow in the IP network is updated new information. The method of claim 25, The analysis of the application type in the step (c) is a traffic analysis method using the flow in the IP network is determined by analysis of the logical port, payload analysis and session analysis. The method of claim 25, In the step (e), the statistical data is a traffic analysis method using a flow in an IP network generated according to protocols, logical ports, destination IP addresses, and application types. The method of claim 25, If the type of the application analyzed in step (c) is "D format" and it is determined that the analysis is impossible, generating and managing a log file, and transmitting the information about the FTP by using the flow in the IP network Analytical Method.

Images