WO2015194604A1 - Network system, control device, communication device, communication control method, and communication control program - Google Patents
- Publication number: WO2015194604A1 (application PCT/JP2015/067519)
- Authority: WIPO (PCT)
- Prior art keywords: communication, control, information, analysis, unit
Classifications
- All classes are under H04L (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)
- H04L63/1425: Traffic logging, e.g. anomaly detection (network security; detecting or protecting against malicious traffic by monitoring network traffic)
- H04L12/66: Arrangements for connecting between networks having differing types of switching systems, e.g. gateways (data switching networks)
- H04L63/0209: Architectural arrangements, e.g. perimeter networks or demilitarized zones (separating internal from external traffic, e.g. firewalls)
- H04L63/029: Firewall traversal, e.g. tunnelling or creating pinholes (separating internal from external traffic, e.g. firewalls)
- H04L63/1416: Event detection, e.g. attack signature detection (detecting or protecting against malicious traffic by monitoring network traffic)
- H04L63/1441: Countermeasures against malicious traffic
- H04L45/64: Routing or path finding of packets in data switching networks using an overlay routing layer
- H04L67/10: Protocols in which an application is distributed across nodes in the network (network arrangements or protocols for supporting network services or applications)
Definitions
- the present invention relates to a network system, a control device, a communication device, a communication control method, and a communication control program.
- a user NW (network), such as a home NW or a small or medium-sized company NW, is expected to introduce only an inexpensive device with minimal functions and to have this device cooperate with functions outside the user NW to realize various security measures; that is, the security of the user NW is outsourced.
- one approach routes or mirrors all communication traffic (communication packets and communication flows) between the user NW and an external NW through an external function placed in a data center on the Internet, so that all the communication traffic of the user NW can be monitored.
- another technique detects anomalies by sampling the traffic of the user NW and transmitting the samples to an external function placed in a data center or the like.
- communication traffic flowing from the user NW to the outside is passed through an IDS (Intrusion Detection System), which determines whether the communication toward the destination application server (AP server) is unauthorized and notifies the administrator.
- IDS: Intrusion Detection System
- AP server: destination application server
- ISP: Internet Service Provider
- the prior art described above cannot detect malicious communication and appropriately protect user communication without either squeezing the bandwidth of the user line or reducing accuracy: monitoring all communication traffic compresses the bandwidth, while merely sampling and detecting anomalies without covering all the communication traffic lowers the accuracy.
- a network system of the present invention includes a communication device and a control device that communicates with the communication device via a network. The communication device includes a communication control unit that controls communication via the communication device, and a collection unit that configures part of the information related to the communication as partial information and transmits the partial information to the control device.
- the control device includes a first analysis unit that analyzes the partial information received from the communication device to determine whether or not the communication is abnormal;
- a control determination unit that, when the first analysis unit determines that the communication is abnormal, controls the communication path through the communication control unit so that the communication is transmitted from the communication device to the control device;
- and a second analysis unit that determines whether or not the communication transmitted under that path control is malicious communication. The control determination unit further, when the second analysis unit determines that the communication is malicious,
- controls the communication control unit so as to limit the malicious communication.
- FIG. 1 is a diagram showing a configuration of a network system according to the first embodiment.
- FIG. 2 is a block diagram showing a configuration of the communication apparatus according to the first embodiment.
- FIG. 3 is a block diagram illustrating a configuration of the control device according to the first embodiment.
- FIG. 4 is a diagram for explaining the transition of the communication mode.
- FIG. 5 is a diagram illustrating a series of communication control processing performed by the network system according to the first embodiment.
- FIG. 6 is a sequence diagram showing a flow of communication control processing in the network system according to the first embodiment.
- FIG. 7 is a flowchart showing the flow of the collection process in the collection apparatus according to the first embodiment.
- FIG. 8 is a flowchart showing the flow of communication control processing in the normal mode of the control device according to the first embodiment.
- FIG. 9 is a flowchart showing a flow of communication control processing in the mirroring mode of the control device according to the first embodiment.
- FIG. 10 is a flowchart showing a flow of communication control processing in the inline mode of the control device according to the first embodiment.
- FIG. 11 is a diagram for explaining a series of communication control processing by the network system according to the second embodiment.
- FIG. 12 is a conceptual diagram of mapping to the feature vector space.
- FIG. 13 is a diagram illustrating an example of a determination criterion used in the abnormality determination process.
- FIG. 14 is a sequence diagram showing a flow of communication control processing in the network system according to the second embodiment.
- FIG. 15 is a flowchart showing a flow of communication control processing in the normal mode of the control device according to the second embodiment.
- FIG. 16 is a diagram for explaining a series of communication control processing by the network system according to the third embodiment.
- FIG. 17 is a sequence diagram showing a flow of communication control processing in the network system according to the third embodiment.
- FIG. 18 is a flowchart showing the flow of collection processing in the collection apparatus according to the third embodiment.
- FIG. 19 is a diagram for explaining a series of communication control processing by the network system according to the fourth embodiment.
- FIG. 20 is a diagram for explaining how to determine the similarity of a set.
- FIG. 21 is a diagram for explaining a series of flow of communication control processing in the mirroring mode in the network system according to the fifth embodiment.
- FIG. 22 is a diagram for describing a series of communication control processes in the inline mode in the network system according to the fifth embodiment.
- FIG. 23 is a diagram for explaining a series of communication control processing in the network system according to the sixth embodiment.
- FIG. 24 is a diagram illustrating an example of information stored in the anomaly information accumulation unit according to the sixth embodiment.
- FIG. 25 is a diagram illustrating an example of a flow table included in the communication control device according to the sixth embodiment.
- FIG. 26 is a diagram illustrating a computer that executes a communication control program.
- FIG. 1 is a diagram showing a configuration of a network system according to the first embodiment.
- the network system 100 illustrated in FIG. 1 includes a communication device 10 installed in a user NW 30 and a control device 20 installed outside the user NW 30.
- the communication device 10 and the control device 20 are connected via an external NW 60.
- the communication device 10 is placed on the user NW 30 side.
- the communication device 10 may be incorporated in an outer edge router for Internet communication on the user NW 30 side, or may be placed between the outer edge router and a terminal 40 such as a PC in the user NW 30.
- the communication device 10 is connected inline (transparently); that is, the communication passing through the communication device 10, or a part of it, is the processing target.
- the communication device 10 includes a collection device 11 and a communication control device 12.
- the collection device 11 collects a part of communication traffic flowing through the user NW 30 and passing through the communication device 10 and transmits it to the collection management device 21 of the control device 20 as partial information of the communication traffic.
- the collection device 11 may transmit the collected part of the communication traffic as it is to the collection management device 21, may transmit only a further subset of it, or may transmit aggregated or statistical information derived from it as the partial information of the communication traffic.
- the communication control device 12 controls communication traffic in accordance with the control command received from the control device 20.
- communication traffic control processing includes communication mode control and security control (packet filtering, etc.) accompanying the change of the communication mode.
- the location of the control device 20 is outside the user NW 30 and on the control NW 70 side.
- the control device 20 is installed in a communication carrier NW, an ISP NW, or a data center on the Internet.
- the control device 20 includes five devices, that is, a collection management device 21, an analysis device 22, a control determination device 23, an analysis device 24, and a communication control device 25.
- the control device 20 may also be a single device that provides each of the functions of the collection management device 21, the analysis device 22, the control determination device 23, the analysis device 24, and the communication control device 25.
- the collection management device 21 collects partial information transmitted from the collection device 11 and transmits it to the analysis device 22.
- the analysis device 22 analyzes the partial information received from the collection management device 21, for example by machine-learning anomaly detection, and outputs the analysis result to the control determination device 23.
- the analysis result is stored as machine learning model information and applied to subsequent analyses.
- a feature vector is constructed from the received partial information and analyzed against the model information (for example, a feature vector space or feature space composed of previously stored feature vectors), and whether or not this feature vector is abnormal is output as the analysis result.
- the feature vector is then reflected in the model information, which improves the accuracy of subsequent analyses.
- the control determination device 23 determines the communication mode based on the analysis result received from the analysis device 22, and instructs the communication control devices 12 and 25 to perform communication mode control according to that mode.
- the control determination device 23 also determines the communication mode and the content of security control based on the analysis result received from the analysis device 24, and instructs the communication control devices 12 and 25 to perform communication control according to these determinations.
- the analysis device 24 performs a deep analysis of the received communication traffic, determines whether the communication is malicious communication, such as that of a malware-infected host, and outputs the determination result to the control determination device 23. For example, the analysis device 24 determines whether the communication is "black" (malicious), "white" (not malicious), or "gray" (cannot be determined as either). The "gray" verdict may be multi-level, for example five levels from 5 (closer to black) to 1 (closer to white).
- the determination result includes the protocol number, destination address and port number, source address and port number, and the like of the communication that was judged, and security control is applied on each of the communication control devices 12 and 25 using this information.
- the communication control device 25 controls communication traffic in accordance with the control command received from the control determination device 23.
- Communication traffic control processing includes communication mode control and security control associated with a change in communication mode.
- the user NW 30 contains a terminal 40, which is a communication device such as a PC, and a router 80 (or a terminal device) for communicating with the Internet.
- the communication device 10 is connected between the terminal 40 and the router 80, and all communication traffic between the terminal 40 and the Internet is transmitted to and received from the external NW 60 via the communication device 10 and the router 80.
- for example, the collection device 11 is an sFlow agent
- and the collection management device 21 is an sFlow collector.
- the communication control devices 12 and 25 are implemented with OpenFlow (see https://www.opennetworking.org/) together with tunneling functions such as GRE and L2TP.
- the analysis device 22 uses the online machine learning parallel distributed processing framework Jubatus (see NTT Technical Journal 2012.10, pp.30-35, http://www.ntt.co.jp/journal/1210/files/jn201210030.pdf).
- the analysis device 24 is a device that can identify and deeply analyze communication from layer 2 up to layer 7 application communication by deep packet inspection, and can detect and block the behavior of malicious communication.
- when the analysis device 24 determines that the communication is malicious (black), it outputs a corresponding message log. When it determines that the communication is suspicious (gray), it outputs a corresponding message log and, if the suspicion is graded, also outputs information indicating the level. When it determines that the communication is not malicious (white), it either outputs a corresponding message log or outputs no message log at all, thereby notifying that the communication was judged not to be malicious.
- the control determination device 23 determines the content of the instruction based on the results of the analysis device 22 and the analysis device 24, and may instruct an OpenFlow-compatible switch (for example, Open vSwitch, http://openvswitch.org/) via an OpenFlow controller; the construction and deletion of the tunnel between the communication control devices 12 and 25 may be instructed separately.
- OpenFlow compatible switch: for example, Open vSwitch (http://openvswitch.org/)
- alternatively, an OpenFlow controller is incorporated in each of the communication control devices 12 and 25; the control determination device 23 transmits a control command to each OpenFlow controller, and the controller that receives the command performs control such as writing flow entries to the target OpenFlow-compatible switch.
- FIG. 2 is a block diagram showing a configuration of the communication apparatus according to the first embodiment.
- the communication device 10 includes a collection device 11 and a communication control device 12.
- the collection device 11 configures part of the information related to communication as partial information and transmits it to the control device 20. Alternatively, it may collect all collectable communication in the user network and configure part of that as the partial information.
- communication within the user network here means communication via the communication device 10, and covers both communication inside the user network and communication between the user network and an external network such as the Internet.
- the collection device 11 includes an extraction unit 11a and a storage unit 11b.
- the storage unit 11b stores a collection rule that defines how partial information is collected. For example, the collection rule consists of an extraction rule defining the condition under which the extraction unit 11a extracts communication traffic, and a transmission rule defining the condition under which the extracted partial information is transmitted to the collection management device 21.
- the extraction unit 11a extracts communication traffic based on the collection rule stored in the storage unit 11b and temporarily stores it in the storage unit 11b as necessary. It extracts the partial information that satisfies the extraction rule and transmits it to the collection management device 21 when the transmission rule is satisfied; for example, it transmits the partial information every time a predetermined number of packets has been acquired.
- the communication control device 12 includes a storage unit 12a, a tunnel unit 12b, and a communication control unit 12c.
- the storage unit 12a stores control rules necessary for communication mode control and security control.
- the collection rule stored in the storage unit 11b of the collection device 11 specifies: (a) the elements that make up the feature vector used as input to the analysis device 22 for anomaly detection and the like, for example time information for each communication direction, communication session information such as duration, identification information identifying the user or the user NW 30, source IP address, destination IP address, source port number, destination port number, application identification information, data size, and DNS name-resolution queries with their response contents, query interval, query count, and the TTL (Time To Live) of the resolved name; (b) the calculation method, such as sampling, or aggregation or statistics over this information in a sampling-like form; and (c) the trigger for transmitting the partial information to the collection management device 21, for example a predetermined collection interval or the collection of a predetermined number of packets.
- examples of usable data are the data, and the sampling methods, obtainable with SNMP, sFlow, NetFlow, and IPFIX.
- a mechanism for acquiring the statistical information handled by OpenFlow may also be used.
- statistical information collected by an OpenFlow-compatible switch is transmitted to the OpenFlow controller according to the OpenFlow specification.
- the statistical information may be collected by the control determination device 23, which then transfers it to the collection management device 21, or by each communication control device (the communication control device 12 and the communication control device 25); in the latter case the statistical information collected on the communication control device 12 is transferred to the collection management device 21 (via the collection device 11).
- the identification information of the user or user NW 30 may be included in the partial information.
- the necessary element information can be extracted by capturing and disassembling frames or packets. Alternatively, communication traffic that satisfies the collection rule may be transmitted as it is, or a part of it may be transmitted; in that case the partial information, or the feature vector to be fed to machine learning or the like, is generated from the received information on the collection management device 21 described later. For example, sFlow is a sampling-based technique in which the feature vector is generated not by the agent (corresponding to the collection device 11) but by the collector (corresponding to the collection management device 21).
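The collection rule described above (extraction rule, sampling, transmission trigger, and the identification information added to each record) is shown here as an added example that is not code from the patent. It models the extraction unit 11a of the collection device 11; the packet records, field names, the `userNW-30` identifier and the batch size are constructed assumptions, and the per-flow summary stands in for the "aggregated or statistical information" variant of partial information.

```python
"""Rule-driven collection of partial information on the user-NW side (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed packet records, as a capture-and-disassemble step would yield them.
SAMPLE_PACKETS = [
    {"ts": 1.00, "src": "192.0.2.10", "dst": "198.51.100.5", "proto": 6, "sport": 51000, "dport": 443, "size": 120},
    {"ts": 1.02, "src": "198.51.100.5", "dst": "192.0.2.10", "proto": 6, "sport": 443, "dport": 51000, "size": 1400},
    {"ts": 1.10, "src": "192.0.2.10", "dst": "192.0.2.1", "proto": 17, "sport": 52000, "dport": 53, "size": 70},
    {"ts": 1.12, "src": "192.0.2.1", "dst": "192.0.2.10", "proto": 17, "sport": 53, "dport": 52000, "size": 130},
    {"ts": 2.00, "src": "192.0.2.11", "dst": "203.0.113.9", "proto": 6, "sport": 40000, "dport": 8080, "size": 300},
]


@dataclass
class CollectionRule:
    elements: List[str]           # extraction rule: fields that form the partial information
    match: Dict[str, object]      # extraction rule: only packets with these field values
    sample_rate: int = 1          # sFlow-style 1-in-N sampling of matching packets
    batch_size: int = 2           # transmission rule: send after N extracted records
    user_id: str = "userNW-30"    # assumed identification info added to every record


@dataclass
class Collector:
    rule: CollectionRule
    seen: int = 0                                         # matching packets counted for sampling
    buffer: List[dict] = field(default_factory=list)
    sent: List[List[dict]] = field(default_factory=list)  # batches handed to device 21

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in self.rule.match.items())

    def extract(self, pkt: dict) -> dict:
        record = {k: pkt[k] for k in self.rule.elements if k in pkt}
        record["user"] = self.rule.user_id
        return record

    def observe(self, pkt: dict) -> None:
        """Apply match, sampling and batching to one packet passing through device 10."""
        if not self.matches(pkt):
            return
        self.seen += 1
        if self.seen % self.rule.sample_rate:
            return                                        # not one of the 1-in-N samples
        self.buffer.append(self.extract(pkt))
        if len(self.buffer) >= self.rule.batch_size:      # transmission trigger reached
            self.sent.append(self.buffer)
            self.buffer = []


def collect(packets: List[dict], rule: CollectionRule) -> Collector:
    c = Collector(rule)
    for p in packets:
        c.observe(p)
    return c


def summarize(records: List[dict]) -> Dict[Tuple[str, str, int], Tuple[int, int]]:
    """Statistical partial information: packets and bytes per (src, dst, dport)."""
    stats: Dict[Tuple[str, str, int], Tuple[int, int]] = {}
    for r in records:
        key = (r["src"], r["dst"], r["dport"])
        pk, by = stats.get(key, (0, 0))
        stats[key] = (pk + 1, by + r.get("size", 0))
    return stats


if __name__ == "__main__":
    tcp_rule = CollectionRule(["src", "dst", "proto", "dport", "size"], {"proto": 6})
    c = collect(SAMPLE_PACKETS, tcp_rule)
    print(len(c.sent), "batch(es) sent,", len(c.buffer), "record(s) still buffered")
    print(summarize(c.sent[0]))
```

With the TCP-only rule, three of the five packets match, so one batch of two records is transmitted and the third stays buffered until the trigger fires again; the source port is not in `elements` and is therefore absent from what leaves the user NW, which is the bandwidth-saving point of sending partial information rather than traffic.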
- the tunnel unit 12b constructs a tunnel with the communication control device 25 of the opposing control device 20.
- when the communication mode is the mirroring mode or the inline mode,
- the tunnel unit 12b establishes a tunnel with the communication control unit 25c of the opposing communication control device 25 in order to carry communication traffic to the analysis device 24.
- the communication control unit 12c controls communication via the communication device 10. Specifically, the communication control unit 12c performs communication mode control according to the communication mode, and security control such as packet filtering.
- FIG. 3 is a block diagram illustrating a configuration of the control device according to the first embodiment.
- the control device 20 includes a collection management device 21, an analysis device 22, a control determination device 23, an analysis device 24, and a communication control device 25.
- when the control device 20 observes communication traffic flowing through the communication device 10 and determines that it is abnormal communication (communication that is malicious, or that cannot be judged malicious but deviates from normal communication behavior), or when it determines that it is malicious communication,
- it commands security control on the communication control device 12 of the communication device 10 and/or the communication control device 25 of the control device 20.
- the collection management device 21 includes a collection unit 21a and an extraction control unit 21b.
- the collection unit 21a collects partial information from the communication device 10 and transmits it to the analysis device 22.
- the extraction control unit 21b transmits the collection rule to the collection device 11 in advance.
- the analysis device 22 analyzes the partial information received from the communication device 10 via the collection management device 21 and determines whether there is an abnormality in the communication within the user network using the analyzed analysis result.
- the analysis device 22 includes an analysis / learning unit 22a and a storage unit 22b.
- the storage unit 22b stores a rule that serves as a determination criterion for determining a communication abnormality.
- the analysis / learning unit 22a analyzes the partial information received from the collection management device 21 by machine learning such as abnormality detection, and notifies the control determination device 23 of the result. Further, the analysis / learning unit 22a updates the learning result of machine learning as model information, and stores the updated model information in the storage unit 22b.
- the analysis / learning unit 22a may use, for example, LOF (Local Outlier Factor), which is a density-based outlier detection method, as an analysis and learning method.
- LOF: Local Outlier Factor
- analysis and machine learning are described in detail below.
- the elements constituting the feature vector are defined in advance and registered in the analysis device 22.
- for a communication packet, the elements are, for example, source/destination IP address or MAC address, protocol number (a number indicating TCP, UDP, or the like), port number, and whether the data portion contains authentication information (1 if present, 0 if not).
- the elements necessary for analysis and learning are defined in advance, and packet input is accepted.
- a necessary element may itself consist of several elements; for example, an IPv4 address may be represented as one element per 8 bits.
- a feature vector with n elements is an n-dimensional numerical vector.
- feature vectorization may be performed by the extraction unit 11a based on the collection rule of the collection device 11.
- alternatively, the information necessary for feature vectorization is transmitted as partial information from the collection device 11 to the collection management device 21, and the collection management device 21 generates the feature vector from this partial information.
- model information is, for example, a group of feature vectors stored in the storage unit 22b of the analysis device 22 and classified by a predetermined learning or classification algorithm. When the feature-vectorized input is given to this set, it can be determined, based on distance or density in the feature space, whether the input is abnormal (an anomaly, indicated by its degree of deviation from the normal model) or not.
- the feature vectors are stored in the storage unit 22b, and the stored group of feature vectors is classified based on a predetermined learning algorithm.
- LOF: an anomaly-detection learning algorithm
- learning means that feature vector information is stored in the storage unit 22b and feature information of the set (for example, the boundary drawn to classify the set, when classification is used) is derived from the stored group of feature vectors. Analysis is then performed using this feature information.
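Feature vectorization and density-based anomaly detection as described above, shown as an added example that is not the patent's own code and does not use Jubatus. It models the analysis/learning unit 22a: each record becomes an n-dimensional vector (one element per 8 bits of each IPv4 address, protocol number, destination port, and a 0/1 authentication flag), and the stored vector group is the model a new vector is scored against. The LOF is a compact pure-Python version that cuts neighbour ties at k rather than the full definition; the sample records, k = 2 and the threshold of 2.0 are constructed assumptions.

```python
"""Feature vectors and LOF scoring on the control-NW side (added example)."""
import math
from typing import List, Sequence, Tuple

# Constructed partial-information records: four similar HTTPS sessions and one DNS record.
SAMPLE_RECORDS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "proto": 6, "dport": 443, "auth": 1},
    {"src": "192.0.2.10", "dst": "198.51.100.6", "proto": 6, "dport": 443, "auth": 1},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": 6, "dport": 443, "auth": 1},
    {"src": "192.0.2.10", "dst": "198.51.100.8", "proto": 6, "dport": 443, "auth": 1},
    {"src": "192.0.2.10", "dst": "203.0.113.9", "proto": 17, "dport": 53, "auth": 0},
]


def ip_octets(ip: str) -> List[float]:
    """One element per 8 bits of an IPv4 address."""
    return [float(o) for o in ip.split(".")]


def featurize(rec: dict) -> List[float]:
    """Map one record to its n-dimensional feature vector (n = 11 here)."""
    return (ip_octets(rec["src"]) + ip_octets(rec["dst"])
            + [float(rec["proto"]), float(rec["dport"]), 1.0 if rec.get("auth") else 0.0])


def euclid(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def lof_scores(vectors: Sequence[Sequence[float]], k: int) -> List[float]:
    """Local Outlier Factor of every vector against the others (about 1 = normal)."""
    n = len(vectors)
    d = [[euclid(vectors[i], vectors[j]) for j in range(n)] for i in range(n)]
    # k nearest neighbours of each point (itself excluded) and its k-distance
    nbrs = [sorted((j for j in range(n) if j != i), key=lambda j, i=i: d[i][j])[:k]
            for i in range(n)]
    kdist = [d[i][nbrs[i][-1]] for i in range(n)]
    # local reachability density: inverse mean reachability distance to the neighbours
    lrd = []
    for i in range(n):
        reach = [max(kdist[j], d[i][j]) for j in nbrs[i]]
        lrd.append(len(reach) / (sum(reach) or 1e-12))
    # LOF: neighbours' density relative to the point's own density
    return [sum(lrd[j] for j in nbrs[i]) / (len(nbrs[i]) * lrd[i]) for i in range(n)]


def analyze(records: List[dict], k: int = 2, threshold: float = 2.0) -> List[Tuple[dict, float, bool]]:
    """Return (record, LOF score, abnormal?) per record; k and threshold are assumed."""
    scores = lof_scores([featurize(r) for r in records], k)
    return [(r, s, s > threshold) for r, s in zip(records, scores)]


if __name__ == "__main__":
    for rec, score, abnormal in analyze(SAMPLE_RECORDS):
        print(f"{rec['dst']:>14} {rec['dport']:>5}  LOF={score:8.2f}  {'ABNORMAL' if abnormal else 'normal'}")
```

The four HTTPS records differ only in the last destination octet, so each has the same local density and scores exactly 1.0; the DNS record sits hundreds of units away in the port and address dimensions and scores in the hundreds. Raw port and octet values dominate the distance here, which is why a production model scales or encodes such elements before learning.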
- the control determination device 23 includes a determination unit 23a, a control command unit 23b, and a storage unit 23c.
- the storage unit 23c stores status information and the like of the communication control devices 12 and 25. As status information, the storage unit 23c records, in association with each user or user NW 30, which communication traffic of that user or user NW 30 is route-controlled in which communication mode, the history of communication mode transitions, and what security control is being applied.
- the determination unit 23a determines the communication mode using the analysis result produced by the analysis device 22. Specifically, when it receives the analysis result from the analysis device 22, the determination unit 23a decides on that basis which communication mode the communication control device 12 should use.
- when the analysis device 22 determines that there is an abnormality in communication, the control command unit 23b controls the communication path on the communication control device 12 in the user NW 30 so that the communication determined to be abnormal (the communication corresponding to the feature vector judged abnormal in the analysis result) is transferred from the communication control device 12 to the analysis device 24 (routed through it, or mirrored to it). In addition, when the analysis device 24 determines that communication within the user NW 30 is malicious communication, the control command unit 23b performs control so as to limit that malicious communication.
- the control command unit 23b transmits a communication mode control command to the communication control devices 12 and 25 so as to follow the determined communication mode.
- the control command unit 23b receives the analysis result from the analysis device 24, and transmits a security control command to the communication control device 12 (and / or 25) when it is determined that security control is necessary.
- the control rule is a rule for path control and security control according to the communication mode.
- the normal mode, the mirroring mode, and the inline mode are defined as communication modes, and the communication control devices 12 and 25 transition to each mode according to the determination of the control determination device 23, which takes the analysis result of the analysis device 22 into account.
- in the normal mode, the communication control device 12 of the communication device 10, which has a communication interface toward the internal NW (user NW 30) and a communication interface toward the external NW 60, is set with a route control rule that forwards the communication traffic received through bridge/switch and routing processing to its destination as it is.
- a tunnel is constructed between the communication control device 12 and the opposing communication control device 25.
- this tunnel may be constructed statically, or constructed dynamically at the moment the communication mode is switched if it does not exist yet; in that case it is only necessary to delete the tunnel dynamically when switching back to the normal mode.
- in the mirroring mode, the communication control device 12 of the communication device 10 is set with a route control rule under which communication traffic received from the interface facing the internal NW or from the interface facing the external NW 60 is transferred as-is to its destination, and a copy of that received traffic is mirrored into the tunnel and transferred to the opposite end of the tunnel.
- a route control rule is set in the communication control device 25 of the control device 20 so that communication traffic received through the tunnel from the opposite end is transferred to the analysis device 24.
- in the inline mode, the communication control device 12 of the communication device 10 is set with route control rules under which communication traffic received from the interface facing the internal NW (and, for the reverse direction, from the interface facing the external NW 60) is transferred through the tunnel to the opposite end, and communication traffic received from the communication control device 25 of the control device 20 through the tunnel is transferred to the traffic's destination.
- the communication control device 25 of the control device 20 is set with route control rules under which communication traffic received through the tunnel from the opposite end is transferred to the analysis device 24, and communication traffic received back from the analysis device 24 is transferred through the tunnel to the opposite end.
- Security control blocks malicious communication, and also communication determined to be suspicious that satisfies a predetermined condition (the "gray" of the white/black/gray determination). Blocking a suspicious communication that satisfies a predetermined condition is a safety block that errs on the side of caution; if that communication is later determined to be normal, a control command cancelling the block is sent at that time. The communication control device 12 and/or 25 is instructed to block the communication that the control determination device 23 decides to block.
- blocking control is possible at the layer 3 level (IP address or IP address range), the layer 4 level (TCP/UDP protocol or port number), and the application layer. For application-layer blocking, the specific application to be blocked is identified from the communication traffic, and its communication is blocked using information that identifies that application.
- where a URL filter can be applied, control may set a specific URL or FQDN to be blocked in the filter.
- where a mail filter can be applied, control may set a specific mail address or domain to be blocked in the filter.
- the information needed to set up security control such as blocking is included in the analysis result output by the analysis device 24, and the control determination device 23 instructs the communication control device to apply the control using the received analysis result.
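- The blocking levels above, worked through as an added Python example (not code from the patent): a controller that turns a deep-analysis result into block rules at the most specific level the result supports (URL, mail, application, layer 4, or a layer 3 /32 fallback), installs a provisional safety block for gray results at or above an assumed level, and lifts only those provisional blocks when a later result for the same flow is white. The `AnalysisResult` fields, the `GRAY_BLOCK_LEVEL` value, and the command tuples are assumptions for illustration.

```python
"""Security control command generation for the blocking levels the text
describes (layer 3 address/range, layer 4 protocol/port, application, URL/FQDN
filter, mail filter), including the safety block of 'gray' communication that
is cancelled when a later verdict is 'white'. Added example; field names and
the gray-level condition are assumptions, not the patent's own definitions."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AnalysisResult:
    """Deep-analysis result as analysis device 24 would send it to control
    determination device 23 (hypothetical field layout)."""
    verdict: str                 # "black", "white" or "gray"
    src_ip: str
    dst_ip: str
    proto: Optional[str] = None  # "tcp" / "udp"
    port: Optional[int] = None
    app: Optional[str] = None    # application identifier
    url: Optional[str] = None    # URL or FQDN for a URL filter
    mail: Optional[str] = None   # mail address or domain for a mail filter
    gray_level: int = 0          # 1 (closer to white) .. 5 (closer to black)


@dataclass(frozen=True)
class BlockRule:
    layer: str         # "l3", "l4", "app", "url" or "mail"
    match: str         # what the communication control device should match on
    provisional: bool  # True for a safety block of gray communication


GRAY_BLOCK_LEVEL = 3  # predetermined condition (assumed): gray >= 3 is blocked


def derive_rules(r: AnalysisResult, provisional: bool) -> List[BlockRule]:
    """Choose the most specific blocking level(s) the result supports."""
    rules: List[BlockRule] = []
    if r.url:
        rules.append(BlockRule("url", r.url, provisional))
    if r.mail:
        rules.append(BlockRule("mail", r.mail, provisional))
    if r.app:
        rules.append(BlockRule("app", f"{r.src_ip} app={r.app}", provisional))
    if r.proto and r.port is not None:
        rules.append(BlockRule(
            "l4", f"{r.src_ip}->{r.dst_ip} {r.proto}/{r.port}", provisional))
    if not rules:
        # Only addresses are known: block the flow at layer 3 (a /32 range).
        rules.append(BlockRule(
            "l3", f"{r.src_ip}->{ip_network(r.dst_ip)}", provisional))
    return rules


class SecurityController:
    """Control determination device 23 side: keeps the active blocks per flow
    and emits ('block'|'unblock', BlockRule) commands for devices 12/25."""

    def __init__(self) -> None:
        self.active: Dict[str, List[BlockRule]] = {}

    @staticmethod
    def flow_key(r: AnalysisResult) -> str:
        return f"{r.src_ip}->{r.dst_ip}"

    def handle(self, r: AnalysisResult) -> List[Tuple[str, BlockRule]]:
        key = self.flow_key(r)
        cmds: List[Tuple[str, BlockRule]] = []
        if r.verdict == "white":
            # A later 'white' verdict cancels only safety blocks; a confirmed
            # black block is left in place (assumed policy).
            kept = []
            for b in self.active.get(key, []):
                if b.provisional:
                    cmds.append(("unblock", b))
                else:
                    kept.append(b)
            if kept:
                self.active[key] = kept
            else:
                self.active.pop(key, None)
            return cmds
        if r.verdict == "black":
            new = derive_rules(r, provisional=False)
        elif r.verdict == "gray" and r.gray_level >= GRAY_BLOCK_LEVEL:
            new = derive_rules(r, provisional=True)
        else:
            return cmds  # gray below the predetermined level: not blocked
        current = self.active.setdefault(key, [])
        for b in new:
            same = next((c for c in current
                         if (c.layer, c.match) == (b.layer, b.match)), None)
            if same is None:
                current.append(b)
                cmds.append(("block", b))
            elif same.provisional and not b.provisional:
                # Rule is already installed; just mark it as confirmed.
                current[current.index(same)] = b
        return cmds
```

A flow key of source and destination address is deliberately coarse: the unblock for a gray verdict must find the rule the earlier gray verdict installed even if the port or application fields differ between the two analysis runs.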
- when the determination unit 23a of the control determination device 23 determines that the communication is abnormal, the analysis device 24 receives the communication transferred to it by the resulting path control (when operating in the mirroring mode or the inline mode), analyzes that communication, and determines whether the communication within the user NW 30 is malicious.
- the analysis device 24 has a detailed analysis unit 24a.
- the detailed analysis unit 24a analyzes the content of the communication traffic in depth and determines whether the communication is white (normal communication), black (malicious communication), or gray (communication that cannot be determined to be either).
- a set of at least one of the source/destination IP addresses identifying the communication, the port number, application identification information, and the like is transmitted to the control determination device 23 together with the determination result.
- the communication control device 25 includes a tunnel unit 25a, a storage unit 25b, and a communication control unit 25c.
- the tunnel unit 25a establishes a tunnel with the communication control device 12 of the opposite communication device 10.
- specifically, the tunnel unit 25a establishes the tunnel with the communication control unit 12c of the opposite communication control device 12 in order to carry communication traffic to the analysis device 24 in the mirroring mode and the inline mode.
- the storage unit 25b stores control rules necessary for communication mode control and security control.
- the communication control unit 25c performs communication mode control based on the communication mode.
- the communication control unit 25c performs security control.
- FIG. 5 is a diagram illustrating a series of communication control processing performed by the network system according to the first embodiment.
- the collection device 11 collects the communication traffic flowing through the user NW 30 and passing through the communication control device 12, or a part of it (see (1) in FIG. 5), and transmits it to the collection management device 21 of the control device 20 as partial information of the communication traffic (see (2) in FIG. 5).
- the collection management device 21 collects the partial information transmitted from the collection device 11 and transmits it to the analysis device 22 (see (3) in FIG. 5). The analysis device 22 then analyzes the partial information received from the collection management device 21, for example by anomaly detection using machine learning, and outputs the result to the control determination device 23 (see (4) in FIG. 5).
- the control determination device 23 determines the communication mode based on the analysis result received from the analysis device 22, and instructs the communication control devices 12 and 25 to perform communication mode control according to that mode (see (5) in FIG. 5).
- the analysis device 24 performs a deep analysis on the communication traffic it receives, determines whether the communication is malicious communication such as that of a host infected with malware, and outputs the determination result to the control determination device 23 (see (6) in FIG. 5).
- the control determination device 23 determines the communication mode and the content of security control based on the analysis result received from the analysis device 24, and instructs each communication control device 12 and 25 to perform communication control according to these decisions (see (7) in FIG. 5). For example, in the normal mode the communication control device 12 transfers the communication between the terminal 40 and the site 50 on the Internet as-is (see arrow A in FIG. 5). In the mirroring mode, the communication control device 12 transfers the communication as-is to its destination (the site 50 on the Internet or the terminal 40) and also mirrors the communication in both directions to the control device 20, where it is forwarded to the analysis device 24 via the communication control device 25 (see arrow B in FIG. 5).
- in the inline mode, the communication control device 12 causes the communication between the terminal 40 and the site 50 on the Internet to pass through the communication control device 12, the communication control device 25, and the analysis device 24, and then transfers it to its destination via the edge router on the user NW 30 side. More specifically, for communication from the terminal 40 to the site 50, the traffic goes from the terminal 40 through the communication control device 12 and the communication control device 25 to the analysis device 24, returns via the communication control device 25, and is transmitted to the site 50 via the communication control device 12. Communication from the site 50 to the terminal 40 follows the same path in reverse order (see arrow C in FIG. 5).
- FIG. 6 is a sequence diagram showing a flow of communication control processing in the network system according to the first embodiment.
- the collection device 11 collects the communication traffic, or a part of it, that flows through the user NW 30 and passes through the communication control device 12, and transmits it to the collection management device 21 of the control device 20 as partial information of the communication traffic (step S101). The collection management device 21 then collects the partial information transmitted from the collection device 11 and transmits it to the analysis device 22 (step S102).
- the analysis device 22 analyzes the partial information received from the collection management device 21, for example by anomaly detection using machine learning (step S103), and outputs the analysis result to the control determination device 23 (step S104).
- the control determination device 23 determines the communication mode as the control content based on the analysis result received from the analysis device 22 (step S105), instructs each communication control device 12 and 25 to perform communication mode control according to that mode (step S106), and notifies the communication control devices 12 and 25 of the control contents (step S107). Each communication control device 12 and 25 then applies the notified communication mode control (steps S108 and S109).
- the communication control device 12 transmits communication traffic to the analysis device 24 (step S110). The analysis device 24 performs a deep analysis on the received communication traffic (step S111), determines whether the communication is malicious (for example, from a host infected with malware), and outputs the analysis result to the control determination device 23 (step S112).
- the control determination device 23 determines the communication mode and the content of security control based on the analysis result received from the analysis device 24 (step S113), instructs each communication control device 12 and 25 to perform communication control according to that decision (step S114), and notifies each communication control device 12 and 25 of the communication mode and the content of security control (step S115).
- each communication control device 12 and 25 applies the notified communication mode and security control (steps S116 and S117).
- in this way, the control device 20, arranged outside the user NW 30, efficiently collects partial information, that is, a part of the communication traffic flowing through the user NW 30 or statistical information about it, and analyzes the collected information. When this analysis determines that the communication behaviour is abnormal, the communication mode is changed so that the communication traffic of the monitored user NW 30 flows to the control device 20.
- the communication path control of the mirroring mode or the inline mode is used to observe the communication traffic itself (which may include the payload), rather than partial information, for deeper analysis. If that analysis determines that the communication is malicious, indicating for example a malware infection, the communication traffic is temporarily or permanently blocked. If it is determined that the communication is not malicious but shows normal behaviour, the communication mode is changed back to, for example, the normal mode.
- the impact on the communication performance of the user NW 30 is reduced by observing only partial information of the communication traffic of the user NW 30. Anomaly detection is decided from this observation, and the observation is continued at predetermined opportunities.
- the communication traffic is then analyzed in depth, and when it is determined to be malicious, security control is applied to it.
- FIG. 7 is a flowchart showing the flow of the collection process in the collection apparatus according to the first embodiment.
- the collection device 11 observes communication traffic (step S201) and determines whether the communication traffic matches the extraction rule (step S202). If it matches (Yes at step S202), information related to the communication is extracted or aggregated into statistics (step S203).
- once the information has been extracted or aggregated, the collection device 11 determines whether the transmission rule is satisfied (step S204). For example, it determines whether the predetermined time interval specified in the transmission rule has elapsed, or whether the predetermined number of packets specified in the transmission rule has been collected.
- if the transmission rule is satisfied (Yes at step S204), the collection device 11 transmits the partial information to the collection management device 21 (step S205). If the traffic does not match the extraction rule (No at step S202) or the transmission rule is not satisfied (No at step S204), the process returns to step S201 and repeats.
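- The collection procedure of steps S201 to S205, as an added Python example that is not part of the patent: a collector with an extraction rule (destination prefix and protocol), per-flow statistics as the partial information, and a transmission rule that fires on either a packet count or an elapsed interval. The packets in `run_sample()` are constructed, not captured, and the `feature_vector()` shape is one assumed way the analysis device 22 might consume a batch.

```python
"""Collection device 11 logic from FIG. 7: observe packets, keep those that
match an extraction rule, aggregate them into per-flow statistics (the
'partial information'), and transmit when a transmission rule fires (time
interval elapsed or packet count reached). Added example; the rule fields and
the statistics kept are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, str, int]  # (src, dst, proto, dport)


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int
    length: int


@dataclass(frozen=True)
class ExtractionRule:
    """Which traffic to extract: destination prefixes and protocols."""
    dst_nets: Tuple[str, ...] = ("0.0.0.0/0",)
    protos: Tuple[str, ...] = ("tcp", "udp")

    def matches(self, p: Packet) -> bool:
        return p.proto in self.protos and any(
            ip_address(p.dst) in ip_network(n) for n in self.dst_nets)


@dataclass(frozen=True)
class TransmissionRule:
    """When to send: after `interval` seconds or `max_packets` matched packets."""
    interval: float = 60.0
    max_packets: int = 100


class Collector:
    def __init__(self, ext: ExtractionRule, tx: TransmissionRule) -> None:
        self.ext, self.tx = ext, tx
        self.stats: Dict[FlowKey, Dict[str, int]] = {}
        self.count = 0
        self.window_start: Optional[float] = None
        self.sent: List[dict] = []  # batches handed to collection manager 21

    def observe(self, p: Packet) -> Optional[dict]:
        """Steps S201-S205; returns the batch if one was transmitted."""
        if not self.ext.matches(p):          # S202: No
            return None
        if self.window_start is None:
            self.window_start = p.ts
        key = (p.src, p.dst, p.proto, p.dport)
        s = self.stats.setdefault(key, {"packets": 0, "bytes": 0})  # S203
        s["packets"] += 1
        s["bytes"] += p.length
        self.count += 1
        if (self.count >= self.tx.max_packets                       # S204
                or p.ts - self.window_start >= self.tx.interval):
            return self.transmit(p.ts)                               # S205
        return None

    def transmit(self, ts: float) -> dict:
        batch = {"window": (self.window_start, ts), "flows": self.stats}
        self.sent.append(batch)
        self.stats, self.count, self.window_start = {}, 0, None
        return batch


def feature_vector(batch: dict) -> Tuple[int, int, int, int]:
    """One way analysis device 22 could turn a batch into a fixed-size feature
    vector: (flow count, packets, bytes, distinct destinations)."""
    flows = batch["flows"]
    return (len(flows),
            sum(s["packets"] for s in flows.values()),
            sum(s["bytes"] for s in flows.values()),
            len({k[1] for k in flows}))


def run_sample() -> Collector:
    """Constructed traffic (not captured data) exercising both transmission
    conditions: packet count first, then the time interval."""
    col = Collector(ExtractionRule(dst_nets=("203.0.113.0/24",), protos=("tcp",)),
                    TransmissionRule(interval=60.0, max_packets=3))
    pkts = [
        Packet(0.0, "10.0.0.5", "203.0.113.7", "tcp", 443, 1200),
        Packet(0.5, "10.0.0.5", "203.0.113.7", "tcp", 443, 800),
        Packet(1.0, "10.0.0.6", "198.51.100.9", "tcp", 80, 300),   # dst not in rule
        Packet(1.5, "10.0.0.6", "203.0.113.8", "udp", 53, 90),     # proto not in rule
        Packet(2.0, "10.0.0.6", "203.0.113.8", "tcp", 80, 500),    # 3rd match: send
        Packet(70.0, "10.0.0.5", "203.0.113.7", "tcp", 443, 100),  # new window
        Packet(131.0, "10.0.0.5", "203.0.113.7", "tcp", 443, 100), # 61 s: send
    ]
    for p in pkts:
        col.observe(p)
    return col


if __name__ == "__main__":
    for b in run_sample().sent:
        print(b["window"], feature_vector(b))
```

Only the aggregated counters leave the user NW, which is the point of the first embodiment: payload never crosses the line in the normal mode, and the transmission rule bounds how often the collector talks to the control device.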
- FIG. 8 is a flowchart showing the flow of communication control processing in the normal mode of the control device according to the first embodiment.
- FIG. 9 is a flowchart showing a flow of communication control processing in the mirroring mode of the control device according to the first embodiment.
- FIG. 10 is a flowchart showing a flow of communication control processing in the inline mode of the control device according to the first embodiment.
- the collection management device 21 of the control device 20 collects the partial information transmitted from the collection device 11 (step S301). The analysis device 22 then analyzes the partial information received from the collection management device 21, for example by anomaly detection using machine learning (step S302).
- the analysis device 22 determines from the analysis result whether there is an abnormality in the communication within the user NW 30 (step S303). If there is no abnormality (No at step S303), the analysis device 22 returns to step S301. If there is an abnormality (Yes at step S303), the control determination device 23 determines the communication mode as the control content based on the analysis result received from the analysis device 22 (step S304).
- the control determination device 23 determines whether the degree of the communication abnormality is higher than a predetermined threshold (step S305). If it is (Yes at step S305), the control determination device 23 instructs each communication control device 12 and 25 to perform communication mode control for the transition to the inline mode (step S306). If the degree of abnormality is at or below the predetermined threshold (No at step S305), the control determination device 23 instructs each communication control device 12 and 25 to perform communication mode control for the transition to the mirroring mode (step S307). Each communication control device 12 and 25 then applies the commanded communication mode control (step S308). When only the normal mode and one of the mirroring mode or the inline mode are implemented, step S305 is omitted and either step S306 or step S307 alone is taken.
- in the mirroring mode, the analysis device 24 performs a deep analysis on the communication traffic received from the communication control device 12 (step S401) and determines whether the communication is "black" (malicious), "white" (not malicious), or "gray" (cannot be determined either way) (step S402).
- if the determination is black, the control determination device 23 instructs the communication control devices 12 and 25 to perform security control such as packet filtering (step S403), and the process proceeds to step S407.
- if the determination is white, the control determination device 23 instructs the communication control devices 12 and 25 to perform communication mode control for the transition to the normal mode (step S404), and the process proceeds to step S407.
- if the determination is gray, the control determination device 23 determines in step S405 whether a transition to the inline mode is necessary, that is, whether the gray determination is at or above a predetermined level. For example, on a five-level scale from 5 (closer to black) to 1 (closer to white), it determines whether the level is 3 or higher.
- if the level is at or above the predetermined level (Yes at step S405), the control determination device 23 instructs each communication control device 12 and 25 to perform communication mode control for the transition to the inline mode (step S406), and the process proceeds to step S407. If it is below the predetermined level (No at step S405), the process returns to step S401 and the above processing is repeated.
- in step S407 the communication control devices 12 and 25 apply the commanded communication mode and security control, and the process ends. When only the normal mode and the mirroring mode are implemented, steps S405 and S406 are omitted, and a gray determination in step S402 may simply return the process to step S401. By prior setting, a gray determination may also be treated the same as a black determination to improve safety, or the same as a white determination to avoid the adverse effects of excessive communication interruption.
- in the inline mode, the analysis device 24 performs a deep analysis on the communication traffic received from the communication control device 12 (step S501) and determines whether the communication is "black" (malicious), "white" (not malicious), or "gray" (cannot be determined either way) (step S502).
- if the determination is black, the control determination device 23 instructs the communication control devices 12 and 25 to perform security control such as packet filtering (step S503), and the process proceeds to step S507.
- if the determination is gray, the control determination device 23 determines in step S504 whether remaining in the inline mode is necessary, that is, whether the gray determination is at or above a predetermined level. For example, on a five-level scale from 5 (closer to black) to 1 (closer to white), it determines whether the level is 3 or higher.
- if the level is below the predetermined level (No at step S504), the control determination device 23 instructs each communication control device 12 and 25 to perform communication mode control for the transition to the mirroring mode (step S505), and the process proceeds to step S507. If it is at or above the predetermined level (Yes at step S504), the process returns to step S501 and the above processing is repeated.
- if the determination is white, the control determination device 23 instructs the communication control devices 12 and 25 to perform communication mode control for the transition to the normal mode (step S506), and the process proceeds to step S507.
- in step S507 the communication control devices 12 and 25 apply the commanded communication mode and security control, and the process ends. When only the normal mode and the inline mode are implemented, steps S504 and S505 may be omitted, and a gray determination in step S502 may simply return the process to step S501. By prior setting, a gray determination may also be treated the same as a black determination to improve safety, or the same as a white determination to avoid the adverse effects of excessive communication interruption.
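- The three flowcharts of FIG. 8 to FIG. 10 combined into one state machine, as an added Python example (not the patent's code): the normal-mode branch on the degree of abnormality, the mirroring-mode and inline-mode branches on the white/black/gray verdict and gray level, the two-mode variants in which steps S305, S405/S406 or S504/S505 are omitted, and the optional setting that treats gray as black or as white. `ANOMALY_THRESHOLD`, the command tuples and the method names are assumptions.

```python
"""Mode decision logic of control determination device 23 as drawn in
FIG. 8 (normal mode), FIG. 9 (mirroring mode) and FIG. 10 (inline mode),
including the variants where only two modes are implemented and the optional
treatment of gray as black or as white. Added example; the abnormality
threshold, the gray level scale and the command tuples are assumptions."""
from enum import Enum
from typing import Iterable, Optional, Set, Tuple


class Mode(Enum):
    NORMAL = "normal"
    MIRRORING = "mirroring"
    INLINE = "inline"


ANOMALY_THRESHOLD = 0.8   # step S305 threshold on the degree of abnormality
GRAY_INLINE_LEVEL = 3     # steps S405/S504: gray level 3 of 5 or higher

Command = Tuple[str, Mode]  # ("mode", target) or ("security_control", mode)


class ControlDetermination:
    def __init__(self, modes: Iterable[Mode] = (Mode.NORMAL, Mode.MIRRORING, Mode.INLINE),
                 gray_as: Optional[str] = None) -> None:
        self.modes: Set[Mode] = set(modes)
        self.mode = Mode.NORMAL
        # None, "black" (safer) or "white" (less disruptive): the prior setting
        # that maps a gray verdict onto black or white.
        self.gray_as = gray_as

    def on_partial_analysis(self, abnormal: bool, degree: float) -> Optional[Command]:
        """FIG. 8: result of analysis device 22 while in the normal mode."""
        if self.mode is not Mode.NORMAL or not abnormal:
            return None  # S303: No, keep collecting
        if Mode.INLINE in self.modes and (
                Mode.MIRRORING not in self.modes or degree > ANOMALY_THRESHOLD):
            self.mode = Mode.INLINE      # S306 (S305 skipped if no mirroring)
        else:
            self.mode = Mode.MIRRORING   # S307
        return ("mode", self.mode)

    def on_deep_analysis(self, verdict: str, gray_level: int = 0) -> Optional[Command]:
        """FIG. 9 / FIG. 10: white/black/gray verdict of analysis device 24."""
        if verdict == "gray" and self.gray_as:
            verdict = self.gray_as
        if verdict == "black":           # S403 / S503: filter, mode unchanged
            return ("security_control", self.mode)
        if verdict == "white":           # S404 / S506: back to normal
            self.mode = Mode.NORMAL
            return ("mode", Mode.NORMAL)
        # gray: escalate or de-escalate on the level, if the target mode exists
        if (self.mode is Mode.MIRRORING and Mode.INLINE in self.modes
                and gray_level >= GRAY_INLINE_LEVEL):
            self.mode = Mode.INLINE      # S406
            return ("mode", Mode.INLINE)
        if (self.mode is Mode.INLINE and Mode.MIRRORING in self.modes
                and gray_level < GRAY_INLINE_LEVEL):
            self.mode = Mode.MIRRORING   # S505
            return ("mode", Mode.MIRRORING)
        return None  # back to S401 / S501: keep analysing in the current mode


if __name__ == "__main__":
    cd = ControlDetermination()
    print(cd.on_partial_analysis(True, 0.5))   # ('mode', Mode.MIRRORING)
    print(cd.on_deep_analysis("gray", 4))      # ('mode', Mode.INLINE)
    print(cd.on_deep_analysis("black"))        # ('security_control', Mode.INLINE)
    print(cd.on_deep_analysis("white"))        # ('mode', Mode.NORMAL)
```

The black branch deliberately leaves the mode untouched: the text has security control issued from whichever of the mirroring or inline modes the system is in, and only a white verdict returns it to the normal mode.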
- as described above, in the first embodiment the communication device 10 transmits to the control device 20, as partial information, a part of the information related to communication passing through the communication device 10 or statistics of that information. The control device 20 analyzes the partial information received from the communication device 10 and uses the analysis result to judge whether there is an abnormality in the communication within the user NW 30. When it determines that there is an abnormality, the control device 20 performs path control by changing the communication mode, analyzes the communication actually flowing through the user NW 30, and determines whether that communication is malicious.
- specifically, the control device 20 controls the communication device 10 in the user NW 30 so that information related to the communication determined to be abnormal (for example, communication traffic having the characteristics determined to be abnormal) is transferred from the communication device 10 to the analysis device 24, and when that communication is determined to be malicious, performs control to restrict it.
- the network system 100 can therefore detect malicious communication and protect user communication appropriately while limiting both the pressure on the bandwidth of the communication line used to access the Internet (the external NW 60) from the user NW 30 and the loss of accuracy in detecting abnormal/malicious communication.
- the control device 20 analyzes the partial information collected by the communication device 10 to detect an abnormality, and when an abnormality is detected, information related to the communication of the user NW 30 is transferred to the analysis device 24.
- malicious communication is then determined by a deep analysis of all the transferred data using an IDS, an IPS (Intrusion Prevention System), or the like, and the malicious communication is dealt with. As a result, malicious communication can be determined and handled while limiting both the pressure on the bandwidth of the user NW line and the loss of accuracy in detecting abnormal/malicious communication.
- in the model information that is the learning result of anomaly detection in the analysis device 22, whether a region is an abnormal space region is determined with a predetermined threshold based on the density of, and the distances between, the feature vectors constituting the model information.
- here "abnormal" means different from normal; at this point it cannot always be concluded that the communication is malicious.
- in the second embodiment, a label (white/black/gray) that is the determination result obtained by the analysis device 24 is paired with the feature vector composed from the communication traffic corresponding to that determination result, and the pair is mapped onto the model information.
- FIG. 11 is a diagram for explaining a series of communication control processing by the network system according to the second embodiment.
- when the analysis device 22 performs analysis such as anomaly detection by machine learning, it outputs the result to the control determination device 23 (see (4) in FIG. 11) and stores the analysis result as machine learning model information.
- the control determination device 23 determines the communication mode and the content of security control based on the analysis result received from the analysis device 24, and instructs each communication control device 12 and 25 to perform communication control according to these decisions. After that, it transmits the analysis result received from the analysis device 24 to the analysis device 22. The analysis device 22 then maps the analysis result received from the control determination device 23 onto its own model information space (see (8) in FIG. 11).
- FIG. 12 is a conceptual diagram of mapping to the feature vector space.
- in the feature vector space there are the feature vectors used for anomaly detection by the analysis device 22 in the normal mode and the feature vectors corresponding to the determination results of the analysis device 24.
- each feature vector corresponding to a determination result of the analysis device 24 is attached with a label indicating that determination result.
- the region containing the feature vector corresponding to the determination result of the analysis device 24 is controlled according to a determination criterion based on the label. For example, when a result determined to be "black" is mapped as a label into a space region determined to be "abnormal", the communication in that region is judged to be not merely abnormal but malicious. The present invention is not limited to attaching all of the black, white, and gray labels; only those determined to be black and/or white may be labeled.
- a determination based on the label may then be performed.
- a control rule expressing the determination criterion may be defined in advance, and the control content determined according to that control rule.
- FIG. 13 is a diagram illustrating an example of a determination criterion used in the abnormality determination process. As illustrated in FIG. 13, a communication mode is defined for each combination of “mapping information” that is an analysis result of the analysis device 24 and “model information” that is an analysis result of the analysis device 22.
- for example, when the model information is "a space region determined to be abnormal" and mapping information indicating a "white" determination corresponds to that region, the communication (feature vector) corresponding to that region is handled by communication mode control in the "normal mode". That is, although the region is determined to be abnormal, the label is "white", meaning not malicious, so the normal mode is maintained.
- in FIG. 13, "(or mirroring mode)" is given in parentheses, and the communication mode in parentheses may be chosen instead. Whether the normal mode or the mirroring mode is used is set in advance by the user or the administrator.
- when the model information is "a space region not determined to be abnormal" and mapping information indicating a "black" determination corresponds to that region, security control is performed on the communication (feature vector) corresponding to that region. That is, even in a space region not determined to be abnormal, because the label is "black" (malicious communication), the process proceeds to security control.
- in this case, the system can shift directly from the normal mode to security control.
- clustering, in machine learning, is the grouping of features with high relevance/similarity: the set of classification targets is divided into subsets that achieve internal cohesion and external separation.
- the set of labels and feature vectors used for this mapping process may be produced by a device equivalent to the collection device 11 that is incorporated in the analysis device 24, or placed inline before the analysis device 24 (for example between the analysis device 24 and the communication control device 25).
- that device extracts partial information to form a feature vector and associates with it the information corresponding to the label, which is the security determination result of the analysis device 24, so that the pair can be mapped onto the model information of the analysis device 22.
- the associated feature vector and label information may be stored in the storage unit 22b of the analysis device 22 via the control determination device 23. It may also be stored in the storage unit 23c of the control determination device 23, in which case it may be applied to the security control decision in combination with the analysis result output from the analysis device 22.
- the transition from the normal mode may also skip the mirroring mode and go directly from the normal mode to the inline mode.
- FIG. 14 is a sequence diagram showing the flow of communication control processing in the network system according to the second embodiment. The steps of FIG. 14 preceding step S618 are the same as steps S101 to S117 of the communication control process in the network system 100 according to the first embodiment described with FIG. 6, and their description is omitted.
- the control determination device 23 transmits the analysis result received from the analysis device 24 to the analysis device 22 (step S618). The analysis device 22 then maps the analysis result received from the analysis device 24 onto its model information space (step S619).
- FIG. 15 is a flowchart showing a flow of communication control processing in the normal mode of the control device according to the second embodiment.
- the control determination device 23 determines whether the analysis result matches the verification criterion (step S705).
- that is, based on the feature vector that is the analysis result, it determines whether that vector falls within a space region (a clustered space region, or a space region separating abnormal from normal) that contains a labeled feature vector, or within a predetermined distance and range of a labeled feature vector inside such a region; such a space region is regarded as the region represented by that label.
- the analysis device 22 determines whether the vector falls within such a space region and what the corresponding label is.
- when it does, the communication control devices 12 and 25 are instructed to perform security control such as packet filtering (step S706).
- as described above, in the second embodiment the feature vector corresponding to the analysis result (determination result) of the analysis device 24 is further labeled with that determination result.
- the feature vectors of partial information that fall in a predetermined region containing the feature vector corresponding to the determination result of the analysis device 24 are controlled according to a determination criterion based on the label. For example, when a result determined to be "black" is mapped as a label into a space region determined to be "abnormal", the communication is judged to be not merely abnormal but malicious, and security control such as packet filtering is performed.
- by reflecting the analysis result of the analysis device 24 and the corresponding feature vector in the model information of the analysis device 22 and updating that model information, the result of machine learning is given meaning and can be used as material for the control decision.
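- The mapping and the FIG. 13 criterion, as an added Python example that is not part of the patent: a model space holding the normal feature vectors of analysis device 22, a density/distance anomaly test (mean distance to the k nearest stored vectors against a threshold), labels from analysis device 24 mapped in by position, and a decision that takes a nearby black label as security control even in a region not judged abnormal, and a nearby white label as normal (or mirroring, by administrator choice) even in an abnormal region. The vectors in `build_sample()` are constructed; the k, threshold and radius values are assumptions.

```python
"""Second-embodiment mapping: labels from analysis device 24 are attached to
feature vectors in the model space of analysis device 22, and the control
decision (FIG. 13) combines 'is the vector in an abnormal region?' with 'what
label lies nearby?'. Added example; the k-nearest-distance anomaly criterion,
the label radius and the decision strings are assumptions."""
import math
from typing import List, Optional, Sequence, Tuple

Vector = Tuple[float, ...]


class ModelSpace:
    """Model information of analysis device 22 plus the mapped labels."""

    def __init__(self, normal: Sequence[Sequence[float]], k: int = 3,
                 threshold: float = 1.0) -> None:
        self.vectors: List[Vector] = [tuple(v) for v in normal]
        self.k, self.threshold = k, threshold
        self.labeled: List[Tuple[Vector, str]] = []

    def score(self, v: Sequence[float]) -> float:
        """Mean distance to the k nearest stored vectors (density/distance)."""
        d = sorted(math.dist(v, m) for m in self.vectors)
        return sum(d[:self.k]) / min(self.k, len(d))

    def is_abnormal(self, v: Sequence[float]) -> bool:
        return self.score(v) > self.threshold

    def map_label(self, v: Sequence[float], label: str) -> None:
        """Step (8) of FIG. 11: store (feature vector, white/black/gray)."""
        self.labeled.append((tuple(v), label))

    def nearest_label(self, v: Sequence[float], radius: float) -> Optional[str]:
        """Label of the closest mapped vector within `radius`, if any."""
        best: Optional[Tuple[float, str]] = None
        for lv, label in self.labeled:
            d = math.dist(v, lv)
            if d <= radius and (best is None or d < best[0]):
                best = (d, label)
        return best[1] if best else None


def decide(model: ModelSpace, v: Sequence[float], radius: float = 0.1,
           white_but_abnormal: str = "normal") -> str:
    """FIG. 13 criterion. `white_but_abnormal` is the administrator's choice
    between 'normal' and 'mirroring' for a white label in an abnormal region."""
    abnormal = model.is_abnormal(v)
    label = model.nearest_label(v, radius)
    if label == "black":           # black label wins even in a normal region
        return "security_control"
    if label == "white":
        return white_but_abnormal if abnormal else "normal"
    # No label nearby (or only gray): fall back to first-embodiment behaviour.
    return "mirroring" if abnormal else "normal"


def build_sample() -> ModelSpace:
    """Constructed model: normal traffic clustered near (1, 1), with three
    labels mapped from deep-analysis verdicts."""
    m = ModelSpace([(1.0, 1.0), (1.2, 0.9), (0.8, 1.1), (1.1, 1.0)])
    m.map_label((5.05, 5.0), "black")  # abnormal region, confirmed malicious
    m.map_label((4.0, 0.0), "white")   # abnormal region, but benign
    m.map_label((1.05, 1.0), "black")  # looks normal, yet malicious
    return m


if __name__ == "__main__":
    m = build_sample()
    for q in [(0.8, 1.1), (5.0, 5.0), (4.05, 0.0), (1.0, 1.0), (-3.0, -3.0)]:
        print(q, m.is_abnormal(q), decide(m, q))
```

The radius is what turns one labelled point into "a space region represented by the label" in the text; it has to be chosen against the spread of the normal cluster, since a radius wider than the cluster would let a single black label recolour every normal vector.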
- FIG. 16 is a diagram for explaining a series of communication control processing by the network system according to the third embodiment.
- the control determination device 23 transmits the updated collection rule to the collection device 11 via the collection management device 21 (see (8) in FIG. 16).
- the collection device 11 updates the collection rule it stores.
- the control determination device 23 updates the collection rule in order to change the partial information that is collected and so make its determination with higher accuracy.
- for example, where an arbitrary source or destination IP address was targeted, the rule may instead target overseas source IP addresses that are not assigned to the home country, or addresses of a specific foreign country/region. Communication with IP addresses managed by a specific ISP may also be targeted.
- the time interval for collecting partial information, and the sampling rate indicating how many packets are collected out of every packet overall or for a specific destination or source, may also be updated. For example, partial information that was collected at 10-minute intervals may be collected at 1-minute intervals, or the sampling rate may be raised. The protocol and port number to be sampled may also be specified, and the sampling rate raised by collecting one in every 10 packets instead of one in every 100 packets of the communication traffic for those protocols and port numbers.
- In the model information for abnormality detection, which is the learning result of machine learning, the feature vectors or spatial regions determined to be abnormal can be identified from the density of feature vectors in the feature vector space, the distance between feature vectors, the distance between sets of feature vectors, and so on. The collection rule can therefore be updated so that communication traffic corresponding to feature vectors in such a spatial region is collected more efficiently.
- Since the model information is composed of various feature vectors, the collection rule may also be updated so that partial information corresponding to a sparse region of the feature vector space that does not yet contain feature vectors can be collected.
- The collection time interval may be shortened, or the sampling rate raised, so that more partial information is collected, on the condition that a predetermined number of black determinations are output within a predetermined period. Further, on the condition that black determinations of the same or a similar type are output more than a predetermined number of times within a predetermined period, information characterizing that type of black determination (the country address corresponding to an address with a black determination, the service port number, the application, and so on) may be extracted, and the collection rule updated to increase the collection rate for that information. Thereafter, the updated collection rule may be restored to the original when no black determination is output for the same or another predetermined period. The collection rule may also be updated by applying both analysis results in combination.
- Machine learning generally processes and analyzes data on the basis of a fixed feature vector. A collection rule update that adds, deletes or changes the elements constituting the feature vector is therefore inconsistent with the model information learned so far, and learning may not function well. This does not apply when a learning algorithm that allows dynamic addition, deletion and change of the elements constituting the feature vector is used.
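The following Python block is an added example, not code from the patent, of the rule-update logic described in this embodiment: sampling one packet in N, tightening the interval and rate when a predetermined number of black determinations arrive within a period, raising the rate further for the service port that characterizes repeated black determinations, and restoring the original rule once black determinations stop. The window, thresholds and factor of 10 are assumed values; the patent leaves them as "predetermined". Only the interval, rate and targets change; the elements of the feature vector are left untouched, in line with the caveat above.

```python
"""Dynamic update of the collection rule driven by "black" determinations.

Added example, not code from the patent.  The window length, thresholds and
the 10x tightening factor are constructed; the patent only says "predetermined".
"""
from collections import Counter
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class CollectionRule:
    interval_sec: int                 # how often partial information is reported
    sample_every: int                 # collect 1 packet in every N (sampling rate 1/N)
    port_sample_every: dict = field(default_factory=dict)  # service port -> raised rate N

    def should_sample(self, seq: int, dst_port: int) -> bool:
        """True if packet number `seq` (counted from 0) of a flow is collected."""
        n = self.port_sample_every.get(dst_port, self.sample_every)
        return seq % n == 0


@dataclass(frozen=True)
class Determination:
    ts: int         # seconds (constructed clock)
    result: str     # "white", "gray" or "black" from analysis device 24
    dst_port: int   # service port characterizing the determined communication


BASE_RULE = CollectionRule(interval_sec=600, sample_every=100)   # 10 min, 1 in 100


def update_rule(base, determinations, now, window_sec=3600,
                black_threshold=3, type_threshold=2, tighten=10):
    """Derive the current rule from `base` and the recent determinations.

    - no black determination within the window   -> the original rule is restored
    - >= black_threshold blacks in the window      -> interval and rate tightened 10x
    - >= type_threshold blacks on one service port -> that port sampled 10x more again
    The feature-vector elements themselves are never changed.
    """
    recent = [d for d in determinations if now - window_sec <= d.ts <= now]
    blacks = [d for d in recent if d.result == "black"]
    if not blacks:
        return base
    rule = base
    if len(blacks) >= black_threshold:
        rule = replace(rule, interval_sec=max(1, base.interval_sec // tighten),
                       sample_every=max(1, base.sample_every // tighten))
    per_port = Counter(d.dst_port for d in blacks)
    raised = {port: max(1, rule.sample_every // tighten)
              for port, count in per_port.items() if count >= type_threshold}
    if raised:
        rule = replace(rule, port_sample_every=raised)
    return rule


# Constructed determination log: three blacks within one hour, two of them on port 80.
SAMPLE_DETERMINATIONS = [
    Determination(100, "black", 80),
    Determination(200, "black", 443),
    Determination(300, "black", 80),
    Determination(400, "gray", 22),
]
```

With the sample log and `now=1000`, the rule tightens to a 60 s interval and 1-in-10 sampling, and port 80 (two black determinations) is sampled on every packet; evaluated again at `now=5000`, when no black determination lies within the window, the base rule is returned unchanged.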
- FIG. 17 is a sequence diagram showing the flow of communication control processing in the network system according to the third embodiment. Note that the processing in steps S804 to S820 in FIG. 17 is the same as steps S101 to S117 of the communication control processing in the network system 100 according to the first embodiment described in FIG.
- The collection management device 21 generates a collection rule (step S801) and transmits it to the collection device 11 (step S802). The collection device 11 then sets the collection rule (step S803) and transmits partial information to the collection management device 21 based on the set collection rule (step S804).
- The control determination device 23 updates the collection rule (step S821) and transmits it to the collection device 11 (step S822). The collection device 11 then sets the updated collection rule (step S823).
- FIG. 18 is a flowchart showing the flow of collection processing in the collection apparatus according to the third embodiment.
- When the collection device 11 receives the updated collection rule from the control determination device 23, it updates the collection rule (step S901). The collection device 11 then observes the communication traffic (step S902) and determines whether the communication traffic corresponds to the updated extraction rule (step S903). If it does (Yes at step S903), information related to the communication is extracted or aggregated into statistics (step S904). Thereafter, the same processing as in the collection device 11 according to the first embodiment is performed, and the partial information is transmitted to the collection management device 21 (step S906).
- The control determination device 23 dynamically updates the collection rule, which makes it possible to collect the partial information that should be collected appropriately.
- So far, the determination result has been based on the analysis results of a single user NW 30, but the model information that is the analysis result of each user NW 30 may be integrated and shared.
- The model information can then be built from a larger number and a greater variety of feature vector groups, and an improvement in the accuracy of abnormality detection is generally expected.
- In the fourth embodiment, the analysis device 22 constructs a single piece of model information by applying the feature vectors of every user NW 30 to one machine learning process.
- That is, the model information that is the analysis result of each user NW 30 is integrated, and the analysis device 22 shares the model information for each user. Note that description of the same processing as in the first embodiment is omitted.
- FIG. 19 is a diagram for explaining a series of communication control processing by the network system according to the fourth embodiment.
- The analysis apparatus 22 constructs one piece of model information by applying the feature vectors of every user NW 30 to one machine learning process, and shares the model information for each user (see (8) in FIG. 19).
- The model information that is the analysis result of each user NW 30 may be clustered, and only the model information of users NW 30 having similar model information may be shared.
- That is, by sharing only among model information similar to the original model information, in other words among the model information of users NW 30 with similar communication behavior, model information that follows the communication trend of each user NW 30 can be built.
- The analysis device 22 stores the model information in the storage unit 22b in association with each user NW 30. At a predetermined opportunity it calculates the similarity between the pieces of model information, and model information determined to be similar is integrated and shared. In this case, the integrated model information may be stored in addition to the model information kept for each user NW 30.
- For example, the analysis device 22 computes the Jaccard coefficient, the Dice coefficient and the Simpson coefficient as the similarity coefficient "sim", and determines that two pieces of model information are similar if the calculated "sim" is equal to or greater than a predetermined threshold.
- The similarity may be determined by obtaining all three of the Jaccard, Dice and Simpson coefficients, or by obtaining any one or two of them.
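The following Python block is an added example, not the patent's code, of the similarity test and clustering just described: Jaccard, Dice and Simpson coefficients computed between pieces of model information, a threshold test over any one, two or all three of them, and the grouping of users NW 30 whose model information is similar into clusters that share one integrated model while each user's own model is kept. Representing each user's model information by the set of identifiers of the feature vectors it contains is an assumption made for the example.

```python
"""Similarity between pieces of model information and sharing among similar users NW 30.

Added example, not the patent's code.  Each user's model information is
represented, as an assumption, by the set of identifiers of the feature
vectors it contains; the patent does not say over what "sim" is computed.
"""
from itertools import combinations


def jaccard(a, b):
    """|A ∩ B| / |A ∪ B|; two empty sets count as identical."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def dice(a, b):
    """2|A ∩ B| / (|A| + |B|)."""
    return 2 * len(a & b) / (len(a) + len(b)) if (a or b) else 1.0


def simpson(a, b):
    """|A ∩ B| / min(|A|, |B|); an empty side means no overlap unless both are empty."""
    if not a or not b:
        return 1.0 if (not a and not b) else 0.0
    return len(a & b) / min(len(a), len(b))


COEFFICIENTS = {"jaccard": jaccard, "dice": dice, "simpson": simpson}
ALL = ("jaccard", "dice", "simpson")


def similar(a, b, threshold, which=ALL):
    """Similar when every requested coefficient is >= threshold (any one, two or all three)."""
    return all(COEFFICIENTS[name](a, b) >= threshold for name in which)


def cluster_models(models, threshold, which=ALL):
    """Group users whose model information is pairwise similar (union-find over users)."""
    parent = {user: user for user in models}

    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]   # path halving
            u = parent[u]
        return u

    for u, v in combinations(models, 2):
        if similar(models[u], models[v], threshold, which):
            parent[find(u)] = find(v)
    clusters = {}
    for user in models:
        clusters.setdefault(find(user), []).append(user)
    return sorted(sorted(c) for c in clusters.values())


def shared_models(models, threshold, which=ALL):
    """Integrated model per cluster (union of the members); per-user models stay untouched."""
    return {tuple(c): frozenset().union(*(models[u] for u in c))
            for c in cluster_models(models, threshold, which)}


# Constructed model information for three users NW 30 (feature-vector identifiers).
SAMPLE_MODELS = {
    "nw1": {1, 2, 3, 4},
    "nw2": {2, 3, 4, 5},
    "nw3": {9, 10},
}
```

For the sample models nw1 and nw2 overlap in three of five elements (Jaccard 0.6, Dice 0.75, Simpson 0.75) and nw3 shares nothing with either, so at a threshold of 0.5 nw1 and nw2 form one cluster with the integrated model {1, 2, 3, 4, 5}. The choice of coefficient matters at the margin: at a threshold of 0.7 the pair is similar under Dice alone but not under Jaccard alone.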
- Abnormality may also be determined per piece of model information, by analyzing the trend between the learning models of the users NW 30 and between the learning models of the clusters. Since abnormality can then be determined not only for individual feature vectors but for the model information itself, this determination may be applied as the analysis result. In this case, even a feature vector group that is not abnormal within a certain piece of model information can, by comparison with other model information, be detected as showing that the model information itself is a set of many abnormal feature vectors.
- The present invention is not limited to this.
- When the communication in which an abnormality is detected by the analysis device 22 is encrypted communication, the communication may be switched to the inline mode, and when it is plaintext communication, to the mirroring mode; the communication control devices 12 and 25 may be controlled accordingly.
- When the communication in which an abnormality is detected by the analysis device 22 is encrypted, then even if the communication is switched to the mirroring mode and drawn into the analysis device 24, it remains encrypted, and the analysis device 24 cannot perform deep analysis by DPI (Deep Packet Inspection).
- Therefore, the communication is switched to the inline mode when the communication in which the abnormality is detected by the analysis device 22 is encrypted communication, and to the mirroring mode when it is plaintext communication.
- The network system further includes an encrypted communication inspection device 26 that decrypts the encrypted communication received from the terminal 40, transmits the decrypted communication to the analysis device 22, then encrypts it again and transmits it to the destination.
- Note that description of the same processing as in the first embodiment is omitted.
- The control determination device 23 may use, for example, the packet's source or destination port number to distinguish encrypted communication from plaintext communication.
- For example, if the destination port number is "443" (HTTPS, Hypertext Transfer Protocol Secure: HTTP over TLS/SSL), or, for FTPS (File Transfer Protocol over SSL/TLS), "989" (FTP data transfer port) or "990" (FTP control port), the communication is determined to be encrypted communication.
- For encrypted communication that is known to be non-decryptable, the mode may instead be changed to the mirroring mode.
- Such known non-decryptable encrypted communication is likewise identified by port number, or the destination IP address may be used for identification. Information on these port numbers and IP addresses is stored, for example, in the storage unit 23c of the control determination device 23.
- The control determination device 23 transitions to the mirroring mode when it determines that the communication in which the abnormality is detected by the analysis device is plaintext communication. After the transition to the mirroring mode, the communication control device 25 transfers the received communication to the analysis device 24 as in the first embodiment.
- The control determination device 23 shifts to the inline mode when it determines that the communication in which the abnormality is detected by the analysis device is encrypted communication.
- The encrypted communication inspection device 26 establishes an encrypted communication session such as SSL/TLS between the terminal 40 and the Web server 90.
- The encrypted communication inspection device 26 decrypts the received encrypted communication, transmits the decrypted communication to the analysis device 22, encrypts it again, and transmits it to the Web server 90 that is the destination.
- The encrypted communication inspection device 26 is a device generally called an SSL inspection device or the like.
- The encrypted communication inspection device 26 and the analysis device 24 may be configured as the same device.
- In this way, the communication control devices 12 and 25 are controlled so as to shift to the inline mode when the communication in which the abnormality is detected by the analysis device 22 is encrypted communication, and to the mirroring mode when it is plaintext communication, so that the analysis device 24 can analyze the communication even when the communication in which an abnormality is detected is encrypted.
- For an unregistered packet that matches no entry in the flow table of an OpenFlow compatible switch, the packet, or a predetermined part of its information, can be transferred to the OpenFlow controller. The processing of the packet is then decided on the OpenFlow controller side, and a flow entry implementing that processing can be set in the flow table of the OpenFlow compatible switch.
- For a packet forwarded to the OpenFlow controller, control may be performed, using information on communication detected in the past as abnormal by the analysis device 22, to switch to the mirroring mode or the inline mode, or to block the corresponding communication.
- In the sixth embodiment, a case is described in which a packet transferred to the OpenFlow controller is controlled, using information on communication detected in the past as abnormal by the analysis device 22, so as to transition to the mirroring mode or the inline mode. Note that description of the same processing as in the first embodiment is omitted.
- FIG. 23 is a diagram for explaining a series of communication control processing in the network system according to the sixth embodiment.
- The network system according to the sixth embodiment differs from the first embodiment in that it further includes an anomaly information storage unit 27.
- The anomaly information storage unit 27 accumulates information indicating abnormal communication (hereinafter referred to as "anomaly information" as appropriate) based on the results analyzed by the analysis device 22.
- When the control determination device 23 receives a packet from the communication control device 12, which has the OpenFlow compatible switch function, via the OpenFlow controller 14, it determines whether the information contained in the packet matches the anomaly information stored in the anomaly information storage unit 27. When it determines that there is an abnormality, it controls the communication control device 12, or the communication control devices 12 and 25, to shift to the mirroring mode or the inline mode, so that the communication is transferred from the communication control device 12 to the analysis device 24. It is assumed that the communication control device 25 also has the OpenFlow compatible switch function.
- The anomaly information storage unit 27 stores, for each entry, an "ID" identifying the entry, "5-tuple information" consisting of the protocol number, source IP address, destination IP address, source port number and destination port number, and "control content", the control to be applied when a packet corresponds to that 5-tuple information, in association with each other.
- For example, the anomaly information storage unit 27 stores, in association with each other, the ID "1", the protocol number "6 (TCP)", the source IP address "ABCD", the destination IP address "EFFGH", the source port number "10000", the destination port number "80" and the control content "mirroring mode".
- The 5-tuple information may be information specifying a range, such as an IP address range.
- IDs 1 and 2 mean that information is stored for all of the protocol number, source IP address, destination IP address, source port number and destination port number.
- For IDs 1 and 2, when all items of the stored 5-tuple match the corresponding items of the 5-tuple of the packet being processed, the packet is regarded as "corresponding" to communication having an abnormality.
- For IDs 3 and 5, the packet being processed is regarded as "corresponding" to communication having an abnormality if three items, the protocol number, destination IP address and destination port number, match.
- For IDs 4 and 6, the packet being processed is regarded as "corresponding" to communication having an abnormality if two items, the protocol number and destination IP address, match.
- Bidirectional information may be stored, as in ID 1 and ID 2.
- The communication control device 12 performs packet transfer processing according to rules called flow entries.
- A flow entry holds rule information describing how packets of a given kind are to be processed. For example, as illustrated in FIG. 25, a flow entry of the communication control device 12 stores, in association with each other, an "ID" identifying the flow entry, a "match condition" used to decide whether a received packet matches, an "action", the processing performed when a packet matches the match condition, and a "counter" holding statistical information about the matched packets.
- The table in FIG. 25 is called a flow table, and each row in the flow table is called a flow entry.
- The statistical information includes the number of packets, the number of bytes, the time elapsed since the flow entry was registered, and the like.
- A match condition may be set for all items of the 5-tuple, or for only one or more arbitrary items. Items of packet header information other than the input port of the OpenFlow compatible switch at which the packet was received and the 5-tuple may also be set in the match condition.
- The action mainly consists of processing such as specifying the output port for a packet matching the match condition, discarding the matched packet, or rewriting a specified field in the header of the matched packet.
- The statistical information in the flow entry is transmitted as partial information from the communication control device 12, which has the OpenFlow compatible switch function, to the analysis device 22 via the OpenFlow controller 14, and the partial information other than the statistical information is transmitted to the analysis device 22 via the collection management device 21 or the communication control device 25.
- When a received packet is unregistered, that is, has no corresponding rule information in the flow table (or is a predetermined packet specified in advance), the communication control device 12 sends a notification message (Packet In message) to the OpenFlow controller 14 (see (1) in FIG. 23).
- The Packet In message is a message for sending a received packet to the OpenFlow controller 14 when there is no matching flow in the flow table.
- The OpenFlow controller 14 notifies the control determination device 23 of the 5-tuple information of the packet contained in the notification message (see (2) in FIG. 23). The control determination device 23 then refers to the anomaly information in the anomaly information storage unit 27 and collates it with the received notification (see (3) in FIG. 23).
- If the notification matches the anomaly information, the control determination device 23 sends a control command to the OpenFlow controller 14 to execute the corresponding control (mirroring mode, inline mode or security control); if not, it sends a control command to execute control in the normal mode (see (4) in FIG. 23).
- The OpenFlow controller 14 sends a flow entry setting message (Flow Mod message) to the communication control device 12, or the communication control device 25, on the user NW 30 side that sent the notification message (Packet In message) (see (5) in FIG. 23). On receiving the Flow Mod message, the communication control device 12 or 25 updates its flow entry / flow table. The OpenFlow controller 14 also sends a packet processing message (Packet Out message) to the communication control device 12 that sent the notification message, and the communication control device 12 processes the packet according to the Packet Out message.
- Thereafter, the communication control device 12 processes packets according to the rule information in the flow table without notifying the OpenFlow controller 14.
- The Packet Out message is a message used to return the packet that was sent to the OpenFlow controller 14 by Packet In to the communication control device 12 side, for delivery to the predetermined destination (or for dropping).
- The OpenFlow controller 14 also sends, where necessary, a Flow Mod message (addition, update or deletion of a flow entry) to the communication control device 25 on the control NW 70 side, setting a flow entry corresponding to the applicable control (mirroring mode, inline mode or security control) (see (6) in FIG. 23).
- This notification is not required when static control (mirroring mode, inline mode) is already set in the flow table of the communication control device 25 on the control NW 70 side; when control (mirroring mode, inline mode) is set dynamically, it is sent together with the notification to the communication control device 12.
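The following Python block is an added example (not the patent's code and not a real OpenFlow implementation) that simulates the path just described: a flow-table miss raises a Packet In, the controller collates the packet's 5-tuple with the anomaly information (full, three-item and two-item matches as for IDs 1 to 6 above, plus an IP address range), and a Flow Mod installs a flow entry whose action is mirroring, inline, security control (drop) or normal forwarding, with the entry's counters updated on later table hits. The anomaly entries, the packets and the choice to install an exact 5-tuple flow entry for every decision are constructed for the example.

```python
"""Packet In -> anomaly-information lookup -> Flow Mod / Packet Out, simulated in one process.

Added example; not the patent's code and not a real OpenFlow stack.  The anomaly
entries, the sample packets and the exact-5-tuple flow entry installed per decision
are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FIELDS = ("proto", "src_ip", "dst_ip", "src_port", "dst_port")


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    size: int = 0


@dataclass(frozen=True)
class AnomalyEntry:
    """One row of the anomaly information storage unit 27: a possibly partial 5-tuple
    (None = item not compared; IP items may be a CIDR range) and the control to apply."""
    entry_id: int
    control: str                      # "mirroring", "inline" or "security"
    proto: "int | None" = None
    src_ip: "str | None" = None
    dst_ip: "str | None" = None
    src_port: "int | None" = None
    dst_port: "int | None" = None

    def matches(self, pkt: Packet) -> bool:
        for name in FIELDS:
            want, have = getattr(self, name), getattr(pkt, name)
            if want is None:
                continue
            if name.endswith("_ip"):
                if ip_address(have) not in ip_network(want, strict=False):
                    return False
            elif want != have:
                return False
        return True


@dataclass
class FlowEntry:
    """One row of the flow table: match condition, action and counters."""
    entry_id: int
    match: dict          # field -> exact value; an absent field is a wildcard
    action: str          # "forward" (normal mode), "mirror", "inline" or "drop"
    packets: int = 0
    bytes: int = 0

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, f) == v for f, v in self.match.items())


class Controller:
    """OpenFlow controller 14 and control determination device 23 collapsed into one object."""
    CONTROL_TO_ACTION = {"mirroring": "mirror", "inline": "inline", "security": "drop"}

    def __init__(self, entries):
        self.entries = list(entries)      # ordered most specific first; first match wins
        self.next_id = 1

    def packet_in(self, pkt: Packet):
        """Collate the 5-tuple with the anomaly information; return (Flow Mod, Packet Out action)."""
        hit = next((e for e in self.entries if e.matches(pkt)), None)
        action = self.CONTROL_TO_ACTION[hit.control] if hit else "forward"
        flow = FlowEntry(self.next_id, {f: getattr(pkt, f) for f in FIELDS}, action)
        self.next_id += 1
        return flow, action


class Switch:
    """Communication control device 12 with the OpenFlow compatible switch function."""

    def __init__(self, controller: Controller):
        self.controller, self.table, self.packet_ins = controller, [], 0

    def handle(self, pkt: Packet) -> str:
        for flow in self.table:               # table hit: handled without the controller
            if flow.matches(pkt):
                flow.packets += 1
                flow.bytes += pkt.size
                return flow.action
        self.packet_ins += 1                  # miss: Packet In to the controller
        flow, action = self.controller.packet_in(pkt)
        self.table.append(flow)               # Flow Mod installs the entry
        return action                         # Packet Out decides this packet


# Constructed anomaly information, following the full / 3-item / 2-item pattern of the text.
SAMPLE_ENTRIES = [
    AnomalyEntry(1, "mirroring", 6, "10.0.0.5", "198.51.100.7", 10000, 80),
    AnomalyEntry(2, "mirroring", 6, "198.51.100.7", "10.0.0.5", 80, 10000),  # reverse direction
    AnomalyEntry(3, "inline", proto=6, dst_ip="198.51.100.0/24", dst_port=80),
    AnomalyEntry(4, "security", proto=17, dst_ip="203.0.113.9"),
]
SAMPLE_PACKETS = [
    Packet(6, "10.0.0.5", "198.51.100.7", 10000, 80, 500),
    Packet(6, "10.0.0.5", "198.51.100.7", 10000, 80, 500),   # same flow: table hit, no Packet In
    Packet(6, "10.0.0.9", "198.51.100.20", 5555, 80, 60),     # 3-item match on entry 3
    Packet(17, "10.0.0.9", "203.0.113.9", 4000, 53, 80),      # 2-item match on entry 4
    Packet(6, "10.0.0.9", "192.0.2.1", 4000, 22, 60),         # no anomaly: normal mode
]


def demo():
    """Run the constructed packets through a fresh switch; return (actions, switch)."""
    switch = Switch(Controller(SAMPLE_ENTRIES))
    return [switch.handle(p) for p in SAMPLE_PACKETS], switch
```

Running `demo()` yields the actions mirror, mirror, inline, drop and forward for the five packets; only four of them reach the controller, because the second packet hits the flow entry installed for the first, and that entry's counter then shows one packet and 500 bytes, which is exactly the statistical information later exported as partial information.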
- The configuration of the network system in FIG. 23 is an example, and the present invention is not limited to this.
- For example, the anomaly information storage unit 27 may be included in the control determination device 23, the OpenFlow controller 14 may be included in the control determination device 23, or both may be included in the control determination device 23.
- In this way, information on communication detected in the past as abnormal by the analysis device 22 is accumulated, and control to shift to the mirroring mode or the inline mode is performed using the accumulated information. This makes it possible to shift appropriately to the mirroring mode or the inline mode even for a packet that appears for the first time.
- Further, anomaly information indicating the anomalies in the analysis results may be accumulated as in the sixth embodiment, and the control determination device 23 may notify the communication control devices 12 and 25 of settings based on this accumulated anomaly information to control communication.
- The control determination device 23 may also collect information (such as 5-tuple information) on currently active communication (communication registered in the flow table of the OpenFlow compatible switch) from the communication control device 12 periodically or at predetermined intervals, and when there is communication corresponding to the anomaly information, that communication may be made the target of control.
- The flow table of the OpenFlow compatible switch corresponds, for example, to the storage unit 12a of the communication control device 12 and the storage unit 25b of the communication control device 25.
- As security control, the communication control device 12 filters packets.
- Alternatively, the terminal performing the communication may be connected to a quarantine NW (not shown) and a security check performed inside the terminal; malware removal and security updates may be forced as necessary.
- Security control is executed by the communication control device 12 of the communication device 10 upon receipt of a control command.
- Alternatively, the analysis device 24 may first block the communication itself and then transmit a control command reflecting the security control to the communication control device 12 of the communication device 10. In this case there is no time lag between determination and blocking.
- When security control is performed by the communication control device 12 of the communication device 10, it may be handled in the same manner as in the normal mode or the mirroring mode.
- The security control applied when a black result is determined as the analysis result for communication of a certain user NW 30 may be applied not only to that user NW 30 but also to other users NW 30.
- Although the control determination device 23 has been described as targeting the communication control devices 12 and 25 for security control, at least the communication control device 12 may be the target.
- In the inline mode, the analysis device 24 is arranged inline between the terminal 40 and the site 50 on the Internet, so the communication traffic received by the analysis device 24 is forwarded as it is (if the analysis device 24 determines that the communication is malicious, it may block the communication itself).
- In the mirroring mode, the analysis device 24 receives communication traffic copied by mirroring, which is discarded after analysis.
- As for transitions of the communication mode, the system may transition among the three modes (normal mode, mirroring mode and inline mode), or between two modes (normal mode and mirroring mode, or normal mode and inline mode).
- Transition from any mode to any other mode may be allowed.
- The transition from the inline mode to the mirroring mode may be excluded from this arbitrary-transition configuration.
- Alternatively, both the transition from the normal mode to the inline mode and the transition from the inline mode to the mirroring mode may be excluded from the arbitrary-transition configuration.
- The solid and broken lines in FIG. 4 are an example of the transitions; the broken-line transitions may be omitted, or these configurations may be combined.
- The communication corresponding to the control command may be cut off and the mode then immediately returned to the normal mode.
- In the inline mode or the mirroring mode, the normal mode may be restored when the white determination has continued for a predetermined period in the analysis device 24, or when no black or gray determination has been output for a predetermined period.
- The communication concerning the partial information and the collection rule between the collection device 11 and the collection management device 21, and the communication between the communication control devices 12 and 25, may be encrypted.
- The collection device 11 may transmit the information necessary for feature vectorization to the collection management device 21, and the collection management device that receives it may convert the information into a feature vector and pass it to the analysis device.
- In the normal mode, the communication control device 12 realizes a general switching function, and the communication control device 25 does not particularly operate.
- In the mirroring mode, a flow entry is written, according to a command from the OpenFlow controller, into the storage unit 12a of the communication control device 12 to transfer communication traffic received on the communication interface facing the internal NW or the communication interface facing the external NW to the tunnel opposite side (communication control device 25 side), and a flow entry is written into the storage unit 25b of the communication control device 25 to transfer communication traffic received from the tunnel opposite side (communication control device 12 side) to the analysis device 24 side.
- In the inline mode, flow entries are written into the storage unit 12a of the communication control device 12 to transfer communication traffic received on the communication interface facing the internal NW or the communication interface facing the external NW (but not communication traffic from the tunnel opposite side) to the tunnel opposite side (communication control device 25 side), and to transfer communication traffic received from the tunnel opposite side (communication control device 25 side) to its destination. Flow entries are written into the storage unit 25b of the communication control device 25 to transfer communication traffic received from the tunnel opposite side (communication control device 12 side) to the analysis device 24 side, and to transfer communication traffic returned from the analysis device 24 side back to the tunnel opposite side (communication control device 12 side).
- A flow entry is a control rule received from the OpenFlow controller and consists of a matching rule and an action.
- When communication traffic matches the matching rule, the control set in the action corresponding to that matching rule is executed.
- The matching rule mainly consists of Layer 1 to Layer 4 information, such as the port of the OpenFlow compatible switch at which the packet was received and the MAC address, IP address and port number of the packet's source and destination.
- One or more sets of these can be described as conditions.
- The action can specify an operation such as transferring a packet that corresponds to the matching rule to the designated output port, or dropping the packet without transferring it.
- All communication traffic may be controlled, or only communication traffic of a specific destination, source and service (port number). Such individual control is possible by setting flow entries accordingly; in that case, communication traffic outside these individual control targets is controlled in the normal mode.
- The OpenFlow controller instructs each OpenFlow compatible switch to write the flow entries corresponding to the communication mode to be applied.
- Instead of the control determination device 23 instructing each communication control device directly, the control determination device 23 may instruct each OpenFlow controller to perform these controls, and each OpenFlow controller then writes the flow entries to the OpenFlow compatible switch in the same device.
- In the above description, the communication mode to be applied is determined based on machine learning such as abnormality detection and clustering.
- However, the communication mode is not limited to this; it may instead be changed when analysis of the partial information shows that the communication satisfies a predetermined condition.
- Such a predetermined condition is described as a rule and stored in the storage unit 22b of the analysis device 22, and the analysis / learning unit 22a collates this rule with the input partial information to output the analysis result.
- The control determination device 23 may then determine the communication mode based on that analysis result. This is an explicit rule.
- The partial information may be a part of the communication traffic flowing through the communication device on the user NW 30 side. For example, statistical information such as the start time and end time of the communication corresponding to one set of 5-tuple values, the total number of packets flowing during that time, and the total data size may be used. Further, in communication between terminals A and B, the statistical information may be calculated for each communication direction (A → B, B → A). This information is assumed to be collectable according to the OpenFlow specification.
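The following Python block is an added example, not the patent's code, of computing the statistical partial information just described from packet records: start time, end time, total packets and total bytes per 5-tuple, kept separately for each direction (A → B and B → A), then flattened into a fixed-order feature vector. The packet records, the canonical endpoint order used as the bidirectional flow key and the vector layout are assumptions of the example.

```python
"""Flow statistics per 5-tuple and per direction, used as partial information.

Added example, not the patent's code.  The packet records are constructed;
the canonical endpoint order of the bidirectional key and the layout of the
resulting feature vector are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float
    proto: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    size: int


@dataclass
class DirStats:
    start: float     # first packet seen in this direction
    end: float       # last packet seen in this direction
    packets: int
    bytes: int


def endpoints(p):
    """Canonical bidirectional flow key: protocol plus the two endpoints in sorted order."""
    a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
    return (p.proto,) + (a + b if a <= b else b + a)


def flow_statistics(packets):
    """{flow key: {(src endpoint, dst endpoint): DirStats}} over a packet sequence."""
    stats = {}
    for p in packets:
        dirs = stats.setdefault(endpoints(p), {})
        direction = ((p.src_ip, p.src_port), (p.dst_ip, p.dst_port))
        d = dirs.get(direction)
        if d is None:
            dirs[direction] = DirStats(p.ts, p.ts, 1, p.size)
        else:
            d.start, d.end = min(d.start, p.ts), max(d.end, p.ts)
            d.packets += 1
            d.bytes += p.size
    return stats


def feature_vector(key, dirs):
    """[duration, fwd packets, fwd bytes, rev packets, rev bytes]; fwd = from the lower endpoint.
    A direction with no packets contributes zeros, so the vector has a fixed length."""
    a, b = (key[1], key[2]), (key[3], key[4])
    fwd, rev = dirs.get((a, b)), dirs.get((b, a))
    present = [d for d in (fwd, rev) if d is not None]
    duration = max(d.end for d in present) - min(d.start for d in present)
    return [duration] + [getattr(d, f) if d is not None else 0
                         for d in (fwd, rev) for f in ("packets", "bytes")]


# Constructed packet records: one TCP exchange with a web server and one one-way DNS query.
SAMPLE_PACKETS = [
    Pkt(1.0, 6, "10.0.0.5", 40000, "198.51.100.7", 80, 60),
    Pkt(1.2, 6, "198.51.100.7", 80, "10.0.0.5", 40000, 1500),
    Pkt(1.5, 6, "10.0.0.5", 40000, "198.51.100.7", 80, 52),
    Pkt(2.0, 6, "198.51.100.7", 80, "10.0.0.5", 40000, 1500),
    Pkt(3.0, 17, "10.0.0.5", 5353, "10.0.0.53", 53, 80),
]


def demo():
    """Feature vector for every bidirectional flow in the constructed records."""
    stats = flow_statistics(SAMPLE_PACKETS)
    return {key: feature_vector(key, dirs) for key, dirs in stats.items()}
```

For the sample records the web flow yields [1.0, 2, 112, 2, 3000] (one second long, two small packets out, two 1500-byte packets back), while the DNS flow, which has no reply in the records, yields [0.0, 1, 80, 0, 0]; the asymmetry between the two directions is exactly what a per-direction vector preserves and a single aggregate would lose.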
- The partial information may also be a specific communication itself among the communications transmitted and received by the terminal.
- For example, communication such as DNS may always be mirrored to the collection management device or the analysis device.
- In that case, the name whose resolution is requested, taken from the request packet, and the resolved IP address, taken from the response packet, are stored in association with each other.
- A feature vector may be formed from them, and the name or the IP address made the object of analysis or machine learning.
- The partial information may also be a combination of a part of the communication traffic flowing through the above-described communication device on the user NW side and a specific communication itself.
- The present invention is not limited to this; the technique used may be replaced by another SDN (Software Defined Networking) technique, or by any technique having functions capable of realizing the present invention.
- The functions (devices) contained in the communication device 10 and the control device 20 can each be distributed physically or virtually, and in that case each function (device) of both devices may be distributed as a single unit.
- The collection management device 21 may be omitted, with the collection unit 21a incorporated in the analysis device 22 and the extraction control unit 21b incorporated in the control determination device 23.
- Each unit of each device may be incorporated in another device to the extent that it functions effectively.
- [Program] A program in which the processing executed by the communication device 10 and the control device 20 according to the above embodiments is described in a language executable by a computer can also be created. In this case, the same effects as in the above embodiments are obtained by the computer executing the program. Further, such a program may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read and executed by a computer to carry out the same processing as in the above embodiments.
- a computer that executes a communication control program that realizes the same function as the communication device 10 and the control device 20 will be described.
- FIG. 26 is a diagram illustrating a computer that executes a communication control program.
- the computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
- the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
- the ROM 1011 stores a boot program such as BIOS (Basic Input Output System).
- the hard disk drive interface 1030 is connected to the hard disk drive 1090.
- the disk drive interface 1040 is connected to the disk drive 1041.
- a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041.
- a mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050.
- a display 1130 is connected to the video adapter 1060.
- the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094.
- Each table described in the above embodiment is stored in, for example, the hard disk drive 1090 or the memory 1010.
- the communication control program is stored in the hard disk drive 1090 as a program module in which a command executed by the computer 1000 is described, for example.
- a program module describing each process executed by each device of the network system described in the above embodiment is stored in hard disk drive 1090.
- data used for information processing by the communication control program is stored in the hard disk drive 1090 as program data, for example.
- the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the hard disk drive 1090 to the RAM 1012 as necessary, and executes the above-described procedures.
- the program module 1093 and the program data 1094 related to the communication control program are not limited to being stored in the hard disk drive 1090.
- The program module 1093 and the program data 1094 may be stored in a removable storage medium and read by the CPU 1020 via the disk drive 1041 or the like.
- Alternatively, the program module 1093 and the program data 1094 related to the communication control program may be stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and read by the CPU 1020 via the network interface 1070.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
In the following embodiment, the configuration of the network system according to the first embodiment, the configuration of the communication device, the configuration of the control device, the overall processing flow of the network system, and the processing flows of the communication device and of the control device are described in that order, and finally the effects of the first embodiment are described.
FIG. 1 is a diagram showing the configuration of the network system according to the first embodiment. The network system 100 shown in FIG. 1 has a communication device 10 installed inside the user NW 30 and a control device 20 installed outside the user NW 30. The communication device 10 and the control device 20 are connected via an external NW 60.
Next, the configuration of the communication device 10 shown in FIG. 1 is described with reference to FIG. 2. FIG. 2 is a block diagram showing the configuration of the communication device according to the first embodiment. As shown in FIG. 2, the communication device 10 consists of a collection device 11 and a communication control device 12.
Next, the configuration of the control device 20 shown in FIG. 1 is described with reference to FIG. 3. FIG. 3 is a block diagram showing the configuration of the control device according to the first embodiment. As shown in FIG. 3, the control device 20 consists of a collection management device 21, an analysis device 22, a control determination device 23, an analyzing device 24 and a communication control device 25.
Next, the flow of the communication control processing in the network system 100 according to the first embodiment is described with reference to FIG. 6. FIG. 6 is a sequence diagram showing the flow of the communication control processing in the network system according to the first embodiment.
Next, the flow of the collection processing in the collection device 11 is described with reference to FIG. 7. FIG. 7 is a flowchart showing the flow of the collection processing in the collection device according to the first embodiment.
Next, the flow of the communication control processing in the control device 20 is described with reference to FIGS. 8, 9 and 10. FIG. 8 is a flowchart showing the flow of the communication control processing in the normal mode of the control device according to the first embodiment. FIG. 9 is a flowchart showing the flow of the communication control processing in the mirroring mode of the control device according to the first embodiment. FIG. 10 is a flowchart showing the flow of the communication control processing in the inline mode of the control device according to the first embodiment.
In this way, in the network system 100 according to the first embodiment, the communication device 10 transmits to the control device 20, as partial information, a part of the information on the communication passing through the communication device 10, or statistics derived from that information. The control device 20 analyzes the partial information received from the communication device 10 and, using the analysis result, determines whether there is an anomaly in the communication within the user NW 30. When it determines that there is an anomaly in the communication within the user NW 30, the control device 20 performs route control by changing the communication mode, performs analysis using the communication flowing through the user NW 30, and determines whether the communication within the user NW 30 is malicious. Specifically, when it determines that there is an anomaly in the communication within the user NW 30, the control device 20 controls the communication device 10 in the user NW 30 so that information on the communication determined to be anomalous (for example, communication traffic having the features determined to be anomalous) is forwarded from the communication device 10 to the analyzing device 24. When the analyzing device 24 determines that the communication within the user NW 30 is malicious, the control device 20 controls the communication device 10 so as to restrict that malicious communication.
The first embodiment above described the case in which the partial information is analyzed by machine learning such as anomaly detection and the result of the machine learning is further updated as model information; however, the model information may also be updated by reflecting or adding the analyzing results of the analyzing device 24 in the model information of the analysis device 22.
The first embodiment above described the case in which the partial information on the communication traffic is transmitted to the collection management device based on the collection rules stored in the storage unit 11b; however, these collection rules may be updated as appropriate. Therefore, the third embodiment below describes the case in which the control determination device 23 updates the collection rules as appropriate. Description of processing that is the same as in the first embodiment is omitted.
In the first embodiment above, the determination was made based on the analysis results and/or analyzing results of one user NW 30; however, the model information that is the analysis result of each user NW 30 may be integrated and shared. This allows the model information to be built from a larger and more diverse set of feature vectors, which in general is expected to improve the accuracy of anomaly detection. In this case, the analysis device 22 is configured to apply one machine-learning process to the feature vectors of each user NW 30 and to build a single piece of model information.
The first embodiment above described the case in which whether to transition to the mirroring mode or to the inline mode is controlled according to the degree of the communication anomaly; however, the invention is not limited to this. For example, the communication control devices 12 and 25 may be controlled so that, when the communication in which the analysis device 22 detected an anomaly is encrypted, it transitions to the inline mode, and when it is plaintext communication, it transitions to the mirroring mode.
The first embodiment above described the case in which partial information on the communication flowing through the communication control device 12 on the user NW 30 side is collected in the normal mode and, when an anomaly is detected by analysis, the corresponding communication is transitioned to the mirroring mode or the inline mode; however, the invention is not limited to this. For example, information on communication detected as anomalous in the past may be accumulated in the analysis device 22, and the accumulated information may be used to control the transition of a first-seen packet to the mirroring mode or the inline mode.
For example, in the above embodiment the packets were filtered by the communication control device 12; instead, the terminal carrying out the communication in question may be connected to a quarantine NW (not shown), a security check of the inside of the terminal may be carried out, and malware removal or a security update may be enforced as needed.
As for the communication mode transitions, the configuration may transition among the three modes (normal mode, mirroring mode and inline mode), or between two modes (normal mode and mirroring mode, or normal mode and inline mode). When transitioning among the three modes, the configuration may allow transitions from any mode to any mode; it may exclude the transition from the inline mode to the mirroring mode from this any-to-any configuration; or it may exclude both the transition from the normal mode to the inline mode and the transition from the inline mode to the mirroring mode from it. The solid and dashed lines in FIG. 4 show one example of the transitions, and the dashed-line transitions may be omitted. A combination of these configurations is also possible.
The above embodiment described the case in which the collection device 11 generates the feature vectors and transmits them to the collection management device 21; however, the invention is not limited to this. For example, the collection device 11 may transmit the information needed for feature vectorization to the collection management device 21, and the collection management device that receives it may generate the feature vectors and pass them to the analysis device.
All communication traffic passing through the communication device 10 may be the target of communication control in these communication modes; alternatively, only the communication between the internal NW and the external NW may be the target of communication mode control, on the assumption that communication between terminals within the user NW 30 is safe, for example. Further, only communication with specific destinations and/or sources, or communication of specific protocols, services or applications, may be the target of communication mode control. In this case, communication traffic outside the target is relayed between source and destination via the communication device 10, as in the normal mode. Which traffic is targeted is determined based on the contents of the control instruction from the control determination device 23. Similarly, as for the communication to be collected, only the communication between the internal NW and the external NW may be the target of collection, and a rule that collects only the communication between the internal NW and the external NW may be described in the collection rules.
Further, the partial information may be any subset of the communication traffic flowing through the communication device on the user NW 30 side. For example, it may be statistics per 5-tuple, such as the start time and end time of the corresponding communication and the total number of packets and total data size transferred in between. Further, in communication between terminals A and B, for example, the statistics may be calculated per direction of communication (A→B, B→A). This information is assumed to be information that can be collected under the OpenFlow specification.
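The decision path the description gives (per-5-tuple partial information with per-direction statistics, model information built from feature vectors, a degree-of-anomaly score, the encrypted/plaintext rule, and a restricted transition graph among the three modes) as an added Python example; it is not the patent's own code, and the feature set, the mean/stddev model, the thresholds, the chosen transition-graph variant and the constructed baseline and packet data are all assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Communication modes of the communication control devices 12 and 25.
NORMAL, MIRRORING, INLINE = "normal", "mirroring", "inline"
# One transition-graph variant the text allows (assumed here): any-to-any
# minus normal->inline and inline->mirroring.
ALLOWED = {NORMAL: {MIRRORING}, MIRRORING: {NORMAL, INLINE}, INLINE: {NORMAL}}

@dataclass(frozen=True)
class FiveTuple:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str

    def reverse(self):
        return FiveTuple(self.dst, self.src, self.dport, self.sport, self.proto)

@dataclass
class PartialInfo:
    """Per-5-tuple statistics kept per direction (fwd = A->B, rev = B->A)."""
    start: float
    end: float
    pkts: dict = field(default_factory=lambda: {"fwd": 0, "rev": 0})
    octets: dict = field(default_factory=lambda: {"fwd": 0, "rev": 0})

def collect(packets):
    """Collection device 11: reduce (ts, 5-tuple, size) packets to partial info."""
    table = {}
    for ts, flow, size in packets:
        key, direction = flow, "fwd"
        if key not in table and key.reverse() in table:
            key, direction = key.reverse(), "rev"
        info = table.setdefault(key, PartialInfo(ts, ts))
        info.start, info.end = min(info.start, ts), max(info.end, ts)
        info.pkts[direction] += 1
        info.octets[direction] += size
    return table

def feature_vector(info):
    """Assumed features: duration, packets, bytes per packet, forward byte share."""
    pk = info.pkts["fwd"] + info.pkts["rev"]
    by = info.octets["fwd"] + info.octets["rev"]
    return [info.end - info.start, pk, by / pk, info.octets["fwd"] / max(by, 1)]

def build_model(baseline):
    """Analysis device 22: model information as per-feature (mean, stddev)."""
    return [(mean(c), pstdev(c) or 1.0) for c in zip(*baseline)]

def anomaly_score(model, vec):
    """Degree of anomaly: largest absolute z-score over the features."""
    return max(abs(x - m) / s for x, (m, s) in zip(vec, model))

def decide_mode(current, score, encrypted=None, warn=3.0, alarm=6.0):
    """Control determination device 23: target mode by degree of anomaly, or,
    when `encrypted` is given, inline for encrypted and mirroring for plaintext."""
    if score < warn:
        target = NORMAL
    elif encrypted is not None:
        target = INLINE if encrypted else MIRRORING
    else:
        target = INLINE if score >= alarm else MIRRORING
    if target == current or target in ALLOWED[current]:
        return target
    # Forbidden edge: step through mirroring if the graph permits, else stay.
    return MIRRORING if MIRRORING in ALLOWED[current] else current

# Constructed baseline feature vectors and one constructed suspect flow.
BASELINE = [[2.0, 20, 600.0, 0.30], [3.0, 24, 640.0, 0.28],
            [2.5, 18, 580.0, 0.32], [4.0, 30, 620.0, 0.29],
            [3.5, 26, 610.0, 0.31]]
SUSPECT = FiveTuple("10.0.0.5", "203.0.113.9", 51000, 443, "tcp")
SAMPLE_PACKETS = ([(10.0 * i, SUSPECT, 80) for i in range(12)]
                  + [(10.0 * i + 0.2, SUSPECT.reverse(), 60) for i in range(12)])

def run(current=NORMAL):
    """Whole path for the constructed input: returns (score, new mode)."""
    info = collect(SAMPLE_PACKETS)[SUSPECT]
    score = anomaly_score(build_model(BASELINE), feature_vector(info))
    return score, decide_mode(current, score)
```

Because the chosen variant has no normal-to-inline edge, a strongly anomalous flow first moves to mirroring and only reaches inline on the next decision.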
The functions (devices) contained in the communication device 10 and the control device 20 can be distributed physically or virtually, in which case each function (device) in both devices may be distributed as a single unit. Further, for example, the collection management device 21 may be omitted, with the collection unit 21a incorporated in the analysis device 22 and the extraction control unit 21b incorporated in the control determination device 23. Further, each unit in each device may be incorporated in another device to the extent that it functions effectively.
It is also possible to create a program in which the processing executed by the communication device 10 and the control device 20 according to the above embodiment is described in a language executable by a computer. In this case, the same effects as in the above embodiment can be obtained by the computer executing the program. Furthermore, such a program may be recorded on a computer-readable recording medium, and the same processing as in the above embodiment may be realized by having a computer read and execute the program recorded on the recording medium. An example of a computer that executes a communication control program realizing the same functions as the communication device 10 and the control device 20 is described below.
11 collection device
11a extraction unit
11b, 12a, 22b, 23c, 25b storage unit
12, 25 communication control device
12b, 25a tunnel unit
12c, 25c communication control unit
14 OpenFlow controller
20 control device
21 collection management device
21a collection unit
21b extraction control unit
22 analysis device
22a analysis/learning unit
23 control determination device
23a determination unit
23b control instruction unit
24 analyzing device
24a detailed analyzing unit
26 encrypted communication inspection device
27 anomaly information storage unit
100 network system
Claims (12)
- A network system comprising a communication device and a control device that communicates with the communication device via a network, wherein
the communication device comprises
a communication control unit that controls communication passing through the communication device, and
a collection unit that configures a part of the information on the communication as partial information and transmits it to the control device,
and the control device comprises
an analysis unit that performs analysis using the partial information received from the communication device and determines whether there is an anomaly in the communication,
a control determination unit that, when the analysis unit determines that there is an anomaly in the communication, controls the communication route with respect to the communication control unit so that the communication is transmitted from the communication device to the control device, and
an analyzing unit that determines whether the communication transmitted as a result of the control of the communication route is malicious,
and wherein the control determination unit
further controls the communication control unit to restrict the malicious communication when the analyzing unit determines that the communication is malicious.
- The network system according to claim 1, wherein the control device
further comprises a storage unit that stores model information, which is information indicating a feature space generated based on the partial information and is applied to the analysis performed by the analysis unit,
the analyzing unit configures partial information corresponding to the information on the communication under analysis, associates it with the analyzing result of that communication as additional information, and stores the additional information in the storage unit in association with the model information, and
the control determination unit, when the analysis unit determines that there is an anomaly in the communication and the partial information determined to be anomalous is determined to fall within a predetermined region of the feature space of the model information with which the additional information is associated, controls the communication control unit based on the analyzing result corresponding to the additional information.
- The network system according to claim 1 or 2, wherein the control determination unit generates collection rules for collecting the partial information using information on the analysis by the analysis unit and/or information on the analyzing by the analyzing unit, transmits the collection rules to the collection unit, and causes the collection unit to update its collection rules.
- The network system according to claim 1 or 2, wherein the control device
further comprises a storage unit that stores model information, which is information indicating a feature space generated based on the partial information and is applied to the analysis performed by the analysis unit, and
the analysis unit further stores in the storage unit shared model information configured by sharing the model information corresponding to the communication passing through each of a plurality of communication devices, and determines whether there is an anomaly in the communication using the shared model information.
- The network system according to claim 3, wherein the control device
further comprises a storage unit that stores model information, which is information indicating a feature space generated based on the partial information and is applied to the analysis performed by the analysis unit, and
the analysis unit further stores in the storage unit shared model information configured by sharing the model information corresponding to the communication passing through each of a plurality of communication devices, and determines whether there is an anomaly in the communication using the shared model information.
- A control device comprising
an analysis unit that performs analysis using partial information, which is a part of the information on communication received from a communication device communicating via a network, and determines whether there is an anomaly in the communication,
a control determination unit that, when the analysis unit determines that there is an anomaly in the communication, controls the communication route with respect to the communication device so that the communication is transmitted from the communication device to the control device itself, and
an analyzing unit that determines whether the communication transmitted as a result of the control of the communication route is malicious,
wherein the control determination unit
further controls the communication device to restrict the malicious communication when the analyzing unit determines that the communication is malicious.
- A communication device comprising
a communication control unit that controls communication passing through the communication device itself, and
a collection unit that configures a part of the information on the communication as partial information and transmits it to a control device that communicates with the communication device via a network,
wherein the communication control unit
further, when the control device determines that there is an anomaly in the communication, accepts an instruction to control the communication route so that the communication is transmitted to the control device and makes the setting that controls the communication route, and, when the control device determines that the communication is malicious, accepts an instruction to restrict the malicious communication and makes the setting that restricts the malicious communication.
- A communication control method in a network system comprising a communication device and a control device that communicates with the communication device via a network, wherein
the communication device executes
a communication control step of controlling communication passing through the communication device, and
a collection step of configuring a part of the information on the communication as partial information and transmitting it to the control device,
and the control device executes
an analysis step of performing analysis using the partial information received from the communication device and determining whether there is an anomaly in the communication,
a control determination step of, when the analysis step determines that there is an anomaly in the communication, controlling the communication route with respect to the communication device so that the communication is transmitted from the communication device to the control device,
an analyzing step of determining whether the communication transmitted as a result of the control of the communication route is malicious, and
a restriction step of controlling the communication device to restrict the malicious communication when the analyzing step determines that the communication is malicious.
- A communication control program that causes a computer to realize the device according to claim 6 or 7.
- A network system comprising a communication device and a control device that communicates with the communication device via a network, wherein
the communication device comprises
a communication control unit that controls communication passing through the communication device, and
a collection unit that configures a part of the information on the communication as partial information and transmits it to the control device,
and the control device comprises
an analysis unit that performs analysis using the partial information received from the communication device and determines whether there is an anomaly in the communication,
an accumulation unit that accumulates information indicating anomalous communication based on the results analyzed by the analysis unit,
a control determination unit that, when communication is received from the communication device, determines whether information contained in that communication matches the information indicating anomalous communication accumulated in the accumulation unit and, when it determines that there is an anomaly, controls the communication route with respect to the communication control unit so that the communication is transmitted from the communication device to the control device, and
an analyzing unit that determines whether the communication transmitted as a result of the control of the communication route is malicious,
and wherein the control determination unit
further controls the communication control unit to restrict the malicious communication when the analyzing unit determines that the communication is malicious.
- A control device comprising
an analysis unit that performs analysis using partial information, which is a part of the information on communication received from a communication device communicating via a network, and determines whether there is an anomaly in the communication,
an accumulation unit that accumulates information indicating anomalous communication based on the results analyzed by the analysis unit,
a control determination unit that, when communication is received from the communication device, determines whether information contained in that communication matches the information indicating anomalous communication accumulated in the accumulation unit and, when it determines that there is an anomaly, controls the communication route with respect to the communication device so that the communication is transmitted from the communication device to the control device itself, and
an analyzing unit that determines whether the communication transmitted as a result of the control of the communication route is malicious,
wherein the control determination unit
further controls the communication device to restrict the malicious communication when the analyzing unit determines that the communication is malicious.
- A communication control method in a network system comprising a communication device and a control device that communicates with the communication device via a network, wherein
the communication device executes
a communication control step of controlling communication passing through the communication device, and
a collection step of configuring a part of the information on the communication as partial information and transmitting it to the control device,
and the control device executes
an analysis step of performing analysis using the partial information received from the communication device and determining whether there is an anomaly in the communication,
an accumulation step of accumulating information indicating anomalous communication based on the results analyzed in the analysis step,
a control determination step of, when communication is received from the communication device, determining whether information contained in that communication matches the accumulated information indicating anomalous communication and, when it is determined that there is an anomaly, controlling the communication route with respect to the communication device so that the communication is transmitted from the communication device to the control device,
an analyzing step of determining whether the communication transmitted as a result of the control of the communication route is malicious, and
a restriction step of controlling the communication control unit to restrict the malicious communication when the analyzing step determines that the communication is malicious.
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/319,192 US10476901B2 (en) | 2014-06-18 | 2015-06-17 | Network system, control apparatus, communication apparatus, communication control method, and communication control program |
CN201580031941.4A CN106464577B (zh) | 2014-06-18 | 2015-06-17 | 网络系统、控制装置、通信装置以及通信控制方法 |
EP15809108.2A EP3145130B1 (en) | 2014-06-18 | 2015-06-17 | Network system, communication control method, and communication control program |
JP2016529415A JPWO2015194604A1 (ja) | 2014-06-18 | 2015-06-17 | ネットワークシステム、制御装置、通信装置、通信制御方法および通信制御プログラム |
US15/498,138 US10397260B2 (en) | 2014-06-18 | 2017-04-26 | Network system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2014125403 | 2014-06-18 | ||
JP2014-125403 | 2014-06-18 |
Related Child Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/319,192 A-371-Of-International US10476901B2 (en) | 2014-06-18 | 2015-06-17 | Network system, control apparatus, communication apparatus, communication control method, and communication control program |
US15/498,138 Division US10397260B2 (en) | 2014-06-18 | 2017-04-26 | Network system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015194604A1 true WO2015194604A1 (ja) | 2015-12-23 |
Family
ID=54935584
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2015/067519 WO2015194604A1 (ja) | 2014-06-18 | 2015-06-17 | ネットワークシステム、制御装置、通信装置、通信制御方法および通信制御プログラム |
Country Status (5)
Country | Link |
---|---|
US (2) | US10476901B2 (ja) |
EP (1) | EP3145130B1 (ja) |
JP (3) | JPWO2015194604A1 (ja) |
CN (1) | CN106464577B (ja) |
WO (1) | WO2015194604A1 (ja) |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6152998B1 (ja) * | 2016-09-29 | 2017-06-28 | Panasonic IP Management Co., Ltd. | Video conference device |
JP2017147525A (ja) * | 2016-02-16 | 2017-08-24 | Nippon Telegraph and Telephone Corp. | Transfer control device, application analysis control system, transfer control method and application analysis control method |
CN107809344A (zh) * | 2016-09-09 | 2018-03-16 | Chunghwa Telecom Co., Ltd. | Real-time traffic collection and analysis system and method |
JP2018067829A (ja) * | 2016-10-20 | 2018-04-26 | Chunghwa Telecom Co., Ltd. | Real-time traffic collection and analysis system and method |
WO2018139458A1 (ja) * | 2017-01-30 | 2018-08-02 | NEC Corporation | Security information analysis device, security information analysis method, security information analysis program, security information evaluation device, security information evaluation method, security information analysis system, and recording medium |
KR20180107932A (ko) * | 2017-03-23 | 2018-10-04 | Korea Advanced Institute of Science and Technology | Device, method and computer program for detecting malicious programs in a software-defined network |
JP2019029798A (ja) * | 2017-07-28 | 2019-02-21 | Nippon Telegraph and Telephone Corp. | Anomaly detection system and anomaly detection method |
JP2019106621A (ja) * | 2017-12-12 | 2019-06-27 | Nippon Telegraph and Telephone Corp. | Anomaly detection system, anomaly detection method, and anomaly detection program |
JP2019165337A (ja) * | 2018-03-19 | 2019-09-26 | Ricoh Co., Ltd. | Communication system, communication control device, communication control method and communication control program |
WO2020036160A1 (ja) * | 2018-08-15 | 2020-02-20 | Nippon Telegraph and Telephone Corp. | Communication system and communication method |
JP2020140723A (ja) * | 2016-07-22 | 2020-09-03 | Alibaba Group Holding Limited | Network attack defense system and method |
JPWO2021009887A1 (ja) * | 2019-07-17 | 2021-01-21 | ||
JPWO2021009818A1 (ja) * | 2019-07-12 | 2021-01-21 | ||
JP2021044608A (ja) * | 2019-09-06 | 2021-03-18 | Hitachi, Ltd. | Network security device and learning priority determination method |
JP2021525040A (ja) * | 2018-05-21 | 2021-09-16 | Huawei Technologies Co., Ltd. | Method and apparatus for configuring a network device, and storage medium |
WO2023135778A1 (ja) * | 2022-01-17 | 2023-07-20 | NEC Corporation | Communication analysis device, communication analysis method, communication analysis system and recording medium |
WO2024185324A1 (ja) * | 2023-03-09 | 2024-09-12 | Fujitsu Limited | Optical path setting device, optical path setting method and optical path setting program |
US12120137B2 (en) | 2019-07-17 | 2024-10-15 | Nippon Telegraph And Telephone Corporation | Generation device, generation method, and generation program |
Families Citing this family (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104077530A (zh) * | 2013-03-27 | 2014-10-01 | International Business Machines Corp. | Method and apparatus for evaluating the security of data access statements |
US20170004188A1 (en) * | 2015-06-30 | 2017-01-05 | Ca, Inc. | Apparatus and Method for Graphically Displaying Transaction Logs |
EP3486809A4 (en) * | 2016-10-03 | 2019-12-25 | Nippon Telegraph and Telephone Corporation | CLASSIFICATION DEVICE, METHOD AND PROGRAM |
US10425434B2 (en) * | 2017-01-19 | 2019-09-24 | Cisco Technology, Inc. | Statistical fingerprinting of network traffic |
JP6760110B2 (ja) * | 2017-01-30 | 2020-09-23 | Fujitsu Limited | Control device, transfer device, and control method |
CN107493265B (zh) * | 2017-07-24 | 2018-11-02 | Nanjing NARI Group Corp. | Network security monitoring method for industrial control systems |
JP6746140B2 (ja) * | 2017-08-23 | 2020-08-26 | Kyoto Robotics Corp. | Picking system |
WO2019123447A1 (en) * | 2017-12-24 | 2019-06-27 | Arilou Information Security Technologies Ltd. | System and method for tunnel-based malware detection |
IL263956A (en) * | 2018-12-24 | 2020-06-30 | Amzel Moshe | Systems and methods for early detection, warning and prevention of cyber threats |
CN110149239B (zh) * | 2019-04-01 | 2022-10-14 | University of Electronic Science and Technology of China | sFlow-based network traffic monitoring method |
WO2021009925A1 (ja) | 2019-07-18 | 2021-01-21 | Mitsubishi Electric Corp. | Network security device, network security system and network security method |
CN114128215B (zh) * | 2019-07-23 | 2023-05-12 | Nippon Telegraph and Telephone Corp. | Anomaly detection device, anomaly detection method and recording medium |
CN110602101B (zh) * | 2019-09-16 | 2021-01-01 | Beijing Sankuai Online Technology Co., Ltd. | Method, apparatus, device and storage medium for determining network anomaly groups |
US11316885B1 (en) * | 2019-10-30 | 2022-04-26 | Rapid7, Inc. | Self-learning data collection of machine characteristics |
JP7273759B2 (ja) * | 2020-03-19 | 2023-05-15 | Toshiba Corp. | Communication device, communication method, information processing system and program |
JP7563227B2 (ja) | 2021-02-22 | 2024-10-08 | Nippon Telegraph and Telephone Corp. | Network monitoring control system, monitoring control device, analysis monitoring server and network monitoring control method |
EP4290822A1 (en) * | 2022-06-10 | 2023-12-13 | Sorin Mihai Grigorescu | Method and ai operating system for robotics and complex automation |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2009117929A (ja) * | 2007-11-02 | 2009-05-28 | Nippon Telegr & Teleph Corp <Ntt> | Unauthorized access monitoring device and method |
JP2013192128A (ja) * | 2012-03-15 | 2013-09-26 | Fujitsu Telecom Networks Ltd | Relay device and relay method |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3966231B2 (ja) | 2003-06-11 | 2007-08-29 | Nippon Telegraph and Telephone Corp. | Network system, unauthorized access control method and program |
US7457293B2 (en) | 2004-04-05 | 2008-11-25 | Panasonic Corporation | Communication apparatus, method and program for realizing P2P communication |
US8200700B2 (en) | 2005-02-01 | 2012-06-12 | Newsilike Media Group, Inc | Systems and methods for use of structured and unstructured distributed data |
JP4715293B2 (ja) | 2005-05-10 | 2011-07-06 | Sony Corp. | Wireless communication system, wireless communication device, wireless communication method, and computer program |
CN1878141A (zh) | 2005-05-20 | 2006-12-13 | Alaxala Networks Corp. | Network control device and control method therefor |
JP2006352831A (ja) * | 2005-05-20 | 2006-12-28 | Alaxala Networks Corp | Network control device and control method therefor |
JP2007243459A (ja) | 2006-03-07 | 2007-09-20 | Nippon Telegraph & Telephone East Corp | Traffic state extraction device and method, and computer program |
CN101098156B (zh) | 2006-06-28 | 2012-05-23 | Hon Hai Precision Industry (Shenzhen) Co., Ltd. | Communication device with a special usage mode |
CN101686235B (zh) * | 2008-09-26 | 2013-04-24 | NSFOCUS Information Technology Co., Ltd. (Beijing) | Network anomalous traffic analysis device and method |
JP2011130238A (ja) | 2009-12-18 | 2011-06-30 | Nippon Telegr & Teleph Corp <Ntt> | Anomalous traffic monitoring method and anomalous traffic monitoring device |
US20150169024A1 (en) | 2012-06-17 | 2015-06-18 | Nation-E Ltd | Disaster recovery system and method |
JP2014155153A (ja) | 2013-02-13 | 2014-08-25 | Panasonic Corp | Secret information transmission device, program for a secret information transmission device, secret information transmission system, and secret information transmission method |
US10944765B2 (en) * | 2014-01-10 | 2021-03-09 | Red Bend Ltd. | Security system for machine to machine cyber attack detection and prevention |
US9600676B1 (en) | 2014-06-16 | 2017-03-21 | Verily Life Sciences Llc | Application-level wireless security for wearable devices |
- 2015
- 2015-06-17 WO PCT/JP2015/067519 patent/WO2015194604A1/ja active Application Filing
- 2015-06-17 CN CN201580031941.4A patent/CN106464577B/zh active Active
- 2015-06-17 JP JP2016529415A patent/JPWO2015194604A1/ja not_active Withdrawn
- 2015-06-17 US US15/319,192 patent/US10476901B2/en active Active
- 2015-06-17 EP EP15809108.2A patent/EP3145130B1/en active Active
- 2017
- 2017-04-26 US US15/498,138 patent/US10397260B2/en not_active Expired - Fee Related
- 2017-05-24 JP JP2017103072A patent/JP6356871B2/ja active Active
- 2017-10-20 JP JP2017203905A patent/JP6453976B2/ja active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2009117929A (ja) * | 2007-11-02 | 2009-05-28 | Nippon Telegr & Teleph Corp <Ntt> | Unauthorized access monitoring device and method |
JP2013192128A (ja) * | 2012-03-15 | 2013-09-26 | Fujitsu Telecom Networks Ltd | Relay device and relay method |
Non-Patent Citations (2)
Title |
---|
TAKAHIRO HAMADA ET AL.: "A Consideration of Network Security for Virtualization of Home Network System", PROCEEDINGS OF THE 2014 IEICE GENERAL CONFERENCE TSUSHIN 2, 4 March 2014 (2014-03-04), pages 224, XP008185433 * |
YASUHIRO KOMIYA ET AL.: "A study of security SaaS on Cloud Computing", IPSJ SIG NOTES HEISEI 22 NENDO 1 [ CD-ROM ] IPSJ SIG NOTES COMPUTER SECURITY(CSEC, 15 June 2010 (2010-06-15), pages 1 - 6, XP055244958 * |
Cited By (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2017147525A (ja) * | 2016-02-16 | 2017-08-24 | Nippon Telegraph and Telephone Corp. | Transfer control device, application analysis control system, transfer control method and application analysis control method |
JP2020140723A (ja) * | 2016-07-22 | 2020-09-03 | Alibaba Group Holding Limited | Network attack defense system and method |
CN107809344B (zh) * | 2016-09-09 | 2021-01-22 | Chunghwa Telecom Co., Ltd. | Real-time traffic collection and analysis system and method |
CN107809344A (zh) * | 2016-09-09 | 2018-03-16 | Chunghwa Telecom Co., Ltd. | Real-time traffic collection and analysis system and method |
JP2018056822A (ja) * | 2016-09-29 | 2018-04-05 | Panasonic IP Management Co., Ltd. | Video conference device |
JP6152998B1 (ja) * | 2016-09-29 | 2017-06-28 | Panasonic IP Management Co., Ltd. | Video conference device |
JP2018067829A (ja) * | 2016-10-20 | 2018-04-26 | Chunghwa Telecom Co., Ltd. | Real-time traffic collection and analysis system and method |
US11593475B2 (en) | 2017-01-30 | 2023-02-28 | Nec Corporation | Security information analysis device, security information analysis method, security information analysis program, security information evaluation device, security information evaluation method, security information analysis system, and recording medium |
JPWO2018139458A1 (ja) * | 2017-01-30 | 2019-12-19 | NEC Corporation | Security information analysis device, security information analysis method, security information analysis program, security information evaluation device, security information evaluation method, and security information analysis system |
WO2018139458A1 (ja) * | 2017-01-30 | 2018-08-02 | NEC Corporation | Security information analysis device, security information analysis method, security information analysis program, security information evaluation device, security information evaluation method, security information analysis system, and recording medium |
JP7067489B2 (ja) | 2017-01-30 | 2022-05-16 | NEC Corporation | Security information analysis device, security information analysis method, security information analysis program, security information evaluation device, security information evaluation method, and security information analysis system |
KR101966514B1 (ko) * | 2017-03-23 | 2019-04-05 | Korea Advanced Institute of Science and Technology | Device, method and computer program for detecting malicious programs in a software-defined network |
KR20180107932A (ko) * | 2017-03-23 | 2018-10-04 | Korea Advanced Institute of Science and Technology | Device, method and computer program for detecting malicious programs in a software-defined network |
JP2019029798A (ja) * | 2017-07-28 | 2019-02-21 | Nippon Telegraph and Telephone Corp. | Anomaly detection system and anomaly detection method |
JP2019106621A (ja) * | 2017-12-12 | 2019-06-27 | Nippon Telegraph and Telephone Corp. | Anomaly detection system, anomaly detection method, and anomaly detection program |
JP2019165337A (ja) * | 2018-03-19 | 2019-09-26 | Ricoh Co., Ltd. | Communication system, communication control device, communication control method and communication control program |
JP7059726B2 (ja) | 2018-03-19 | 2022-04-26 | Ricoh Co., Ltd. | Communication system, communication control device, communication control method and communication control program |
US11463305B2 (en) | 2018-05-21 | 2022-10-04 | Huawei Technologies Co., Ltd. | Method and apparatus for configuring network device, and storage medium |
JP2021525040A (ja) * | 2018-05-21 | 2021-09-16 | Huawei Technologies Co., Ltd. | Method and apparatus for configuring a network device, and storage medium |
JP7254099B2 (ja) | 2018-05-21 | 2023-04-07 | Huawei Technologies Co., Ltd. | Method and apparatus for configuring a network device, and storage medium |
WO2020036160A1 (ja) * | 2018-08-15 | 2020-02-20 | Nippon Telegraph and Telephone Corp. | Communication system and communication method |
US11805098B2 (en) | 2018-08-15 | 2023-10-31 | Nippon Telegraph And Telephone Corporation | Communication system and communication method |
JP7063185B2 (ja) | 2018-08-15 | 2022-05-09 | Nippon Telegraph and Telephone Corp. | Communication system and communication method |
JP2020028068A (ja) * | 2018-08-15 | 2020-02-20 | Nippon Telegraph and Telephone Corp. | Communication system and communication method |
JPWO2021009818A1 (ja) * | 2019-07-12 | 2021-01-21 | ||
JP7160205B2 (ja) | 2019-07-12 | 2022-10-25 | Nippon Telegraph and Telephone Corp. | Extraction device, extraction method and extraction program |
JP7176636B2 (ja) | 2019-07-17 | 2022-11-22 | Nippon Telegraph and Telephone Corp. | Generation device, generation method and generation program |
WO2021009887A1 (ja) * | 2019-07-17 | 2021-01-21 | Nippon Telegraph and Telephone Corp. | Generation device, generation method and generation program |
JPWO2021009887A1 (ja) * | 2019-07-17 | 2021-01-21 | ||
US12120137B2 (en) | 2019-07-17 | 2024-10-15 | Nippon Telegraph And Telephone Corporation | Generation device, generation method, and generation program |
JP7319872B2 (ja) | 2019-09-06 | 2023-08-02 | Hitachi, Ltd. | Network security device and learning priority determination method |
JP2021044608A (ja) * | 2019-09-06 | 2021-03-18 | Hitachi, Ltd. | Network security device and learning priority determination method |
WO2023135778A1 (ja) * | 2022-01-17 | 2023-07-20 | NEC Corporation | Communication analysis device, communication analysis method, communication analysis system and recording medium |
WO2024185324A1 (ja) * | 2023-03-09 | 2024-09-12 | Fujitsu Limited | Optical path setting device, optical path setting method and optical path setting program |
Also Published As
Publication number | Publication date |
---|---|
EP3145130A1 (en) | 2017-03-22 |
EP3145130B1 (en) | 2019-02-27 |
JP6453976B2 (ja) | 2019-01-16 |
EP3145130A4 (en) | 2018-03-28 |
US10476901B2 (en) | 2019-11-12 |
CN106464577A (zh) | 2017-02-22 |
JPWO2015194604A1 (ja) | 2017-04-27 |
US10397260B2 (en) | 2019-08-27 |
US20170230396A1 (en) | 2017-08-10 |
CN106464577B (zh) | 2019-10-29 |
JP6356871B2 (ja) | 2018-07-11 |
US20170149808A1 (en) | 2017-05-25 |
JP2017143583A (ja) | 2017-08-17 |
JP2018038062A (ja) | 2018-03-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6356871B2 (ja) | Network system | |
EP3306890B1 (en) | Analyzing encrypted traffic behavior using contextual traffic data | |
US9860154B2 (en) | Streaming method and system for processing network metadata | |
US10686831B2 (en) | Malware classification and attribution through server fingerprinting using server certificate data | |
JP6014280B2 (ja) | Information processing device, method and program | |
CN108040057B (zh) | Operating method of an SDN system suited to ensuring network security and network communication quality | |
US11546266B2 (en) | Correlating discarded network traffic with network policy events through augmented flow | |
US10257213B2 (en) | Extraction criterion determination method, communication monitoring system, extraction criterion determination apparatus and extraction criterion determination program | |
US10218731B2 (en) | Method and system for data breach and malware detection | |
JP5870009B2 (ja) | Network system, network relay method and device | |
JP6599819B2 (ja) | Packet relay device | |
CA2897664A1 (en) | An improved streaming method and system for processing network metadata | |
US11863584B2 (en) | Infection spread attack detection device, attack origin specification method, and program | |
WO2019235403A1 (ja) | Infection spread attack detection system, method, and program | |
Kuzniar et al. | PoirIoT: Fingerprinting IoT Devices at Tbps Scale | |
JP6581053B2 (ja) | Flow analysis device, traffic analysis system, and flow analysis method | |
Krmíček | Hardware-Accelerated Anomaly Detection in High-Speed Networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15809108; Country of ref document: EP; Kind code of ref document: A1 |
| REEP | Request for entry into the european phase | Ref document number: 2015809108; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 2015809108; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 15319192; Country of ref document: US |
| ENP | Entry into the national phase | Ref document number: 2016529415; Country of ref document: JP; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |