WO2016194123A1 - Relay device, network monitoring system, and program - Google Patents
Relay device, network monitoring system, and program
- Publication number
- WO2016194123A1, PCT/JP2015/065848
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- unauthorized access
- server
- unit
- detection
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/20—Support for services
- H04L49/208—Port mirroring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/141—Denial of service attacks against endpoints in a network
Definitions
- the present invention relates to a relay device, a network monitoring system, and a program, and more particularly to detection of unauthorized access to equipment installed in the same facility as the relay device.
- With the opening of the control system, malicious third parties have illegally accessed the control system. Therefore, in the field of control systems such as building management systems, it is required to monitor a network and detect unauthorized access to devices connected to the network.
- a method for monitoring a network by using an intrusion detection system (IDS: Intrusion Detection System) or by installing a network management device specialized for network monitoring has been proposed (for example, Patent Documents 1 and 2).
- a technique for detecting unauthorized access from an external network with a function of analyzing packets relayed to a home gateway has been proposed (for example, Patent Document 3).
- When a device for monitoring a network is used as in Patent Documents 1 and 2, enormous costs are required to detect unauthorized access. Moreover, installation space for the apparatus is also needed. In Patent Document 3, although unauthorized access to the user terminal from the external network can be detected, unauthorized access to the user terminal from the internal network cannot be detected.
- switch a network switch
- Some high-performance switches are provided with a mirror port for copying and outputting all traffic data passing through a normal port.
- An object of the present invention is to detect unauthorized access from inside and outside a facility to equipment installed in the facility by effectively using the output from the mirror port of the network switch.
- the relay device is a relay device that relays data communicated between a server connected to an external network outside the facility and a device directly or indirectly connected to the internal network inside the facility.
- Data acquisition means for acquiring data output from the mirror port of the network switch connected to the internal network
- detection means for detecting unauthorized access to the device by analyzing the data acquired by the data acquisition means
- Detection information transmitting means for transmitting detection information related to unauthorized access to the server when unauthorized access is detected.
- a load state monitoring unit that monitors a load state applied to the relay device; and a data storage unit that stores data acquired by the data acquisition unit.
- the detection unit analyzes the data only when the load applied to the relay device is below a predetermined value.
- a matching processing unit that detects unauthorized access to the device by a matching process between the data acquired by the data acquisition unit and preset filter information, and the detection unit detects unauthorized access to the device by analyzing data for which unauthorized access has not been detected by the matching process of the matching processing unit.
- the detection means detects unauthorized access to the device by analyzing data from the device output from the normal port of the network switch.
- load state monitoring means for monitoring the load state in the relay device
- data storage means for storing data acquired by the data acquisition means, and detection processing requesting means for transmitting the data stored in the data storage means to the server according to the state of the load on the relay device and requesting the server to execute the unauthorized access detection processing performed by the detection means.
- the network monitoring system communicates between a server connected to an external network outside the facility, a device connected directly or indirectly to the internal network inside the facility, and the server and the device.
- data acquisition means for acquiring data output from the port, detection means for detecting unauthorized access to the device by analyzing the data acquired by the data acquisition means, and detection information transmission means for transmitting detection information relating to the unauthorized access to the server when the unauthorized access is detected.
- the program according to the present invention is installed in a relay device that relays data communicated between a server connected to an external network outside the facility and a device directly or indirectly connected to the internal network inside the facility.
- the program causes the relay device to function as data acquisition means for acquiring data output from a mirror port of a network switch connected to the internal network, detection means for detecting unauthorized access to the device by analyzing the data acquired by the data acquisition means, and detection information transmission means for transmitting detection information relating to unauthorized access to the server when unauthorized access is detected.
- according to the present invention, it is possible to detect unauthorized access from inside and outside the facility to the equipment installed in the facility by effectively using the output from the mirror port of the network switch.
- unauthorized access is detected by matching processing with relatively high speed filter information, thereby speeding up unauthorized access detection processing.
- processing load on the relay device can be reduced.
- FIG. 2 is a hardware configuration diagram of a gateway device according to Embodiment 1.
- FIG. 3 is a block configuration diagram of a gateway device in Embodiment 1.
- FIG. 4 is a flowchart showing unauthorized access detection processing performed by the gateway device in the first embodiment.
- FIG. 5 is a block configuration diagram of a gateway device in a second embodiment.
- FIG. 6 is a block configuration diagram of a gateway device in a third embodiment.
- FIG. 7 is a block configuration diagram of a gateway device in a fourth embodiment.
- FIG. 8 is a block configuration diagram of a gateway device in a fifth embodiment.
- FIG. 1 is an overall configuration diagram showing an embodiment of a network monitoring system according to the present invention.
- FIG. 1 shows a configuration in which a server 2 installed in a monitoring center 1 and a gateway device 10 installed in a customer building 3 are connected by an external network 4 such as the Internet.
- a switch 5, a management device 6, a controller 7, and electrical equipment 8 are installed inside the building 3.
- the switch 5 and the controller 7 are connected to an internal network 9 such as a LAN.
- the gateway device 10 and the management device 6 are connected to the switch 5.
- the switch 5 is a communication device equipped with a line or packet switching function.
- the switch 5 in this embodiment has a mirror port 51 for copying and outputting all traffic data passing through a normal port.
- the mirror port 51 is connected to the monitoring port 361 of the gateway device 10.
- the normal port of the switch 5 is connected to the normal port of the gateway device 10, the management device 6, and the internal network 9.
- the gateway device 10 relays data exchanged between the server 2 and the device 8.
- the management device 6 monitors and manages various devices connected directly or indirectly to the internal network 9 including the device 8.
- the controller 7 controls the operation of the connected device 8 and collects data transmitted from the device 8.
- the number of controllers 7 installed in the building 3 and the devices 8 connected to each controller 7 are determined according to the scale of the building 3.
- the monitoring center 1 uses the server 2 to transmit control data or the like to the device 8, or to obtain data such as operation result values from the device 8, for maintenance management or the like of each device 8 installed in the building 3.
- the monitoring center 1 monitors the devices 8 installed in one or a plurality of buildings 3. However, since the monitoring contents are the same for each building 3, only one building 3 is shown for convenience.
- FIG. 2 is a hardware configuration diagram of the gateway device 10 according to the present embodiment.
- the gateway device 10 in the present embodiment is equipped with a computer and can be realized with a general-purpose hardware configuration that has existed in the past. That is, as shown in FIG. 2, the gateway device 10 is configured by connecting to an internal bus 37 a CPU 31, a ROM 32, a RAM 33, a hard disk drive (HDD) 34, and, as communication means, an external network interface (IF) 35 for connecting to the external network 4 and an internal network interface (IF) 36 for connecting to the internal network 9.
- the internal network interface 36 includes a monitoring port 361 that receives output from the mirror port 51 of the switch 5, in addition to a normal port (not shown) that receives output from the normal port of the switch 5.
- an interface to which a computer can be connected may be provided for environment setting of the gateway device 10 or the like.
- FIG. 3 is a block configuration diagram of the gateway device 10 according to the present embodiment. Note that components not used in the description in the present embodiment are omitted from the drawings.
- the gateway device 10 in this embodiment includes an internal communication unit 11, an external communication unit 12, a protocol conversion unit 13, a monitoring communication unit 14, a monitoring data acquisition unit 15, a load state monitoring unit 16, an unauthorized access detection unit 17, an unauthorized access notification unit 18, a monitoring data storage unit 19, and a determination rule storage unit 20.
- the internal communication unit 11 provides a communication function with a network device installed in the building 3 such as the device 8 via the internal network 9.
- the external communication unit 12 provides a communication function with an external device such as the server 2 via the external network 4.
- the protocol conversion unit 13 provides a function of mutually converting the protocols of the server 2 and the device 8.
- the monitoring communication unit 14 receives the packet data input from the monitoring port 361. Since the packet data includes the data to be exchanged and the transmission source, transmission destination, type of data signal, and the like of the data, the monitoring data acquisition unit 15 acquires the packet data received by the monitoring communication unit 14 and stores, in the monitoring data storage unit 19 as monitoring data, the packet data used for detecting unauthorized access among the received packet data.
- the load state monitoring unit 16 monitors the state of the load applied to the gateway device 10.
- the unauthorized access detection unit 17 is provided as a detection unit, and detects unauthorized access to the device 8 by analyzing the data acquired by the monitoring data acquisition unit 15 and stored in the monitoring data storage unit 19, based on the determination rule set in advance in the determination rule storage unit 20.
- the unauthorized access notifying unit 18 is provided as a detection information transmitting unit, and transmits detected information related to unauthorized access to the server 2 via the external communication unit 12 when unauthorized access is detected.
- a determination rule represented by a threshold value, a range, and the like for determining that the signal data is normal is set in advance according to the type of signal data transmitted from the device 8.
- the threshold and the range for determining normality are made clear from the operation results.
- Each component 11 to 18 in the gateway device 10 is realized by a cooperative operation of a computer mounted on the gateway device 10 and a program operating on the CPU 31 mounted on the computer.
- the storage units 19 to 20 are realized by the HDD 34 mounted on the gateway device 10.
- the RAM 33 or an external storage means may be used via a network.
- the program used in this embodiment can be provided not only by communication means but also by storing it in a computer-readable recording medium such as a CD-ROM or USB memory.
- the program provided from the communication means or the recording medium is installed in the computer, and various processes are realized by the CPU 31 of the computer sequentially executing the program.
- the network monitoring system has a feature in the function of the gateway device 10 realized by an application, and other than that, it can use the hardware and the function of each device that has been conventionally used.
- the protocol conversion unit 13 converts the data into a format that matches the protocol adopted by the device 8.
- the internal communication unit 11 transmits the converted data to the device 8.
- the switch 5 outputs the data transmitted from the gateway device 10 from the mirror port 51.
- the protocol conversion unit 13 converts the data into a format that matches the protocol adopted by the server 2.
- the external communication unit 12 transmits the converted data to the server 2.
- the switch 5 outputs the data transmitted from the device 8 from the mirror port 51.
- the gateway device 10 relays data exchanged between the server 2 and the device 8 as normal function processing. In parallel with this normal function processing, the unauthorized access detection processing described below is performed.
- unauthorized access detection processing performed by the gateway device 10 according to the present embodiment will be described with reference to the flowchart shown in FIG.
- an unauthorized access detection application is resident in the RAM 33 and unauthorized access detection processing is always executed.
- in FIG. 4, for convenience, the processing is shown as finishing when the server 2 is notified that unauthorized access has been detected.
- steps 110 and 120 in the flowchart are performed independently of the processing after step 130, but are illustrated as a series of processing for the sake of convenience.
- the switch 5 outputs the data transmitted from the external network 4 side and the internal network 9 side from the mirror port 51 as described above, and the monitoring communication unit 14 receives the data output from the mirror port 51 (step 110). Then, the monitoring data acquisition unit 15 extracts data used for detection of unauthorized access in accordance with a predetermined rule from the received data, and writes the extracted data as monitoring data in the monitoring data storage unit 19 for storage (step 120).
- the load state monitoring unit 16 monitors the load state in the gateway device 10 at regular time intervals. If the load applied to the gateway device 10 exceeds the preset threshold value at this monitoring timing (Y in step 130), it is determined that having the unauthorized access detection unit 17 execute unauthorized access detection processing would increase the load on the gateway device 10 and might hinder the execution of the original relay function of the gateway device 10, and execution of the unauthorized access detection processing by the unauthorized access detection unit 17 is postponed.
- the unauthorized access detection unit 17 confirms the presence or absence of unauthorized access according to the notification from the load state monitoring unit 16. That is, the unauthorized access detection unit 17 compares the monitoring data stored in the monitoring data storage unit 19 with the determination rule registered in the determination rule storage unit 20 to verify whether the monitoring data is abnormal (step 140). As a result of the verification, if it is determined that there is an abnormality (Y in step 150), this monitoring data abnormality is regarded as unauthorized access, and detection information is generated that includes the data determined to be abnormal and information considered necessary for the analysis, such as the transmission source, transmission destination, and transmission date and time of the data (step 160). The unauthorized access notifying unit 18 notifies the server 2 that unauthorized access has been detected by causing the external communication unit 12 to transmit the generated detection information to the server 2 (step 170).
- the abnormality determination based on the monitoring data acquired from the monitoring port 361 is performed only when the load applied to the gateway device 10 is below a certain level, so that it is possible to prevent the load applied to the gateway device 10 from becoming excessive and hindering the execution of the relay function that should normally be performed as a relay device.
- step 130 is repeated and the unauthorized access is not detected. Therefore, even if the load does not fall below the predetermined threshold, if the state where the load applied to the gateway device 10 exceeds the predetermined threshold continues for a preset time or longer, that is, when a timeout occurs, the process may proceed to step 140 and subsequent steps.
- the network monitoring system connects the gateway device 10 to the external network 4 as shown in FIG. 1, connects the switch 5 to the internal network 9, and the monitoring port 361 of the gateway device 10.
- the management device 6 may be provided between the gateway device 10 and the switch 5. The same applies to each embodiment described later.
- FIG. 5 is a block configuration diagram of the gateway device 10 according to the present embodiment.
- symbol is attached
- the gateway device 10 in this embodiment includes an internal communication unit 11, an external communication unit 12, a protocol conversion unit 13, a monitoring communication unit 14, an unauthorized access detection unit 17, an unauthorized access notification unit 18, and a monitoring.
- in the filter information storage unit 22, filter information used for matching processing by the matching processing unit 21 is set in advance.
- a white list in which identification information of a device that can be trusted as a communication partner for exchanging data with the device 8 is registered in the filter information storage unit 22 as filter information.
- the matching processing unit 21 detects unauthorized access to the device 8 by performing a matching process for checking the sender / receiver of the data received by the monitoring communication unit 14 against the white list.
- the matching processing unit 21 is realized by a cooperative operation between a computer mounted on the gateway device 10 and a program operating on the CPU 31 mounted on the computer.
- the filter information storage unit 22 is realized by the HDD 34 mounted on the gateway device 10.
- the RAM 33 or an external storage means may be used via a network.
- the hardware configuration of the gateway device 10 and other device configurations included in the network monitoring system may be the same as those in the first embodiment.
- the unauthorized access detection process in the present embodiment is basically the same as that in the first embodiment. However, it differs in the characteristic processing of the present embodiment and in that the load state is not confirmed because there is no load state monitoring unit 16. That is, when the monitoring communication unit 14 receives data, the matching processing unit 21, as the first stage of unauthorized access detection, checks the partner communicating with the device 8 in the received data against the white list. If the communication partner is not registered in the white list, it is determined that the access corresponding to the data is unauthorized.
- the matching processing unit 21 registers the data in the monitoring data storage unit 19 as monitoring data.
- the unauthorized access detection unit 17 determines whether there is an abnormality in the monitoring data that is not determined as unauthorized access by the matching processing unit 21 as the second stage unauthorized access detection.
- the unauthorized access detection at the second stage performed by the unauthorized access detection unit 17 to be verified may have the same processing contents as in the first embodiment.
- the unauthorized access notification unit notifies the server 2 that unauthorized access has been detected by causing the external communication unit 12 to transmit the detection information generated upon detection of unauthorized access, as in the first embodiment.
- the relatively high-speed matching process with the filter information is performed before the relatively low-speed unauthorized access detection by the unauthorized access detection unit 17 through comparison and verification with the determination rule, so it is possible to speed up the unauthorized access detection process and reduce the processing load on the gateway device 10.
- a white list in which device IDs of reliable communication partners are registered is used as filter information used in the matching process.
- the present invention is not limited to this, and other information, for example, a black list or the like in which identification information of unauthorized devices is registered, may be used.
- FIG. 6 is a block configuration diagram of the gateway device 10 in the present embodiment.
- symbol is attached
- the gateway device 10 in this embodiment includes an internal communication unit 11, an external communication unit 12, a protocol conversion unit 13, a monitoring communication unit 14, a monitoring data acquisition unit 15, an unauthorized access detection unit 17, an unauthorized access notification unit 18, a monitoring data storage unit 19, and a determination rule storage unit 20, and further includes a communication state acquisition unit 23 and a communication state storage unit 24.
- the communication state acquisition unit 23 acquires the output data from the normal port of the switch 5 received by the internal communication unit 11 and stores it in the communication state storage unit 24.
- the communication status acquisition unit 23 is realized by a cooperative operation between a computer installed in the gateway device 10 and a program operating on the CPU 31 installed in the computer.
- the communication state storage unit 24 is realized by the HDD 34 mounted on the gateway device 10.
- the RAM 33 or an external storage means may be used via a network.
- the hardware configuration of the gateway device 10 and other device configurations included in the network monitoring system may be the same as those in the first embodiment.
- a DDoS (Distributed Denial of Service) attack corresponds to this fraud, but an increase in the load on the device 8 due to the DDoS attack is also considered as a form of unauthorized access.
- the gateway device 10 does not relay a packet transmitted from the third party device. The attack cannot be detected.
- the unauthorized access detection unit 17 in the present embodiment can, separately from the unauthorized access detection based on the data input from the monitoring port 361 by the monitoring communication unit 14 described in the above embodiments, detect unauthorized access based on normal data input to the internal communication unit 11 from a normal port.
- the unauthorized access detection unit 17 determines that unauthorized access such as a DDoS attack has been received when, in response to an inquiry such as a data transmission request from the server 2 to the device 8, it takes a long time until the device 8 responds or the response content is abnormal.
- whether or not it took a long time for the device 8 to respond can be determined by comparing the time required for the response with a preset threshold (time limit).
- Whether or not the response content is abnormal may be determined by comparing the value of the normal data with a normal range set in advance according to the type of the normal data.
- the normal data received by the internal communication unit 11 is also analyzed, so that unauthorized access that cannot be detected from the monitoring data can be detected.
- response data to the inquiry from the server 2 is analyzed.
- the gateway device 10 may transmit an inquiry request that requires a response to the device 8 in order to detect unauthorized access.
- the DDoS attack from the inside has been described as an example.
- for other unauthorized access, determination rules such as an appropriate threshold (upper/lower limit), normal range, degree of change in value, and rate of change may similarly be set so that the unauthorized access detection unit 17 can deal with them.
- FIG. 7 is a block configuration diagram of the gateway device 10 in the present embodiment.
- the gateway device 10 in the present embodiment has a configuration in which a detection processing request unit 25 is added to the configuration shown in the first embodiment.
- the detection process request unit 25 transmits the monitoring data stored in the monitoring data storage unit 19 to the server 2 in accordance with the state of the load on the gateway device 10, and requests the server 2 to execute the unauthorized access detection processing performed by the unauthorized access detection unit 17.
- the detection processing request unit 25 is realized by a cooperative operation between a computer mounted on the gateway device 10 and a program that operates on the CPU 31 mounted on the computer.
- the load applied to the gateway device 10 increases, which may impede the execution of the original relay function of the gateway device 10.
- when the load on the gateway device 10 is large and it is preferable that the unauthorized access detection unit 17 not execute the process, or when the unauthorized access detection unit 17 cannot execute the process, the detection processing request unit 25 causes the external communication unit 12 to transmit the monitoring data stored in the monitoring data storage unit 19 to the server 2 and requests the server 2 to execute unauthorized access detection processing.
- the case where it is better not to allow the unauthorized access detection unit 17 to execute the process is a case where the gateway device 10 is heavily loaded because, for example, a huge amount of data is being relayed. If the unauthorized access detection unit 17 executes the process when the gateway device 10 is in an overload state, there is a possibility that the execution of the original relay function of the gateway device 10 may be hindered.
- the case where the unauthorized access detection unit 17 cannot execute the process is, for example, a case where it is necessary to analyze the transition of changes in the monitoring data in order to detect unauthorized access, but the data to be used for that analysis cannot be held.
- the gateway device 10 is loaded with a load equal to or greater than a predetermined threshold, or monitoring data
- the detection process request unit 25 requests the server 2 to execute an unauthorized access detection process.
- the gateway device 10 can be prevented from being overloaded. Further, by requesting the server 2, which has higher performance than the gateway device 10, to execute the unauthorized access detection processing, it is possible to execute more sophisticated detection processing.
- the gateway device 10 further transmits monitoring data to the server 2 in a high load state, but the detection processing request unit 25 determines, in consideration of the traffic of the monitoring data, whether to have the unauthorized access detection unit 17 execute the unauthorized access detection processing or to request it from the server 2.
- FIG. 8 is a block configuration diagram of the gateway device 10 in the present embodiment.
- symbol is attached
- the gateway device 10 in this embodiment includes an internal communication unit 11, an external communication unit 12, a protocol conversion unit 13, a monitoring communication unit 14, a monitoring data acquisition unit 15, an unauthorized access detection unit 17, an unauthorized access notification unit 18, a monitoring data storage unit 19, and a determination rule storage unit 20, and further includes a cooperation processing unit 26.
- the cooperation processing unit 26 provides a function to cooperate with other gateway devices 10.
- the cooperation processing unit 26 is realized by a cooperative operation between a computer mounted on the gateway device 10 and a program operating on the CPU 31 mounted on the computer.
- Groups of gateway devices 10 are formed according to a condition such as buildings 3 that neighbor each other within a predetermined area or buildings 3 owned by the same manager.
- A gateway device 10 representing each group is determined in advance.
- When the server 2 is notified of unauthorized access detected by a gateway device 10, the gateway devices 10 do not each notify the server 2 individually. Instead, the gateway device 10 representing each group collects the detection information on unauthorized access detected within the same group and notifies the server 2.
- The cooperation processing unit 26 in each gateway device 10 transmits detection information to the representative gateway device 10 in the same group. The cooperation processing unit 26 in the representative gateway device 10 then collectively transmits the detection information sent from the gateway devices 10 in the same group to the server 2.
- The group to which each gateway device 10 belongs, and whether or not the device itself is the representative, may be set in advance in the cooperation processing unit 26 or may be registered in a storage unit (not shown).
- As for the timing of transmission to the server 2, the detection information may be transmitted immediately after it is received, or the detection information received within a predetermined period may be transmitted collectively.
- Because the detection information is not transmitted individually from the plurality of gateway devices 10 but is transmitted per group, the number of receptions can be reduced.
- The gateway device 10 monitors the device 8 based on the output data from the mirror port 51 of the switch 5 and detects an abnormality occurring in the device 8, that is, an unauthorized access to the device 8.
- The access detection process has been described.
- The device 8 is monitored by analyzing output data from the normal port of the switch 5 as well.
- The configurations and processing contents described in the above embodiments need not be implemented separately and may be combined as appropriate.
- The gateway device 10 has been described as an example of a relay device. However, the relay device need not be limited to the gateway device 10, as long as it is a communication device with a relay function that relays data communication between the server 2 and the device 8 by connecting the external network 4 and the internal network 9 of the building 3.
- HDD hard disk drive
- IF Internal network interface
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Environmental & Geological Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
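FIG. 1 is an overall configuration diagram showing an embodiment of the network monitoring system according to the present invention. FIG. 1 shows a configuration in which a server 2 installed in a monitoring center 1 and a gateway device 10 installed in a customer's building 3 are connected via an external network 4 such as the Internet. Inside the building 3, in addition to the gateway device 10, a switch 5, a management device 6, a controller 7, and devices 8 such as electrical equipment are installed; of these, the switch 5 and the controller 7 are connected to an internal network 9 such as a LAN. The gateway device 10 and the management device 6 are connected to the switch 5.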
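FIG. 5 is a block configuration diagram of the gateway device 10 in the present embodiment. The same components as in the first embodiment are given the same reference symbols, and their description is omitted. As in the first embodiment, the gateway device 10 in the present embodiment includes an internal communication unit 11, an external communication unit 12, a protocol conversion unit 13, a monitoring communication unit 14, an unauthorized access detection unit 17, an unauthorized access notification unit 18, a monitoring data storage unit 19, and a determination rule storage unit 20, and further includes a matching processing unit 21 and a filter information storage unit 22. Filter information used in the matching process performed by the matching processing unit 21 is set in advance in the filter information storage unit 22. In the present embodiment, a whitelist, in which the identification information of apparatuses that can be trusted as communication partners exchanging data with the device 8 is registered, is stored in the filter information storage unit 22 as the filter information. The matching processing unit 21 detects unauthorized access to the device 8 by performing a matching process that checks the sender and receiver of the data received by the monitoring communication unit 14 against the whitelist.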
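The whitelist matching described for the matching processing unit 21, sketched as an added example (not code from the patent). It assumes the identification information is an IPv4 address and that the mirrored data arrives as Ethernet II frames; the addresses, function names and sample frames are constructed for illustration. Frames that are not flagged are returned separately, as the data the later detection stage would still analyze.

```python
import ipaddress
import struct

# Constructed addresses; treating IPv4 addresses as the "identification
# information" held in the whitelist is an assumption of this example.
DEVICE_IP = ipaddress.ip_address("192.168.10.8")        # device 8
WHITELIST = {ipaddress.ip_address("192.168.10.7"),      # controller 7
             ipaddress.ip_address("192.168.10.6")}      # management device 6
ETHERTYPE_IPV4 = 0x0800


def parse_ipv4_endpoints(frame: bytes):
    """Return (src, dst) for an Ethernet II / IPv4 frame, else None."""
    if len(frame) < 14 + 20:                  # too short for both headers
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    if (frame[14] >> 4) != 4 or (frame[14] & 0x0F) < 5:   # version, header length
        return None
    src, dst = struct.unpack_from("!4s4s", frame, 14 + 12)
    return ipaddress.ip_address(src), ipaddress.ip_address(dst)


def match_frames(frames):
    """Split mirrored frames into whitelist violations and the remainder."""
    violations, to_analyze = [], []
    for frame in frames:
        endpoints = parse_ipv4_endpoints(frame)
        if endpoints and DEVICE_IP in endpoints:
            src, dst = endpoints
            peer = dst if src == DEVICE_IP else src
            if peer not in WHITELIST:
                violations.append((str(src), str(dst)))
                continue
        # Unparseable, unrelated or whitelisted: left for the detection unit.
        to_analyze.append(frame)
    return violations, to_analyze


def build_frame(src, dst, ethertype=ETHERTYPE_IPV4):
    """Construct a minimal Ethernet II + IPv4 header pair (sample data only)."""
    eth = bytes(12) + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return eth + ip


SAMPLE_FRAMES = [
    build_frame("192.168.10.7", "192.168.10.8"),           # controller -> device
    build_frame("192.168.10.8", "192.168.10.6"),           # device -> management
    build_frame("203.0.113.50", "192.168.10.8"),           # unknown peer -> device
    build_frame("192.168.10.6", "192.168.10.7"),           # device 8 not involved
    build_frame("192.168.10.9", "192.168.10.8", 0x0806),   # non-IPv4 EtherType
    bytes(10),                                             # truncated frame
]

if __name__ == "__main__":
    flagged, rest = match_frames(SAMPLE_FRAMES)
    print(flagged, len(rest))
```

Non-IPv4 and truncated frames are passed on rather than dropped, so a frame the matcher cannot interpret is still seen by the later analysis.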
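FIG. 6 is a block configuration diagram of the gateway device 10 in the present embodiment. The same components as in the first embodiment are given the same reference symbols, and their description is omitted. As in the first embodiment, the gateway device 10 in the present embodiment includes an internal communication unit 11, an external communication unit 12, a protocol conversion unit 13, a monitoring communication unit 14, a monitoring data acquisition unit 15, an unauthorized access detection unit 17, an unauthorized access notification unit 18, a monitoring data storage unit 19, and a determination rule storage unit 20, and further includes a communication state acquisition unit 23 and a communication state storage unit 24. The communication state acquisition unit 23 acquires the output data from the normal port of the switch 5 received by the internal communication unit 11 and stores it in the communication state storage unit 24.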
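FIG. 7 is a block configuration diagram of the gateway device 10 in the present embodiment. The same components as in the first embodiment are given the same reference symbols, and their description is omitted. The gateway device 10 in the present embodiment has a configuration in which a detection process request unit 25 is added to the configuration shown in the first embodiment. The detection process request unit 25 transmits the monitoring data stored in the monitoring data storage unit 19 to the server 2 according to the state of the load on the gateway device 10, and requests the server 2 to execute the unauthorized access detection process performed by the unauthorized access detection unit 17. The detection process request unit 25 is realized by cooperative operation between a computer mounted on the gateway device 10 and a program running on the CPU 31 mounted on the computer.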
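One way to model the decision made by the detection process request unit 25, as an added example (not code from the patent). The load unit, the uplink capacity figure, the class and function names and the timeline are assumptions; the `DEFER` branch is also an assumption, combining this embodiment with the claimed behaviour of storing data and analyzing it only while the load is at or below a set level.

```python
from enum import Enum


class Action(Enum):
    LOCAL = "local"      # unauthorized access detection unit 17 analyses the data
    OFFLOAD = "offload"  # detection process request unit 25 asks server 2
    DEFER = "defer"      # assumption: keep the data stored and decide again later


class DetectionDispatcher:
    def __init__(self, load_threshold, uplink_capacity):
        self.load_threshold = load_threshold    # assumed unit: CPU share, 0.0-1.0
        self.uplink_capacity = uplink_capacity  # assumed unit: bytes per interval
        self.stored = []                        # monitoring data storage unit 19
        self.local_batches = []                 # stands in for local analysis
        self.server_batches = []                # stands in for requests to server 2

    def decide(self, load, relay_bytes):
        """Pick where detection runs for the currently stored monitoring data."""
        if not self.stored:
            return Action.DEFER                 # nothing to analyse yet
        if load < self.load_threshold:
            return Action.LOCAL
        # High load: uploading adds traffic, so check the uplink headroom first.
        pending = sum(len(record) for record in self.stored)
        spare = self.uplink_capacity - relay_bytes
        return Action.OFFLOAD if pending <= spare else Action.DEFER

    def step(self, load, relay_bytes, new_records):
        """Store this interval's monitoring data, then act on the decision."""
        self.stored.extend(new_records)
        action = self.decide(load, relay_bytes)
        if action is not Action.DEFER:
            batch, self.stored = self.stored, []
            target = (self.local_batches if action is Action.LOCAL
                      else self.server_batches)
            target.append(batch)
        return action


# Constructed timeline: (gateway load, relayed bytes, new 100-byte records).
TIMELINE = [
    (0.30, 200, 2),
    (0.90, 500, 3),
    (0.95, 900, 3),
    (0.95, 950, 1),
    (0.50, 300, 0),
]


def simulate(timeline, load_threshold=0.8, uplink_capacity=1000):
    """Replay the timeline and return the chosen actions and the dispatcher."""
    dispatcher = DetectionDispatcher(load_threshold, uplink_capacity)
    actions = [dispatcher.step(load, relayed, [bytes(100)] * count).value
               for load, relayed, count in timeline]
    return actions, dispatcher


if __name__ == "__main__":
    print(simulate(TIMELINE)[0])
```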
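FIG. 8 is a block configuration diagram of the gateway device 10 in the present embodiment. The same components as in the first embodiment are given the same reference symbols, and their description is omitted. As in the first embodiment, the gateway device 10 in the present embodiment includes an internal communication unit 11, an external communication unit 12, a protocol conversion unit 13, a monitoring communication unit 14, a monitoring data acquisition unit 15, an unauthorized access detection unit 17, an unauthorized access notification unit 18, a monitoring data storage unit 19, and a determination rule storage unit 20, and further includes a cooperation processing unit 26. The cooperation processing unit 26 provides a function for cooperating with other gateway devices 10. The cooperation processing unit 26 is realized by cooperative operation between a computer mounted on the gateway device 10 and a program running on the CPU 31 mounted on the computer.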
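The group reporting performed through the cooperation processing unit 26 (forward immediately, or collect for a predetermined period and send once), as an added example that is not code from the patent. The class, field names, message layout and sample reports are assumptions made for illustration; `tick` would be driven by a timer on a real device.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RepresentativeGateway:
    """Representative of one group; `sent` stands in for the link to server 2."""
    group: str
    window: float                       # seconds to collect; 0 forwards at once
    pending: list = field(default_factory=list)
    window_start: Optional[float] = None
    sent: list = field(default_factory=list)

    def tick(self, now: float) -> None:
        """Send the collected detections once the collection period is over."""
        if self.pending and now - self.window_start >= self.window:
            self.sent.append({"group": self.group, "sent_at": now,
                              "detections": self.pending})
            self.pending = []

    def receive(self, now: float, gateway_id: str, detail: str) -> None:
        """Accept detection information from a member gateway in the group."""
        self.tick(now)                  # close a period that has already expired
        if not self.pending:
            self.window_start = now     # first report opens a new period
        self.pending.append({"gateway": gateway_id, "at": now, "detail": detail})
        self.tick(now)                  # window == 0: forward immediately


# Constructed reports: (time in seconds, member gateway, detection detail).
REPORTS = [
    (0, "gw-A", "peer not in whitelist"),
    (10, "gw-B", "peer not in whitelist"),
    (59, "gw-C", "abnormal monitoring data"),
    (75, "gw-A", "peer not in whitelist"),
]


def replay(window, reports, end_time):
    """Feed the reports to a representative and return what reached the server."""
    rep = RepresentativeGateway(group="group-1", window=window)
    for now, gateway_id, detail in reports:
        rep.receive(now, gateway_id, detail)
    rep.tick(end_time)                  # final timer expiry
    return rep.sent


if __name__ == "__main__":
    print(len(replay(60, REPORTS, 140)), len(replay(0, REPORTS, 140)))
```

With the 60-second window the server receives two messages for the four detections; with immediate forwarding it receives four.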
Claims (7)
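- A relay device that relays data communicated between a server connected to an external network outside a facility and a device connected directly or indirectly to an internal network inside the facility, the relay device comprising:
data acquisition means for acquiring data output from a mirror port of a network switch connected to the internal network;
detection means for detecting unauthorized access to the device by analyzing the data acquired by the data acquisition means; and
detection information transmission means for transmitting, when unauthorized access is detected, detection information on that unauthorized access to the server.
- The relay device according to claim 1, further comprising:
load state monitoring means for monitoring the state of the load on the relay device; and
data storage means for storing the data acquired by the data acquisition means,
wherein the detection means analyzes the data only when the load on the relay device is at or below a predetermined level.
- The relay device according to claim 1, further comprising matching processing means for detecting unauthorized access to the device by a matching process between the data acquired by the data acquisition means and preset filter information,
wherein the detection means detects unauthorized access to the device by analyzing data in which no unauthorized access was detected by the matching process of the matching processing means.
- The relay device according to claim 1, wherein the detection means detects unauthorized access to the device by analyzing data from the device that is output from a normal port of the network switch.
- The relay device according to claim 1, further comprising:
load state monitoring means for monitoring the load state of the relay device;
data storage means for storing the data acquired by the data acquisition means; and
detection process request means for transmitting the data stored in the data storage means to the server according to the state of the load on the relay device and requesting the server to execute the unauthorized access detection process performed by the detection means.
- A network monitoring system comprising:
a server connected to an external network outside a facility;
a device connected directly or indirectly to an internal network inside the facility;
a relay device that relays data communicated between the server and the device; and
a network switch that is connected to the internal network and transmits data input from a normal port to the relay device from a mirror port,
wherein the relay device comprises:
data acquisition means for acquiring data output from the mirror port of the network switch;
detection means for detecting unauthorized access to the device by analyzing the data acquired by the data acquisition means; and
detection information transmission means for transmitting, when unauthorized access is detected, detection information on that unauthorized access to the server.
- A program for causing a computer mounted on a relay device, which relays data communicated between a server connected to an external network outside a facility and a device connected directly or indirectly to an internal network inside the facility, to function as:
data acquisition means for acquiring data output from a mirror port of a network switch connected to the internal network;
detection means for detecting unauthorized access to the device by analyzing the data acquired by the data acquisition means; and
detection information transmission means for transmitting, when unauthorized access is detected, detection information on that unauthorized access to the server.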
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2017521382A JP6258562B2 (ja) | 2015-06-02 | 2015-06-02 | Relay device, network monitoring system, and program |
EP15894158.3A EP3306868B1 (en) | 2015-06-02 | 2015-06-02 | Relay device, network monitoring system, and program |
US15/576,642 US10826915B2 (en) | 2015-06-02 | 2015-06-02 | Relay apparatus, network monitoring system, and program |
CN201580080557.3A CN107735987A (zh) | 2015-06-02 | 2015-06-02 | Relay device, network monitoring system, and program |
PCT/JP2015/065848 WO2016194123A1 (ja) | 2015-06-02 | 2015-06-02 | Relay device, network monitoring system, and program |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2015/065848 WO2016194123A1 (ja) | 2015-06-02 | 2015-06-02 | Relay device, network monitoring system, and program |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016194123A1 (ja) | 2016-12-08 |
Family
ID=57441094
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2015/065848 WO2016194123A1 (ja) | Relay device, network monitoring system, and program | 2015-06-02 | 2015-06-02 |
Country Status (5)
Country | Link |
---|---|
US (1) | US10826915B2 (ja) |
EP (1) | EP3306868B1 (ja) |
JP (1) | JP6258562B2 (ja) |
CN (1) | CN107735987A (ja) |
WO (1) | WO2016194123A1 (ja) |
-
2015
- 2015-06-02 JP JP2017521382A patent/JP6258562B2/ja not_active Expired - Fee Related
- 2015-06-02 EP EP15894158.3A patent/EP3306868B1/en active Active
- 2015-06-02 CN CN201580080557.3A patent/CN107735987A/zh active Pending
- 2015-06-02 WO PCT/JP2015/065848 patent/WO2016194123A1/ja active Application Filing
- 2015-06-02 US US15/576,642 patent/US10826915B2/en active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2012169731A (ja) * | 2011-02-10 | 2012-09-06 | Yokogawa Electric Corp | Unauthorized packet extraction device |
Non-Patent Citations (1)
Title |
---|
HIROSHI NISHIHARA: "Professional ni Manabu Enterprise Security", MONTHLY ASCII DOT TECHNOLOGIES, vol. 15, no. 9, 24 July 2010 (2010-07-24), pages 122 - 125, XP009504676 * |
Also Published As
Publication number | Publication date |
---|---|
CN107735987A (zh) | 2018-02-23 |
US20180183816A1 (en) | 2018-06-28 |
US10826915B2 (en) | 2020-11-03 |
EP3306868A4 (en) | 2019-01-02 |
EP3306868A1 (en) | 2018-04-11 |
JP6258562B2 (ja) | 2018-01-10 |
EP3306868B1 (en) | 2021-02-17 |
JPWO2016194123A1 (ja) | 2017-07-20 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 15894158 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2017521382 Country of ref document: JP Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 15576642 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2015894158 Country of ref document: EP |