WO2023112174A1 - Data processing device, data processing method, and program - Google Patents

Data processing device, data processing method, and program Download PDF

Info

Publication number
WO2023112174A1
WO2023112174A1 PCT/JP2021/046134 JP2021046134W WO2023112174A1 WO 2023112174 A1 WO2023112174 A1 WO 2023112174A1 JP 2021046134 W JP2021046134 W JP 2021046134W WO 2023112174 A1 WO2023112174 A1 WO 2023112174A1
Authority
WO
WIPO (PCT)
Prior art keywords
processing
data
unit
receiving
result
Prior art date
Application number
PCT/JP2021/046134
Other languages
French (fr)
Japanese (ja)
Inventor
悠介 関原
奈美子 池田
寛之 鵜澤
晶子 大輝
彩希 八田
周平 吉田
Original Assignee
日本電信電話株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電信電話株式会社 filed Critical 日本電信電話株式会社
Priority to PCT/JP2021/046134 priority Critical patent/WO2023112174A1/en
Publication of WO2023112174A1 publication Critical patent/WO2023112174A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/04Processing captured monitoring data, e.g. for logfile generation

Definitions

  • the present invention relates to a data processing device, a data processing method, and a program.
  • TCAM is mounted as a dedicated chip, there is a problem that it cannot be introduced unless it is an expensive dedicated device.
  • a design method using a high-level language such as C or JAVA which is easy to adapt to a new field with a small number of man-hours, is used.
  • FIG. 9 shows a data processing device 910 as a comparative example that can be considered as a device employing sequential processing.
  • the processing by the processing execution unit 914 is started. Therefore, the processing execution unit 914 has to wait until all the output data (processing results) from the units 911 to 913 are available, and the operation efficiency of the processing execution unit is poor.
  • Such a problem can also be applied to general data processing devices other than the data processing device 910 .
  • An object of the present invention is to improve the operational efficiency of the processing execution unit.
  • a data processing apparatus includes a receiving section that executes reception processing for receiving and outputting data, and a first processing for the data output from the reception section. a first processing unit that outputs a first processing result of the first processing; and a second processing unit that executes a second processing on the data after the first processing and outputs a second processing result of the second processing.
  • a second processing unit that receives the data from the receiving unit, receives the first processing result from the first processing unit, receives the second processing result from the second processing unit, and receives the received a processing execution unit that executes processing based on data, the first processing result, and the second processing result, wherein at least the first processing out of the reception processing, the first processing, and the second processing and the processing time of each of the second processing is constant irrespective of the content of the data to be processed, and the processing execution unit performs the processing of the data and the second processing of the data before receiving the second processing result. 1 Start processing using at least one of the processing results.
  • a data processing method includes a receiving step of executing a receiving process of receiving and outputting data, and executing a first process on the data output in the receiving step. a first processing step of outputting a first processing result of the first processing; and executing a second processing on the data after the first processing, and outputting a second processing result of the second processing.
  • a second processing step for receiving the data output in the receiving step, receiving the first processing result output in the first processing step, and receiving the second processing result output in the second processing step; a processing execution step of receiving a processing result and executing processing based on the received data, the first processing result, and the second processing result;
  • the processing time for each of at least the first process and the second process is constant regardless of the content of data to be processed, and in the process execution step, before receiving the result of the second process Processing using at least one of the data and the first processing result of the data is started.
  • a computer includes a receiving step of executing a receiving process of receiving and outputting data in the computer, and performing a first process on the data output in the receiving step. a first processing step of executing and outputting a first processing result of the first processing; and executing a second processing on the data after the first processing and outputting a second processing result of the second processing. a second processing step of outputting; receiving the data output in the receiving step; receiving the first processing result output in the first processing step; and receiving the first processing result output in the second processing step.
  • the operational efficiency of the processing execution unit is improved.
  • FIG. 1 is a configuration diagram of a data processing device according to one embodiment of the present invention.
  • FIG. 2 is a diagram showing an example of the data structure of a packet.
  • FIG. 3 is a diagram showing a configuration example of a rule table.
  • FIG. 4 is a diagram for explaining a method for making the processing time constant.
  • FIG. 5 is a diagram for explaining a method for making the processing time constant.
  • FIG. 6 is a timing chart showing the operation of the data processing device.
  • FIG. 7 is a timing chart showing the operation of the data processing device.
  • FIG. 8 is a configuration diagram when the data processing apparatus of FIG. 1 is configured by a computer.
  • 1 is a configuration diagram of a data processing device according to a comparative example;
  • the data processing apparatus 10 includes a receiving section 11, a time stamp section 12 configured as a first processing section, and a packet identification section 13 configured as a second processing section. , a process execution unit 14 , an output unit 15 , and a storage unit 19 .
  • the data processing device 10 having such a configuration is configured as a traffic monitoring device that monitors the traffic of the communication network NW for each flow.
  • each of the above units 11 to 14 is composed of a logic circuit written in, for example, FPGA (Field-Programmable Gate Array), ASIC (Application Specific Integrated Circuit), or the like. At least part of each unit 11 to 14 may be configured by a processor such as a CPU (Central Processing Unit) that executes programs.
  • the storage unit 19 is composed of an appropriate non-volatile storage device such as a flash memory or SSD (Solid State Drive).
  • the storage unit 19 may be composed of at least a part of memory such as FPGA (Field-Programmable Gate Array), ASIC (Application Specific Integrated Circuit), or the like.
  • Each of the units 11 to 14 may include a memory that temporarily holds data being processed.
  • the receiving unit 11 receives a packet (more specifically, a mirroring packet) flowing through the communication network NW, and executes reception processing for outputting it to the time stamp unit 12 and the processing execution unit 14 .
  • a packet consists of data (also called payload) and a header placed before the data.
  • Each data that constitutes the header has meaning for each certain number of bits.
  • This meaningful bit-delimited data is called a header field value, and a group of packets with matching header field values is called a flow. Therefore, the header field value is also information that identifies the flow.
  • the header field value may include IP (Internet Protocol) addresses indicating the source and destination of the L3 header.
  • a flow may be, for example, a set of packets having a common header field value indicating at least one of destination, source, and communication protocol.
  • the time stamp unit 12 refers to a real-time clock or the like, generates a time stamp for the packet output from the reception unit 11, and executes time stamp processing for outputting the generated time stamp to the processing execution unit 14.
  • the time stamp unit 12 outputs the packet from the reception unit 11 to the packet identification unit 13 . At this time, the packet may be given a time stamp.
  • the packet identification unit 13 identifies the flow to which the packet from the timestamp unit 12 for which the timestamp is generated belongs, and performs packet identification processing to output a flow ID, which is flow information identifying the identified flow.
  • the packet identification unit 13 includes a header analysis unit 13A, a hash calculation unit 13B, and a rule matching unit 13C. These units 13A and 13B perform the following processes to perform packet identification processing.
  • a packet input from the time stamp unit 12 to the packet identification unit 13 is first input to the header analysis unit 13A.
  • the header analysis unit 13A analyzes the header of the input packet and executes analysis processing for extracting header field values from the header.
  • the extracted header field value is input to hash calculator 13B.
  • the hash calculation unit 13B executes hash calculation processing for hashing the input header field value.
  • the hash calculation unit 13B outputs the hashed header field value together with the time stamp to the rule matching unit 13C.
  • the rule matching unit 13C matches the input header field value (hashed header field value) with a predetermined packet belonging to the monitored flow registered in the rule table 19A stored in the storage unit 19. Executes a matching process that compares the rule with As shown in FIG. 3, rules registered in the rule table 19A are registered for each flow, and one rule consists of a header field value (hashed header field value) of the flow and and the associated flow ID. A flow ID may consist of a rule ID that identifies a rule.
  • the rule matching unit 13C refers to each rule in the rule table 19A and acquires the flow ID corresponding to the input header field value.
  • the rule matching unit 13 ⁇ /b>C outputs the acquired flow ID to the process execution unit 14 .
  • the processing execution unit 14 receives a packet from the reception unit 11, receives a time stamp from the time stamp unit 12, receives a flow ID from the packet identification unit 13, and performs processing based on the received packet, time stamp, and flow ID. (here, the processing required for traffic monitoring).
  • the processing execution unit 14 includes an aggregation unit 14A, a packet capture unit 14B, and an anomaly detection unit 14C as calculation units that execute the above processing.
  • the aggregation unit 14A counts the number of times the flow ID is input from the packet identification unit 13 for each flow ID, that is, for each flow.
  • the counted number of receptions can be said to be the number of packets received by the receiving unit 11, that is, the number of packets.
  • the counting unit 14A measures the amount of data based on the packets from the receiving unit 11, and integrates the measured amount of data for each flow.
  • the tallying unit 14A outputs the number of packets counted or integrated during the predetermined period and the amount of data for each flow to the output unit 15 at regular intervals as a tallying result.
  • the processing result may be either the number of packets or the amount of data.
  • the packet capture unit 14B executes packet capture to store packets from the reception unit 11 in the storage unit 19. Furthermore, the packet capture unit 14B adds a time stamp from the time stamp unit 12. FIG.
  • the anomaly detection unit 14C detects a traffic anomaly (for example, , microbursts, etc.). When detecting traffic anomaly, the anomaly detection unit 14C outputs to the output unit 15 as anomaly occurrence information that the traffic anomaly has occurred.
  • the anomaly occurrence information may include information on the type of traffic anomaly that has occurred.
  • the output unit 15 outputs the result of processing by the processing execution unit 14, here, the aggregated result from the aggregation unit 14A and the abnormality occurrence information from the abnormality detection unit 14C.
  • the output unit 15 displays the tally result and/or the abnormality occurrence information on, for example, a display unit provided in the data processing device 10 .
  • the output unit 15 outputs, for example, the abnormality occurrence information to a predetermined processing unit provided inside or outside the data processing device 10, and the processing unit outputs the traffic abnormality detected flow based on the abnormality occurrence information. You may perform the process for interrupting communication about.
  • the output unit 15 may acquire packets captured by the packet capture unit 14B and output the acquired packets to a device external to the data processing device 10 .
  • the receiving section 11 is configured such that the processing time for receiving processing (hereinafter also referred to as processing time A) is constant regardless of the data content of the packet input to the receiving section 11 .
  • the time stamp unit 12 is also configured such that the processing time for time stamp processing (hereinafter also referred to as processing time B) is constant regardless of the data content of the packet input to the time stamp unit 12 .
  • the packet identification unit 13 is also configured such that the processing time for packet identification processing (hereinafter also referred to as processing time C) is constant regardless of the data content of the packet input to the packet identification unit 13 . In other words, each of the units 11 to 13 completes necessary processing for any input data (data to be processed) within a certain processing time.
  • Each start timing of the processing times A to C is, for example, the timing at which data input is started.
  • the end timing of each of the processing times A to C is, for example, the timing at which the output of data (processing results, etc.) is started.
  • the processing times A to C may be the same processing time, or may be different times.
  • the fact that the processing time A is the same for any packet processing means that the processing in the receiving unit 11 is completed within a certain processing time regardless of which processing branch is passed through. For example, as shown in the upper diagram of FIG. 4, if the processing time of the process A after branching is 3 clock cycles and the processing time of the process B is 2 clock cycles, then the process shown in the lower diagram A delay circuit for one clock cycle is inserted after B. This makes the processing time after branching constant. Alternatively, as shown in FIG. 5, part of the processing A after branching is parallelized to shorten the processing time to two clock cycles. This makes the processing time after branching constant. The same applies to the time stamp section 12 and the packet identification section 13 as well. Note that the adjustment of the processing time is not limited to this.
  • Each unit 11 to 13 measures the time from the start of processing with a timer or the like, and outputs the data of the processing result until the time from the start of processing measured by the timer or the like reaches the processing times A to C even after the processing is completed. may wait.
  • the receiving unit 11 executes the receiving process during the processing time A.
  • a packet received in the reception process is input to the time stamp unit 12 and the process execution unit 14 (timing T2).
  • the time stamp unit 12 executes time stamp processing during the processing time B, triggered by the packet input from the reception unit 11 .
  • the time stamp added by the time stamp processing is input to the processing execution unit 14, and the packet to which the time stamp is to be added is input to the packet identification unit 13 (timing T3).
  • the packet identification unit 13 executes packet identification processing in processing time C, triggered by the packet input from the time stamp unit 12 .
  • the flow ID and the like acquired in the packet identification process are input to the process execution unit 14 (timing T4).
  • the processing execution unit 14 can identify which data is input to itself in relation to the processing times A to C. This is because the processing times A to C are constant as described above. For example, the reception unit 11 transmits a packet reception notification to the processing execution unit 14 at the start of packet reception processing (timing T1).
  • the packet After sending the reception notification, the packet is input to the processing execution unit 14 without fail after the processing time A has elapsed (timing T2). Therefore, the processing execution unit 14 recognizes data input after the processing time A has elapsed after receiving the reception notification as a packet.
  • the processing execution unit 14 performs packet capture, for example, by storing packets in the storage unit 19 using the packet capture unit 14B.
  • the processing execution unit 14 After the processing time B has elapsed from the input of the packet, the time stamp is always input to the processing execution unit 14 (timing T3). Therefore, the processing execution unit 14 recognizes the data input after the processing time B has elapsed after the packet is input as the time stamp given to the packet. For example, the processing execution unit 14 associates the time stamp input from the time stamp unit 12 with the packet stored in the storage unit 19 by the packet capture unit 14B, and stores the time stamp in the storage unit 19. Memorize. Note that the process execution unit 14 may hold the packet, add a time stamp to the packet, and store the packet in the storage unit 19 when the time stamp is input.
  • the processing execution unit 14 After the time stamp is input, the flow ID and the like obtained by the packet identification process are input to the process execution unit 14 after the processing time C has elapsed (timing T4). Therefore, the processing execution unit 14 recognizes the data input after the processing time C has elapsed after the time stamp is input as the flow ID of the flow to which the current packet belongs. The processing execution unit 14 executes the processing of the aggregation unit 14A and the processing of the abnormality detection unit 14C based on the flow ID and the like.
  • the processing execution unit 14 determines which data arrived at which timing based on the designed processing times A to C of the respective units 11 to 13 for each data input at different timings. can do. . Then, the processing execution unit 14 uses at least one of the packet and the time stamp of the packet (for example, packet capture and time stamping in FIG. 6) before the flow ID of the packet is input. Processing can begin. As a result, the process execution unit 14 does not wait until the flow ID or the like is input before starting the process as in the comparative example, thereby improving the operation efficiency.
  • the processing execution unit 14 receives a packet from the reception unit 11, and processes a plurality of pieces of data, which are input for each predetermined processing time of the time stamp processing and the packet identification processing, as a time stamp for the packet, Then, the processing is executed as the flow ID for the packet. This prevents the processing execution unit 14 from confusing the time stamp or flow ID of one packet with the time stamp or flow ID of another packet.
  • each of the units 11 to 13 in the preceding stage of the processing execution unit 14 can sequentially accept subsequent input data after data output has been completed. As shown in FIG. 7, for example, after the receiving unit 11 outputs the first packet (see “receiving process” indicated by the solid line), before the packet identification process by the packet identifying unit 13 is completed, the receiving unit 11 outputs the second packet (referred to by the dotted line). (See “Receiving Process”). As a result, the speed of data processing is increased.
  • At least one of the header analysis unit 13A and the hash calculation unit 13B of the packet identification unit 13 may output processing result data to the processing execution unit 14.
  • the processing execution unit 14 may perform a predetermined processing based on the input processing result data. In such a case, the processing time of each section 13A to 13C of the packet identification section 13 should also be constant regardless of the contents of the data to be processed.
  • the processing execution unit 14 may detect the input of a packet by its data content, etc. In this case, which data is the time stamp and flow ID is specified based on the processing times B and C after the packet is input. can.
  • FIG. 8 shows a hardware configuration diagram when the data processing device 10 is configured by a computer.
  • the data processing device 10 includes a processor 101 such as a CPU, a main memory 102 of the processor 101, and a non-volatile storage device 103 that stores programs and various data and constitutes the storage unit 19 in FIG. Further, the data processing device 10 includes a NIC (Network Interface Card) 104 that is connected to the communication network NW and relays packets.
  • the processor 101 executes or uses programs and data stored in the storage device 103 and read out to the main memory 102 to operate as the units 11 to 15 described above. Note that the receiving unit 11 and the output unit 15 may be implemented by a combination of the processor 101 executing the program and the NIC 104 .
  • the data processing device 10 is not limited to the above configuration.
  • the data processing apparatus 10 includes, for example, a receiving unit (receiving unit 11 in the above configuration) that executes reception processing for receiving and outputting data (packets in the above configuration), and for the data output from the receiving unit: a first processing unit (time stamp unit 12 in the above configuration) that executes a first process (time stamp processing in the above configuration) and outputs a first processing result (time stamp in the above configuration) of the first process; be prepared.
  • the data processing device 10 performs, for example, a second process (a packet identification process in the above configuration) on the data after the first process, and outputs a second process result of the second process.
  • a processing execution unit (In the above, the processing execution unit 14) can be provided.
  • the processing time of at least the first processing and the second processing out of the reception processing, the first processing, and the second processing may be constant regardless of the content of the data to be processed.
  • the processing execution unit Before receiving the second processing result, the processing execution unit often performs processing using at least one of the data and the first processing result of the data (in the above description, packet capture, time stamping in FIG. 6, ) may be started.
  • the processing execution unit does not wait until the second processing result is input before starting the processing, and the operation efficiency of the processing execution unit is improved.
  • the data may be image data
  • the first processing may be image binarization processing
  • the second processing may be image recognition for the binarized image.
  • the processing execution unit may execute processing for storing the image data, the binarized image, and the result of image recognition in the storage unit.
  • the processing execution unit receives the data from the reception unit and processes the plurality of data input at predetermined processing time intervals for each of the first processing and the second processing.
  • the processing may be performed as the first processing result and the second processing result, thereby preventing the first processing result and the second processing result for certain data from being mistaken for processing results for other data. .
  • the receiving section After outputting the first data as the data, the receiving section is capable of receiving second data as the other data before the second processing ends. This improves the processing speed.
  • the present invention is not limited to the above embodiments and modifications.
  • the present invention includes various modifications to the above embodiments and modifications that can be understood by those skilled in the art within the scope of the technical idea of the present invention.
  • the configurations described in the above embodiments and modified examples can be appropriately combined within a consistent range. It is also possible to delete any configuration among the above configurations.
  • the program may be stored not only in the non-volatile storage device 103 but also in a non-temporary computer-readable storage medium.
  • "Apparatus” and "unit” refer to an object whose configuration realizing its operation is housed in a plurality of housings, even if the configuration realizing its operation is housed in a single housing ( system).

Landscapes

  • Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This data processing device (10) comprises a process executing unit (14) that receives a packet from a reception unit (11), receives a timestamp from a timestamp unit (12), receives flow information from a packet identifying unit (13), and executes processing based on the received packet, timestamp, and flow information. The respective processing times of the reception processing by the reception unit, timestamp processing by the timestamp unit, and packet identification processing by the packet identifying unit are constant regardless of the contents of the data to be processed. The process executing unit starts processing using at least one of a packet and a timestamp for the packet before the flow information for the packet is input thereto.

Description

データ処理装置、データ処理方法、及び、プログラムDATA PROCESSING DEVICE, DATA PROCESSING METHOD, AND PROGRAM
 本発明は、データ処理装置、データ処理方法、及び、プログラムに関する。 The present invention relates to a data processing device, a data processing method, and a program.
 ネットワークにおいてその通信状況を把握するため、ネットワークを流れるパケット及びその情報を取得することが一般的に行われている。従来はネットワーク上のパケットはその設計思想において固有のフィールド構造を持っていることが一般的であったが、ネットワークの仮想化が進み複数のネットワークが単一の物理構成上で構成されるようになったことに伴い、ネットワーク上のパケットのフィールド構造は一意に定まらなくなってきている。このような状況において、通信データの識別装置にはパケットのフィールド構造に対して柔軟に識別対象を選択できることが要求されている。このような課題を解決するものとして、一般にはTCAM(Ternary Content Addressable Memory)を用いた比較一致方式がある(例えば、非特許文献1)。しかし、TCAMは専用のチップとして実装されるため、高価な専用装置でないと導入できないという問題がある。これに対し専用チップでないハードウェア及びソフトウェアにおいてはCやJAVAなどの少ない工数で新たなフィールドに対応させやすい高位言語を用いた設計手法が用いられている。 In order to understand the communication status in the network, it is common practice to acquire the packets flowing through the network and their information. In the past, it was common for packets on a network to have a unique field structure in their design concept, but as network virtualization progresses, multiple networks are configured on a single physical configuration. As a result, the field structure of packets on the network is no longer uniquely determined. Under such circumstances, a communication data identification device is required to be able to flexibly select an identification object with respect to the field structure of a packet. As a solution to such problems, there is generally a comparison and matching method using TCAM (Ternary Content Addressable Memory) (for example, Non-Patent Document 1). However, since the TCAM is mounted as a dedicated chip, there is a problem that it cannot be introduced unless it is an expensive dedicated device. On the other hand, for hardware and software that are not dedicated chips, a design method using a high-level language such as C or JAVA, which is easy to adapt to a new field with a small number of man-hours, is used.
 高位言語は手続き型の記述言語であり、逐次行われる処理に対する記述となる。図9に、逐次処理を採用した装置として考えられる比較例としてのデータ処理装置910を示す。この比較例では、受信部911、タイムスタンプ部912、パケット識別部913それぞれからの出力データがバッファ919に全て格納されてから、処理実行部914による処理が開始される。従って、処理実行部914は、各部911~913からの出力データ(処理結果)が出揃うまで待機する必要があり、処理実行部の動作効率が悪い。このような課題は、データ処理装置910以外のデータ処理装置一般にもいえる。 A high-level language is a procedural description language, and is a description of processes that are performed sequentially. FIG. 9 shows a data processing device 910 as a comparative example that can be considered as a device employing sequential processing. In this comparative example, after all the output data from the receiving unit 911, the time stamp unit 912, and the packet identification unit 913 are stored in the buffer 919, the processing by the processing execution unit 914 is started. Therefore, the processing execution unit 914 has to wait until all the output data (processing results) from the units 911 to 913 are available, and the operation efficiency of the processing execution unit is poor. Such a problem can also be applied to general data processing devices other than the data processing device 910 .
 本発明は、処理実行部の動作効率を良くすることを課題とする。 An object of the present invention is to improve the operational efficiency of the processing execution unit.
 上記課題を解決するために、本発明に係るデータ処理装置は、データを受信して出力する受信処理を実行する受信部と、前記受信部から出力された前記データに対して第1処理を実行し、当該第1処理の第1処理結果を出力する第1処理部と、前記第1処理のあとに前記データに対して第2処理を実行し、当該第2処理の第2処理結果を出力する第2処理部と、前記受信部から前記データを受信し、前記第1処理部から前記第1処理結果を受信し、前記第2処理部から前記第2処理結果を受信し、受信した前記データと前記第1処理結果と前記第2処理結果とに基づく処理を実行する処理実行部と、を備え、前記受信処理、前記第1処理、及び、前記第2処理のうち少なくとも前記第1処理及び前記第2処理のそれぞれの処理時間は、処理対象のデータの内容によらず一定であり、前記処理実行部は、前記第2処理結果を受信する前に前記データと前記データについての前記第1処理結果との少なくとも一方を用いた処理を開始する。 In order to solve the above problems, a data processing apparatus according to the present invention includes a receiving section that executes reception processing for receiving and outputting data, and a first processing for the data output from the reception section. a first processing unit that outputs a first processing result of the first processing; and a second processing unit that executes a second processing on the data after the first processing and outputs a second processing result of the second processing. a second processing unit that receives the data from the receiving unit, receives the first processing result from the first processing unit, receives the second processing result from the second processing unit, and receives the received a processing execution unit that executes processing based on data, the first processing result, and the second processing result, wherein at least the first processing out of the reception processing, the first processing, and the second processing and the processing time of each of the second processing is constant irrespective of the content of the data to be processed, and the processing execution unit performs the processing of the data and the second processing of the data before receiving the second processing result. 1 Start processing using at least one of the processing results.
 上記課題を解決するために、本発明に係るデータ処理方法は、データを受信して出力する受信処理を実行する受信ステップと、前記受信ステップで出力された前記データに対して第1処理を実行し、当該第1処理の第1処理結果を出力する第1処理ステップと、前記第1処理のあとに前記データに対して第2処理を実行し、当該第2処理の第2処理結果を出力する第2処理ステップと、前記受信ステップで出力された前記データを受信し、前記第1処理ステップで出力された前記第1処理結果を受信し、前記第2処理ステップで出力された前記第2処理結果を受信し、受信した前記データと前記第1処理結果と前記第2処理結果とに基づく処理を実行する処理実行ステップと、を備え、前記受信処理、前記第1処理、及び、前記第2処理のうち少なくとも前記第1処理及び前記第2処理のそれぞれの処理時間は、処理対象のデータの内容によらず一定であり、前記処理実行ステップでは、前記第2処理結果を受信する前に前記データと前記データについての前記第1処理結果との少なくとも一方を用いた処理を開始する。 In order to solve the above problems, a data processing method according to the present invention includes a receiving step of executing a receiving process of receiving and outputting data, and executing a first process on the data output in the receiving step. a first processing step of outputting a first processing result of the first processing; and executing a second processing on the data after the first processing, and outputting a second processing result of the second processing. a second processing step for receiving the data output in the receiving step, receiving the first processing result output in the first processing step, and receiving the second processing result output in the second processing step; a processing execution step of receiving a processing result and executing processing based on the received data, the first processing result, and the second processing result; Of the two processes, the processing time for each of at least the first process and the second process is constant regardless of the content of data to be processed, and in the process execution step, before receiving the result of the second process Processing using at least one of the data and the first processing result of the data is started.
 上記課題を解決するために、本発明に係るコンピュータは、コンピュータに、データを受信して出力する受信処理を実行する受信ステップと、前記受信ステップで出力された前記データに対して第1処理を実行し、当該第1処理の第1処理結果を出力する第1処理ステップと、前記第1処理のあとに前記データに対して第2処理を実行し、当該第2処理の第2処理結果を出力する第2処理ステップと、前記受信ステップで出力された前記データを受信し、前記第1処理ステップで出力された前記第1処理結果を受信し、前記第2処理ステップで出力された前記第2処理結果を受信し、受信した前記データと前記第1処理結果と前記第2処理結果とに基づく処理を実行する処理実行ステップと、を実行させ、前記受信処理、前記第1処理、及び、前記第2処理のうち少なくとも前記第1処理及び前記第2処理のそれぞれの処理時間は、処理対象のデータの内容によらず一定であり、前記処理実行ステップでは、前記第2処理結果を受信する前に前記データと前記データについての前記第1処理結果との少なくとも一方を用いた処理を開始する。 In order to solve the above problems, a computer according to the present invention includes a receiving step of executing a receiving process of receiving and outputting data in the computer, and performing a first process on the data output in the receiving step. a first processing step of executing and outputting a first processing result of the first processing; and executing a second processing on the data after the first processing and outputting a second processing result of the second processing. a second processing step of outputting; receiving the data output in the receiving step; receiving the first processing result output in the first processing step; and receiving the first processing result output in the second processing step. 2 receiving a processing result, causing a processing execution step of executing processing based on the received data, the first processing result, and the second processing result, and performing the reception processing, the first processing, and Each processing time of at least the first processing and the second processing of the second processing is constant regardless of the contents of data to be processed, and the processing execution step receives the result of the second processing. A process using at least one of the data and the first process result on the data is started.
 本発明によれば、処理実行部の動作効率が良くなる。 According to the present invention, the operational efficiency of the processing execution unit is improved.
図1は、本発明の一実施形態に係るデータ処理装置の構成図である。FIG. 1 is a configuration diagram of a data processing device according to one embodiment of the present invention. 図2は、パケットのデータ構造の一例を示す図である。FIG. 2 is a diagram showing an example of the data structure of a packet. 図3は、ルールテーブルの構成例を示す図である。FIG. 3 is a diagram showing a configuration example of a rule table. 図4は、処理時間を一定とするための方法を説明するための図である。FIG. 4 is a diagram for explaining a method for making the processing time constant. 図5は、処理時間を一定とするための方法を説明するための図である。FIG. 5 is a diagram for explaining a method for making the processing time constant. 図6は、データ処理装置の動作を示すタイミングチャートである。FIG. 6 is a timing chart showing the operation of the data processing device. 図7は、データ処理装置の動作を示すタイミングチャートである。FIG. 7 is a timing chart showing the operation of the data processing device. 図8は、図1のデータ処理装置をコンピュータにより構成したときの構成図である。FIG. 8 is a configuration diagram when the data processing apparatus of FIG. 1 is configured by a computer. 比較例に係るデータ処理装置の構成図である。1 is a configuration diagram of a data processing device according to a comparative example; FIG.
 以下、本発明の実施の形態について図面を参照して説明する。 Hereinafter, embodiments of the present invention will be described with reference to the drawings.
 本実施の形態に係るデータ処理装置10は、図1に示すように、受信部11と、第1処理部として構成されたタイムスタンプ部12と、第2処理部として構成されたパケット識別部13と、処理実行部14と、出力部15と、記憶部19と、を備える。このような構成のデータ処理装置10は、通信ネットワークNWのトラフィックをフローごとに監視するトラフィック監視装置として構成されている。 As shown in FIG. 1, the data processing apparatus 10 according to the present embodiment includes a receiving section 11, a time stamp section 12 configured as a first processing section, and a packet identification section 13 configured as a second processing section. , a process execution unit 14 , an output unit 15 , and a storage unit 19 . The data processing device 10 having such a configuration is configured as a traffic monitoring device that monitors the traffic of the communication network NW for each flow.
 上記各部11~14の少なくとも一部は、例えば、FPGA(Field-Programmable Gate Array)、ASIC(Application Specific Integrated Circuit)などに書き込まれた論理回路から構成される。各部11~14の少なくとも一部は、プログラムを実行するCPU(Central Processing Unit)などのプロセッサにより構成されてもよい。記憶部19は、フラッシュメモリ、SSD(Solid State Drive)などの適宜の不揮発性の記憶装置からなる。記憶部19は、FPGA(Field-Programmable Gate Array)、ASIC(Application Specific Integrated Circuit)などの少なくとも一部のメモリにより構成されてもよい。各部11~14は、処理中のデータなどを一時的に保持するメモリを含んで構成されてもよい。 At least part of each of the above units 11 to 14 is composed of a logic circuit written in, for example, FPGA (Field-Programmable Gate Array), ASIC (Application Specific Integrated Circuit), or the like. At least part of each unit 11 to 14 may be configured by a processor such as a CPU (Central Processing Unit) that executes programs. The storage unit 19 is composed of an appropriate non-volatile storage device such as a flash memory or SSD (Solid State Drive). The storage unit 19 may be composed of at least a part of memory such as FPGA (Field-Programmable Gate Array), ASIC (Application Specific Integrated Circuit), or the like. Each of the units 11 to 14 may include a memory that temporarily holds data being processed.
 受信部11は、通信ネットワークNWを流れるパケット(より具体的にはミラーリングパケット)を受信して、タイムスタンプ部12及び処理実行部14に出力する受信処理を実行する。パケットは、図2に示すように、データ(ペイロードともいう)と、データの前に配置されたヘッダと、で構成されている。ヘッダを構成する各データは、あるビット数ごとに意味づけられている。この意味づけられたビット区切りのデータを、ヘッダフィールド値といい、ヘッダフィールド値が一致するパケットの一群をフローという。従って、ヘッダフィールド値はフローを特定する情報でもある。なお、ヘッダフィールド値は、L3ヘッダの送信元及び宛先を示す各IP(Internet Protocol)アドレスなどを含んでもよい。フローは、例えば、宛先、送信元、及び、通信プロトコルのうちの少なくとも1つを示すヘッダフィールド値が共通するパケットの集合であればよい。 The receiving unit 11 receives a packet (more specifically, a mirroring packet) flowing through the communication network NW, and executes reception processing for outputting it to the time stamp unit 12 and the processing execution unit 14 . As shown in FIG. 2, a packet consists of data (also called payload) and a header placed before the data. Each data that constitutes the header has meaning for each certain number of bits. This meaningful bit-delimited data is called a header field value, and a group of packets with matching header field values is called a flow. Therefore, the header field value is also information that identifies the flow. Note that the header field value may include IP (Internet Protocol) addresses indicating the source and destination of the L3 header. A flow may be, for example, a set of packets having a common header field value indicating at least one of destination, source, and communication protocol.
 図1に戻り、タイムスタンプ部12は、リアルタイムクロックなどを参照し、受信部11から出力されたパケットに対してタイムスタンプを生成して処理実行部14に出力するタイムスタンプ処理を実行する。タイムスタンプ部12は、受信部11からのパケットをパケット識別部13に出力する。このとき、パケットにタイムスタンプが付与されていてもよい。 Returning to FIG. 1, the time stamp unit 12 refers to a real-time clock or the like, generates a time stamp for the packet output from the reception unit 11, and executes time stamp processing for outputting the generated time stamp to the processing execution unit 14. The time stamp unit 12 outputs the packet from the reception unit 11 to the packet identification unit 13 . At this time, the packet may be given a time stamp.
 パケット識別部13は、タイムスタンプが生成されたタイムスタンプ部12からのパケットが属するフローを識別し、識別したフローを特定するフロー情報であるフローIDを出力するパケット識別処理を実行する。パケット識別部13は、ヘッダ解析部13A、ハッシュ演算部13B、及び、ルールマッチング部13Cを備え、これら各部13A~13Bが下記の処理を行うことでパケット識別処理を実行する。 The packet identification unit 13 identifies the flow to which the packet from the timestamp unit 12 for which the timestamp is generated belongs, and performs packet identification processing to output a flow ID, which is flow information identifying the identified flow. The packet identification unit 13 includes a header analysis unit 13A, a hash calculation unit 13B, and a rule matching unit 13C. These units 13A and 13B perform the following processes to perform packet identification processing.
 タイムスタンプ部12からパケット識別部13に入力されたパケットは、まずヘッダ解析部13Aに入力される。ヘッダ解析部13Aは、入力されたパケットのヘッダを解析して当該ヘッダからヘッダフィールド値を抽出する解析処理を実行する。抽出されたヘッダフィールド値は、ハッシュ演算部13Bに入力される。 A packet input from the time stamp unit 12 to the packet identification unit 13 is first input to the header analysis unit 13A. The header analysis unit 13A analyzes the header of the input packet and executes analysis processing for extracting header field values from the header. The extracted header field value is input to hash calculator 13B.
 ハッシュ演算部13Bは、入力されたヘッダフィールド値をハッシュ化するハッシュ演算処理を実行する。ハッシュ演算部13Bは、ハッシュ化されたヘッダフィールド値を前記タイムスタンプとともにルールマッチング部13Cに出力する。 The hash calculation unit 13B executes hash calculation processing for hashing the input header field value. The hash calculation unit 13B outputs the hashed header field value together with the time stamp to the rule matching unit 13C.
 ルールマッチング部13Cは、入力されたヘッダフィールド値(ハッシュ化されたヘッダフィールド値)と、記憶部19が記憶するルールテーブル19Aに登録された、監視対象のフローに属するパケットを指定する予め定められたルールと、を比較するマッチング処理を実行する。図3に示すように、ルールテーブル19Aに登録されたルールは、フローごとに登録され、1つのルールは、そのフローのヘッダフィールド値(ハッシュ化されたヘッダフィールド値)と、当該ヘッダフィールド値に対応付けられたフローIDとを含む。フローIDは、ルールを識別するルールIDからなってもよい。ルールマッチング部13Cは、マッチング処理において、ルールテーブル19Aの各ルールを参照し、入力されたヘッダフィールド値に対応するフローIDを取得する。ルールマッチング部13Cは、取得したフローIDを処理実行部14に出力する。 The rule matching unit 13C matches the input header field value (hashed header field value) with a predetermined packet belonging to the monitored flow registered in the rule table 19A stored in the storage unit 19. Executes a matching process that compares the rule with As shown in FIG. 3, rules registered in the rule table 19A are registered for each flow, and one rule consists of a header field value (hashed header field value) of the flow and and the associated flow ID. A flow ID may consist of a rule ID that identifies a rule. In the matching process, the rule matching unit 13C refers to each rule in the rule table 19A and acquires the flow ID corresponding to the input header field value. The rule matching unit 13</b>C outputs the acquired flow ID to the process execution unit 14 .
 処理実行部14は、受信部11からパケットを受信し、タイムスタンプ部12からタイムスタンプを受信し、パケット識別部13からフローIDを受信し、受信したパケットとタイムスタンプとフローIDとに基づく処理(ここでは、トラフィックの監視に必要な処理)を実行する。処理実行部14は、前記処理を実行する演算部として、集計部14A、パケットキャプチャ部14B、及び、異常検出部14Cを備える。 The processing execution unit 14 receives a packet from the reception unit 11, receives a time stamp from the time stamp unit 12, receives a flow ID from the packet identification unit 13, and performs processing based on the received packet, time stamp, and flow ID. (here, the processing required for traffic monitoring). The processing execution unit 14 includes an aggregation unit 14A, a packet capture unit 14B, and an anomaly detection unit 14C as calculation units that execute the above processing.
 集計部14Aは、パケット識別部13からのフローIDの入力回数を、フローIDごとつまりフローごとにカウントする。カウントされる受信回数は、受信部11が受信したパケットの数つまりパケット数ともいえる。集計部14Aは、受信部11からのパケットに基づいて、そのデータ量を計測し、計測したデータ量をフロー毎に積算する。集計部14Aは、一定期間ごとに、フローそれぞれについて、当該一定期間にカウント又は積算したパケット数及びデータ量を集計結果として出力部15に出力する。処理結果は、パケット数とデータ量とのいずれかであってもよい。 The aggregation unit 14A counts the number of times the flow ID is input from the packet identification unit 13 for each flow ID, that is, for each flow. The counted number of receptions can be said to be the number of packets received by the receiving unit 11, that is, the number of packets. The counting unit 14A measures the amount of data based on the packets from the receiving unit 11, and integrates the measured amount of data for each flow. The tallying unit 14A outputs the number of packets counted or integrated during the predetermined period and the amount of data for each flow to the output unit 15 at regular intervals as a tallying result. The processing result may be either the number of packets or the amount of data.
 パケットキャプチャ部14Bは、受信部11からのパケットを記憶部19に格納するパケットキャプチャを実行する。さらに、パケットキャプチャ部14Bは、タイムスタンプ部12からのタイムスタンプを付与する。 The packet capture unit 14B executes packet capture to store packets from the reception unit 11 in the storage unit 19. Furthermore, the packet capture unit 14B adds a time stamp from the time stamp unit 12. FIG.
 異常検出部14Cは、記憶部19に保存されたパケット、集計部14Aによる集計結果、タイムスタンプ部12からのタイムスタンプなどをもとに何らかの判別式に基づいて、フローごとに、トラフィック異常(例えば、マイクロバーストなど)を検出する。異常検出部14Cは、トラフィック異常を検出した場合、トラフィック異常が発生した旨を異常発生情報として出力部15に出力する。異常発生情報は、発生したトラフィック異常の種類の情報を含んでもよい。 The anomaly detection unit 14C detects a traffic anomaly (for example, , microbursts, etc.). When detecting traffic anomaly, the anomaly detection unit 14C outputs to the output unit 15 as anomaly occurrence information that the traffic anomaly has occurred. The anomaly occurrence information may include information on the type of traffic anomaly that has occurred.
 出力部15は、処理実行部14による処理結果、ここでは、集計部14Aからの集計結果及び異常検出部14Cからの異常発生情報を出力する。出力部15は、例えば、データ処理装置10が備える表示部などに集計結果及び又は異常発生情報を表示する。出力部15は、例えば、異常発生情報を、データ処理装置10の内部又は外部に設けられた所定の処理部に出力し、当該処理部は、異常発生情報に基づいて、トラフィック異常が検出したフローについて通信を遮断するための処理を実行してもよい。出力部15は、パケットキャプチャ部14Bがキャプチャしたパケットを取得し、取得したパケットをデータ処理装置10の外部の装置に出力してもよい。 The output unit 15 outputs the result of processing by the processing execution unit 14, here, the aggregated result from the aggregation unit 14A and the abnormality occurrence information from the abnormality detection unit 14C. The output unit 15 displays the tally result and/or the abnormality occurrence information on, for example, a display unit provided in the data processing device 10 . The output unit 15 outputs, for example, the abnormality occurrence information to a predetermined processing unit provided inside or outside the data processing device 10, and the processing unit outputs the traffic abnormality detected flow based on the abnormality occurrence information. You may perform the process for interrupting communication about. The output unit 15 may acquire packets captured by the packet capture unit 14B and output the acquired packets to a device external to the data processing device 10 .
 この実施の形態では、受信部11は、受信処理の処理時間(以下、処理時間Aともいう)が受信部11に入力されるパケットのデータ内容によらず一定となるように構成されている。タイムスタンプ部12も、タイムスタンプ処理の処理時間(以下、処理時間Bともいう)がタイムスタンプ部12に入力されるパケットのデータ内容によらず一定となるように構成されている。パケット識別部13も、パケット識別処理の処理時間(以下、処理時間Cともいう)がパケット識別部13に入力されるパケットのデータ内容によらず一定となるように構成されている。つまり、各部11~13は、どのような入力データ(処理対象のデータ)に対しても一定の処理時間で必要な処理を完了する。上記処理時間A~Cの各開始タイミングは、例えば、データが入力開始されたタイミングである。上記処理時間A~Cの各終了タイミングは、例えば、データ(処理結果など)が出力開始されたタイミングである。処理時間A~Cは、互いに同じ処理時間であってもよいし、互いに異なる時間であってもよい。 In this embodiment, the receiving section 11 is configured such that the processing time for receiving processing (hereinafter also referred to as processing time A) is constant regardless of the data content of the packet input to the receiving section 11 . The time stamp unit 12 is also configured such that the processing time for time stamp processing (hereinafter also referred to as processing time B) is constant regardless of the data content of the packet input to the time stamp unit 12 . The packet identification unit 13 is also configured such that the processing time for packet identification processing (hereinafter also referred to as processing time C) is constant regardless of the data content of the packet input to the packet identification unit 13 . In other words, each of the units 11 to 13 completes necessary processing for any input data (data to be processed) within a certain processing time. Each start timing of the processing times A to C is, for example, the timing at which data input is started. The end timing of each of the processing times A to C is, for example, the timing at which the output of data (processing results, etc.) is started. The processing times A to C may be the same processing time, or may be different times.
 処理時間Aがどのようなパケットに対する処理においても同じとは、受信部11での処理でどの処理分岐を経由しても一定の処理時間で処理が完了することを意味する。例えば、図4の上段の図に示すように、分岐後の処理Aの処理時間がクロック3サイクル分で、処理Bの処理時間がクロック2サイクル分である場合、下段の図のように、処理Bのあとにクロック1サイクル分の遅延回路を挿入する。これにより、分岐後の処理時間が一定となる。または、図5に示すように、分岐後の処理Aの一部を並列化して、処理時間をクロック2サイクル分に短縮する。これによって、分岐後の処理時間が一定となる。このようなことは、タイムスタンプ部12及びパケット識別部13についても同じである。なお、処理時間の調整はこれに限られない。各部11~13は、処理開始からの時間をタイマなどで計測し、処理が終了しても、前記タイマなどで計測した処理開始からの時間が処理時間A~Cに達するまで処理結果のデータ出力を待機してもよい。 The fact that the processing time A is the same for any packet processing means that the processing in the receiving unit 11 is completed within a certain processing time regardless of which processing branch is passed through. For example, as shown in the upper diagram of FIG. 4, if the processing time of the process A after branching is 3 clock cycles and the processing time of the process B is 2 clock cycles, then the process shown in the lower diagram A delay circuit for one clock cycle is inserted after B. This makes the processing time after branching constant. Alternatively, as shown in FIG. 5, part of the processing A after branching is parallelized to shorten the processing time to two clock cycles. This makes the processing time after branching constant. The same applies to the time stamp section 12 and the packet identification section 13 as well. Note that the adjustment of the processing time is not limited to this. Each unit 11 to 13 measures the time from the start of processing with a timer or the like, and outputs the data of the processing result until the time from the start of processing measured by the timer or the like reaches the processing times A to C even after the processing is completed. may wait.
 図6に示すように、受信部11は、処理時間Aで受信処理を実行する。受信処理で受信されたパケットは、タイムスタンプ部12及び処理実行部14に入力される(タイミングT2)。タイムスタンプ部12は、受信部11からのパケットの入力を契機として、処理時間Bでタイムスタンプ処理を実行する。タイムスタンプ処理で付与されたタイムスタンプは、処理実行部14に入力され、タイムスタンプの付与対象のパケットは、パケット識別部13に入力される(タイミングT3)。パケット識別部13は、タイムスタンプ部12からのパケットの入力を契機として、処理時間Cでパケット識別処理を実行する。パケット識別処理で取得されるフローIDなどは、処理実行部14に入力される(タイミングT4)。 As shown in FIG. 6, the receiving unit 11 executes the receiving process during the processing time A. A packet received in the reception process is input to the time stamp unit 12 and the process execution unit 14 (timing T2). The time stamp unit 12 executes time stamp processing during the processing time B, triggered by the packet input from the reception unit 11 . The time stamp added by the time stamp processing is input to the processing execution unit 14, and the packet to which the time stamp is to be added is input to the packet identification unit 13 (timing T3). The packet identification unit 13 executes packet identification processing in processing time C, triggered by the packet input from the time stamp unit 12 . The flow ID and the like acquired in the packet identification process are input to the process execution unit 14 (timing T4).
 処理実行部14は、自身に入力されたデータがどのデータかを、処理時間A~Cとの関係で特定することができる。これは上述のように処理時間A~Cが一定であるからである。受信部11は、例えば、パケットの受信処理開始時(タイミングT1)にパケットの受信通知を処理実行部14に送信する。 The processing execution unit 14 can identify which data is input to itself in relation to the processing times A to C. This is because the processing times A to C are constant as described above. For example, the reception unit 11 transmits a packet reception notification to the processing execution unit 14 at the start of packet reception processing (timing T1).
 前記の受信通知送信後、必ず処理時間A経過後にパケットが処理実行部14に入力される(タイミングT2)。従って、処理実行部14は、受信通知の受領後、処理時間A経過後に入力されたデータをパケットと認識する。処理実行部14は、例えば、パケットキャプチャ部14Bによりパケットを記憶部19に保存するパケットキャプチャを行う。 After sending the reception notification, the packet is input to the processing execution unit 14 without fail after the processing time A has elapsed (timing T2). Therefore, the processing execution unit 14 recognizes data input after the processing time A has elapsed after receiving the reception notification as a packet. The processing execution unit 14 performs packet capture, for example, by storing packets in the storage unit 19 using the packet capture unit 14B.
 前記パケットの入力から処理時間B経過後には、必ずタイムスタンプが処理実行部14に入力される(タイミングT3)。従って、処理実行部14は、パケットの入力後、処理時間B経過後に入力されたデータを当該パケットに付与されたタイムスタンプと認識する。処理実行部14は、例えば、パケットキャプチャ部14Bにより記憶部19に保存したパケットに、タイムスタンプ部12から入力されたタイムスタンプを付与するよう、当該タイムスタンプをパケットに対応付けて記憶部19に記憶させる。なお、処理実行部14は、パケットを保持し、タイムスタンプの入力を契機として、パケットにタイムスタンプを付与して記憶部19に格納してもよい。 After the processing time B has elapsed from the input of the packet, the time stamp is always input to the processing execution unit 14 (timing T3). Therefore, the processing execution unit 14 recognizes the data input after the processing time B has elapsed after the packet is input as the time stamp given to the packet. For example, the processing execution unit 14 associates the time stamp input from the time stamp unit 12 with the packet stored in the storage unit 19 by the packet capture unit 14B, and stores the time stamp in the storage unit 19. Memorize. Note that the process execution unit 14 may hold the packet, add a time stamp to the packet, and store the packet in the storage unit 19 when the time stamp is input.
 タイムスタンプの入力後、必ず処理時間C経過後にパケット識別処理で得られるフローIDなどが処理実行部14に入力される(タイミングT4)。このため、処理実行部14は、タイムスタンプの入力後、処理時間C経過後に入力されたデータを今回のパケットが属するフローのフローIDと認識する。処理実行部14は、フローIDなどに基づいて集計部14Aの処理及び異常検出部14Cの処理を実行する。 After the time stamp is input, the flow ID and the like obtained by the packet identification process are input to the process execution unit 14 after the processing time C has elapsed (timing T4). Therefore, the processing execution unit 14 recognizes the data input after the processing time C has elapsed after the time stamp is input as the flow ID of the flow to which the current packet belongs. The processing execution unit 14 executes the processing of the aggregation unit 14A and the processing of the abnormality detection unit 14C based on the flow ID and the like.
 処理実行部14は異なるタイミングに入力された各データに対して、設計された各部11~13の処理時間A~Cをもとに、どのタイミングに到着したものが、どのデータであるかを判別することができる。。そして、処理実行部14は、あるパケットについてのフローIDなどが入力される前に当該パケットと当該パケットについてのタイムスタンプとの少なくとも一方(例えば、図6のパケットキャプチャ、タイムスタンプ付与)を用いた処理を開始することができる。これにより、処理実行部14は、上記比較例のようにフローIDなどが入力されるまで処理開始を待機することがなく、動作効率が良くなる。 The processing execution unit 14 determines which data arrived at which timing based on the designed processing times A to C of the respective units 11 to 13 for each data input at different timings. can do. . Then, the processing execution unit 14 uses at least one of the packet and the time stamp of the packet (for example, packet capture and time stamping in FIG. 6) before the flow ID of the packet is input. Processing can begin. As a result, the process execution unit 14 does not wait until the flow ID or the like is input before starting the process as in the comparative example, thereby improving the operation efficiency.
 さらに、処理実行部14は、受信部11からパケットを受信してから、タイムスタンプ処理及びパケット識別処理のそれぞれの一定の処理時間ごとに入力された複数のデータを、当該パケットについてのタイムスタンプ、及び、当該パケットについてのフローIDとして処理を実行する。これにより、処理実行部14は、1つのパケットについてのタイムスタンプ又はフローIDを他のパケットのタイムスタンプ又はフローIDと取り違えることが抑制される。 Further, the processing execution unit 14 receives a packet from the reception unit 11, and processes a plurality of pieces of data, which are input for each predetermined processing time of the time stamp processing and the packet identification processing, as a time stamp for the packet, Then, the processing is executed as the flow ID for the packet. This prevents the processing execution unit 14 from confusing the time stamp or flow ID of one packet with the time stamp or flow ID of another packet.
 さらに、処理実行部14の前段の各部11~13は、データ出力を完了したものから、順次後続の入力データを受け付けることができる。図7に示すように、例えば、受信部11は、第1パケット(実線の「受信処理」参照)を出力したあと、パケット識別部13によるパケット識別処理が終了する前に第2パケット(点線の「受信処理」参照)を受信可能に設けられている。これにより、データ処理の高速化が図られている。 Further, each of the units 11 to 13 in the preceding stage of the processing execution unit 14 can sequentially accept subsequent input data after data output has been completed. As shown in FIG. 7, for example, after the receiving unit 11 outputs the first packet (see “receiving process” indicated by the solid line), before the packet identification process by the packet identifying unit 13 is completed, the receiving unit 11 outputs the second packet (referred to by the dotted line). (See "Receiving Process"). As a result, the speed of data processing is increased.
 図1の点線で示すように、パケット識別部13のヘッダ解析部13A及びハッシュ演算部13Bのうちの少なくとも一方は、処理実行部14に対して処理結果のデータを出力してもよい。処理実行部14は、入力された処理結果のデータに基づいて所定の処理を行ってもよい。このような場合、パケット識別部13の各部13A~13Cの各処理時間も、処理対象のデータの内容によらず一定であるとよい。処理実行部14は、パケットの入力をそのデータ内容などにより検知してもよく、この場合、どのデータがタイムスタンプ及びフローIDであるかはパケットの入力後の処理時間B及びCに基づいて特定できる。 As indicated by the dotted line in FIG. 1, at least one of the header analysis unit 13A and the hash calculation unit 13B of the packet identification unit 13 may output processing result data to the processing execution unit 14. The processing execution unit 14 may perform a predetermined processing based on the input processing result data. In such a case, the processing time of each section 13A to 13C of the packet identification section 13 should also be constant regardless of the contents of the data to be processed. The processing execution unit 14 may detect the input of a packet by its data content, etc. In this case, which data is the time stamp and flow ID is specified based on the processing times B and C after the packet is input. can.
 図8にデータ処理装置10をコンピュータにより構成したときのハードウェア構成図を示す。データ処理装置10は、CPUなどのプロセッサ101と、プロセッサ101のメインメモリ102と、プログラム及び各種データを記憶し、図1の記憶部19を構成する不揮発性の記憶装置103と、を備える。さらに、データ処理装置10は、通信ネットワークNWに接続され、パケットを中継するNIC(Network Interface Card)104を備える。プロセッサ101は、記憶装置103に記憶され、メインメモリ102に読み出されたプログラム及びデータを実行又は使用して上記各部11~15として動作する。なお、受信部11及び出力部15は、プログラムを実行するプロセッサ101とNIC104との組み合わせにより実現されてもよい。 FIG. 8 shows a hardware configuration diagram when the data processing device 10 is configured by a computer. The data processing device 10 includes a processor 101 such as a CPU, a main memory 102 of the processor 101, and a non-volatile storage device 103 that stores programs and various data and constitutes the storage unit 19 in FIG. Further, the data processing device 10 includes a NIC (Network Interface Card) 104 that is connected to the communication network NW and relays packets. The processor 101 executes or uses programs and data stored in the storage device 103 and read out to the main memory 102 to operate as the units 11 to 15 described above. Note that the receiving unit 11 and the output unit 15 may be implemented by a combination of the processor 101 executing the program and the NIC 104 .
 データ処理装置10は、上記構成に限定されない。データ処理装置10は、例えば、データ(上記構成ではパケット)を受信して出力する受信処理を実行する受信部(上記構成では受信部11)と、前記受信部から出力された前記データに対して第1処理(上記構成ではタイムスタンプ処理)を実行し、当該第1処理の第1処理結果(上記構成ではタイムスタンプ)を出力する第1処理部(上記構成ではタイムスタンプ部12)と、を備えることができる。データ処理装置10は、例えば、前記第1処理のあとに前記データに対して第2処理(上記構成ではパケット識別処理)を実行し、当該第2処理の第2処理結果を出力する第2処理部(上記ではパケット識別部13)と、前記受信部から前記データを受信し、前記第1処理部から前記第1処理結果を受信し、前記第2処理部から前記第2処理結果を受信し、受信した前記データと前記第1処理結果と前記第2処理結果とに基づく処理(上記では、集計部14A、パケットキャプチャ部14B、及び、異常検出部14Cによる処理)を実行する処理実行部(上記では処理実行部14)と、を備えることができる。そして、前記受信処理、前記第1処理、及び、前記第2処理のうち少なくとも前記第1処理及び前記第2処理のそれぞれの処理時間は、処理対象のデータの内容によらず一定であってもよく、前記処理実行部は、前記第2処理結果を受信する前に前記データと前記データについての前記第1処理結果との少なくとも一方を用いた処理(上記では図6のパケットキャプチャ、タイムスタンプ付与)を開始してもよい。このような構成により、上記比較例のように処理実行部が第2処理結果が入力されるまで処理開始を待機することがなく、処理実行部の動作効率が良くなる。なお、上記各処理の具体例は、上記実施の形態に限定されない。上記データは画像データであってもよく、上記第1処理は画像の2値化処理であってもよく、上記第2処理は2値化された画像に対する画像認識であってもよい。上記処理実行部は、画像データ、2値化画像、及び画像認識の結果のそれぞれを記憶部に格納していく処理を実行してもよい。 The data processing device 10 is not limited to the above configuration. The data processing apparatus 10 includes, for example, a receiving unit (receiving unit 11 in the above configuration) that executes reception processing for receiving and outputting data (packets in the above configuration), and for the data output from the receiving unit: a first processing unit (time stamp unit 12 in the above configuration) that executes a first process (time stamp processing in the above configuration) and outputs a first processing result (time stamp in the above configuration) of the first process; be prepared. The data processing device 10 performs, for example, a second process (a packet identification process in the above configuration) on the data after the first process, and outputs a second process result of the second process. (packet identification unit 13 in the above description), the data is received from the receiving unit, the first processing result is received from the first processing unit, and the second processing result is received from the second processing unit. , a processing execution unit ( In the above, the processing execution unit 14) can be provided. The processing time of at least the first processing and the second processing out of the reception processing, the first processing, and the second processing may be constant regardless of the content of the data to be processed. Before receiving the second processing result, the processing execution unit often performs processing using at least one of the data and the first processing result of the data (in the above description, packet capture, time stamping in FIG. 6, ) may be started. With such a configuration, unlike the comparative example, the processing execution unit does not wait until the second processing result is input before starting the processing, and the operation efficiency of the processing execution unit is improved. It should be noted that specific examples of the above processes are not limited to the above embodiments. The data may be image data, the first processing may be image binarization processing, and the second processing may be image recognition for the binarized image. The processing execution unit may execute processing for storing the image data, the binarized image, and the result of image recognition in the storage unit.
 前記処理実行部は、前記受信部から前記データを受信してから前記第1処理及び前記第2処理のそれぞれの一定の処理時間ごとに入力された複数のデータを、それぞれ、前記データについての前記第1処理結果及び前記第2処理結果として前記処理を実行してもよく、これにより、あるデータに対する第1処理結果と第2処理結果が他のデータに対する処理結果として取り違えられることが抑制される。 The processing execution unit receives the data from the reception unit and processes the plurality of data input at predetermined processing time intervals for each of the first processing and the second processing. The processing may be performed as the first processing result and the second processing result, thereby preventing the first processing result and the second processing result for certain data from being mistaken for processing results for other data. .
 前記受信部は、前記データとしての第1データを出力したあと、前記第2処理が終了する前に他の前記データとしての第2データを受信可能に設けられている。これにより、処理速度が向上する。 After outputting the first data as the data, the receiving section is capable of receiving second data as the other data before the second processing ends. This improves the processing speed.
 本発明は、上記の実施の形態及び変形例に限定されるものではない。例えば、本発明には、本発明の技術思想の範囲内で当業者が理解し得る、上記の実施の形態及び変形例に対する様々な変更が含まれる。上記実施の形態及び変形例に挙げた各構成は、矛盾の無い範囲で適宜組み合わせることができる。また、上記の各構成のうちの任意の構成を削除することも可能である。上記プログラムは、不揮発性の記憶装置103に限らず、非一時的なコンピュータ読み取り可能な記憶媒体に記憶されてもよい。「装置」及び「部」は、その動作を実現する構成が一つの筐体に収容された物であっても、その動作を実現する構成が複数の筐体に分散して収容された物(システム)であってもよい。 The present invention is not limited to the above embodiments and modifications. For example, the present invention includes various modifications to the above embodiments and modifications that can be understood by those skilled in the art within the scope of the technical idea of the present invention. The configurations described in the above embodiments and modified examples can be appropriately combined within a consistent range. It is also possible to delete any configuration among the above configurations. The program may be stored not only in the non-volatile storage device 103 but also in a non-temporary computer-readable storage medium. "Apparatus" and "unit" refer to an object whose configuration realizing its operation is housed in a plurality of housings, even if the configuration realizing its operation is housed in a single housing ( system).
 10…データ処理装置、11…受信部、12…タイムスタンプ部、13…パケット識別部、13A…ヘッダ解析部、13B…ハッシュ演算部、13C…ルールマッチング部、14…処理実行部、14A…集計部、14B…パケットキャプチャ部、14C…異常検出部、15…出力部、19…記憶部、19A…ルールテーブル、101…プロセッサ、102…メインメモリ、103…記憶装置、NW…通信ネットワーク。 DESCRIPTION OF SYMBOLS 10... Data processing apparatus 11... Receiving part 12... Timestamp part 13... Packet identification part 13A... Header analysis part 13B... Hash calculation part 13C... Rule matching part 14... Processing execution part 14A... Aggregation Unit 14B Packet capture unit 14C Abnormality detection unit 15 Output unit 19 Storage unit 19A Rule table 101 Processor 102 Main memory 103 Storage device NW Communication network.

Claims (7)

  1.  データを受信して出力する受信処理を実行する受信部と、
     前記受信部から出力された前記データに対して第1処理を実行し、当該第1処理の第1処理結果を出力する第1処理部と、
     前記第1処理のあとに前記データに対して第2処理を実行し、当該第2処理の第2処理結果を出力する第2処理部と、
     前記受信部から前記データを受信し、前記第1処理部から前記第1処理結果を受信し、前記第2処理部から前記第2処理結果を受信し、受信した前記データと前記第1処理結果と前記第2処理結果とに基づく処理を実行する処理実行部と、を備え、
     前記受信処理、前記第1処理、及び、前記第2処理のうち少なくとも前記第1処理及び前記第2処理のそれぞれの処理時間は、処理対象のデータの内容によらず一定であり、
     前記処理実行部は、前記第2処理結果を受信する前に前記データと前記データについての前記第1処理結果との少なくとも一方を用いた処理を開始する、
     データ処理装置。     a receiving unit that executes a receiving process for receiving and outputting data;
    a first processing unit that performs a first process on the data output from the receiving unit and outputs a first processing result of the first process;
    a second processing unit that executes a second process on the data after the first process and outputs a second process result of the second process;
    receiving the data from the receiving unit, receiving the first processing result from the first processing unit, receiving the second processing result from the second processing unit, and receiving the received data and the first processing result and a processing execution unit that executes processing based on the second processing result,
    each processing time of at least the first processing and the second processing out of the reception processing, the first processing, and the second processing is constant regardless of the content of the data to be processed;
    The processing execution unit starts processing using at least one of the data and the first processing result of the data before receiving the second processing result.
    Data processing equipment.
  2.  前記データは、通信ネットワークを流れるパケットであり、
     前記第1処理部は、前記第1処理として、前記受信部から出力された前記パケットに対してタイムスタンプを生成し、生成した前記タイムスタンプを前記第1処理結果として出力するタイムスタンプ処理を実行するタイムスタンプ部であり、
     前記第2処理部は、前記第2処理として、前記タイムスタンプが生成された前記パケットが属するフローを識別し、識別した前記フローを特定するフロー情報を前記第2処理結果として出力するパケット識別処理を実行するパケット識別部である、
     請求項1に記載のデータ処理装置。     The data are packets flowing through a communication network,
    The first processing unit, as the first processing, generates a time stamp for the packet output from the receiving unit, and executes time stamp processing for outputting the generated time stamp as the first processing result. is a time stamp part that
    The second processing unit, as the second processing, identifies a flow to which the packet for which the timestamp is generated belongs, and outputs flow information identifying the identified flow as the result of the second processing. is a packet identifier that performs
    2. A data processing apparatus according to claim 1.
  3.  前記処理実行部は、前記受信部から前記データを受信してから前記第1処理及び前記第2処理のそれぞれの一定の処理時間ごとに入力された複数のデータを、それぞれ、前記データについての前記第1処理結果及び前記第2処理結果として前記処理を実行する、
     請求項1又は2に記載のデータ処理装置。     The processing execution unit receives the data from the reception unit and processes the plurality of data input at predetermined processing time intervals for each of the first processing and the second processing. executing the process as a first process result and the second process result;
    3. A data processing apparatus according to claim 1 or 2.
  4.  前記受信部は、前記データとしての第1データを出力したあと、前記第2処理が終了する前に他の前記データとしての第2データを受信可能に設けられている、
     請求項1から3のいずれか1項に記載のデータ処理装置。     After outputting the first data as the data, the receiving unit is provided so as to be able to receive second data as the other data before the second processing ends.
    4. A data processing apparatus according to any one of claims 1 to 3.
  5.  前記データは、通信ネットワークを流れるパケットであり、
     前記第2処理部は、前記パケットのヘッダを解析してヘッダフィールド値を抽出するヘッダ解析部と、抽出された前記ヘッダフィールド値をハッシュ化するハッシュ演算部と、ハッシュ化されたヘッダフィールド値と予め定められたルールとを比較し前記パケットが属するフローの前記フロー情報を取得するルールマッチング部と、を備える、
     請求項1から4のいずれか1項に記載のデータ処理装置。     The data are packets flowing through a communication network,
    The second processing unit includes a header analysis unit that analyzes the header of the packet and extracts a header field value, a hash calculation unit that hashes the extracted header field value, and a hashed header field value. a rule matching unit that acquires the flow information of the flow to which the packet belongs by comparing with a predetermined rule;
    5. A data processing apparatus according to any one of claims 1 to 4.
  6.  データを受信して出力する受信処理を実行する受信ステップと、
     前記受信ステップで出力された前記データに対して第1処理を実行し、当該第1処理の第1処理結果を出力する第1処理ステップと、
     前記第1処理のあとに前記データに対して第2処理を実行し、当該第2処理の第2処理結果を出力する第2処理ステップと、
     前記受信ステップで出力された前記データを受信し、前記第1処理ステップで出力された前記第1処理結果を受信し、前記第2処理ステップで出力された前記第2処理結果を受信し、受信した前記データと前記第1処理結果と前記第2処理結果とに基づく処理を実行する処理実行ステップと、を備え、
     前記受信処理、前記第1処理、及び、前記第2処理のうち少なくとも前記第1処理及び前記第2処理のそれぞれの処理時間は、処理対象のデータの内容によらず一定であり、
     前記処理実行ステップでは、前記第2処理結果を受信する前に前記データと前記データについての前記第1処理結果との少なくとも一方を用いた処理を開始する、
     データ処理方法。     a reception step for executing reception processing for receiving and outputting data;
    a first processing step of performing a first process on the data output in the receiving step and outputting a first processing result of the first process;
    a second processing step of performing a second processing on the data after the first processing and outputting a second processing result of the second processing;
    receiving the data output in the receiving step, receiving the first processing result output in the first processing step, receiving the second processing result output in the second processing step, and receiving a processing execution step of executing processing based on the data, the first processing result, and the second processing result;
    each processing time of at least the first processing and the second processing out of the reception processing, the first processing, and the second processing is constant regardless of the content of the data to be processed;
    In the process execution step, before receiving the second process result, the process using at least one of the data and the first process result of the data is started.
    Data processing method.
  7.  コンピュータに、
     データを受信して出力する受信処理を実行する受信ステップと、
     前記受信ステップで出力された前記データに対して第1処理を実行し、当該第1処理の第1処理結果を出力する第1処理ステップと、
     前記第1処理のあとに前記データに対して第2処理を実行し、当該第2処理の第2処理結果を出力する第2処理ステップと、
     前記受信ステップで出力された前記データを受信し、前記第1処理ステップで出力された前記第1処理結果を受信し、前記第2処理ステップで出力された前記第2処理結果を受信し、受信した前記データと前記第1処理結果と前記第2処理結果とに基づく処理を実行する処理実行ステップと、を実行させ、
     前記受信処理、前記第1処理、及び、前記第2処理のうち少なくとも前記第1処理及び前記第2処理のそれぞれの処理時間は、処理対象のデータの内容によらず一定であり、
     前記処理実行ステップでは、前記第2処理結果を受信する前に前記データと前記データについての前記第1処理結果との少なくとも一方を用いた処理を開始する、
     プログラム。     to the computer,
    a reception step for executing reception processing for receiving and outputting data;
    a first processing step of performing a first process on the data output in the receiving step and outputting a first processing result of the first process;
    a second processing step of performing a second processing on the data after the first processing and outputting a second processing result of the second processing;
    receiving the data output in the receiving step, receiving the first processing result output in the first processing step, receiving the second processing result output in the second processing step, and receiving a processing execution step of executing processing based on the data, the first processing result, and the second processing result;
    each processing time of at least the first processing and the second processing out of the reception processing, the first processing, and the second processing is constant regardless of the content of the data to be processed;
    In the process execution step, before receiving the second process result, the process using at least one of the data and the first process result of the data is started.
    program.
PCT/JP2021/046134 2021-12-14 2021-12-14 Data processing device, data processing method, and program WO2023112174A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/046134 WO2023112174A1 (en) 2021-12-14 2021-12-14 Data processing device, data processing method, and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/046134 WO2023112174A1 (en) 2021-12-14 2021-12-14 Data processing device, data processing method, and program

Publications (1)

Publication Number Publication Date
WO2023112174A1 true WO2023112174A1 (en) 2023-06-22

Family

ID=86773794

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/046134 WO2023112174A1 (en) 2021-12-14 2021-12-14 Data processing device, data processing method, and program

Country Status (1)

Country Link
WO (1) WO2023112174A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006020317A (en) * 2004-06-30 2006-01-19 Zarlink Semiconductor Inc Joint pipelining packet classification, and address search method and device for switching environments
JP2019146000A (en) * 2018-02-20 2019-08-29 APRESIA Systems株式会社 Relay device

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006020317A (en) * 2004-06-30 2006-01-19 Zarlink Semiconductor Inc Joint pipelining packet classification, and address search method and device for switching environments
JP2019146000A (en) * 2018-02-20 2019-08-29 APRESIA Systems株式会社 Relay device

Similar Documents

Publication Publication Date Title
US7903555B2 (en) Packet tracing
US9825841B2 (en) Method of and network server for detecting data patterns in an input data stream
Lee et al. A hadoop-based packet trace processing tool
US9336203B2 (en) Semantics-oriented analysis of log message content
CN110808994B (en) Method and device for detecting brute force cracking operation and server
CN110287163B (en) Method, device, equipment and medium for collecting and analyzing security log
CN111130883A (en) Method and device for determining topological graph of industrial control equipment and electronic equipment
US10069797B2 (en) 10Gbps line rate stream to disk with fast retrieval (metadata) and network statistics
CN108270783B (en) Data processing method and device, electronic equipment and storage medium
CN110149247B (en) Network state detection method and device
WO2023112174A1 (en) Data processing device, data processing method, and program
CN115357513B (en) Program ambiguity test method, device, equipment and storage medium
KR101625890B1 (en) Test automation system and test automation method for detecting change for signature of internet application traffic protocol
US11947507B2 (en) Traffic monitoring device, traffic monitoring method, and traffic monitoring program
US9577669B2 (en) Methods, systems, and computer readable media for optimized message decoding
US20160143082A1 (en) Method for detecting a message from a group of packets transmitted in a connection
CN109857359A (en) MIPI data processing method, device and circuit
CN114301812B (en) Method, device, equipment and storage medium for monitoring message processing result
CN109361674A (en) Bypass stream data detection method, device and the electronic equipment of access
JP7239016B2 (en) Sorting device, sorting method, sorting program
US20190349390A1 (en) Packet format inference apparatus and computer readable medium
CN114297010A (en) Service board card detection method and device
US20190050568A1 (en) Process search apparatus and computer-readable recording medium
CN209690900U (en) MIPI data processing circuit
CN116886445B (en) Processing method and device of filtering result, storage medium and electronic equipment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21968091

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2023567361

Country of ref document: JP

Kind code of ref document: A