WO2023112175A1 - Traffic monitoring device, method and program - Google Patents

Traffic monitoring device, method and program

Info

Publication number
WO2023112175A1
Authority
WO
WIPO (PCT)
Prior art keywords
rule
unit
identification information
offset
new
Prior art date
Application number
PCT/JP2021/046135
Other languages
English (en)
Japanese (ja)
Inventor
悠介 関原
奈美子 池田
晶子 大輝
寛之 鵜澤
Original Assignee
日本電信電話株式会社
Application filed by 日本電信電話株式会社
Priority to PCT/JP2021/046135
Publication of WO2023112175A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters

Definitions

  • the present invention relates to a traffic monitoring device, a traffic monitoring method, and a program.
  • Non-Patent Document 1 describes estimating attack traffic from past attack data using machine learning.
  • Inference methods that use machine learning, etc. require learning time to generate rules, and the processing load of the machine learning process itself increases the time lag between an attack and its detection.
  • the object of the present invention is to identify attack traffic with light load processing.
  • a traffic monitoring device for monitoring traffic in a communication network comprises: a receiving unit that receives packets flowing through the communication network; an extracting unit that extracts, from a packet received by the receiving unit, first identification information for identifying a flow, based on an offset that specifies the extraction position in the packet; and a rule specifying unit that specifies a rule having information matching the first identification information extracted by the extracting unit.
  • the device further comprises an aggregating unit that aggregates, for each rule specified by the rule specifying unit, at least one of the number of times the rule is specified and the data amount of the packets specified as matching the rule, and an offset control unit that, when the aggregation result of the aggregating unit satisfies a predetermined criterion, generates a new offset for extracting not only the first identification information but also second identification information that can be used to identify attack traffic.
  • the rule specifying unit then specifies a new rule having information that matches the first identification information and the second identification information extracted by the extracting unit based on the new offset, and the aggregating unit aggregates at least one of the number of times the new rule is specified and the data amount of the packets specified as matching the new rule.
  • the traffic monitoring method according to the present invention includes a receiving step of receiving packets flowing through the communication network, and an extracting step of extracting, from a packet received in the receiving step, first identification information for identifying a flow, based on an offset specifying the extraction position in the packet.
  • in the tallying step of the method, at least one of the number of times the new rule is specified and the data amount of the packets specified as matching the new rule is tallied.
  • the program according to the present invention comprises: a receiving step of receiving a packet flowing through the communication network; an extracting step of extracting first identification information from the packet based on the offset; a rule specifying step of specifying a rule having information that matches the first identification information extracted in the extracting step; and a tallying step of tallying, for each rule specified in the rule specifying step, at least one of the number of times the rule is specified and the data amount of the packets identified as matching the rule.
  • the program further comprises an offset control step of generating, when the tallied result of the tallying step satisfies a predetermined criterion, a new offset for extracting second identification information that can be used to identify attack traffic in addition to the first identification information.
  • attack traffic is identified with light load processing.
  • FIG. 1 is a configuration diagram of a traffic monitoring device according to one embodiment of the present invention.
  • FIG. 2 is a diagram showing an example of the data structure of a packet.
  • FIG. 3 is a diagram for explaining a method of extracting packets by offset.
  • FIG. 4 is a diagram showing a configuration example of a rule table.
  • FIG. 5 is a diagram showing a configuration example of a rule table.
  • FIG. 6 is a diagram for explaining a method of extracting packets based on offsets.
  • FIG. 7 is a configuration diagram when the traffic monitoring apparatus of FIG. 1 is configured by a computer.
  • the traffic monitoring device 10 includes a receiving unit 11, an extracting unit 12, a rule specifying unit 13, an aggregating unit 14, and an output unit 15, as shown in FIG. 1.
  • the traffic monitoring device 10 includes a rule control section 16 , an offset control section 17 and a storage section 19 .
  • the traffic monitoring device 10 having such a configuration is configured to monitor traffic on the communication network NW.
  • each of the above units 11 to 17 is composed of a logic circuit written in, for example, FPGA (Field-Programmable Gate Array), ASIC (Application Specific Integrated Circuit), or the like. At least part of each unit 11 to 17 may be configured by a processor such as a CPU (Central Processing Unit) that executes programs.
  • the storage unit 19 is composed of an appropriate non-volatile storage device such as a flash memory or SSD (Solid State Drive).
  • the storage unit 19 may be constituted by at least part of the memory of an FPGA (Field-Programmable Gate Array), ASIC (Application Specific Integrated Circuit), or the like.
  • Each of the units 11 to 17 may include a memory that temporarily holds data being processed.
  • the receiving unit 11 sequentially receives a plurality of packets (more specifically, mirroring packets) flowing through the communication network NW one by one and outputs them to the extracting unit 12 .
  • a packet consists of data (also called payload) and a header placed before the data.
  • the header includes a source MAC address and a destination MAC address, as shown in FIG. 2.
  • the header also includes arbitrary further information such as source and destination IP addresses, source and destination port numbers, VLAN ID, communication protocol, and the like.
  • the extraction unit 12 extracts a portion of the packet.
  • This clipping position is specified by the offset stored in the storage unit 19 .
  • the clipping unit 12 clips a part of the packet at the clipping position specified by the offset.
  • the clipped part is a bit-delimited portion of the packet and is also called a field value.
  • a group of packets with matching field values is also called a flow.
  • the field value is also identification information that identifies the flow.
  • the clipping position specified by the offset is set so that the clipped field value includes a necessary and sufficient portion to specify the flow to be monitored.
  • the extracted field values include various addresses, VLANIDs, communication protocols, and the like.
  • the field value does not necessarily have to coincide with a protocol field in the packet header, and may span multiple header fields (e.g., the L2 and L3 headers in FIG. 2).
  • Fig. 3 shows an example of clipping based on the offset.
  • offsets 1 to 4 are prepared as one offset set, and these are used to cut out the field values at the positions labeled fields 1 to 4 in the packet.
  • Offsets 1 to 4 indicate the beginning of the region to be cut out, from which a certain number of bits of data are cut out.
  • a plurality of offsets may be prepared according to the data structure of the header of the packet to be monitored.
  • the clipping unit 12 makes as many copies of the packet as there are offsets and applies one offset to each copy to clip the corresponding field value.
  • the extraction unit 12 may extract each field value based on each offset by copying the data at the extraction position specified by each offset from a single packet. After that, the following processing is performed for a plurality of clipped portions.
  • the field value extracted by the extraction unit 12 is input to the rule identification unit 13.
  • the rule identification unit 13 compares the input field values with rules prepared for each flow.
  • the rules are registered in the rule table 19A stored in the storage unit 19, and the rule specifying unit 13 identifies, from among the rules registered in the rule table 19A, the rule having a value that matches the input field value.
  • as shown in FIG. 4, a "*" in the rule table 19A indicates that any value (even no value) of the corresponding portion of the field value compared with the rule is treated as a match.
  • for example, for a field value whose field 3 is "12" and whose field 4 is "8080", whatever the other fields hold (for instance a field value extracted by the offset in FIG. 3, which has no field 5), rule #2 in FIG. 4 is specified.
  • the rule identifying unit 13 supplies the rule number of the identified rule (here, one of #1 to #3) to the counting unit 14.
  • the tallying unit 14 counts the number of times the rule number is supplied from the rule identifying unit 13 (that is, the number of packets input to the receiving unit 11) for each rule number. In this way, the tallying unit 14 tallies the number of rules specified by the rule specifying unit 13 for each rule.
  • rules are prepared for each logical network. When there is a flood attack on a certain logical network, the number of counts (specific number of rules) by the totaling unit 14 for the rules of that logical network increases. In order to detect this, the tallying unit 14 notifies the rule control unit 16 of the rule number of the rule exceeding the threshold when the number of counts per predetermined period exceeds the threshold.
  • the storage unit 19 or the like stores a rule number and a packet header configuration (more specifically, information specifying which data is located at which position in the header).
  • the rule control unit 16 acquires the packet header configuration corresponding to the rule number from the storage unit 19 or the like as the packet header configuration of the network under attack.
  • the packet header configuration may be identifiable by the content of rules (contents of fields 1 to 5) registered in the rule table 19A. In this case, the rule with the notified rule number is referenced.
  • the rule control unit 16 creates a new rule by adding, as information to be compared, new identification information selected from the information contained in the packet that can be used to identify the type of DDoS attack.
  • the information added here is, for example, a TCP flag indicating the type of TCP segment.
  • the rule control unit 16 notifies the offset control unit 17 of the specified packet header configuration. Based on the packet header structure, the offset control unit 17 generates a new offset for extracting identification information (value of field 5) that can identify a DDoS attack from the packet in addition to other identification information.
  • the new offset is stored in the storage unit 19. This offset is obtained, for example, by adding an offset 5 for cutting out field 5 to the offset used so far (FIG. 3), and consists of offsets 1 to 5 (see FIG. 6).
  • subsequent traffic will continue to be monitored by processing subsequent packets based on the new monitoring rule and offset.
  • the number of packets received by the receiving unit 11 (the number of times the rule number is supplied from the rule identifying unit 13) is counted for each of the rules #4 to #6, to which the information necessary for identifying traffic attacks has been added. Therefore, the type of attack (ACK, SYN or FIN) is identified from the count.
  • the attack is being carried out against the logical network of the rule with the large count number.
  • the output unit 15 outputs the specified number of times for each rule by the rule specifying unit 13, which is counted by the counting unit 14, as a counting result.
  • the output unit 15 displays the tally result on a display device provided in the traffic monitoring device 10 or an external display device of the traffic monitoring device 10, for example. As a result, the presence or absence of attack traffic and its type can be presented to the user.
  • the output unit 15, for example, outputs the aggregated result to a processing unit provided inside or outside the traffic monitoring device 10, and the processing unit identifies the presence or absence of attack traffic and its type based on the aggregated result.
  • the processing unit may execute a process of displaying the logical network determined to have attack traffic on the display device and/or a process of blocking communication in the logical network.
  • the TCP flag is used as identification information that can be used to identify DDoS attacks, that is, to identify attack traffic (the presence or absence of attack traffic and its type, or at least the former).
  • alternatively, any information that can specify the traffic type from bit-string information in the packet format, such as information identifying ICMP, UDP, NTP or HTTP requests, may be adopted as the identification information.
  • the aggregation unit 14 may aggregate the packet data amount for each rule instead of or in addition to the specific number of times of the rule.
  • the receiving unit 11 or the clipping unit 12 specifies the data amount of the received packet, and supplies the specified data amount of the packet to the counting unit 14 via the rule specifying unit 13 or directly.
  • the totaling unit 14 is supplied with the data amount together with the rule number from the rule specifying unit 13 .
  • the tallying unit 14 tallies the data amount by accumulating the supplied data amount for each rule number. In this way, for each rule specified by the rule specifying unit 13, the tallying unit 14 tallies at least one of the number of times the rule is specified and the data amount of the packets specified as matching the rule.
  • the rule control unit 16 generates the new rule as a monitoring rule and registers it in the rule table 19A when the result of counting by the counting unit 14 satisfies a predetermined criterion.
  • the offset control unit 17 also generates the new offset and stores it in the storage unit 19 .
  • the predetermined criterion is, for example, that either the number of times the rule is specified per predetermined period or the data amount exceeds a threshold value set for it. Alternatively, the criterion may require that both the number of times per predetermined period and the data amount exceed their respective threshold values.
  • the extraction unit 12 extracts the first identification information (field value) for identifying the flow from the packet received by the reception unit 11 based on the offset specifying the extraction position of the packet.
  • the rule identifying unit 13 also identifies a rule having information that matches the first identification information extracted by the extracting unit 12 .
  • the tallying unit 14 tallies at least one of the specified number of times for the rule and the data amount of the packet specified for the rule.
  • when the aggregation result by the aggregation unit 14 satisfies the predetermined criterion, the offset control unit 17 generates a new offset for cutting out not only the first identification information but also second identification information (for example, the TCP flag in field 5) that can be used to identify the attack traffic.
  • the rule specifying unit 13 specifies a new rule (for example, any of rules #4 to #6) having information that matches the first identification information and the second identification information extracted by the extracting unit 12 based on the new offset.
  • the tallying unit 14 tallies at least one of the number of times the new rule is specified and the data amount of the packets specified as matching the new rule. In such a configuration, the processing load of rule specification in the rule specifying unit 13 is light because the comparison is made on field values cut out by offset.
  • attack traffic is identified with light load processing.
  • the rule identifying unit 13 identifies, from among one or more rules, a rule having information that matches the first identification information extracted by the extracting unit 12, and the rule control unit 16 generates the new rule and adds it to the one or more rules only when the result obtained by the totalizing unit 14 satisfies the predetermined criterion, so the number of rules held before the totalized result satisfies the criterion can be kept small. This realizes light-load processing.
  • the rule identifying unit 13 identifies a rule having information matching the first identification information from among the one or more rules registered in the rule table, and the rule control unit 16 registers the newly generated rule in the rule table.
  • the output unit 15 may output a tally result of tallying at least one of the number of times the new rule is specified and the data amount of the packets specified as matching the new rule. This makes it possible to notify the presence or absence of attack traffic and the like.
  • FIG. 7 shows a hardware configuration diagram when the traffic monitoring device 10 is configured by a computer.
  • the traffic monitoring device 10 includes a processor 101 such as a CPU, a main memory 102 of the processor 101, and a non-volatile storage device 103 that stores programs and various data and constitutes the storage unit 19 in FIG. Furthermore, the traffic monitoring device 10 includes a NIC (Network Interface Card) 104 that is connected to the communication network NW and relays packets.
  • the processor 101 executes or uses programs and data stored in the storage device 103 and read out to the main memory 102 to operate as the units 11 to 17 described above.
  • the receiving unit 11 and the output unit 15 may be implemented by a combination of the processor 101 executing the program and the NIC 104 .
  • the present invention is not limited to the above embodiments and modifications.
  • the present invention includes various modifications to the above embodiments and modifications that can be understood by those skilled in the art within the scope of the technical idea of the present invention.
  • the configurations described in the above embodiments and modified examples can be appropriately combined within a consistent range. It is also possible to delete any configuration among the above configurations.
  • the various programs described above may be stored not only in the non-volatile storage device 103 but also in a non-temporary computer-readable storage medium.
  • "apparatus" and "unit" refer not only to an object whose configuration realizing its operation is housed in a single housing, but also to one whose configuration is distributed over a plurality of housings (a system).
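As an added worked example (not code from the patent or from 日本電信電話株式会社), the following Python sketch models the pipeline described in the bullets above: field values are cut out of a packet by (position, length) offsets, compared against a rule table whose "*" entries match any value or a missing field, tallied per rule number per period, and, once a coarse rule's count exceeds the threshold, the offset and rule control steps add offset 5 (TCP flags) and refined rules #4 to #6 for SYN, ACK and FIN. The packet layout, the field positions, the flag values, the threshold and the sample traffic are all constructed for this example (the patent does not fix them), and letting the most specific matching rule win when a coarse and a refined rule both match is an assumption of this example, not something the text states.

```python
from collections import Counter

WILDCARD = "*"
# Constructed packet layout: (byte position, length) of each header field. It stands
# in for the FIG. 2 header configuration; real offsets follow the monitored network.
LAYOUT = {"vlan_id": (14, 2), "proto": (16, 1), "dst_ip": (17, 4),
          "dst_port": (21, 2), "tcp_flags": (23, 1)}
# Hypothetical field-5 values that tell attack types apart (cf. rules #4 to #6).
TCP_FLAGS = {"SYN": 0x02, "ACK": 0x10, "FIN": 0x01}

def build_packet(vlan, proto, dst_ip, dst_port, flags=None):
    """Constructed test packet: 14 zero bytes as L2 header stand-in, then the fields
    above. Omitting flags gives a packet with no field 5, as in the FIG. 3 case."""
    pkt = bytearray(14) + vlan.to_bytes(2, "big") + bytes([proto]) + bytes(dst_ip)
    pkt += dst_port.to_bytes(2, "big")
    return bytes(pkt if flags is None else pkt + bytes([flags]))

def extract(packet, offsets):
    """Clipping unit 12: cut each offset out of the packet as an integer field value.
    A field lying beyond the end of the packet is simply absent."""
    values = []
    for pos, length in offsets:
        chunk = packet[pos:pos + length]
        if len(chunk) < length:
            break
        values.append(int.from_bytes(chunk, "big"))
    return tuple(values)

def matches(rule, values):
    """Rule comparison: a '*' entry matches any value, including a missing field."""
    return all(rv == WILDCARD or (i < len(values) and values[i] == rv)
               for i, rv in enumerate(rule))

class TrafficMonitor:
    def __init__(self, offsets, rules, threshold):
        self.offsets = list(offsets)  # storage unit 19: current offset set
        self.rules = dict(rules)      # rule table 19A: rule number -> field tuple
        self.threshold = threshold    # criterion: packets per rule per period
        self.counts = Counter()       # tallying unit 14: packets per rule number

    def specify_rule(self, values):
        """Rule specifying unit 13. Assumption of this example: when a coarse and a
        refined rule both match, the one with the fewest wildcards is reported."""
        best, best_spec = None, -1
        for num, rule in self.rules.items():
            spec = sum(rv != WILDCARD for rv in rule)
            if spec > best_spec and matches(rule, values):
                best, best_spec = num, spec
        return best

    def receive(self, packet):
        """Receiving unit 11 -> clipping -> rule specification -> tally."""
        num = self.specify_rule(extract(packet, self.offsets))
        if num is not None:
            self.counts[num] += 1
        return num

    def end_period(self):
        """Close a tally period. For each coarse rule over the threshold, the offset
        control unit adds offset 5 and the rule control unit adds one refined rule
        per flag value. Returns the period's tally and the (number, type) of new rules."""
        tally, new_rules = dict(self.counts), []
        for num, n in tally.items():
            rule = self.rules[num]
            if n > self.threshold and len(rule) == 4:  # coarse rule: no field 5 yet
                if LAYOUT["tcp_flags"] not in self.offsets:
                    self.offsets.append(LAYOUT["tcp_flags"])
                for name, flag in TCP_FLAGS.items():
                    new_num = max(self.rules) + 1
                    self.rules[new_num] = rule + (flag,)
                    new_rules.append((new_num, name))
        self.counts.clear()
        return tally, new_rules

def attack_types(monitor, tally):
    """Output unit 15: name the attack type behind each refined rule over threshold."""
    names = {flag: name for name, flag in TCP_FLAGS.items()}
    return {num: names[monitor.rules[num][-1]] for num, n in tally.items()
            if n > monitor.threshold and len(monitor.rules[num]) == 5}

def run_demo():
    offsets = [LAYOUT[k] for k in ("vlan_id", "proto", "dst_ip", "dst_port")]
    # One coarse rule per logical network (VLAN); rule #2 mirrors the FIG. 4 example.
    rules = {1: (10, WILDCARD, WILDCARD, WILDCARD), 2: (12, WILDCARD, WILDCARD, 8080),
             3: (14, WILDCARD, WILDCARD, WILDCARD)}
    mon = TrafficMonitor(offsets, rules, threshold=20)
    flood = build_packet(12, 6, (10, 0, 0, 5), 8080, TCP_FLAGS["SYN"])
    normal = build_packet(10, 6, (10, 0, 0, 7), 443, TCP_FLAGS["ACK"])
    for pkt in [flood] * 50 + [normal] * 5:  # period 1: constructed SYN flood on VLAN 12
        mon.receive(pkt)
    tally1, new_rules = mon.end_period()
    for pkt in [flood] * 50:                 # period 2: same flood, refined rules active
        mon.receive(pkt)
    tally2, _ = mon.end_period()
    return tally1, new_rules, tally2, attack_types(mon, tally2)
```

Calling run_demo() plays one period of the constructed flood towards the logical network of rule #2, which trips the criterion and adds offset 5 and rules #4 to #6, then a second period in which the same packets are attributed to rule #4 and reported as a SYN flood. The rule table stays at three coarse entries until the criterion is met, which is the light-load property the text claims.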

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A traffic monitoring device (10) comprises: an extracting unit (12) that extracts, from a packet received by a receiving unit (11), first identification information identifying a flow, based on an offset that specifies an extraction position in the packet; a rule specifying unit (13) that specifies rules containing information that matches the first identification information extracted by the extracting unit (12); and a counting unit (14) that counts the number of times the rules are specified, etc., by the rule specifying unit (13). The traffic monitoring device (10) is further provided with an offset control unit (17) which, when the number of times the rules are specified, etc., exceeds a prescribed reference value, generates a new offset for extracting second identification information that can be used to identify attack traffic, in addition to the first identification information. The rule specifying unit (13) specifies rules containing information that matches the first identification information and the second identification information extracted by the extracting unit. The counting unit (14) counts the number of times the rules containing information that matches the first identification information and the second identification information are specified. Such a configuration makes it possible to identify attack traffic by means of light-load processing.
PCT/JP2021/046135 2021-12-14 2021-12-14 Traffic monitoring device, method and program WO2023112175A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/046135 WO2023112175A1 (fr) 2021-12-14 2021-12-14 Traffic monitoring device, method and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/046135 WO2023112175A1 (fr) 2021-12-14 2021-12-14 Traffic monitoring device, method and program

Publications (1)

Publication Number Publication Date
WO2023112175A1 true WO2023112175A1 (fr) 2023-06-22

Family

ID=86773791

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/046135 WO2023112175A1 (fr) 2021-12-14 2021-12-14 Traffic monitoring device, method and program

Country Status (1)

Country Link
WO (1) WO2023112175A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007116405A (ja) * 2005-10-20 2007-05-10 Alaxala Networks Corp Detection method for abnormal traffic and packet relay apparatus
JP2009020781A (ja) * 2007-07-13 2009-01-29 Sony Corp Histogram calculation circuit, histogram calculation method, and program
JP2011035932A (ja) * 2005-05-20 2011-02-17 Alaxala Networks Corp Network control device and control method therefor
JP2015046683A (ja) * 2013-08-27 2015-03-12 日本電信電話株式会社 Traffic scanning device and method
JP2018164141A (ja) * 2017-03-24 2018-10-18 アラクサラネットワークス株式会社 Communication device and communication method


Similar Documents

Publication Publication Date Title
EP2289221B1 (fr) Network intrusion protection
US9787556B2 (en) Apparatus, system, and method for enhanced monitoring, searching, and visualization of network data
CN108701187B (zh) Device and method for hybrid hardware-software distributed threat analysis
US8509106B2 (en) Techniques for preventing attacks on computer systems and networks
US7379426B2 (en) Routing loop detection program and routing loop detection method
KR101574193B1 (ko) Apparatus and method for detecting and defending against distributed denial-of-service attacks
US10505952B2 (en) Attack detection device, attack detection method, and attack detection program
US20110138463A1 (en) Method and system for DDoS traffic detection and traffic mitigation using flow statistics
US20070115850A1 (en) Detection method for abnormal traffic and packet relay apparatus
US11546266B2 (en) Correlating discarded network traffic with network policy events through augmented flow
WO2016106592A1 (fr) Method and device for feature information analysis
EP2933954A1 (fr) Method and apparatus for network anomaly notification
US10469528B2 (en) Algorithmically detecting malicious packets in DDoS attacks
US10693890B2 (en) Packet relay apparatus
JP2006279930A (ja) Unauthorized access detection method and device, and unauthorized access blocking method and device
US20140304817A1 (en) Apparatus and method for detecting slow read DoS attack
JPWO2012147909A1 (ja) Network device, communication system, abnormal traffic detection method, and program
CN108616488B (zh) Attack defense method and defense device
EP2452466B1 (fr) Apparatus and method for enhancing forwarding, classification, and monitoring of network traffic
WO2023112175A1 (fr) Traffic monitoring device, method and program
EP3092737B1 (fr) Systems for enhanced monitoring, searching and visualization of network data
EP2929472A2 (fr) Apparatus, system and method for enhanced network monitoring, data reporting and data processing
EP3092771A1 (fr) Apparatus, system and method for enhanced monitoring and interception of network data
US11223562B1 (en) Selectively processing packets based on their classification by a counting bloom filter as a first packet or a subsequent packet of a transport protocol connection
WO2023273843A1 (fr) Security and defense method and apparatus, device, and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21968092

Country of ref document: EP

Kind code of ref document: A1