JP2007013590A - Network monitoring system, network monitoring device and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To make it possible to detect traffic abnormality caused in a plurality of monitoring lines and to concretely tabulate traffic information by using a predetermined summarization method. <P>SOLUTION: This network monitoring system always collects communication information of a communication signal flowing through each of the monitoring lines, and is provided with: one or a plurality of collecting means for finding packet information and flow statistical information with a transmission source and/or a transmission destination associated therewith on the basis of header information belonging to the communication signal; and an information summarization means for grouping and tabulating traffic information by preset physical summarization objects. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a network monitoring system, a network monitoring apparatus, and a program, and can be applied to, for example, a system, apparatus, and program that collects traffic information in a network and monitors abnormalities.

  In recent years, with the development of network technology, its importance has increased, and network systems have penetrated as social infrastructure. On the other hand, new and sophisticated viruses are generated every day. Threats such as virus infections cause network failures, and the damage increases with the scale of the network. Therefore, a system that detects and monitors abnormalities in the network is strongly desired.

  Conventionally, there is a technique disclosed in Patent Document 1 as a system for detecting an abnormality in a network.

In Patent Literature 1, internal traffic flow information is acquired from a plurality of monitoring target devices arranged in a network, normal traffic is compared with the total amount of abnormal traffic, and the total amount of abnormal traffic is predetermined. A failure detection device that determines an abnormality when the ratio is exceeded is described.
JP 2005-72723 A

  In recent years, networks have become more sophisticated and complex. For example, in a corporate network composed of multiple bases, the line protocol (network protocol) used at each base may be different. Aggregating is technically difficult and the costs for doing so increase. In addition, since there are many applications used, it is impossible to grasp the communication traffic for each application.

  The failure detection apparatus described in Patent Document 1 described above can be monitored collectively over a wide range in the network by providing a plurality of devices to be monitored in the network. Whether or not there is an abnormality is determined from the total amount of traffic inside the monitored device. For this reason, the failure detection device can grasp the presence or absence of an abnormality at a remote location, but what characteristics the abnormality has (for example, whether or not it is an attack targeting a specific terminal) It cannot be grasped individually.

  In addition, the detection method described above only detects the amount of communication traffic that should not flow into the device to be monitored, so that the path information is normal but the traffic that is actually abnormal is detected. I can't.

  Therefore, there is a need for a network monitoring system, a network monitoring device, and a program that can detect traffic anomalies that have occurred in a plurality of monitoring lines and can specifically aggregate traffic information according to a predetermined aggregation method. .

  In order to solve such a problem, the network monitoring system of the first aspect of the present invention (1) always collects communication information of communication signals flowing through the respective monitoring lines, and based on header information included in the communication signals, One or a plurality of collecting means for obtaining packet information and flow statistical information in which a transmission source and / or a transmission destination are associated, and (2) information aggregation for grouping traffic information by grouping with a preset physical aggregation target Means.

  The network monitoring device of the second aspect of the present invention (1) always collects communication information of communication signals flowing through the respective monitoring lines. Based on header information included in the communication signals, packet information, transmission source, Or one or a plurality of collecting means for obtaining flow statistical information associated with transmission destinations, and (2) an information aggregating means for grouping traffic information by grouping with a preset physical aggregation target. And

  The network monitoring device of the third aspect of the present invention constantly collects communication information of communication signals flowing through the respective monitoring lines, and based on header information included in the communication signals, packet information, transmission source and / or transmission destination Is a network monitoring device that aggregates information given from one or a plurality of collection devices for obtaining flow statistical information associated with (1) traffic information by grouping with a preset physical aggregation target And an information aggregating means.

  The program of the fourth aspect of the present invention constantly collects communication information of communication signals flowing through respective monitoring lines, and associates packet information with a transmission source and / or transmission destination based on header information included in the communication signal. The network monitoring device that collects information given from one or more collection devices that obtain the flow statistics information is made to function as an information aggregating unit that aggregates traffic information by grouping according to a preset physical aggregation target Is for.

  According to the network monitoring system, the network monitoring apparatus, and the program of the present invention, it is possible to detect a traffic abnormality occurring in a plurality of monitoring lines and to specifically aggregate traffic information according to a predetermined aggregation method. .

(A) First Embodiment Hereinafter, a first embodiment of a network monitoring system, a network monitoring apparatus, and a program according to the present invention will be described with reference to the drawings.

  In the present embodiment, a case where the network monitoring system, the network monitoring apparatus, and the program of the present invention are applied to a network abnormality monitoring system that monitors a plurality of monitoring lines and detects an abnormality is shown.

(A-1) Configuration of First Embodiment FIG. 1 is an overall configuration diagram showing a schematic configuration of a network abnormality monitoring system of the present embodiment.

  In FIG. 1, the network abnormality monitoring system 1 according to this embodiment uses network lines connected to a plurality of bases as monitoring lines, collects communication data flowing through these monitoring lines, and further collects information collected from the monitoring lines at the plurality of bases. However, the analysis is comprehensively and / or individually based on the aggregated information.

  As shown in FIG. 1, the network abnormality monitoring system 9 of this embodiment includes a plurality of monitoring lines 6, a transfer device 5 connected to each monitoring line 6, a collection device 2, an aggregation device 1, an analysis device 3, and an administrator. The terminal 4 is configured at least.

  The monitoring line 6 is a communication line at each site, and is a monitoring target for network abnormality. Further, the protocol adopted in the layer corresponding to the transport layer of the OSI basic reference model is not particularly limited, but, for example, TCP, UDP, etc. can be applied. The line medium of the monitoring line 6 may be different from each other such as an optical fiber line or an electric line.

  The transfer device 5 copies the communication data flowing through the monitoring line 6 and transfers it to the collection device 2, and corresponds to, for example, a switch, a router, a tapping device, or the like. The transfer device 5 transfers bidirectional data of communication data received from an external network (not shown) and communication data transmitted to the external network to the collection device 2.

  The collection device 2 receives the communication data transferred from the transfer device 5, collects packet information and flow statistical information for each predetermined type based on the header information of the communication data, and information collected by the collection function And a storage function for temporarily storing communication data transferred from the transfer device 5 after detecting the traffic abnormality.

  Here, although the detailed configuration of the collection device 2 will be described later, each collection device 2 can collect all communication data flowing through the monitoring line 6 to be monitored. The collection device 2 gives all or part of the collected information to the aggregation device 1. In FIG. 1, the collection device 2 is provided corresponding to each monitoring line 6, but may collect communication data of a plurality of monitoring lines 6.

  The aggregation device 1 acquires information collected by the collection device 2 from one or a plurality of collection devices 2 and aggregates the collected information according to a predetermined aggregation method.

  Although the details of the collection method of the collected information in the aggregation device 1 will be described later, by providing the aggregation device 1, the monitoring line can be constantly monitored, and the aggregation information obtained by aggregating a plurality of monitoring points based on the monitoring result is obtained. It is possible to create, create statistical information for each monitoring point, and create aggregate information for each line protocol of the monitoring line.

  Further, the aggregation device 1 has a function of anonymizing personal information (for example, an IP address) included in the traffic data. Further, the aggregation device 1 has an alarm notification function for notifying the analysis device 3 or the administrator terminal 4 of an alarm when an abnormality is detected in the monitoring line 6.

  In addition, the aggregation device 1 provides aggregation information to the analysis device 3. In addition, the number of installation of the aggregation device 1, the number of connections with the collection device 2, and the connection mode are not particularly limited and can be adopted in a wide mode.

  The analysis device 3 acquires aggregated information from the aggregation device 1, a setting function for performing various analysis settings such as monitoring target settings, abnormality detection settings, and anonymization settings based on the administrator's instructions from the administrator terminal 4. , It has an analysis function of analyzing the aggregated information according to various settings and giving the analysis result to the administrator terminal 4.

  Although the detailed configuration of the analysis device 3 will be described later, the monitoring target can be constantly monitored by providing the analysis device 3. That is, not only when a network abnormality occurs but also normal traffic analysis.

  The administrator terminal 4 is a terminal that is operated by an administrator who manages the network, and is a terminal for performing various other operations such as setting of setting information related to abnormality detection, network monitoring, etc., and display of analysis results, etc. It is.

  Next, detailed functional configurations of the aggregation device 1, the collection device 2, and the analysis device 3 will be described with reference to the drawings.

  FIG. 2 is a block diagram illustrating a hardware configuration of the aggregation device 1. FIG. 3 is a functional block diagram illustrating functions realized by the aggregation device 1.

  As illustrated in FIG. 2, the aggregation device 1 includes at least a CPU 11, a storage unit 12, and a communication unit 13. The CPU 11 is responsible for the overall control function of the aggregation device 1. The recording unit 12 includes, for example, a ROM, a RAM (which is a concept including a nonvolatile writable memory such as an EEPROM), and the like. For example, the CPU 11 uses the fixed data stored in the ROM or the temporary data stored in the RAM, and executes the processing program stored in the ROM using the RAM as a working memory, whereby the function of the aggregation device 1 is achieved. To control. The communication unit 13 transmits and receives information to and from the collection device 2 and the analysis device 3 according to a predetermined communication protocol.

  In FIG. 3, the main functions realized by the aggregation device 1 of this embodiment include at least an aggregation function unit 11a, an anonymization function unit 11b, a notification function unit 11c, and a detection function unit 11d.

  As aggregation methods in the aggregation function unit 11a, there are a physical aggregation function unit 111, a logical aggregation function unit 112, and a temporal aggregation function unit 113. The aggregation function unit 11a aggregates information by using these function units 111 to 113 alone or in combination according to an abnormal state, an instruction from an administrator, or the like.

  Here, the aggregation method performed by the physical aggregation function unit 111 is, for example, (a) for each monitoring line, (b) for each protocol adopted by the monitoring line, (c) for each of a plurality of monitoring lines at a specific connection destination, (D) A method for aggregating collected information with a tangible object such as every monitoring line of all connection destinations as an object of aggregation.

(A) The aggregation for each monitoring line is performed by setting a group including a plurality of collection devices 2 in advance and acquiring the collection information from each collection device 2, collecting the collection information for each collection device 2 of the group (for example, , Counting the number of packets, counting the bandwidth (data amount), etc.). For example, if the collecting device 2 that monitors the line 6 with different media such as an optical line and an electric line and the collecting device 2 with different installation locations are tabulated as the same group, the difference in traffic volume or physical due to the difference in the line medium The traffic amount of the line 6 that is far away can be totaled.

(B) Aggregation for each monitoring line protocol is performed by grouping, for example, collection devices 2 having different monitoring line protocols, such as TCP / IP, ATM, OC3, SONET, and the like. It is an aggregation of quantity. Thereby, the difference in traffic volume for each application protocol can be shown.

(C) Aggregation for each of the plurality of monitoring lines at the specific connection destination is, for example, totaling the traffic amounts of the plurality of monitoring lines that have communicated with a specific transmission destination (destination). Thereby, communication with respect to a certain specific transmission destination can be monitored.

(D) Aggregation of all connection destinations for each monitoring line is, for example, grouping the lines 6 from the same transmission source to all connection destinations and totaling the traffic volume from the same transmission source. Thereby, it is possible to monitor communication from a specific transmission source.

  Further, the aggregation method performed by the logical aggregation function unit 112 is, for example, a logical method such as (e) communication for a specific transmission / reception destination or (f) special data used for a security attack. A method of aggregating collected information as an aggregation target.

(E) Aggregation for each specific transmission / reception destination communication aggregates statistical data of communication to a specific destination or communication from a specific source.

(F) Aggregation of special data only aggregates statistical data of special attack packet data (for example, a Syn packet or a packet with an incorrect attribute) used for a security attack.

  Further, the aggregation method performed by the temporal aggregation function unit 113 is (g) a method of aggregating collected information at time intervals such as minutes, hours, and days. For example, aggregated information can be created every 5 minutes, every week, or every month.

  Next, the anonymization function unit 11b is a function that replaces other information with at least the analysis apparatus 3 so that specific personal information can be uniquely specified.

  The notification function unit 11c notifies an alert to a preset destination by a predetermined communication method when a network abnormality is detected by the detection function 11d or a detection function in the collection device 2 described later. The notification function unit 11c is capable of other notification methods such as e-mail notification, snmptrap notification, and arbitrary command activation.

  The detection function unit 11d is a function for detecting a network abnormality and notifying the notification function unit 11c when the abnormality is detected.

  FIG. 4 is a block diagram illustrating a hardware configuration of the collection device 2. FIG. 5 is a functional block diagram showing functions realized by the collection device 2.

  As illustrated in FIG. 4, the collection device 2 includes at least a CPU 21, a storage unit 22, and a communication unit 23. The CPU 21 is responsible for the overall control function of the collection device 2. The recording unit 22 includes, for example, a ROM, a RAM (which is a concept including a nonvolatile writable memory such as an EEPROM), and the like. For example, the CPU 21 uses the fixed data stored in the ROM or the temporary data stored in the RAM, and executes the processing program stored in the ROM using the RAM as a working memory, whereby the function of the collection device 2 is achieved. To control. The communication unit 23 transmits / receives information to / from the aggregation device 1 and the transfer device 5 according to a predetermined communication protocol.

  In FIG. 5, the main functions realized by the collection device 2 of the present embodiment include at least a collection function unit 21a, a detection function unit 21b, and a storage function unit 21c.

  The collection function unit 21a monitors the traffic of the communication data received from the transfer device 5, acquires packet information summarizing the communication data, layer 4 port information and ICMP type information based on information included in the communication data, This is a function for collecting flow statistical information for each layer 4 port or ICMP type. Thereby, the flow information for each transmission destination and the flow information for each transmission source can be collected.

  FIG. 6 is an explanatory diagram for explaining a format example of packet information of communication data and an example of flow statistical information. For example, the collection function unit 21a reads the protocol (9), the source IP address (11), and the destination IP address (12) in the packet information format example shown in FIG. Further, the collection function unit 21a creates flow statistical information as shown in FIG. 6B based on the collected information. For example, the flow statistical information in FIG. 6B is a case where statistical information of a flow (data amount) by TCP, UDP, IP, and ICMP per unit time is created. In the data portion, TCP and UDP are A case is shown in which 65536 are set as statistical values, 256 are set as statistical values for IP and ICMP, and 1 × 12 are set as statistical values as other (ETC).

  Based on the information collected by the collection function unit 21a, the detection function unit 21b determines the port type regardless of the amount of communication concentrated only on a specific destination, the large amount of communication from a specific destination, and the destination or destination. This is a function for monitoring traffic volume for each traffic and detecting a traffic abnormality when each traffic volume exceeds a set threshold value. Thereby, for example, so-called PortScan, so-called IP sweep, or traffic abnormality for each port type can be determined.

  The accumulation function unit 21c stores the transfer data received from the transfer device 5 after the abnormality is detected by the detection function unit 21b until a predetermined period elapses. Note that the stored communication data is deleted after the predetermined period. Further, the storage function unit 21 sets a flag on the communication data related to the detected abnormality, and does not delete the communication data (anomaly-related data) for which the flag has been set even after a predetermined period.

  The storage function unit 21c is a so-called snapshot function for improving the efficiency of aggregation, and may be distributed as long as transfer of collected information can be reduced.

  FIG. 7 is a block diagram illustrating a hardware configuration of the analysis apparatus 3. FIG. 8 is a functional block diagram showing functions realized by the analysis device 3.

  As illustrated in FIG. 7, the analysis device 3 includes at least a CPU 31, a storage unit 32, and a communication unit 33. The CPU 31 is responsible for the overall control function of the analyzer 3. The recording unit 32 is configured by, for example, a ROM, a RAM (which is a concept including a nonvolatile writable memory such as an EEPROM), and the like. For example, the CPU 31 uses the fixed data stored in the ROM or the temporary data stored in the RAM, and executes the processing program stored in the ROM using the RAM as a working memory, thereby enabling the function of the analysis device 3 to function. To control. The communication unit 33 transmits and receives information to and from the aggregation device 1 and the administrator terminal 4 according to a predetermined communication protocol.

  In FIG. 8, the main functions realized by the analysis apparatus 3 of the present embodiment include at least a setting function unit 31a and an analysis function unit 31b.

  The setting function unit 31a is a function that receives an instruction input by the administrator from the administrator terminal 4 and performs settings related to a monitoring target, abnormality detection, anonymization, and the like based on the instruction. It is possible to change, delete, or add contents once set.

  The analysis function unit 31b receives the aggregated data notified from the aggregation device 1 and records the received data. Also, the analysis function unit 31b determines whether the traffic flow rate represented by, for example, pps or bps, the number of scans per unit time and / or the number of sweep hosts, or the like exceeds the threshold based on the received data. It is determined whether there is a divergence, and the degree of abnormality of the notification data is quantified (for example, displayed in%). In addition, when an abnormality is detected, the analysis function unit 31b distributes the setting file of each collection device 2 or each aggregation device 1 and monitors the data of a specific transmission / reception destination, sets the grouping range, The threshold value is updated. This set value is reflected in the collection device 2 and the aggregation device 1, and monitoring with the new setting can be continued.

(A-2) Operation of First Embodiment Next, the operation of the network abnormality monitoring system 9 of the present embodiment will be described with reference to the drawings.

  FIG. 9 is a flowchart showing a flow of an abnormality monitoring operation in the network abnormality monitoring system 9 of the present embodiment.

  In FIG. 9, when communication data flows through each monitoring line 6, the transfer device 5 copies the communication data and transfers the communication data to the collection device 2 (F1). At this time, the transfer device 5 gives all of the communication data transmitted / received to / from the monitoring line 6 at each site to the collection device 2.

  When communication data is given from the transfer device 5, the collection device 2 extracts header information of the received communication data, and collects packet information of communication data per unit time and flow statistical information based on the header information. (F2).

  For example, the packet information is a network protocol type of communication data, and the flow statistical information is a destination IP address or a destination IP address included in the header, and the flow statistics for each destination IP address or each destination IP address. Information.

  When packet information and flow statistical information are collected in the collection device 2, a traffic flow for a certain time is calculated based on the collected information, and the presence or absence of an abnormality is determined by comparing the traffic flow with a threshold value. (F3).

  The specific determination of the abnormality detection at this time is determined by comparing the collected information with the traffic flow rate and the threshold value, for example, determining whether the communication traffic amount per unit time to a specific destination exceeds the threshold value. Judgment whether or not the amount of communication traffic per unit time from a specific source exceeded the threshold, and whether or not the unit time communication traffic per port type exceeded the threshold regardless of the source and destination Judge whether or not.

  Then, it is determined that an abnormality has occurred when the traffic flow rate for a certain time exceeds the threshold value, and is determined to be normal when it is equal to or less than the threshold value.

  When a network abnormality is detected, the communication data transferred thereafter from the transfer device 5 is temporarily stored. In addition, the communication data related to the detected abnormality is flagged and stored without being erased even after a predetermined time. Thereby, it can contribute to the cause tracking in the case of the analysis which concerns on abnormality.

  Further, when a network abnormality is detected, the aggregation device 1 is notified to that effect, and the aggregation device 1 aggregates information related to the detected abnormality according to a predetermined aggregation method (F4). Note that the types and contents of the predetermined aggregation method have been described when the functional configuration of the aggregation device 1 is described, and thus detailed description thereof is omitted here.

  For example, when the traffic volume for a specific transmission destination connected to a certain monitoring line 6 exceeds a threshold and an abnormality is detected, the aggregation device 1 groups a plurality of monitoring lines 6 having the specific transmission destination as a communication destination. Then, the traffic volume of each monitoring line 6 is totaled to determine the traffic volume for the transmission destination. As a result, in contrast to conventional collective monitoring over the entire network, this embodiment can monitor and detect individual attacks for each destination. Further, since the collection device 2 collects and accumulates packet information and flow information for each transmission destination / transmission source, the communication history of the transmission destination can be analyzed. Other aggregation methods are also performed according to the respective methods.

  In the aggregation device 1, the personal information such as the IP address included in the traffic data is concealed with hashing, a unique ID, and the like during the aggregation processing related to the abnormality information (F 5).

  When the aggregation process on the abnormality information is performed in the aggregation device 1, the aggregated abnormality information is given from the aggregation device 1 to the analysis device 3 (F6).

  When the abnormality information aggregated is given to the analysis device 3, based on the abnormality information aggregated for each group, resetting of the monitoring reinforcement area and the group at the time of aggregation, updating of the threshold at the time of abnormality detection, etc. are performed (F7). ).

  When the aggregated abnormality information is given to the analysis device 3, an analysis result based on the aggregate information and the setting information is transmitted to the administrator terminal 4 in accordance with an instruction from the administrator terminal 4 (F8).

(B) Other Embodiments In the above-described embodiments, the functions of the collection device 2, the aggregation device 1, and the analysis device 3 may be distributed on the network system.

  That is, for example, the aggregation device 1 may include all or part of the collection function 21a and the detection function 21b of the collection device 2, or the collection device 2 may include the aggregation function 11a and the anonymization function of the aggregation device 1. You may make it provide all or one part of 11b and the notification function 11c. Of course, various modes including the function of the analyzer 3 can be considered.

1 is an overall configuration diagram of a network abnormality monitoring system according to a first embodiment. It is a block diagram which shows the hardware constitutions of the aggregation apparatus of 1st Embodiment. It is a functional block diagram which shows the function which the aggregation apparatus of 1st Embodiment implement | achieves. It is a block diagram which shows the hardware constitutions of the collection apparatus of 1st Embodiment. It is a functional block diagram which shows the function which the collection device of 1st Embodiment implement | achieves. It is explanatory drawing explaining the format example of the packet information of the communication data of 1st Embodiment, and the example of flow statistics information. It is a block diagram which shows the hardware constitutions of the analyzer of 1st Embodiment. It is a functional block which shows the function which the analyzer of 1st Embodiment implement | achieves. It is a flowchart explaining operation | movement of the network abnormality monitoring system of 1st Embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Aggregation apparatus, 2 ... Collection apparatus, 3 ... Analysis apparatus, 6 ... Monitoring line, 9 ... Network abnormality monitoring system, 11a ... Aggregation function part, 111 ... Physical aggregation function part, 112 ... Logical aggregation function part, 113 ... time aggregation function part, 21a ... collection function part, 21b ... detection function part, 21c ... storage function part, 31a ... setting function part, 31b ... analysis function part.

Claims (9)

Communication information of communication signals flowing through the respective monitoring lines is always collected, and packet information and flow statistical information relating transmission sources and / or transmission destinations are obtained based on header information included in the communication signals 1 Or multiple collection means;
A network monitoring system comprising: an information aggregating unit that aggregates traffic information by grouping according to a preset physical aggregation target. An anomaly detecting means for detecting a network anomaly by comparing a predetermined traffic flow rate and a threshold based on information obtained by each of the collecting means;
The network monitoring system according to claim 1, further comprising storage means for storing only necessary data when there is a network abnormality.   3. The network monitoring system according to claim 1, further comprising an analyzing unit that performs traffic analysis corresponding to preset analysis setting information with reference to the aggregated information aggregated by the information aggregating unit.   The abnormality detection means detects a network abnormality related to the same transmission source and / or the same transmission destination or a network abnormality of a port type with reference to the packet information and the flow statistical information obtained by each collection means. The network monitoring system according to claim 2, wherein the network monitoring system is provided.   5. The network according to claim 1, wherein the information aggregating unit aggregates traffic information by grouping preset logical aggregation targets in addition to the physical aggregation. Monitoring system.   The network monitoring system according to claim 1, wherein the information aggregating unit further aggregates traffic information at predetermined time intervals. Communication information of communication signals flowing through the respective monitoring lines is always collected, and packet information and flow statistical information relating transmission sources and / or transmission destinations are obtained based on header information included in the communication signals 1 Or multiple collection means;
An information aggregating unit that aggregates traffic information by grouping according to physical aggregation targets set in advance. Communication information of communication signals flowing through the respective monitoring lines is always collected, and packet information and flow statistical information relating transmission sources and / or transmission destinations are obtained based on header information included in the communication signals 1 Or a network monitoring device that aggregates information given from a plurality of collection devices,
A network monitoring apparatus comprising: an information aggregating unit that aggregates traffic information by grouping according to a preset physical aggregation target. Communication information of communication signals flowing through the respective monitoring lines is always collected, and packet information and flow statistical information relating transmission sources and / or transmission destinations are obtained based on header information included in the communication signals 1 Or to a network monitoring device that aggregates information given from multiple collection devices,
A program that functions as an information aggregating means that aggregates traffic information by grouping them according to physical aggregation targets set in advance.

Images