JP7798118B2 - Traffic monitoring device, traffic monitoring method, and program - Google Patents

Description

The present invention relates to a traffic monitoring device, a traffic monitoring method, and a program.

Flood attacks exist, which attack network devices by sending excessive traffic over a network. Traditionally, attacks known as classic DoS (Denial of Services) have been blocked by analyzing the headers of IP packet fields called 5-tuple and identifying the source of the attack based on that information. However, a new technique known as DDoS (Distributed Denial of Services) has recently emerged, which exploits Layer 4 protocol mechanisms such as TCP or UDP to launch attacks from multiple sources. Because 5-tuple analysis is difficult to use to counter such DDoS attacks, attack traffic has been identified by adding Layer 4 and higher protocol information to the 5-tuple and analyzing it.

On the other hand, as network speeds increase, the number of flows is exponentially increasing. It is difficult to identify attack traffic by analyzing all traffic, and methods such as using machine learning to predict attack traffic from past attack data have been proposed to efficiently identify attack traffic (e.g., Non-Patent Document 1).

Yuhei Hayashi, Hikofumi Suzuki, Takeo Nishioka, “Low-bandwidth L3, L4 DDoS detection feature based on the number of 5-tuple flows among 3-tuple flows,” IEICE Technical Report, ICM2019-5(2019-05)

Inference methods using machine learning, etc., have the problem that they require learning time to generate rules, and the processing load of the machine learning process itself results in a large time lag between an attack and its detection.

The present invention aims to identify attack traffic with light processing load.

In order to solve the above problem, the traffic monitoring device of the present invention is a traffic monitoring device that monitors traffic on a communication network, and includes: a receiving unit that receives packets flowing through the communication network; an extracting unit that extracts first identification information that identifies a flow from the packet based on an offset that specifies the extraction position of the packet received by the receiving unit; a rule identifying unit that identifies a rule having information that matches the first identification information extracted by the extracting unit; a counting unit that tally, for each rule identified by the rule identifying unit, at least one of the number of times the rule has been identified and the data volume of the packets identified as the rule; and an offset control unit that, when the tallying result by the counting unit meets a predetermined criterion, generates a new offset to be used by the extracting unit to extract second identification information that can be used to identify attack traffic in addition to the first identification information; the rule identifying unit identifies a new rule having information that matches the first identification information and the second identification information extracted by the extracting unit based on the new offset; and the counting unit tally at least one of the number of times the new rule has been identified or the data volume of the packets identified as the new rule.

Furthermore, the traffic monitoring method of the present invention comprises: a receiving step of receiving packets flowing through the communication network; an extraction step of extracting first identification information that identifies a flow from the packets based on an offset that specifies the extraction position of the packets received in the receiving step; a rule identification step of identifying rules having information that matches the first identification information extracted in the extraction step; an aggregation step of tallying, for each rule identified in the rule identification step, at least one of the number of times the rule has been identified and the data volume of the packets identified as the rule; and an offset control step of generating, as the offset to be used by the extraction unit, a new offset for extracting second identification information that can be used to identify attack traffic in addition to the first identification information when the aggregation result of the aggregation step meets a predetermined criterion, wherein the rule identification step identifies a new rule having information that matches the first identification information and the second identification information extracted based on the new offset in the extraction step, and the aggregation step aggregates at least one of the number of times the new rule has been identified or the data volume of the packets identified as the new rule.

The program of the present invention also executes the following steps: a receiving step for receiving packets flowing through the communication network; an extraction step for extracting first identification information that identifies a flow from the packets based on an offset that specifies the extraction position of the packets received in the receiving step; a rule identification step for identifying rules having information that matches the first identification information extracted in the extraction step; a counting step for tallying, for each rule identified in the rule identification step, at least one of the number of times the rule has been identified and the data volume of the packets identified as the rule; and an offset control step for generating, as the offset to be used by the extraction unit, a new offset for extracting, in addition to the first identification information, second identification information that can be used to identify attack traffic when the counting result of the counting step meets a predetermined criterion; wherein the rule identification step identifies a new rule having information that matches the first identification information and the second identification information extracted based on the new offset in the extraction step, and the counting step tallying at least one of the number of times the new rule has been identified or the data volume of the packets identified as the new rule.

According to the present invention, attack traffic is identified with light processing load.

FIG. 1 is a diagram showing the configuration of a traffic monitoring device according to an embodiment of the present invention. FIG. 2 is a diagram illustrating an example of the data structure of a packet. FIG. 3 is a diagram for explaining a method of extracting a packet using an offset. FIG. 4 is a diagram showing an example of the structure of the rule table. FIG. 5 is a diagram showing an example of the structure of the rule table. FIG. 6 is a diagram for explaining a method of extracting a packet using an offset. FIG. 7 is a diagram showing the configuration of the traffic monitoring device of FIG. 1 when configured by a computer.

The following describes an embodiment of the present invention with reference to the drawings.

As shown in FIG. 1, the traffic monitoring device 10 according to this embodiment comprises a receiving unit 11, a cutout unit 12, a rule identification unit 13, a counting unit 14, and an output unit 15. The traffic monitoring device 10 also comprises a rule control unit 16, an offset control unit 17, and a memory unit 19. The traffic monitoring device 10 having such a configuration is configured to monitor traffic on the communication network NW.

At least a portion of each of the above units 11 to 17 is composed of logic circuits written into, for example, an FPGA (Field-Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit). At least a portion of each of the units 11 to 17 may be composed of a processor such as a CPU (Central Processing Unit) that executes programs. The storage unit 19 is composed of an appropriate non-volatile storage device such as flash memory or an SSD (Solid State Drive). The storage unit 19 may be composed of at least a portion of memory such as an FPGA (Field-Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit). Each of the units 11 to 17 may be composed of memory that temporarily stores data being processed, etc.

The receiver 11 sequentially receives multiple packets (more specifically, mirroring packets) flowing through the communication network NW one by one and outputs them to the extractor 12. As shown in Figure 2, a packet consists of data (also called payload) and a header placed before the data. As shown in Figure 2, the header includes a source MAC address and a destination MAC address. The header further includes optional information such as source and destination IP addresses, source and destination Port addresses, VLAN ID, and communication protocol.

Returning to Figure 1, the cutout unit 12 cuts out a portion from a packet. This cutout position is specified by an offset stored in the memory unit 19. Based on this offset, the cutout unit 12 cuts out a portion from the packet at the cutout position specified by the offset. Here, the cutout portion is a bit-delimited portion, also referred to as a field value. A group of packets with matching field values is also referred to as a flow. In other words, the field value is also identification information that identifies a flow. The cutout position specified by the offset is set so that the cutout field value includes a portion necessary and sufficient to identify the flow to be monitored. The cutout field value includes various addresses, VLAN ID, communication protocol, etc. The field value does not necessarily have to match the protocol field in the packet header, and may be a value that spans multiple header fields (for example, the L2 header and L3 header in Figure 2).

Figure 3 shows an example of offset-based extraction. In Figure 3, offsets 1 to 4 are provided as a single offset, and these are used to extract field values at positions within the packet designated by fields 1 to 4. Offsets 1 to 4 indicate the beginning of the area to be extracted, and a certain number of bits of data are extracted from that beginning. Note that multiple offsets may be provided depending on the data structure of the header of the packet to be monitored. In this case, the extraction unit 12 copies the packet the number of offsets and applies each offset to each packet to extract it. The extraction unit 12 may extract each field value based on each offset by copying data from a single packet at the extraction position specified by each offset. Thereafter, the following processing is performed for the multiple extracted portions.

The field value extracted by the extraction unit 12 is input to the rule identification unit 13. The rule identification unit 13 compares the input field value with the rules prepared for each flow. The rules are registered in a rule table 19A stored in the memory unit 19, and the rule identification unit 13 identifies a rule from the rules registered in the rule table 19A that has a value that matches the input field value.

An example of the configuration of rule table 19A is shown in Figure 4. An "*" in rule table 19A indicates that the value of the corresponding part of the field value compared to the rule will be treated as a match regardless of the value (including no value). For example, a field value where field 3 has a value of "12" and field 4 has a value of "8080" will identify rule #2 in Figure 4 regardless of the other values (including, for example, the missing field value of field 5 extracted by the offset in Figure 3).

The rule identification unit 13 supplies the rule number of the identified rule (here, any one of #1 to #3) to the counting unit 14. The counting unit 14 counts the number of times the rule number is supplied from the rule identification unit 13 (i.e., the number of packets input to the receiving unit 11) for each rule number. In this way, the counting unit 14 counts the number of times a rule is identified by the rule identification unit 13 for each rule. Here, rules are prepared for each logical network. When a flood attack occurs against a certain logical network, the number of times counted by the counting unit 14 for the rules of that logical network (number of times a rule is identified) increases. To detect this, when the number of times counted per specified period exceeds a specified threshold, the counting unit 14 notifies the rule control unit 16 of the rule number of the rule that exceeds the threshold.

Here, it is assumed that the memory unit 19 or the like stores rule numbers and packet header configurations (more specifically, information specifying which data is located at which position in the header). When the rule control unit 16 is notified of a rule number, it acquires the packet header configuration corresponding to that rule number from the memory unit 19 or the like as the packet header configuration of the network under attack. The packet header configuration may be identified by the content of the rule registered in the rule table 19A (the content of fields 1 to 5). In this case, the rule corresponding to the notified rule number is referenced. Based on the identified packet header configuration, the rule control unit 16 generates a new rule as a monitoring rule by adding identification information to be compared with new identification information that can be used to identify the type of DDoS attack from the information contained in the packet, and registers the new rule in the rule table 19A. The information added here may be, for example, a TCP flag indicating the TCP type. When the count number for rule #2 in rule table 19A of FIG. 4 increases, new rules #4 to #6 are registered with a TCP flag value (such as "010000") added to field 5 of rule #2, as shown in FIG. 5.

The rule control unit 16 then notifies the offset control unit 17 of the identified packet header configuration. Based on the packet header configuration, the offset control unit 17 generates a new offset for extracting from the packet identification information (the value of field 5) that can identify a DDoS attack in addition to other identification information, and stores the generated offset in the memory unit 19. This offset is, for example, the steady-state offset in Figure 3 plus offset 5 for extracting field 5, and consists of offsets 1 to 5 (see Figure 6).

From this point on, subsequent packets are processed based on the new monitoring rule and offset, and monitoring of subsequent traffic continues. In particular, for each of rules #4 to #6, which have been updated with the information necessary to identify traffic attacks, the number of packets received by the receiving unit 11 (the number of times the rule number is supplied from the rule identification unit 13) is counted, and the type of attack (ACK, SYN, FIN) is identified from the count. In this case, an attack is being carried out against the logical network of the rule with the highest count.

The output unit 15 outputs the number of times each rule has been identified by the rule identification unit 13, which is tallied by the aggregation unit 14, as the aggregation result. The output unit 15 displays the aggregation result, for example, on a display device provided in the traffic monitoring device 10 or external to the traffic monitoring device 10. This makes it possible to present to a user, etc., the presence or absence of attack traffic and its type. The output unit 15, for example, outputs the aggregation result to a processing unit provided inside or outside the traffic monitoring device 10, and the processing unit may identify the presence or absence of attack traffic and its type based on the aggregation result. The processing unit may perform a process of displaying a logical network determined to contain attack traffic on the display device, and/or a process of blocking communication on the logical network.

In the above explanation, TCP flags are used as identification information that can be used to identify DDoS attacks, i.e., to identify attack traffic (for example, the presence or absence of attack traffic and at least the former of its type), but the identification information may also be information that can identify the traffic type using bit string information in packet formats such as ICMP, UDP, NTP, and HTTP requests.

In place of or in addition to the number of times the rule is specified, the counting unit 14 may also count the amount of packet data for each rule. In this case, the receiving unit 11 or the extracting unit 12 identifies the amount of data for the received packets and supplies the identified amount of packet data to the counting unit 14 either directly or via the rule specifying unit 13. The counting unit 14 is supplied with the amount of data along with the rule number from the rule specifying unit 13. The counting unit 14 accumulates the supplied amount of data for each rule number, thereby counting the amount of data. In this way, the counting unit 14 counts, for each rule specified by the packet rule specifying unit 13, at least one of the number of times the rule is specified and the amount of data for the packets identified by that rule. When the counting result by the counting unit 14 meets a predetermined criterion, the rule control unit 16 generates the new rule as a monitoring rule and registers it in the rule table 19A. At this time, the offset control unit 17 also generates the new offset and stores it in the memory unit 19. The aggregation result by the aggregation unit 14 satisfies a predetermined standard when, for example, one of the specific number of times per specified period and the amount of data exceeds a predetermined threshold set for that one, or when both the specific number of times per specified period and the amount of data exceed the threshold set for each of them.

As described above, the cutout unit 12 cuts out first identification information (field value) that identifies a flow from a packet received by the receiving unit 11 based on an offset that specifies the cutout position of the packet. The rule identification unit 13 also identifies a rule having information that matches the first identification information cut out by the cutout unit 12. The counting unit 14 counts, for each rule identified by the rule identification unit 13, at least one of the number of times the rule has been identified and the data volume of the packet identified as the rule. When the counting result by the counting unit 14 meets a predetermined criterion, the offset control unit 17 generates a new offset to be used by the cutout unit 12 for cutting out not only the first identification information but also second identification information (e.g., TCP flag in field 5) that can be used to identify attack traffic. The rule identification unit 13 then identifies a new rule (e.g., any of rules #4 to #6) having information that matches the first identification information and second identification information cut out by the cutout unit 12 based on the new offset. The counting unit 14 counts at least one of the number of times the new rule is specified and the data volume of the packets identified by the new rule. In this configuration, the offset-based extraction reduces the load on the rule identification unit 13. Furthermore, when the counting result meets a predetermined standard, a new offset is generated for extracting second identification information. Rules are identified and counted based on the second identification information extracted using this offset. Therefore, it is determined that a rule, i.e., a flow, with a large number of counted identifications and/or a large amount of data is the target of attack traffic. Therefore, according to this embodiment, attack traffic is identified with a low processing load.

Furthermore, the rule identification unit 13 identifies, from among one or more rules, a rule having information that matches the first identification information extracted by the extraction unit 12, and when the aggregation result by the aggregation unit 14 meets a predetermined criterion, the rule control unit 16 generates the new rule and adds it to the one or more rules. This reduces the number of rules before the aggregation result meets the predetermined criterion. This allows for light processing load.

Furthermore, the rule identification unit 13 identifies a rule having information matching the first identification information from among one or more rules registered in the rule table, and the rule control unit 16 registers the newly generated rule in the rule table. Managing rules in a table in this way makes it easier to manage the rules.

Furthermore, the output unit 15 may output the results of tallying at least one of the number of times the new rule is identified or the data volume of the packet identified with the new rule, thereby making it possible to notify the presence or absence of attack traffic, etc.

Figure 7 shows a hardware configuration diagram of the traffic monitoring device 10 when configured as a computer. The traffic monitoring device 10 comprises a processor 101 such as a CPU, a main memory 102 of the processor 101, and a non-volatile storage device 103 that stores programs and various data and constitutes the storage unit 19 of Figure 1. The traffic monitoring device 10 further comprises a NIC (Network Interface Card) 104 that is connected to the communication network NW and relays packets. The processor 101 executes or uses the programs and data stored in the storage device 103 and loaded into the main memory 102 to operate as the above-mentioned units 11 to 17. Note that the receiving unit 11 and the output unit 15 may be realized by a combination of the processor 101 that executes programs and the NIC 104.

[Scope of the present invention]
The present invention is not limited to the above-described embodiments and modifications. For example, the present invention includes various modifications to the above-described embodiments and modifications that are understandable to those skilled in the art within the scope of the technical concept of the present invention. The configurations listed in the above-described embodiments and modifications can be combined as appropriate to the extent that no contradictions exist. Furthermore, any of the above-described configurations can be deleted. The various programs described above may be stored not only in the non-volatile storage device 103 but also in a non-transitory computer-readable storage medium. The "device" and "unit" may be an entity in which the configuration that realizes the operation is housed in a single housing, or an entity (system) in which the configuration that realizes the operation is housed distributed across multiple housings.

10...traffic monitoring device, 11...receiving unit, 12...extraction unit, 13...rule identification unit, 14...aggregation unit, 15...output unit, 16...rule control unit, 17...offset control unit, 19...storage unit, 19A...rule table, 101...processor, 102...main memory, 103...storage device, NW...communication network.

Claims (6)

A traffic monitoring device for monitoring traffic in a communication network, comprising:
a receiving unit that receives packets transmitted through the communication network;
an extracting unit that extracts first identification information for identifying a flow from the packet based on an offset that specifies an extracting position of the packet received by the receiving unit;
a rule specifying unit that specifies a rule having information that matches the first identification information extracted by the extraction unit;
a counting unit that counts, for each rule identified by the rule identifying unit, at least one of the number of times the rule is identified and the data amount of the packet identified as the rule;
an offset control unit that generates a new offset to be used by the cutout unit to cut out second identification information that can be used to identify attack traffic in addition to the first identification information when the counting result by the counting unit satisfies a predetermined criterion,
the rule identification unit identifies a new rule having information that matches the first identification information and the second identification information extracted by the extraction unit based on the new offset;
the counting unit counts at least one of the number of times the new rule is specified and the data amount of the packet specified by the new rule;
Traffic monitoring equipment. the rule identification unit identifies a rule having information that matches the first identification information cut out by the cutout unit and either the first identification information or the second identification information from a group of one or more rules;
a rule control unit that, when the counting result satisfies the predetermined criterion, generates the new rule and adds it to the rule group , thereby increasing the number of rules in the rule group ;
2. The traffic monitoring device according to claim 1. The rule group is registered in a rule table,
the rule control unit increases the number of rules in the rule group by additionally registering the new rule in the rule table;
3. The traffic monitoring device according to claim 2. an output unit that outputs a count result obtained by the counting unit counting at least one of the number of times the new rule has been specified and the data amount of the packet specified by the new rule,
A traffic monitoring device according to any one of claims 1 to 3. A traffic monitoring method for monitoring traffic in a communication network by a traffic monitoring device , comprising:
The traffic monitoring device
a receiving step of receiving packets flowing through the communication network;
an extraction step of extracting first identification information for identifying a flow from the packet based on an offset that specifies an extraction position of the packet received in the receiving step;
a rule specifying step of specifying a rule having information that matches the first identification information extracted by the extraction step;
a counting step of counting, for each rule identified by the rule identifying step, at least one of the number of times the rule is identified and the data amount of the packets identified as the rule;
an offset control step of generating a new offset to be used by the cutout unit to cut out second identification information that can be used to identify attack traffic in addition to the first identification information when the counting result by the counting step satisfies a predetermined criterion,
In the rule identifying step, a new rule having information that matches the first identification information and the second identification information extracted based on the new offset in the extraction step is identified;
In the counting step, at least one of the number of times the new rule is specified and the data amount of the packet specified by the new rule is counted.
Traffic monitoring methods. A computer that monitors traffic on a communications network
a receiving step of receiving packets flowing through the communication network;
an extraction step of extracting first identification information for identifying a flow from the packet based on an offset that specifies an extraction position of the packet received in the receiving step;
a rule specifying step of specifying a rule having information that matches the first identification information extracted by the extraction step;
a counting step of counting, for each rule identified by the rule identifying step, at least one of the number of times the rule has been identified and the data amount of the packets identified as the rule;
an offset control step of generating, as the offset to be used by the cutout unit, a new offset for cutting out second identification information that can be used to identify attack traffic in addition to the first identification information when the counting result by the counting step satisfies a predetermined criterion;
the rule identifying step identifies a new rule having information that matches the first identification information and the second identification information extracted based on the new offset in the extraction step;
the counting step counts at least one of the number of times the new rule is specified and the data amount of the packet specified by the new rule;
program.