This application is a National Stage application under 35 U.S.C. § 371 of International Application No. PCT/JP2020/008182, having an International Filing Date of Feb. 27, 2020. The disclosure of the prior application is considered part of the disclosure of this application, and is incorporated by reference in its entirety into this application.
The present invention relates to an impartation device, an impartation method, and an impartation program.
Conventionally, techniques have been proposed that detect a DDoS attack (Distributed Denial of Service attack) in a network by making a router and a flow collector to cooperate with each other, and using, as a scale, a flow defined by 5-tuple, or a transfer capacity in terms of the number of packets (packets per second: pps) or a transfer capacity in terms of the amount of data (bits per second: bps) of collected flows.
However, the conventional techniques cannot achieve attack detection based on a network-structure perspective, such as detection of an incident of a victim receiving many attack packet flows from a large number of attackers, or an incident of an infected terminal sending many attack packet flows to a large number of host ports, which are characteristics of DDoS attacks.
The present invention has been made in view of the foregoing, and an object of the present invention is to provide an impartation device, an impartation method, and an impartation program that can enhance accuracy in DDoS attack detection.
To solve the problem and achieve the object, an impartation device of the present invention includes: a statistic unit that acquires statistical value data on 5-tuple flows in a certain time period; a calculation unit that calculates a degree centrality of a node including an indegree, which is a total sum of a weight of each edge flowing into the node, and an outdegree, which is a total sum of a weight of each edge flowing out of the node, based on the statistical value data on the 5-tuple flows in the certain time period; and an impartation unit that imparts the degree centrality, as a feature, to the statistical value data on the 5-tuple flows in the certain time period.
An impartation method of the present invention is an impartation method executed by an impartation device, including: acquiring statistical value data on 5-tuple flows in a certain time period; calculating a degree centrality of a node including an indegree, which is a total sum of a weight of each edge flowing into the node, and an outdegree, which is a total sum of a weight of each edge flowing out of the node, based on the statistical value data on the 5-tuple flows in the certain time period; and imparting the degree centrality, as a feature, to the statistical value data on the 5-tuple flows in the certain time period.
An impartation program of the present invention causes a computer to execute: acquiring statistical value data on 5-tuple flows in a certain time period; calculating a degree centrality of a node including an indegree, which is a total sum of a weight of each edge flowing into the node, and an outdegree, which is a total sum of a weight of each edge flowing out of the node, based on the statistical value data on the 5-tuple flows in the certain time period; and imparting the degree centrality, as a feature, to the statistical value data on the 5-tuple flows in the certain time period.
According to the present invention, accuracy in DDoS attack detection can be enhanced.
Hereinafter, an embodiment of the present invention will be described in detail with reference to drawings. Note that the present invention is not limited by the embodiment. In a description of the drawings, the same portions are denoted by the same reference signs.
A detection device according to the present embodiment makes it possible to enhance accuracy in DDoS attack detection, by imparting information on degree centrality related to a network structure.
[Detection Device]
First, the detection device according to the embodiment will be described.
The communication unit 11 is a communication interface that transmits various information to and receives various information from another device connected through a network or the like. The communication unit 11 is implemented by a NIC (Network Interface Card) or the like, and performs communication between another device and the control unit 13 (which will be describe later) over a telecommunication circuit such as a LAN (Local Area Network) or the Internet. For example, the communication unit 11 is connected to an external device through a network or the like, and receives input of a packet to be analyzed.
The storage unit 12 is implemented by a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk, and stores a processing program that causes the detection device 10 to operate, data used during execution of the processing program, and the like. The storage unit 12 includes statistical data 121 and a graph table 122.
The statistical data 121 is data on statistical values of a 5-tuple statistical flow acquired by a statistic unit 131 (which will be described later).
The graph table 122 is a table for graph that is used in calculation of a network graph by a degree centrality calculation unit 132 (which will be described later).
In a graph table 1221 (first table) shown in
The items for an indegree include: presence/absence of an edge (the number of edges) communicated by the corresponding node; the number of 5-tuple flows received by the corresponding node; the number of packets received by the corresponding node; and the number of bytes in received data. The items for an outdegree include: presence/absence of an edge (the number of edges) communicated by the corresponding node; the number of 5-tuple flows sent by the corresponding node; the number of packets sent by the corresponding node; and the number of bytes in sent data. Each column of the graph tables 1221, 1222 is updated by the degree centrality calculation unit 132, and is initialized by a degree centrality impartation unit 133.
The control unit 13 includes an internal memory for storing a program defining various processing procedures and required data, and executes various processing based on the program and the data. For example, the control unit 13 is an electronic circuit such as a CPU (Central Processing Unit) or an MPU (Micro Processing Unit). The control unit 13 includes the statistic unit 131, the degree centrality calculation unit 132 (calculation unit), the degree centrality impartation unit 133 (impartation unit), and a detection unit 134.
The statistic unit 131 acquires statistical value data on 5-tuple statistical flows, with respect to received packets buffered for a certain time period. The statistic unit 131 stores the statistical value data on the 5-tuple statistical flows in the certain time period in the storage unit 12.
The degree centrality calculation unit 132 calculates a degree centrality of a node, based on the statistical value data on the 5-tuple flows in the certain time period acquired by the statistic unit 131.
The degree centrality of a node is a feature including an indegree, which is a total sum of weights of edges flowing into the node, and an outdegree, which is a total sum of weights of edges flowing out of the node (see (1) in
As shown at (a) in
Note that the node is an IP address, or a combination of an IP address and a port number. The indegree represents a degree of input of flows at a certain node from other nodes, and serves as an indicator detecting that the node may be a victim attacked by attackers when the indegree has a high value.
As shown at (b) in
The outdegree represents a degree of output of flows at a certain node to other nodes, and serves as an indicator detecting that the node may be an attacker or an infected node when the outdegree has a high value.
The degree centrality calculation unit 132 selects the graph table 1221 or the graph table 1222, depending on the granularity of a node under analysis, performs graph calculation for statistical value data DO on 5-tuple flows in a certain time period by using the selected table, and thereby calculates a degree centrality for the statistical value data on the 5-tuple flows in the certain time period (see (A) in
Processing by the degree centrality calculation unit 132 will be described specifically with reference to
When the granularity is an IP address, the degree centrality calculation unit 132 selects the graph table 1221 in which node granularity is an IP address, and accesses, in the graph table 1221, a row in which the extracted node is stated (see (2-1) in
Subsequently, when the extracted node corresponds to a destination IP address (dst_ip), the degree centrality calculation unit 132 acquires, from the statistical value data DO on the 5-tuple flows, presence/absence of an edge (the number of edges) communicated by the node, the number of 5-tuple flows received by the node, the number of packets received by the node, and the number of bytes in the received data. The degree centrality calculation unit 132 updates each of fields of the presence/absence of an edge (the number of edges), the number of 5-tuple flows, the number of packets, and the number of bytes under the indegree in the accessed row in the graph table 1221, 1222, with the respective values acquired (see (3-1), (4-1) in
When the extracted node is a source IP address (src_ip), the degree centrality calculation unit 132 acquires, from the statistical value data DO on the 5-tuple flows, presence/absence of an edge (the number of edges) communicated by the node, the number of 5-tuple flows sent by the node, the number of packets sent by the node, and the number of bytes in the sent data. The degree centrality calculation unit 132 then updates each of fields of the presence/absence of an edge (the number of edges), the number of 5-tuple flows, the number of packets, and the number of bytes under the outdegree in the accessed row in the graph table 1221, 1222, with the respective values acquired (see (3-2), (4-2) in
When node granularity is an IP address, with respect to the node “x”, since the node is the source of the packets, the degree centrality calculation unit 132 updates the number of edges to “2”, the 5-tuple flows to “2”, the number of packets to “α+γ”, and the number of bytes to “β+δ” under the outdegree in the row of the node “x” in the graph table 1221, as shown in
When node granularity is a combination of an IP address, a port number, and protocol information, as shown in
As described above, by using the graph table 1221, 1222, the degree centrality calculation unit 132 calculates, from the statistical value data DO on the 5-tuple flows in the certain time period, a network graph that represents “from which address to which address a communication is performed, how many packets flow, and how much statistical value data is communicated”, or “from which (address, port, protocol) combination to which (address, port, protocol) combination a communication is performed, how many packets flow, and how much statistical value data is communicated”.
Next, referring back to
Processing by the degree centrality impartation unit 133 will be described specifically with reference to
When the granularity is an IP address, the degree centrality impartation unit 133 selects the graph table 1221, and accesses, in the graph table 1221, a row in which the extracted node is stated (see (2-1) in
Subsequently, when the extracted node is a destination IP address (dst_ip), the degree centrality impartation unit 133 retrieves each field under the indegree in the accessed row (see (3-1), (4-1) in
The degree centrality impartation unit 133 then imparts the retrieved degree centrality, as a feature, to the statistical value data DO on the 5-tuple flows (see (5) in
Next, referring back to
For example, baselines for statistical value data on 5-tuple flows in a certain time period and a corresponding degree centrality at a normal time are set in the detection device 10, by learning, in machine learning or the like, statistical value data on 5-tuple flows in a certain time period and a characteristic of a degree centrality imparted to the statistical value data on the 5-tuple flows in the certain time period at a normal time. When the statistical value data on the 5-tuple flows under analysis and the imparted degree centrality deviate from the baselines by predetermined values or more, the detection unit 134 determines abnormality and detects an attack.
[Procedure of Detection Processing by Detection Device]
Next, a processing procedure of detection processing by the detection device 10 will be described.
As shown in
The degree centrality impartation unit 133 imparts the degree centrality calculated by the degree centrality calculation unit 132, as a feature, to the statistical value data on the 5-tuple flows in the certain time period (step S3). Based on the impartation data with the imparted degree centrality related to 5-tuple values, the detection unit 134 detects whether or not the flows in the certain time period have abnormality (step S4), and transmits a result of the detection to a countermeasure device.
As described above, the detection device 10 according to the embodiment calculates a degree centrality of a node including an indegree, which is a total sum of weights of edges flowing into the node, and an outdegree, which is a total sum of weights of edges flowing out of the node, based on statistical value data on 5-tupl flows in a certain time period, and imparts the degree centrality, as a feature, to the statistical value data on the 5-tuple flows.
Specifically, with respect to a certain node, the detection device 10 calculates, as a degree centrality, an outdegree that represents the number of communication-destination nodes with which the node communicates, the number of packets sent out by the node, the number of bytes sent by the node, and the number of flows sent out by the node, and an indegree that represents the number of source nodes with which the certain node, the node communicates, the number of packets received by the node, the number of bytes received by the node, and the number of flows received by the node. In other words, the detection device 10 calculates a degree centrality related to a network structure, as a feature.
Accordingly, by imparting the degree centrality related to the network structure, as a feature, to the statistical value data on the 5-tuple flows, the detection device 10 can achieve attack detection based on a network-structure perspective, whereby accuracy in DDos attack detection can be enhanced.
Node granularity is an IP address or a combination of an IP address, a port number, and protocol information, and the detection device 10 stores in advance the graph table 1221, in which an IP address of a node is associated with an indegree and an outdegree of the node, and the graph table 1222, in which a combination of an IP address, a port number, and protocol information of a node is associated with an indegree and an outdegree of the node. Accordingly, the detection device 10 can calculate a degree centrality appropriately by selecting the graph table 1221 or the graph table 1222, depending on the granularity of a node under analysis, and calculating the degree centrality by using the selected table.
The functions of the detection device 10 according to the present embodiment may be deployed in a distributed manner among a plurality of devices in a communication system.
As shown in
[System Configuration and the Like]
Each component of each device depicted in the drawings is of a functional concept, and does not necessarily need to be physically configured as depicted in the drawings. In other words, a specific distributed or integrated form of each device is not limited to those depicted in the drawings, and an entirety or part of each device can be functionally or physically configured in a distributed or integrated manner in arbitrary units, depending on various loads, usage situations, and the like. Moreover, all, or any one or some, of the functions for the processing performed in each device can be implemented by a CPU and a program that is analyzed and executed by the CPU, or can be implemented by wired logic-based hardware.
Of the processing steps described in the present embodiment, all, or one or some, of processing steps described as being automatically performed may be manually performed, or all, or one or some, of processing steps described as being manually performed may be automatically performed by using a well-known method. In addition, the information described in the above description and the drawings, including processing procedures, control procedures, specific names, and various data and parameters, can be arbitrarily changed unless otherwise specified.
[Program]
The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. For example, the ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to a hard disk drive 1090. The disk drive interface 1040 is connected to a disk drive 1100. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120. The video adapter 1060 is connected to, for example, a display 1130.
The hard disk drive 1090 stores, for example, an OS (Operating System) 1091, an application program 1092, a program module 1093, and program data 1094. In other words, the program defining each processing step in the detection device 10 is implemented as the program module 1093 in which computer-executable codes are described. The program module 1093 is stored, for example, in the hard disk drive 1090. For example, the program module 1093 for execution of processing similar to the functional components of the detection device 10 is stored in the hard disk drive 1090. Note that the hard disk drive 1090 may be substituted by an SSD (Solid State Drive).
Setting data used in the processing in the embodiment described above is stored as the program data 1094, for example, in the memory 1010 or the hard disk drive 1090. The CPU 1020 reads and executes on the RAM 1012, the program module 1093 or the program data 1094 stored in the memory 1010 or the hard disk drive 1090 when necessary.
Note that the program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored, for example, in a removable storage medium and may be read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected through a network (LAN, WAN (Wide Area Network), or the like). Then, the program module 1093 and the program data 1094 may be read from the other computer by the CPU 1020 via the network interface 1070.
Although embodiments to which the invention made by the present inventor is applied have been described hereinabove, the present invention is not limited by the description and the drawings based on the present embodiment that are part of the disclosure of the present invention. In other words, all of other embodiments, examples, operational techniques, and the like worked based on the present embodiment by persons skilled in the art and the like are incorporated in the scope of the present invention.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2020/008182 | 2/27/2020 | WO |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2021/171526 | 9/2/2021 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
10581891 | Kapoor | Mar 2020 | B1 |
20080123545 | Watanabe et al. | May 2008 | A1 |
20120311704 | Reilly | Dec 2012 | A1 |
20160028762 | Di Pietro | Jan 2016 | A1 |
Number | Date | Country |
---|---|---|
2008136012 | Jun 2008 | JP |
2012253735 | Dec 2012 | JP |
Entry |
---|
Arbor Networks, “Comprehensive protection against large DDOSattacks and threats,” Netscout, Feb. 18, 2020, retrieved from URL <http://jp.arbornetworks.com/>, 11 pages (with English Translation). |
Kurakami et al., “Abnormal traffic detection / analysis system,” NTT Technical Journal, 2008, retrieved from URL <https://www.ntt.co.jp/journal/0807/files/jn200807020.pdf>, 20(7): 9 pages (with English Translation). |
Orizon Systems Co., Ltd., “Flowmon,” orizon.co.jp, retrieved on Feb. 18, 2020, retrieved from URL <https://www.orizon.co.jp/products/flowmon/>, 27 pages (with English Translation). |
Sato et al., “Security Technologies of IoT Gateway,” Mitsubishi Electric Technical Report, 2018, 92(6): 11 pages (with English Translation). |
Number | Date | Country | |
---|---|---|---|
20230254234 A1 | Aug 2023 | US |