This application is based upon and claims the benefit of the priority of Japanese patent application No. 2024-004581, filed on Jan. 16, 2024, the disclosure of which is incorporated herein in its entirety by reference thereto.
The present disclosure relates to an investigation apparatus, a communication system, an investigation method, and a program that can determine a path(s) of communication on the Internet with high accuracy.
IP (Internet Protocol) used for the Internet enables end-to-end two-way communications, regardless of the path. That is, IP realizes a mechanism in which a communication can be executed even if a communication path is changed, regardless of presence or absence of a malicious intent. Meanwhile, because the Internet has been created such that users can perform communications without being aware of the communication paths, they are rarely aware of the paths through which the communications are performed. Thus, for example, even when a communication is being performed through an area which has a high risk of a disaster or the like and in which the communication quality or reliability could consequently deteriorate, it is difficult to recognize the risk and to take measures such as disconnecting the communication.
Patent Literature (PTL) 1 discloses a technique of referring to a transit time zone in an e-mail header in order to detect a targeted attack e-mail. PTL 1 discloses “The transit time zone is acquired on a basis of time zone information included in Received information of one or more servers that are routed from the originating transmitting server to the receiving server.” and “Thus, on a basis of each received e-mail, each time zone information included in a transit server information (Receive information) is extracted as feature information. Targeted attack e-mails may be transmitted via foreign servers. Therefore, the detection accuracy of targeted attack e-mails is improved if the time zones of the servers through which the target e-mails are received are used as the feature information for comparison.”
The disclosure of the above citation list is incorporated herein by reference thereto. The following analysis has been made by the present inventors.
As described above, the invention disclosed in PTL 1 aims to improve a detection accuracy of e-mails that are at risk of being targeted attack e-mails by comparing the time zone information of the transit server(s) included in a header of the received e-mail as a feature with a typical feature of the targeted attack e-mails.
However, because the time zone information of the transit server(s) can be arbitrarily changed by a server setting, the possibility of time zone information being forged cannot be denied according to the invention disclosed in PTL 1. Therefore, even if the e-mail passes through a server on a risky path, the disguise may cause an omission of detection of risky targeted-attack e-mails.
In one aspect of the present disclosure, it is an object to provide an investigation apparatus, a communication system, an investigation method, and a program that can investigate a path(s) of communication on the Internet with high accuracy and that can determine a high-risk path(s).
According to a first aspect of the present disclosure, there is provided an investigation apparatus, including: a location identification result acquisition part that acquires a location identification result of a target node to be investigated in a network; and a node visualization output part that visualizes and outputs the target node by disposing the target node on a map, on a basis of the location identification result; wherein the node visualization output part further outputs information on a region to which the target node belongs.
According to a second aspect of the present disclosure, there is provided a communication system, including: an investigation apparatus including a location identification result acquisition part that acquires a location identification result of a target node to be investigated in a network; a node visualization output part that visualizes and outputs the target node by disposing the target node on a map, on a basis of the location identification result, that outputs information on a region to which the target node belongs, and that calculates, visualizes and outputs a path to reach the target node; and a control signal transmission part that transmits a signal to a communication control apparatus that controls communication to execute control of predetermined communication according to the path calculated by the node visualization output part, and a communication control apparatus including a communication control part that receives a control signal transmitted from the control signal transmission part and executes control of a communication.
According to a third aspect of the present disclosure, there is provided an investigation method, causing a computer to execute steps of: acquiring a location identification result of a target node to be investigated in a network; and disposing the target node on a map on a basis of the location identification result and visualizing and outputting information on a region to which the target node belongs.
According to a fourth aspect of the present disclosure, there is provided a program, causing a computer to execute processing for: acquiring a location identification result of a target node to be investigated in a network; and disposing the target node on a map on a basis of the location identification result and visualizing and outputting information on a region to which the target node belongs.
The program can be recorded in a computer-readable storage medium. The storage medium may be a non-transitory storage medium such as a semiconductor memory, a hard disk, a magnetic recording medium, or an optical recording medium. The present disclosure can be embodied as a computer program product.
According to the individual aspects of the present disclosure, it is possible to provide an investigation apparatus, a communication system, an investigation method, and a program that can investigate a path(s) of communication on the Internet with high accuracy and that can determine a high-risk path(s).
First, an overview of an example embodiment will be described. Note that reference signs in the drawings provided in this overview are for the sake of convenience for each element as an example to promote better understanding, and the description of this overview is not intended to impose any limitations.
The location identification result acquisition part 11 acquires a location identification result(s) of one or more target node(s), which is a target(s) to be investigated in a network. The node visualization output part 12 visualizes and outputs the target node(s) by disposing the target node(s) on a map, on a basis of the location identification result(s). In addition, the node visualization output part 12 also outputs information about a region(s) to which the target node(s) belongs.
As described above, the investigation apparatus according to an example embodiment can locate a target node(s) on the Internet and can visualize and output the target node(s) by disposing the target node(s) on a map. In addition, the investigation apparatus can output information about a region(s) to which the target node(s) belongs. In this way, the investigation apparatus can evaluate and output, for example, a regional risk(s) or the like that exist on a path(s) that the target node(s) has.
The location identification result acquisition part 11 acquires a location identification result(s) of one or more target node(s), which is a target(s) to be investigated in a network. The “network” may include a closed network such as a LAN (Local Area Network) with restricted access and an open network such as the Internet, which anyone can access. The “target node” is a node to be investigated, and the “node” refers to a network device having a network interface on a network. The “node” may include a terminal, a server, a router, and a switch.
The “acquisition” here refers to temporary or permanent storage of calculated or generated data in a storage area of a computer. The “location identification” refers to identifying information about the physical location of a target node, the physical location being expressed on a certain scale. The physical location information may include absolute location information, such as indication by latitude and longitude, or location information identified from the direction and distance with respect to a particular location.
The location identification result may be acquired by directly visiting a target node and by acquiring the latitude and longitude of this location by a GPS (Global Positioning System) or the like to be uploaded to the investigation apparatus.
However, on the Internet, the location(s) of a target node(s) is not apparent, and the target nodes are installed not only domestically but also abroad. Thus, it is necessary to proceed with the location identification using, for example, an existing technique as described below.
The location identification result acquisition part 11 in the investigation apparatus 10 transmits an investigation packet P to another target node and receives a response packet R as a transmission result. Next, the location identification result acquisition part 11 acquires a transmission time Tp at which the investigation packet P was transmitted and a reception time Tr at which the response packet R was received. Next, the location identification result acquisition part 11 calculates a round-trip time RTT using the transmission time Tp, the reception time Tr, and equation (1).
The location identification result acquisition part 11 acquires a propagation velocity Vm of the transmission medium between the another target node and the investigation apparatus 10 as a medium velocity. The distance to the another target node can be calculated using equation (2).
In addition to r1, the location identification result acquisition part 11 also calculates a distance (r2) between the another target node and another point and a distance (r3) between the another target node and still another point (these points may be nodes that have been newly acquired by investigation packets). Consequently, the location identification result acquisition part 11 can calculate the position coordinates (x, y) of the location of the another target node by so-called three-point positioning. That is, the location identification result acquisition part 11 calculates the coordinates (x, y) of the intersection of the circles of radii r1, r2, and r3 centered at the coordinates (x1, y1), (x2, y2), and (x3, y3) of three points, respectively.
By solving the above x and y, the position coordinates (x, y) of the location of the target node can be calculated. The location identification result acquisition part 11 can further process the conversion of position coordinates to latitude and longitude to obtain latitude and longitude (φ, λ).
The regional attribute value storage part 13 stores regional attribute values, each of which is a value that is associated with a latitude and a longitude and each of which indicates an attribute of a region at the corresponding latitude and longitude. The regional attribute value storage part 13 stores a regional attribute value that corresponds to the latitude and longitude values, which are the result acquired by the location identification result acquisition part 11.
The regional information storage part 14 stores regional information, which is information associated with the regional attribute values and about the region.
If the location identification result indicates that the region is outside of the map, the regional information cannot be visualized as described below, and there may be regional information with an associated regional attribute value of “N/A (Not Applicable)”.
If the coverage region includes a high-risk area, such as a region where quality and reliability of communication may be degraded due to a high risk of disaster, etc., as described above, the regional information storage part 14 may store information indicating that the region having the regional attribute value as the regional information associated with the regional attribute value is at least a high-risk region.
The above regional attribute value storage part 13 and the above regional information storage part 14 visualize only a part of Asia in the example illustrated in
The node visualization output part 12 visualizes and outputs a target node(s) by disposing the target node(s) on a map, on a basis of a location identification result(s). Once the position information by latitude and longitude is acquired, the location on the map is identified and it can be placed.
For example, RTT values for target node 1 are obtained by transmitting investigation packets from nodes A, B, and C, respectively, to the target node 1. As described above, distances rA, rB, and rC from nodes A, B, and C to the target node 1, respectively, can be obtained from half the product of a medium velocity and the respective RTTs. The coordinates of the target node 1 are the intersection of circles of radii rA, rB, and rC with nodes A, B, and C as centers. Therefore, its coordinates can be obtained by solving the following simultaneous equations (3) using the known coordinates (xA, yA), (xB, yB) and (xC, yC) of nodes A, B and C.
The obtained coordinates (x, y) of the target node 1 are expressed on a plane rectangular coordinate system, so the coordinates are converted into an expression using a latitude and a longitude. As a result, 45 degrees north latitude and 133.0 degrees east longitude are obtained as the location identification result.
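The RTT-to-distance step and the three-point positioning described above can be sketched as follows. This is an added example, not code from the disclosure; the medium velocity of 200,000 km/s, the form RTT = Tr − Tp, the function names, and the investigation-node coordinates and target are all constructed assumptions.

```python
import math

VM_KM_PER_S = 200_000.0  # assumed medium velocity Vm (roughly light in optical fibre)


def rtt_to_distance(tp, tr, vm=VM_KM_PER_S):
    """Distance r = (RTT x Vm) / 2, with RTT taken as Tr - Tp (assumed form)."""
    rtt = tr - tp
    if rtt <= 0:
        raise ValueError("reception time must be later than transmission time")
    return rtt * vm / 2.0


def trilaterate(anchors, radii, eps=1e-9):
    """Intersect three circles centred on the investigation nodes.

    Subtracting the first circle equation from the other two cancels the
    x^2 and y^2 terms and leaves a 2x2 linear system in (x, y).
    Returns (x, y, worst_residual): the residual is the largest gap between
    the solution and any of the three circles, in the unit of the radii.
    """
    (x1, y1), (x2, y2), (x3, y3) = anchors
    r1, r2, r3 = radii
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = r1**2 - r2**2 + x2**2 - x1**2 + y2**2 - y1**2
    b2 = r1**2 - r3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a11 * a22 - a12 * a21
    if abs(det) < eps:
        # Collinear investigation nodes cannot fix a unique position.
        raise ValueError("investigation nodes are collinear; position is ambiguous")
    x = (b1 * a22 - b2 * a12) / det
    y = (a11 * b2 - a21 * b1) / det
    worst = max(abs(math.hypot(x - ax, y - ay) - r)
                for (ax, ay), r in zip(anchors, radii))
    return x, y, worst


def locate(anchors, probes, vm=VM_KM_PER_S):
    """probes: one (Tp, Tr) pair per investigation node, in anchor order."""
    radii = [rtt_to_distance(tp, tr, vm) for tp, tr in probes]
    return trilaterate(anchors, radii)


# Constructed sample: three investigation nodes on a plane (km) and a target.
ANCHORS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]
TRUE_TARGET = (300.0, 400.0)


def ideal_probes(target=TRUE_TARGET, vm=VM_KM_PER_S):
    """(Tp, Tr) pairs a delay-free network would produce for the target."""
    return [(0.0, 2 * math.hypot(target[0] - ax, target[1] - ay) / vm)
            for ax, ay in ANCHORS]


def delayed_probes(extra_s=0.001):
    """Same probes, with queuing delay added to the third measurement."""
    clean = ideal_probes()
    return clean[:2] + [(0.0, clean[2][1] + extra_s)]


if __name__ == "__main__":
    print("clean  :", locate(ANCHORS, ideal_probes()))
    print("delayed:", locate(ANCHORS, delayed_probes()))
```

Queuing and detours only ever lengthen an RTT, so each radius is an upper bound on the true distance; a large residual is the sign that the three circles disagree and the result should be treated as unstable.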
If the location identification result is an unstable value, extrapolation could be needed. Thus, the investigation apparatus 10 may be further provided with a location identification result edit part (not illustrated) that edits the location identification result.
The node visualization output part 12 also outputs information about the region(s) to which the target node(s) belongs, on a basis of the location identification result(s), the regional attribute value(s), and the regional information. Referring to the regional attribute value storage part 13, the value of the cell in the table corresponding to 45 degrees north latitude and 133.0 degrees east longitude, “4” is obtained as the regional attribute value (see
The node visualization output part 12 may output a predetermined warning if a path to reach a predetermined target node includes a maritime node. In addition, the node visualization output part 12 may output a predetermined warning if a path to reach a predetermined target node includes a node outside a visualization area. For example, as the predetermined warning, in
Next, a hardware configuration of the investigation apparatus according to the example embodiment of the present disclosure will be described.
The investigation apparatus 10 can be configured by an information processing apparatus (a computer), and has a configuration illustrated as an example in
However, the configuration illustrated in
For example, the memory 72 is a RAM (Random Access Memory), a ROM (Read-Only Memory), or an auxiliary storage device (a hard disk or the like).
The input-output interface 73 is a means serving as an interface for a display device or an input device not illustrated. The display device is, for example, a liquid crystal display, and the input device is, for example, a device that receives user operations, such as a keyboard or a mouse.
The functions of the investigation apparatus 10 are realized by processing modules, which are a location identification result acquisition program and a node visualization output program, the table storing the regional attribute values, the table storing the regional information, and the media velocity (Vm), for example.
The above processing modules are realized, for example, by the CPU 71 executing programs stored in the memory 72, respectively. The program can be updated by downloading it over a network or by using a storage medium storing the program. In addition, the above-described processing modules may be realized by semiconductor chips. That is, it suffices that there is a means that executes the functions of the above-described processing modules by using some hardware and/or software.
When the hardware of the investigation apparatus 10 starts the process, the location identification result acquisition program is invoked from the memory 72 and becomes executable by the CPU 71. This program causes investigation nodes S1 to S3, located at three locations (at least three locations, one of which may be the investigation apparatus 10) in a network, to transmit an investigation packet to a single target node and causes the single target node to receive a response packet, thereby obtaining round-trip time (RTT) values and storing them in the memory 72. This program causes the CPU 71 to execute arithmetic processing for calculating a value of (each RTT value×Vm)/2 for these three RTT values, so as to obtain distances r1 to r3. Next, r1 to r3 and the known coordinate values (x1, y1), (x2, y2), and (x3, y3) of the investigation nodes S1 to S3 are assigned to the above-described equations (3), and the CPU 71 executes arithmetic processing in which equations (3) are calculated as simultaneous equations to acquire a solution (x, y). This series of processes is performed for N target nodes to obtain the coordinate values (x1, y1) to (xN, yN) of the target nodes 1 to N. These coordinates are temporarily stored in the memory 72.
The CPU 71 converts the coordinates (x1, y1) to (xN, yN) into latitudes and longitudes (φ1, λ1) to (φN, λN) using a known technique. Next, the node visualization output program is invoked from the memory 72 by the CPU 71 and becomes executable. This program reads out the table (illustrated in
Next, the program reads out the table (illustrated in
The read out regional attribute values and regional information are visualized by the program and output to the input-output interface 73 such as a display (see
As described above, the investigation apparatus according to the present example embodiment can identify the locations of the individual target nodes and can visualize information about the regions to which the individual target nodes belong on a map, on a basis of their respective latitudes and longitudes. This makes it possible to easily visualize what path or environment under which the communication is taking place.
The node visualization output part 12 according to the present example embodiment can calculate, visualize, and output a path(s) to reach a target node(s). For example, the node visualization output part 12 can acquire addresses of target nodes, routers, and other nodes on the path by transmitting a traceroute command, etc. to a target node.
The control signal transmission part 15 transmits a signal for causing a communication control apparatus that controls communication to execute predetermined communication control according to the path calculated by the node visualization output part 12. The “according to the path calculated” includes, for example, a case in which a node outside the visualization area is included in a path to reach a predetermined target node. The “communication control apparatus” refers to a network device such as a router. The “predetermined communication control” could be disconnection of a communication, detour to another route, etc.
For example, if a predetermined change is made within a predetermined time period on the path to reach a predetermined target node in the node visualization output part 12, the control signal transmission part 15 may execute a process to transmit a control signal to cause control of the predetermined communication to be executed.
Concretely, if a path length to reach a predetermined target node is changed by a predetermined amount or more within a predetermined time period in the node visualization output part 12, the control signal transmission part 15 may execute a process such as transmitting a control signal to cause control to close the path leading to the target node. The “path length” of an individual path can be calculated on a basis of a corresponding path traveling time that can be investigated with an investigation packet (using, for example, a ping or traceroute command) and the media velocity (Vm) of the individual path. This is because if the path length suddenly becomes longer than the path length at the timing of the previous node visualization output, there is a high possibility that some abnormality has occurred on the network and that the path has become a detour route, and even if there is a prospect of recovery, it is likely to remain a high-risk route. If there is a possibility of occurrence of an abnormality in the network, the predetermined time interval for executing the process by the location identification result acquisition part 11 and the node visualization output part 12 may be shortened to control more detailed investigation monitoring.
If a predetermined change is made on the path to reach a predetermined target node within a predetermined time period, the node visualization output part 12 may visualize and output the degree of the predetermined change by at least one of a numerical value, a figure, and a color. For example, as a result of the location identification by the location identification result acquisition part 11, if the length of a path to reach one target node is identified to be 1.5 times greater than the previous location identification result, the node visualization output part 12 may execute visualization such as blinking an icon, which is a figure indicating the target node.
As described above, the investigation apparatus according to the present example embodiment can calculate and visualize a path(s) to reach a target node(s). In addition, by identifying the location of each target node at predetermined time intervals and calculating a path to reach thereof, it is possible to observe large fluctuations in the network path caused by failures, etc., and to perform a process for control to close or reroute the path.
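The path-monitoring rules of this embodiment (warnings for maritime or out-of-area nodes, a control signal when the path length grows sharply between observations, and a shortened investigation interval afterwards) can be sketched as a single decision function. This is an added example, not code from the disclosure; the names, the one-hour window, the 1.5 growth ratio used as the closing threshold, the halving of the interval, and the sample snapshots are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

VM_KM_PER_S = 200_000.0  # assumed medium velocity Vm
WINDOW_S = 3600.0        # assumed "predetermined time period"
GROWTH_FACTOR = 1.5      # assumed "predetermined amount", expressed as a ratio

# Region kinds named in the text; the string labels are hypothetical.
MARITIME = "maritime"
OUTSIDE = "outside_visualization_area"


@dataclass
class PathSnapshot:
    t: float            # observation time, seconds
    rtt: float          # round-trip travelling time of the path, seconds
    regions: List[str]  # region kind of each node on the path, in hop order

    def length_km(self, vm: float = VM_KM_PER_S) -> float:
        # Path length from travelling time and Vm (round trip halved).
        return self.rtt * vm / 2.0


@dataclass
class Verdict:
    warnings: List[str]
    control: Optional[str]   # None, "predetermined_control" or "close_path"
    next_interval_s: float   # when to investigate this path again


def evaluate(prev: Optional[PathSnapshot], cur: PathSnapshot,
             interval_s: float = 300.0, window_s: float = WINDOW_S,
             factor: float = GROWTH_FACTOR) -> Verdict:
    warnings: List[str] = []
    control: Optional[str] = None

    if MARITIME in cur.regions:
        warnings.append("maritime node on path")
    if OUTSIDE in cur.regions:
        warnings.append("node outside visualization area on path")
        control = "predetermined_control"   # e.g. disconnect or detour

    # Compare with the previous observation only inside the time window.
    if prev is not None and prev.rtt > 0 and 0 < cur.t - prev.t <= window_s:
        ratio = cur.length_km() / prev.length_km()
        if ratio >= factor:
            warnings.append(
                f"path length grew x{ratio:.2f} in {cur.t - prev.t:.0f}s")
            control = "close_path"          # the stronger action wins

    # Any anomaly shortens the interval for more detailed monitoring.
    next_interval = interval_s / 2 if warnings else interval_s
    return Verdict(warnings, control, next_interval)


# Constructed observations of one path.
BASELINE = PathSnapshot(t=0.0, rtt=0.040, regions=["domestic", "foreign"])
DETOUR = PathSnapshot(t=60.0, rtt=0.065,
                      regions=["domestic", MARITIME, "foreign"])
OFF_MAP = PathSnapshot(t=60.0, rtt=0.042, regions=["domestic", OUTSIDE])
LATE = PathSnapshot(t=7200.0, rtt=0.065, regions=["domestic", "foreign"])

if __name__ == "__main__":
    for snap in (DETOUR, OFF_MAP, LATE):
        print(evaluate(BASELINE, snap))
```

The comparison deliberately ignores observations older than the window, so slow drift in path length does not trigger a closure; only an abrupt change does.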
In a third example embodiment, a communication system including the investigation apparatus according to the second example embodiment and a network control apparatus for controlling communication paths will be described.
The communication control apparatus 20 includes a network device or the like such as a router or a switch. The communication system may include a plurality of communication control apparatuses 20. The communication control part 21 receives a control signal transmitted from the control signal transmission part 15 and executes communication control. The “control signal” is a signal used to control a process such as blocking the communication path of packets to a specific destination, rerouting the communication path of packets to a specific destination, etc., as generally performed by routers and the like. The signal reception may be configured to include device authentication or other processes so that unauthorized control signals are not accepted.
According to the communication system of the present example embodiment, it is possible to execute appropriate communication control according to the state of the communication path(s). Even if a status on a path is unknown, especially on the Internet, visualizing and monitoring a change(s) in the path can reduce the risk of communication disruptions and delays caused by failures and other problems.
The above-described example embodiments can partly or entirely be described as, but not limited to, the following modes.
See the investigation apparatus according to the above-described first aspect.
The investigation apparatus according to mode 1, preferably, further including: a regional attribute value storage part that stores a regional attribute value associated with a latitude and longitude, which is a value indicating an attribute of the region at the latitude and longitude; and a regional information storage part that stores regional information associated with the regional attribute value, which is information about the region; wherein the node visualization output part outputs the information on the region to which the target node belongs, on a basis of the location identification result, the regional attribute value, and the regional information.
The investigation apparatus according to mode 2, preferably, wherein the regional information storage part stores whether a region having a regional attribute value is at least domestic, foreign, maritime, or outside the visualization area, as regional information associated with the regional attribute value.
The investigation apparatus according to mode 3, preferably, wherein the node visualization output part further calculates, visualizes, and outputs a path to reach the target node.
The investigation apparatus according to mode 4, preferably, further including a control signal transmission part that transmits a signal to a communication control apparatus that controls communication to execute control of predetermined communication according to the path calculated by the node visualization output part.
The investigation apparatus according to mode 5, preferably, wherein the control signal transmission part transmits a control signal to execute control of a predetermined communication, if there is a predetermined change within a predetermined time period on the path to reach a predetermined target node in the node visualization output part.
The investigation apparatus according to mode 6, preferably, wherein the node visualization output part visualizes and outputs a degree of the predetermined change by at least one or more of a numerical value, a figure, and a color.
The investigation apparatus according to mode 6, preferably, wherein the control signal transmission part transmits a control signal to execute control to close the path leading to the target node, if a path length to reach a predetermined target node is changed by a predetermined amount or more within a predetermined time in the node visualization output part.
The investigation apparatus according to mode 5, preferably, wherein the control signal transmission part transmits a control signal to execute control of a predetermined communication, if a node outside the visualization area is included in a path to reach a predetermined target node in the node visualization output part.
The investigation apparatus according to mode 4, preferably, wherein the node visualization output part outputs a predetermined warning if a maritime node is included in a path to reach a predetermined target node.
The investigation apparatus according to mode 4, preferably, wherein the node visualization output part outputs a predetermined warning if a node outside the visualization area is included in a path to reach a predetermined target node.
The investigation apparatus according to any one of modes 1 to 11, preferably, further including a location identification result edit part that edits the location identification result.
See the communication system according to the above-described second aspect.
See the investigation method according to the above-described third aspect.
See the program according to the above-described fourth aspect.
The disclosure of the PTL, etc., which have been referred to in the above, is incorporated herein by reference thereto. Modifications and adjustments of the example embodiments or examples are possible within the scope of the overall disclosure (including the claims) of the present invention and on a basis of the basic technical concept of the present disclosure. Various combinations or selections (including eliminations) of various disclosed elements (including the elements in each of the claims, example embodiments, examples, drawings, etc.) are possible within the scope of the disclosure of the present invention. That is, the present disclosure of course includes various variations and modifications that could be made by those skilled in the art according to the overall disclosure including the claims and the technical concept. The description discloses numerical value ranges. However, even if the description does not particularly disclose arbitrary numerical values or small ranges included in the ranges, these values and ranges should be deemed to have been specifically disclosed.
Number | Date | Country | Kind |
---|---|---|---|
2024-004581 | Jan 2024 | JP | national |