The present invention relates to a packet capture technique for verifying and analyzing a network.
To monitor and verify a network, the packets flowing through the target network must be captured and analyzed. During capture, the packets that are actually stored must be limited in order to reduce the packet storage area and the load on the analysis apparatus.
A capture apparatus built from dedicated hardware is the usual high-performance system that supports a high-speed network and also provides a filtering function, but it is very expensive (see, for example, NPL 1).
A common software approach is to provide a packet filter unit in a server, extract in software the packets that match a set rule, and store them in a packet storage unit, as illustrated in
Further, various attacks have occurred in networks in recent years, and there is an increasing demand to analyze the packets other than those of highly reliable (trusted) flows. If only the highly malicious packets, whose field values are unknown and therefore difficult to predict and register in advance, could be output, the load on the analysis apparatus at the subsequent stage and the overall cost could also be reduced, but this has not been realized in the related art.
NPL 1: “SYNESIS, 100G Packet Capture System,” [online], [retrieved on May 22, 2020], Internet <URL: https://www.synthesis.tech/>
In the related art, as described above, it is difficult to realize an economical capture system that can deal with a high-speed network. A further problem is that it is difficult to analyze packets other than those of highly reliable flows, as has been demanded in recent years.
Embodiments of the present invention have been made to solve the above problems and it is an object of embodiments of the present invention to provide a capture system capable of achieving both economy and high speed.
In order to achieve the object, a packet capture apparatus of embodiments of the present invention includes a hardware processing unit that includes a filter unit and a Network Interface Controller (NIC) unit, the filter unit being configured to filter packets input from a network; and a packet storage unit configured to store packets input from the hardware processing unit. The filter unit includes: a packet input unit configured to receive packets input from the network; a header analysis unit configured to analyze a header structure of each packet input to the packet input unit and extract a field value of a header of the packet; a rule table in which at least one rule including a field value of a flow to be captured is recorded; a flow identification unit configured to identify a flow in which the field value extracted by the header analysis unit matches the at least one rule and/or does not match the at least one rule; and a packet output unit configured to output a packet of the flow identified by the flow identification unit to the NIC unit.
In order to achieve the object, a packet capture method of embodiments of the present invention is a packet capture method performed by a packet capture apparatus including a hardware processing unit that includes a filter unit and an NIC unit, the filter unit being configured to filter packets input from a network, and a packet storage unit configured to store packets input from the hardware processing unit. The packet capture method includes: receiving, by the filter unit, packets input from a network; analyzing, by the filter unit, a header structure of each received packet and extracting, by the filter unit, a field value of the packet; identifying, by the filter unit, a flow in which the extracted field value matches and/or does not match a field value of a flow to be captured; and outputting, by the filter unit, a packet of the identified flow.
According to embodiments of the present invention, it is possible to provide a capture system capable of achieving both economy and high speed.
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. The present invention is not limited to the following embodiments.
A first embodiment of the present invention will be described.
A packet capture apparatus 1 includes a hardware processing unit 10, which includes a filter unit 20 for filtering packets input from a network 70 to be monitored and verified and a network interface card (NIC) unit 30, a packet input unit 40 which receives packets input from the hardware processing unit 10, and a packet storage unit 50 that stores packets. The filter unit 20 is implemented in a field programmable gate array (FPGA).
In the packet capture apparatus 1, packets input from the network 70 to be monitored and verified are input to the filter unit 20 implemented in the FPGA. The filter unit 20 is equipped with a function of filtering packets to be captured and outputs the filtered packets to the NIC unit 30. The packet input unit 40 outputs packets input from the NIC unit 30 to the packet storage unit 50 and the packets to be monitored are stored in the packet storage unit 50.
One or more rules for identifying a flow to be captured, that is, a set of packets whose header field values correspond to the same rule, are recorded in a rule table 24. A flow identification unit 23 compares the field values input from the header analysis unit 22 with the rules recorded in advance in the rule table 24, identifies the packets to be captured, and outputs them to a packet output unit 25. The packet output unit 25 outputs the packets input from the flow identification unit 23 to the NIC unit 30.
Here, the flow identification unit 23 may be configured to identify packets that match a rule in the rule table 24, or to identify packets that do not match a rule. Further, the flow identification unit 23 may identify a flow by a rule that combines matching and mismatching conditions, for example outputting packets that match one rule and do not match another rule.
As a rule for identifying packets in the rule table 24, a specific field may be set to a wildcard (any value of that field is treated as a match), or packets captured from the target network may be used to create a rule automatically.
An operation of a packet capture method according to the first embodiment will be described with reference to
When a packet has been input from the network to be monitored and verified (step S1-1), header analysis of the input packet is performed to extract header information (step S1-2).
Next, the header fields extracted by the header analysis are compared with the rules for the flows to be captured to identify a flow that matches or does not match a rule (step S1-3). Packets of the identified flow are output to the NIC unit (step S1-4).
In the present embodiment, a filtering process in high-load packet capture processing is implemented in an FPGA to perform hardware processing, thereby realizing high-speed capture processing. Because the filtering function is implemented in the FPGA, it is possible to flexibly change filtering conditions such as a field value to be analyzed according to the target network. Flexibly changing the filtering conditions can reduce the capacity of memory and the input bandwidth of the NIC unit for capturing packets, thereby achieving cost reduction.
The matching/mismatching setting unit 26 sets a condition for the flow identification unit 23, such as whether to identify packets that match a rule recorded in the rule table 24 or packets that do not match a rule. This enables, for example, a process of outputting only the packets outside flows whose security is guaranteed, that is, only the suspected abnormal packets.
Here, setting of the matching/mismatching condition may be implemented such that it is uniformly set for all rules in the rule table 24 or may be implemented such that it is set individually for each rule in the rule table 24.
A condition that combines matching/mismatching over a plurality of rules can also be set. For example, when "IP address=A" has been registered for rule #1 in the rule table 24 and "MAC address=B" for rule #2, setting "mismatching with rule #1" and "matching with rule #2" through the matching/mismatching setting unit 26 outputs only packets whose "IP address is other than A" and whose "MAC address is B".
Further, by setting "mismatching with rule #1" or "matching with rule #2" as alternatives, it is possible to output a packet that satisfies either condition, that is, a packet whose "IP address is other than A" or whose "MAC address is B". Conditions such as "matching with rule #1 and matching with rule #2" or "mismatching with rule #3 and matching with rule #4" can be set in the same way.
Further, a detailed condition can be set per field of a rule. For example, "matching with the MAC address and port number of rule #1 and matching with the IP address of rule #2" or "mismatching with the port number of rule #3 and mismatching with the IP address of rule #4" can also be set.
Such detailed rule setting makes it possible, for example, when an abnormality has occurred in VLAN=A and the security of IP=B is guaranteed, to set the rule "matching with VLAN=A and mismatching with IP=B" and thereby capture and analyze the packets in VLAN=A other than those of IP=B.
According to the present embodiment, because highly malicious packets are often few in number, the filter unit 20 can output only the minimum set of packets suspected of being abnormal. Outputting only packets other than those for which security is guaranteed also reduces the number of packets to be analyzed, enabling efficient packet analysis. Because the number of packets output from the filter unit 20 can be minimized, the memory capacity and the input bandwidth of the NIC unit can be reduced, packet loss can be prevented, and cost can be reduced.
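The following is an added software model of the procedure in steps S1-1 to S1-4 and of the rule combinations described above (header analysis, rule table with wildcards and automatically created rules, and per-rule or per-field matching/mismatching conditions). It is not code from the application; the field names, the numbering of the rules, the addresses, and the sample frames are assumptions constructed for the demonstration, and the model evaluates conditions in software where the filter unit 20 would do so in the FPGA.

```python
"""Software model of the filter unit: header analysis -> rule table -> flow
identification with matching/mismatching conditions per rule or per field."""
import struct

ANY = None  # wildcard: this field matches whatever value the packet carries


def parse_header(pkt: bytes) -> dict:
    """Header analysis: walk Ethernet (optionally 802.1Q) / IPv4 / TCP|UDP and
    return the field values a rule can refer to. A field that is absent
    (e.g. no VLAN tag) is simply missing from the result."""
    f = {"dst_mac": pkt[0:6].hex(":"), "src_mac": pkt[6:12].hex(":")}
    ethertype, off = struct.unpack("!H", pkt[12:14])[0], 14
    if ethertype == 0x8100:                                # 802.1Q tag present
        f["vlan"] = struct.unpack("!H", pkt[14:16])[0] & 0x0FFF
        ethertype, off = struct.unpack("!H", pkt[16:18])[0], 18
    f["ethertype"] = ethertype
    if ethertype == 0x0800 and len(pkt) >= off + 20:      # IPv4
        ihl = (pkt[off] & 0x0F) * 4
        f["proto"] = pkt[off + 9]
        f["src_ip"] = ".".join(map(str, pkt[off + 12:off + 16]))
        f["dst_ip"] = ".".join(map(str, pkt[off + 16:off + 20]))
        l4 = off + ihl
        if f["proto"] in (6, 17) and len(pkt) >= l4 + 4:   # TCP / UDP ports
            f["src_port"], f["dst_port"] = struct.unpack("!HH", pkt[l4:l4 + 4])
    return f


def rule_matches(rule: dict, fields: dict, only=None) -> bool:
    """A rule matches when every one of its (selected) fields equals the packet's
    value; ANY is a wildcard. A field the packet lacks never matches a value."""
    for key in (rule if only is None else only):
        want = rule[key]
        if want is not ANY and fields.get(key) != want:
            return False
    return True


def flow_identified(policy, rule_table: dict, fields: dict) -> bool:
    """policy is an OR-list of AND-groups of terms (rule_no, expect_match, only_fields).
    expect_match=False is a 'mismatching with rule #n' condition; only_fields
    restricts the term to particular fields of that rule (assumed encoding)."""
    return any(
        all(rule_matches(rule_table[n], fields, only) == expect for n, expect, only in group)
        for group in policy
    )


def rule_from_packet(pkt: bytes, keys) -> dict:
    """Automatic rule creation: copy the listed fields from a captured packet."""
    f = parse_header(pkt)
    return {k: f.get(k, ANY) for k in keys}


def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(x) for x in s.split("."))


def make_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, vlan=None, proto=6) -> bytes:
    """Constructed sample frame (not real traffic): Ethernet[/802.1Q]/IPv4/TCP|UDP,
    zero checksums, 16 zero bytes after the port fields."""
    eth = _mac(dst_mac) + _mac(src_mac)
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    eth += struct.pack("!H", 0x0800)
    l4 = struct.pack("!HH", sport, dport) + bytes(16)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       _ip(src_ip), _ip(dst_ip))
    return eth + ipv4 + l4


# Rule table (numbered as in the text). Assumed values: VLAN A = 100, IP B = 10.0.0.5.
RULE_TABLE = {
    1: {"vlan": 100},
    2: {"src_ip": "10.0.0.5"},
    3: {"src_mac": "02:00:00:00:00:aa", "dst_port": 443, "src_ip": ANY},  # wildcard field
}
VLAN_A_NOT_IP_B = [[(1, True, None), (2, False, None)]]     # match #1 AND mismatch #2
MAC_AND_PORT_OF_3 = [[(3, True, ("src_mac", "dst_port"))]]  # per-field condition

SAMPLE = [  # constructed frames: trusted host in VLAN 100, other host in VLAN 100/200/untagged
    make_frame("02:00:00:00:00:aa", "02:00:00:00:00:bb", "10.0.0.5", "10.0.1.1", 40000, 443, vlan=100),
    make_frame("02:00:00:00:00:cc", "02:00:00:00:00:bb", "10.0.0.77", "10.0.1.1", 40001, 22, vlan=100),
    make_frame("02:00:00:00:00:cc", "02:00:00:00:00:bb", "10.0.0.77", "10.0.1.1", 40002, 22, vlan=200),
    make_frame("02:00:00:00:00:cc", "02:00:00:00:00:bb", "10.0.0.77", "10.0.1.1", 40003, 22),
]


def filter_unit(packets, rule_table, policy):
    """Flow identification over a packet list: indices of the packets output to the NIC."""
    return [i for i, p in enumerate(packets) if flow_identified(policy, rule_table, parse_header(p))]


if __name__ == "__main__":
    print(filter_unit(SAMPLE, RULE_TABLE, VLAN_A_NOT_IP_B))    # only the non-trusted host in VLAN 100
    print(filter_unit(SAMPLE, RULE_TABLE, MAC_AND_PORT_OF_3))  # only the frame from MAC aa to port 443
```

Note that a rule referring to a field the packet does not carry (here, "vlan" on the untagged frame) never counts as a match, so "matching with VLAN=A" excludes untagged traffic while "mismatching with rule #1" includes it; whichever behaviour the target network requires should be chosen deliberately when the rule table is written.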
Although a configuration in which the matching/mismatching setting unit 26 is separately provided in the filter unit 20 has been described with reference to
A low-cost general NIC unit 30 distributes received packets to a plurality of queues (Queues 1 to 3) according to specific field values in the packet headers. In the exemplary configuration of the NIC unit in
Here, if the same field value appears frequently in the packet headers, packets may become concentrated in one queue of the NIC unit, as in Queue 1 in
In a third embodiment, the filter unit 20 of the first and second embodiments is configured to have a load balancing function for distributing the load of packets in order to cope with such a situation.
For example, the load balancer unit 27 compares a field value of a packet output from the flow identification unit 23 with a field value of a previously output packet, and if the field values are the same, instructs the packet output unit 25 to convert the field value of the packet output from the flow identification unit 23 to a different value. This configuration can avoid concentration of packets in a specific queue of the NIC unit 30.
The comparison of field values of packets is, for example, comparison of a field value of a packet output from the flow identification unit 23 and a “field value before conversion” of a packet that has been output immediately before.
In order to make distribution to the plurality of queues more even, the load balancer unit 27 may be configured to compare the field value with both a “field value before conversion” and a “field value after conversion” of a previously output packet and convert the field value if the field value is the same as either one of the two field values. The load balancer unit 27 may also be configured to compare the field value with those of all N packets before, where N is an integer of 2 or more, and convert the field value if there is any packet with the same field value among them.
Conditions other than the above can also be set for converting the field value. For example, the field value may be rewritten when the number of packets carrying the same field value, among the packets input during a certain period or among a predetermined number of input packets, exceeds a preset threshold.
Various conversion methods can also be set. For example, the field value may be converted by adding a random value to it, and the field value before conversion and/or time information may be appended to the packet before the packet output unit outputs it to the NIC unit 30.
Here, as illustrated in
After the distribution to the plurality of queues by the NIC unit 30, the information given by the load balancer unit 27 (the source IP address before conversion or the time information) may be deleted by the packet input unit 40 or the like.
When the time information has been given, the input order can be checked during analysis using the time information, and the packets can be restored to their original order. When the load balancer unit 27 is configured to give only one of the "field value before conversion" and the "time information," the amount of information appended can be reduced.
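The following is an added model of the load balancer unit 27 in front of a multi-queue NIC unit 30 and of the reverse processing in the packet input unit 40, covering the queue concentration described for the NIC unit, the comparison with the previous N packets' values before and after conversion, the threshold variant, the random conversion with the original value and time information appended, and the removal of that information and restoration of the input order. It is not the application's code: the queue selection hash, the use of the source IP address as the converted field, the trailer layout, the seeded random generator, and the sample packets are assumptions constructed for the demonstration.

```python
"""Model of the load balancer unit in front of a multi-queue NIC: rewrite a header
field when it repeats so that the NIC's field-based queue selection spreads the
packets, carry the original value and a timestamp along, and undo both at the
packet input unit."""
import collections
import random
import struct
import zlib

MASK32 = 0xFFFFFFFF


def nic_queue(pkt: dict, num_queues: int) -> int:
    """Stand-in for the NIC's queue selection (assumed): hash of (src_ip, dst_ip)."""
    return zlib.crc32(struct.pack("!II", pkt["src_ip"], pkt["dst_ip"])) % num_queues


class LoadBalancer:
    """history=N: compare with the before/after values of the last N output packets.
    threshold=(k, window): instead convert when more than k of the last `window`
    input packets carried the same before-conversion value."""

    def __init__(self, history=1, threshold=None, seed=0):
        self.recent = collections.deque(maxlen=history)          # (before, after) pairs
        self.threshold = threshold
        self.window = collections.deque(maxlen=threshold[1] if threshold else 1)
        self.rng = random.Random(seed)                            # seeded: reproducible run
        self.clock = 0                                            # time information

    def _needs_conversion(self, value) -> bool:
        if self.threshold is not None:
            k, _ = self.threshold
            return self.window.count(value) > k
        return any(value in pair for pair in self.recent)

    def process(self, pkt: dict) -> dict:
        self.clock += 1
        before = after = pkt["src_ip"]
        if self._needs_conversion(before):
            taken = {v for pair in self.recent for v in pair}
            while after in taken or after == before:               # random value added, retry on clash
                after = (before + self.rng.randrange(1, MASK32)) & MASK32
        self.recent.append((before, after))
        self.window.append(before)
        # packet output unit: rewritten field plus a trailer (original value, time)
        return dict(pkt, src_ip=after, trailer=(before, self.clock))


def run(packets, num_queues=4, balancer=None):
    """Push packets through the (optional) balancer and the NIC; return the queues."""
    queues = [[] for _ in range(num_queues)]
    for p in packets:
        out = balancer.process(p) if balancer else p
        queues[nic_queue(out, num_queues)].append(out)
    return queues


def packet_input_unit(queues) -> list:
    """Drain the NIC queues in order (which interleaves the flow), strip the trailer,
    restore the original field value, and put packets back in input order by time."""
    restored = []
    for p in (p for q in queues for p in q):
        before, t = p["trailer"]
        clean = {k: v for k, v in p.items() if k != "trailer"}
        clean["src_ip"] = before
        restored.append((t, clean))
    return [p for _, p in sorted(restored, key=lambda x: x[0])]


def queues_used(queues) -> int:
    return sum(1 for q in queues if q)


def ip(s: str) -> int:
    return struct.unpack("!I", bytes(int(x) for x in s.split(".")))[0]


# constructed sample: one flow repeated 12 times, which a field-hashing NIC puts in a single queue
SAMPLE = [{"src_ip": ip("10.0.0.7"), "dst_ip": ip("10.0.1.1"), "seq": i} for i in range(12)]

if __name__ == "__main__":
    print(queues_used(run(SAMPLE)))                                  # 1 queue without balancing
    print(queues_used(run(SAMPLE, balancer=LoadBalancer(history=2))))  # several queues with it
    print(packet_input_unit(run(SAMPLE, balancer=LoadBalancer(history=2))) == SAMPLE)  # True
```

The restoration step matters for analysis: because the converted field is part of what the NIC hashes, the queues are drained out of input order, and without the appended time information the analysis apparatus would see a permuted and rewritten stream.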
NIC units with high-speed input capability are generally expensive. In the present embodiment, because the filter unit 20 is equipped with a load balancer function, packets can be captured from a high-speed network without loss even when an NIC unit with reduced cost is used, by distributing an input to a plurality of queues of the NIC unit 30. In the present embodiment, because the filter unit 20 is implemented in an FPGA, a condition for performing the load balancer such as a field value can be easily changed according to the target network.
The filter unit 20 of the above embodiments outputs only the specific packets that require analysis, namely packets suspected of being abnormal or highly malicious packets whose field values are unknown, and thus can reduce the input bandwidth of the analysis apparatus 60. Although an analysis apparatus 60 with high-speed input capability is generally expensive, adopting the filter unit 20 of the present embodiment makes it possible to reduce cost while dealing with a high-speed network.
According to the embodiments of the present invention, a high-load filtering process is implemented in an FPGA to realize it through hardware processing, such that it is possible to realize capture processing that achieves both high speed and economy as described above.
If the FPGA is configured to output only packets that do not match any rule, it is possible to capture only the highly malicious packets whose field values are difficult to predict. Because such packets are often few in number, the storage capacity for captured packets can be reduced. The input bandwidth and processing load of the NIC unit or the analysis apparatus connected to the FPGA are likewise reduced, packet loss can be prevented, and the performance required of the NIC unit or the analysis apparatus, and therefore their cost, can be reduced.
Further, by providing a load balancer function, the packet filtering process can deal with a high-speed network even when an NIC unit with reduced cost is used. Because the high-load filtering process is implemented in the FPGA, filter conditions of a field to be analyzed, load balancer conditions, and the like can be easily changed according to the target network.
Although the present invention has been described above with reference to the embodiments, the present invention is not limited to the above embodiments. Various modifications that can be understood by those skilled in the art can be made to the configurations of the present invention within the scope of the present invention.
1 Packet capture apparatus
10 Hardware processing unit
20 Filter unit
21 Packet input unit
22 Header analysis unit
23 Flow identification unit
24 Rule table
25 Packet output unit
30 NIC unit
40 Packet input unit
50 Packet storage unit
70 Network.
This application is a national phase entry of PCT Application No. PCT/JP2020/020707, filed on May 26, 2020, which application is hereby incorporated herein by reference.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2020/020707 | 5/26/2020 | WO |