The present invention relates to an assignment apparatus, a communication system, and an assignment method.
One known technique used as a countermeasure against Distributed Denial of Service (DDoS) attacks relies on the following mechanism. Specifically, all traffic destined for the targets of the DDoS attack is guided to a DDoS mitigation apparatus (security apparatus), and the security apparatus discards attack packets and allows non-attack packets to pass through (see Non Patent Literature 1).
The security apparatus executes various types of analysis processing in multiple stages, and discards the packet at whichever stage an abnormality is detected. Not all the types of analysis processing executed by the security apparatus require the payload of a packet. In other words, there is analysis processing that can be executed using only lower layer information, such as the 5-tuple of the header. Examples include processing known as Invalid Packets, in which an invalid port number is determined, and processing known as IP Address Filter Lists, in which a packet with a designated IP address is discarded.
Non Patent Literature 1: Arbor Networks, “Arbor Networks TMS”, [online]; Arbor Networks, [ Search Jun. 29, 2018]; Internet: URL:http://jp.arbornetworks.com/wp-content/uploads/2016/06/ds_tms_jp2016-030516AP-number-updated.pdf
Unfortunately, the known technique involves a risk of the security apparatus running short of resources, because payloads that are never used for analysis processing are nonetheless transferred to it. Specifically, when a packet is discarded by analysis processing that uses only lower layer information at an earlier stage of the security apparatus, its payload is never used. The security apparatus may run short of resources because of such unused payloads.
The present invention is made in view of the above, and an object of the present invention is to reduce the amount of data transferred to a security apparatus.
An assignment apparatus according to the present invention, for solving the problem described above and achieving the object, is configured to transfer packets received from a network to a user and to a security apparatus configured to detect an attack packet, and includes a copy unit configured to copy each of the packets received from the network and a compression unit configured to compress a payload of each of the copied packets and to transfer a packet with the compressed payload to the security apparatus.
With the invention, the amount of data transferred to a security apparatus can be reduced.
Hereinafter, embodiments of the present disclosure will be described in detail with reference to the drawings. Note that the present invention is not limited by the embodiment. In illustration of the drawings, the identical parts are denoted by the same reference signs.
The security apparatus 20a is a DDoS mitigation apparatus that executes simple analysis processing on a packet only using lower layer information included in 5-tuple of the header of the packet and the like. On the other hand, the security apparatus 20b is a DDoS mitigation apparatus that executes normal analysis processing on a packet using higher layer information such as contents of the payload of the packet. The security apparatus 20a and the security apparatus 20b may each include a plurality of apparatuses. The security apparatus 20a and the security apparatus 20b may also be a virtual security apparatus built on the virtualization infrastructure server.
The assignment apparatus 10 executes assignment processing described later to assign and transfer the packets received from the network to a user and to the security apparatus (20a, 20b). Specifically, the assignment apparatus 10 compresses the payload of a packet assigned to the security apparatus 20a that executes the simple analysis processing, and transfers a packet with the compressed payload thereto. The assignment apparatus 10 further assigns each packet to be transferred to a security apparatus to one of the two types of security apparatus, the security apparatus 20a or the security apparatus 20b, and transfers it accordingly.
When the result of the simple analysis is OK (analysis (1)), the next processing (analysis (2)) is subsequently executed. When the result of the simple analysis is NG (abnormal) (analysis (2)), the packet is discarded with the payload unused.
A processable band (resource) of the security apparatus is limited. Thus, reception of a packet including a payload that would not be used may result in a failure to process a flow as illustrated in
With the assignment apparatus 10 according to the present embodiment, as illustrated in
Description is given with reference to
The security apparatus (20a, 20b) is implemented by a Central Processing Unit (CPU), a Network Processor (NP), a Field Programmable Gate Array (FPGA), or the like, and includes a detection unit 21a and a notification unit 21b. The detection unit 21a detects an attack packet by analyzing each of the packets received from the assignment apparatus 10. Specifically, the detection unit 21a executes the simple analysis processing or the normal analysis processing to detect the attack packet. In addition, the notification unit 21b notifies the controller 30 of information about the detected attack packet.
The security apparatus 20a executes the simple analysis processing on a packet by only using lower layer information included in 5-tuple of the header of the packet and the like. On the other hand, the security apparatus 20b executes the normal analysis processing on a packet by using higher layer information such as contents of the payload of the packet.
The filter information 12a is information identifying an attack packet detected by the security apparatus (20a, 20b). The filter information 12a is notified from the controller 30 and stored in the storage unit 12, for example. Note that the filter information 12a may also be stored in the storage unit 12 via an input unit such as a keyboard or a mouse (not illustrated).
The assignment rule 12b is information designating a processing method for each predetermined flow in network traffic. For example, in the assignment rule 12b, a processing method is designated for each protocol. For example, with the assignment rule 12b, UDP and TCP flows used by DNS are designated to be subject to the normal analysis processing, and flows of other protocols are designated to be subject to the simple analysis processing.
Alternatively, with the assignment rule 12b, a processing method is designated for each destination IP address. For example, with the assignment rule 12b, each IP address of the destination user is designated to be subject to the normal analysis processing, subject to the resource friendly simple analysis processing, or the like, on the basis of the type of analysis service under contract with the user.
Alternatively, with the assignment rule 12b, a processing method is designated on the basis of the destination IP address together with either the time period required for executing detection processing or the time period required before the detection processing can start at the security apparatus. For example, with the assignment rule 12b, each IP address of the destination user is designated to be subject to the simple analysis processing if, due to the user contract, the time period required before the normal analysis processing for the target flow can start exceeds a predetermined time period, so that the processing would start late. Alternatively, with the assignment rule 12b, each IP address of the destination user is designated to be subject to the simple analysis processing if, due to the user contract, the time period expected to be required for executing the normal analysis processing on the target flow exceeds a predetermined time period.
Note that the assignment rule 12b is stored in the storage unit 12 via an input unit such as a keyboard or a mouse (not illustrated), or via the controller 30 for example.
As illustrated in
The discarding unit 11a uses the filter information 12a to discard the attack packet in packets received from the network. Specifically, the discarding unit 11a identifies in the packets received from the network, the known attack packet stored in the filter information 12a, and discards this packet so as not to be used in the processing in the later stage.
The assignment unit 11b uses the assignment rule 12b to assign the packets received from the network to the copy unit 11c described later or to the other security apparatus 20b, for each predetermined flow. Specifically, the assignment unit 11b determines the packet to be subject to the simple analysis processing or subject to the normal analysis processing, or to be transferred to none of the security apparatuses, based on the processing method for each flow designated with the assignment rule 12b.
Furthermore, the assignment unit 11b transfers the packet determined to be subject to the simple analysis processing to the copy unit 11c described later, and transfers the packet determined to be subject to the normal analysis processing to the security apparatus 20b.
The copy unit 11c copies each of the packets received from the network. Specifically, the copy unit 11c copies each of the packets received from the network via the discarding unit 11a and the assignment unit 11b. The copy unit 11c transfers the copied packet to the compression unit 11d and transfers the original packet directly to the destination user. Furthermore, the copy unit 11c transfers the packet determined to be transferred to none of the security apparatuses, to the destination user without processing the packet.
The compression unit 11d compresses the payload of the copied packet and transfers a packet with the compressed payload to the security apparatus 20a. Specifically, the compression unit 11d compresses the payload portion of the copied packet, and transfers a packet with the compressed payload to the security apparatus 20a that executes the simple analysis processing. The compression unit 11d may delete the payload portion of the packet instead of compressing it. In such a case, the compression unit 11d transfers only the header of the copied packet to the security apparatus 20a. Furthermore, when compressing or deleting the payload of a packet, the compression unit 11d recalculates and changes a value such as a checksum related to the packet length.
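The following is an added example, not code from the patent, showing what the compression unit 11d described above has to do on the wire: either zlib-compress or delete the payload of a copied packet and then recalculate the IPv4 total length, the IPv4 header checksum, the UDP length and the UDP checksum so that the security apparatus 20a still receives a well-formed packet whose 5-tuple is unchanged. The packet format (IPv4 + UDP only), the use of zlib as the compression algorithm, the sample addresses and the helper names are assumptions of this example.

```python
import struct
import zlib
from ipaddress import ip_address

UDP = 17  # IPv4 protocol number for UDP


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"  # pad odd-length input without touching the caller's buffer
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header + UDP header + data (checksum field zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, UDP, len(udp))
    csum = ones_complement_checksum(pseudo + udp)
    return csum or 0xFFFF  # RFC 768: a computed zero is transmitted as all ones


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample packet (not captured traffic): 20-byte IPv4 header + UDP + payload."""
    s, d = ip_address(src).packed, ip_address(dst).packed
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(s, d, udp)) + udp[8:]
    # version/IHL, DSCP, total length, ID, flags (DF), TTL, protocol, checksum=0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, UDP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return ip + udp


def five_tuple(packet: bytes):
    """Lower-layer information the simple analysis relies on: (src, dst, proto, sport, dport)."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (str(ip_address(packet[12:16])), str(ip_address(packet[16:20])), packet[9], sport, dport)


def compress_payload(packet: bytes, delete: bool = False) -> bytes:
    """Compression unit 11d (this example's rendering): shrink or delete the UDP payload of a
    copied packet, then recalculate every length/checksum field that depended on the payload."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != UDP:
        raise ValueError("this example only handles IPv4/UDP")
    ip = bytearray(packet[:ihl])
    udp_hdr, payload = packet[ihl:ihl + 8], packet[ihl + 8:]
    new_payload = b"" if delete else zlib.compress(payload, 9)
    # UDP length and checksum depend on the payload, so rebuild the UDP header
    udp = udp_hdr[:4] + struct.pack("!HH", 8 + len(new_payload), 0) + new_payload
    src, dst = bytes(ip[12:16]), bytes(ip[16:20])
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    # IPv4 total length changed, so the header checksum must be recomputed as well
    struct.pack_into("!H", ip, 2, ihl + len(udp))
    struct.pack_into("!H", ip, 10, 0)
    struct.pack_into("!H", ip, 10, ones_complement_checksum(bytes(ip)))
    return bytes(ip) + udp


def checksums_valid(packet: bytes) -> bool:
    """Receiver-side check: both the IPv4 header and the UDP checksum verify to zero."""
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, UDP, len(udp))
    return (ones_complement_checksum(packet[:ihl]) == 0
            and ones_complement_checksum(pseudo + udp) == 0)


if __name__ == "__main__":
    original = build_ipv4_udp("192.0.2.1", "198.51.100.7", 40000, 53, b"A" * 1000)
    for label, pkt in (("original", original),
                       ("compressed", compress_payload(original)),
                       ("header only", compress_payload(original, delete=True))):
        print(f"{label:12} {len(pkt):5d} bytes  5-tuple={five_tuple(pkt)}  "
              f"checksums_ok={checksums_valid(pkt)}")
```

Two details matter in practice: compression of a short or high-entropy payload can make the packet larger rather than smaller, so the delete mode is the option that guarantees a reduction, and because the 5-tuple and header fields are untouched, any later-stage analysis that needs the original payload (the normal analysis of security apparatus 20b) must still receive the uncompressed packet, which is why the assignment unit keeps the two paths separate.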
The controller 30 is implemented by a CPU, an NP, an FPGA, and the like, and includes an acquisition unit 31a and a setting unit 31b. The acquisition unit 31a acquires information about the detected attack packet from the security apparatus (20a, 20b).
The setting unit 31b uses the information about the attack packet acquired from the security apparatus (20a, 20b) to cause the assignment apparatus 10 to store the filter information 12a. The setting unit 31b further causes the assignment apparatus 10 to store the assignment rule 12b.
The security apparatus 20a executes the simple analysis processing using the packet with the payload compressed. Upon detecting an attack packet as a result of executing the simple analysis processing, the security apparatus 20a notifies the controller 30 of the detection result (step (3)).
The controller 30 uses the detection result notified from the security apparatus 20a to set the information identifying the detected attack packet, in the filter information 12a of the assignment apparatus 10 (step (4)). As a result, the discarding unit 11a of the assignment apparatus 10 thereafter discards the known attack packet identified by the filter information 12a, in the packets received from the network, so that the attack packet will not be processed in the later stage.
The assignment unit 11b uses the assignment rule 12b designating the processing method for each predetermined flow of network traffic, to determine whether the received packet is to be subject to the simple analysis processing or to be subject to the normal analysis processing for each predetermined flow. Then, the assignment unit 11b transfers the packet determined to be subject to the simple analysis processing (A) to the copy unit 11c, and transfers the packet determined to be subject to the normal analysis processing (B) to the security apparatus 20b.
For example, the assignment unit 11b can determine, for each IP address of the destination user, whether the address is to be subject to the simple analysis processing or to the normal analysis processing, on the basis of the type of the analysis service under contract with the user.
In the example illustrated in
Alternatively, with the assignment rule 12b, each IP address of the destination user can be designated to be subject to the simple analysis processing if, due to the user contract, the time period expected to be required for executing the normal analysis processing on the target flow exceeds a predetermined time period. The address can also be designated to be subject to neither the normal analysis processing nor the simple analysis processing.
First of all, in the initial setting process in step S1, when the user subscribes to an analysis service (step S11), the controller 30 is notified of the user's IP address and the type of the service such as an attack-detection method (step S12).
The controller 30 causes the security apparatus (20a, 20b) to set an attack-detection parameter on the basis of the type of the analysis service the user has subscribed to (step S13). Furthermore, the controller 30 causes the assignment apparatus 10 to set the assignment rule 12b to be subject to the simple analysis processing or the normal analysis processing, or to be subject to none of the normal analysis processing and the simple analysis processing, based on the type of the analysis service the user has subscribed to (step S14).
Prior to the attack detection processing in step S3, the discarding unit 11a in the assignment apparatus 10 discards the known attack packet in the packets received from the network (step S20). Furthermore, the assignment unit 11b assigns the simple analysis or the normal analysis, on the basis of the assignment rule 12b (step S21).
Note that the sequence from step S20 illustrated in
When the packet is assigned to the simple analysis processing, the assignment unit 11b transfers the packet to the copy unit 11c (step S31). The copy unit 11c copies the received packet and transfers the copied packet to the compression unit 11d (step S32). The copy unit 11c transfers the original packet to the user without processing it (step S36).
The compression unit 11d compresses the payload of the packet and transfers a packet with the compressed payload to the security apparatus 20a (step S33).
On the other hand, when the packet is assigned to the normal analysis processing, the assignment unit 11b transfers the packet to the security apparatus 20b (step S41). When the packet is subject to none of the normal analysis processing and the simple analysis processing, the copy unit 11c transfers the packet to the user without processing it (step S44).
Upon detecting an attack packet, the security apparatus (20a, 20b) notifies the controller 30 of the detection result (steps S34, S42). The controller 30 causes the assignment apparatus 10 to set the filter information 12a identifying the attack packet (steps S35, S43).
In the packet discarding processing in step S5, the discarding unit 11a of the assignment apparatus 10 uses the filter information 12a to identify, in the packets received from the network, as the known attack packet, the attack packet detected by the security apparatus (20a, 20b), and discards this packet (step S50).
As described above, in the assignment apparatus 10 according to the present embodiment, the copy unit 11c copies each of the packets received from the network. The compression unit 11d compresses the payload of the copied packet and transfers a packet with the compressed payload to the security apparatus 20a.
Thus, the amount of data transferred to the security apparatus 20a that executes the simple analysis processing can be reduced. This increases the number of packets that can be processed without increasing the resources of the security apparatus 20a, so that the risk of the resources of the security apparatus 20a running short can be reduced.
The storage unit 12 also stores the filter information 12a for identifying the attack packet detected by the security apparatus, and the discarding unit 11a uses the filter information to discard the attack packet in the packets received from the network. Thus, the known attack packet in the packets received from the network can be discarded.
The storage unit 12 stores the assignment rule 12b designating the processing method for each predetermined flow of the network traffic, and the assignment unit 11b uses the assignment rule 12b to assign the packets received from the network to the copy unit 11c or to the other security apparatus 20b, for each predetermined flow. This allows the received packets to be assigned to the simple analysis processing or to the normal analysis processing for each predetermined flow.
The storage unit 12 may store the assignment rule 12b designating the processing method for each protocol. In such a case, the assignment unit 11b uses the assignment rule 12b to assign the packets received from the network to the copy unit 11c or to the other security apparatus 20b, for each protocol. This enables UDP and TCP flows used by DNS to be designated to be subject to the normal analysis processing, and flows of other protocols to be designated as subject to the simple analysis processing, for example.
The storage unit 12 may store the assignment rule 12b designating the processing method for each destination IP address. In such a case, the assignment apparatus 10 uses the assignment rule 12b to assign the packets received from the network to the copy unit 11c or to the other security apparatus 20b, for each destination IP address. Thus, the assignment apparatus 10 can determine, for each IP address of the destination user, whether the address is to be subject to the simple analysis processing, to the normal analysis processing, or the like, on the basis of the type of the analysis service under contract with the user.
The storage unit 12 may store the assignment rule 12b designating a processing method on the basis of the destination IP address and a time period required for executing detection processing or a time period required before starting the detection processing at the security apparatus (20a, 20b). In this case, the assignment apparatus 10 uses the assignment rule 12b to assign the packets received from the network to the copy unit 11c or to the other security apparatus 20b, on the basis of the destination IP address and the time period required for the detection processing to be executed or the time period required before starting the detection processing at the security apparatus (20a, 20b).
Thus, for example, the assignment apparatus 10 can designate the packets received from the network to be subject to the simple analysis processing for each IP address of the destination user, if due to the user contract, a time period required before starting the normal analysis processing for the target flow exceeds a predetermined time period so that the processing starts late. Alternatively, the assignment apparatus 10 can designate each of the packets received from the network to be subject to the simple analysis processing for each IP address of the destination user, if due to the user contract, a time period expected to be required for executing the normal analysis processing on the target flow exceeds a predetermined time period.
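To make the interplay of the filter information 12a and the three forms of assignment rule 12b described above concrete, here is an added example (not the patent's own code) that models the discarding unit 11a and the assignment unit 11b as one decision function over a packet's 5-tuple, with contract-based, time-period-based and protocol-based rules combined in a fixed precedence and the bytes handed to each security apparatus accounted for. The precedence between the rule variants, the "simple"/"normal"/"none" contract names, the thresholds, the 28-byte header size kept when the payload is deleted, and the sample addresses are all assumptions of this example; the patent presents the rule variants as alternatives and does not prescribe an order.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    DISCARD = "discard (known attack packet per filter information 12a)"
    SIMPLE = "simple analysis (copy, compress payload, security apparatus 20a)"
    NORMAL = "normal analysis (full packet, security apparatus 20b)"
    NONE = "no analysis (forward to the user only)"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "udp", "tcp", ...
    sport: int
    dport: int
    length: int         # total packet size in bytes
    header_len: int = 28  # assumed IPv4+UDP header size that survives payload deletion


@dataclass
class Contract:
    service: str                  # "normal", "simple" or "none" (assumed names)
    start_delay_s: float = 0.0    # expected wait before normal analysis could start
    analysis_time_s: float = 0.0  # expected time to run normal analysis on the flow


@dataclass
class AssignmentRule:
    contracts: dict                 # destination IP -> Contract
    protocol_rules: dict            # (proto, port) -> Action
    max_start_delay_s: float = 2.0  # assumed predetermined time periods
    max_analysis_time_s: float = 1.0
    default: Action = Action.SIMPLE


class AssignmentApparatus:
    def __init__(self, rule: AssignmentRule):
        self.rule = rule
        self.filter_info = set()  # 5-tuples of attack packets reported by the controller
        self.bytes_to_security = {Action.SIMPLE: 0, Action.NORMAL: 0}

    def set_filter(self, pkt: Packet) -> None:
        """Controller 30 setting the filter information (steps S35/S43)."""
        self.filter_info.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))

    def assign(self, pkt: Packet) -> Action:
        """Discarding unit 11a first, then assignment unit 11b (precedence is this example's choice)."""
        if (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport) in self.filter_info:
            return Action.DISCARD
        contract = self.rule.contracts.get(pkt.dst)
        if contract is None or contract.service == "none":
            return Action.NONE
        if contract.service == "simple":
            return Action.SIMPLE
        # Normal-analysis contract: fall back to simple analysis when the normal path
        # would start late or is expected to take too long for this user.
        if (contract.start_delay_s > self.rule.max_start_delay_s
                or contract.analysis_time_s > self.rule.max_analysis_time_s):
            return Action.SIMPLE
        # Per-protocol rule: match either port, e.g. DNS on UDP/TCP 53.
        for key in ((pkt.proto, pkt.dport), (pkt.proto, pkt.sport)):
            if key in self.rule.protocol_rules:
                return self.rule.protocol_rules[key]
        return self.rule.default

    def process(self, pkt: Packet) -> Action:
        """Assign the packet and account for what reaches each security apparatus:
        only the header for the simple path (payload deleted by 11d), the full packet otherwise."""
        action = self.assign(pkt)
        if action is Action.SIMPLE:
            self.bytes_to_security[Action.SIMPLE] += pkt.header_len
        elif action is Action.NORMAL:
            self.bytes_to_security[Action.NORMAL] += pkt.length
        return action


def build_example_apparatus() -> AssignmentApparatus:
    """Constructed rule set: DNS flows to normal analysis, other protocols to simple analysis."""
    rule = AssignmentRule(
        contracts={
            "198.51.100.7": Contract("normal", start_delay_s=0.1, analysis_time_s=0.5),
            "198.51.100.8": Contract("simple"),
            "198.51.100.9": Contract("normal", start_delay_s=5.0, analysis_time_s=0.5),
        },
        protocol_rules={("udp", 53): Action.NORMAL, ("tcp", 53): Action.NORMAL},
    )
    return AssignmentApparatus(rule)


if __name__ == "__main__":
    app = build_example_apparatus()
    dns = Packet("192.0.2.1", "198.51.100.7", "udp", 40000, 53, 90)
    for pkt in (dns,
                Packet("192.0.2.1", "198.51.100.7", "tcp", 40001, 443, 1500),
                Packet("192.0.2.1", "198.51.100.9", "udp", 40002, 53, 90),
                Packet("192.0.2.1", "203.0.113.1", "udp", 40004, 53, 90)):
        print(pkt.dst, pkt.proto, pkt.dport, "->", app.process(pkt).value)
    app.set_filter(dns)  # controller reports the DNS flow as an attack
    print("after filter:", app.process(dns).value, app.bytes_to_security)
```

The accounting in `process` is what the embodiment's resource argument rests on: every packet routed to the simple path costs the security apparatus 20a only a header's worth of bytes, while the normal path still carries whole packets, and a flow once identified as an attack stops consuming either apparatus because the discarding unit drops it before assignment.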
At the security apparatus (20a, 20b) of the communication system 1 according to the present embodiment, the detection unit 21a detects an attack packet by analyzing the packets received from the assignment apparatus 10, and the notification unit 21b notifies the controller 30 of the information about the detected attack packet. In the controller 30, the acquisition unit 31a acquires the information about the detected attack packet from the security apparatus (20a, 20b), and the setting unit 31b uses the acquired information about the attack packet to store the filter information 12a in the assignment apparatus 10. This enables the attack packet to be easily and efficiently analyzed and discarded.
A program in which the processing executed by the assignment apparatus 10 according to the embodiment described above is described in a computer-executable language can be created as well. As one embodiment, the assignment apparatus 10 can be implemented by installing an assignment program for executing the assignment processing described above in a desired computer as packaged software or on-line software. For example, by causing an information processing apparatus to execute the assignment program described above, the information processing apparatus can be configured to function as the assignment apparatus 10. The information processing apparatus described here includes a desktop or laptop personal computer. In addition, a mobile communication terminal such as a smart phone or a mobile phone, and a slate terminal such as a Personal Digital Assistant (PDA), are included in the category of the information processing apparatus. Furthermore, the function of the assignment apparatus 10 may be implemented on a cloud server.
The memory 1010 includes a Read Only Memory (ROM) 1011 and a RAM 1012. The ROM 1011 stores a boot program, such as a Basic Input Output System (BIOS), for example. The hard disk drive interface 1030 is connected to the hard disk drive 1031. The disk drive interface 1040 is connected to a disk drive 1041. A detachable storage medium such as a magnetic disk or an optical disc, for example, is inserted into the disk drive 1041. A mouse 1051 and a keyboard 1052, for example, are connected to the serial port interface 1050. A display 1061, for example, is connected to the video adapter 1060.
Here, the hard disk drive 1031 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. The respective information described in the aforementioned embodiments are stored in, for example, the hard disk drive 1031 and the memory 1010.
In addition, the assignment program, for example, is stored in the hard disk drive 1031 as a program module 1093 in which commands to be executed by the computer 1000 are described. More specifically, the program module 1093, in which each processing executed by the assignment apparatus 10 described in the embodiment is described, is stored in the hard disk drive 1031.
Data used in information processing according to the assignment program is stored, for example, in the hard disk drive 1031 as program data 1094. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the hard disk drive 1031 as needed in the RAM 1012 and executes each of the aforementioned procedures.
The program module 1093 or the program data 1094 relating to the assignment program is not necessarily stored in the hard disk drive 1031 and, for example, may be stored in a detachable storage medium and be read by the CPU 1020 through the disk drive 1041 or the like. Alternatively, the program module 1093 or the program data 1094 related to the assignment program may be stored in another computer connected via a network such as a Local Area Network (LAN) or a Wide Area Network (WAN) and read by the CPU 1020 via the network interface 1070.
Although the embodiments to which the invention made by the present inventors is applied have been described above, the invention is not limited by the description and the drawings as a part of the disclosure of the present invention according to the embodiments. In other words, all of other embodiments, examples, operation technologies, and the like made by those skilled in the art based on the embodiments are within the scope of the invention.
1 Communication system
10 Assignment apparatus
11 Control unit
11a Discarding unit
11b Assignment unit
11c Copy unit
11d Compression unit
12 Storage unit
12a Filter information
12b Assignment rule
20a, 20b Security apparatus
21a Detection unit
21b Notification unit
30 Controller
31a Acquisition unit
31b Setting unit
Number | Date | Country | Kind
---|---|---|---
2018-138773 | Jul 2018 | JP | national

Filing Document | Filing Date | Country | Kind
---|---|---|---
PCT/JP2019/028103 | 7/17/2019 | WO | 00