Detection method for abnormal traffic and packet relay apparatus
Abstract
The present invention provides a technology including, for example, a packet relay processing section to carry out packet relay, a packet sampling section to carry out packet sampling, a flow statistics counting section to take statistics of each flow, and a flow statistics generating section to generate a NetFlow export datagram, wherein the flow statistics counting section collectively counts the number of packets or bytes received per unit time when that number does not exceed a threshold value and individually counts the number for each flow when it exceeds the threshold value. A flow of abnormal traffic suspected to be a DoS attack is thereby detected efficiently with a small amount of resources (mainly memory).
11 Claims
1. A packet relay apparatus which receives packets, searches for the routes thereof, and transmits them to the searched routes, said packet relay apparatus comprising:
a packet relay processing section to relay packets on the basis of a routing table;
a packet sampling section to sample the packets which said packet relay processing section has received;
a flow statistics counting section to tally counts on a flow statistics table with the packets received from said packet sampling section; and
a flow statistics generating section to transform information received from said flow statistics counting section into a predetermined format, wherein said flow statistics counting section tallies the total number regarding the flows, which have the total number of the packets or bytes received per unit time being less than a threshold value, collectively as one flow. (Dependent claims 2, 3)
4. A packet relay apparatus which receives packets, searches for the routes thereof, and transmits them to the searched routes, said packet relay apparatus comprising:
a packet relay processing section to relay packets on the basis of a routing table;
a packet sampling section to sample the packets which said packet relay processing section has received;
a flow statistics counting section to tally counts on a flow statistics table with the packets received from said packet sampling section; and
a flow statistics generating section to transform information received from said flow statistics counting section into a predetermined format, wherein said flow statistics counting section monitors the number of packets or bytes of flows received per unit time. (Dependent claims 5, 6, 7, 8)
9. An abnormal traffic detection method for detecting abnormal traffic, comprising the steps of:
sampling received packets;
tallying the number of the sampled packets or the number of the bytes of said sampled packets for each flow;
transmitting the total number of the packets or the bytes tallied for each flow to a collector under a predetermined condition;
prior to the step of transmitting the total number to the collector, tallying the total number regarding the flows, each of which has the total counted number of packets or bytes being less than a threshold value, as other flows; and
transmitting said total counted numbers of the packets or bytes of the flows of not less than said threshold value and said other flows to said collector. (Dependent claims 10, 11)
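As an added illustration of the method of claim 9 (example code written for this page, not code from the patent), the following Python samples packets, tallies them per flow, and, before export to the collector, tallies every flow below a packet threshold together as one "other flows" record while exporting flows at or above the threshold individually. The traffic mix, the 1-in-4 sampling rate and the threshold of 5 sampled packets are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlowStats:
    packets: int = 0
    bytes: int = 0


def sample_packets(packets, rate):
    """Packet sampling section: deterministic 1-in-`rate` sampling."""
    return [p for i, p in enumerate(packets) if i % rate == 0]


def tally_flows(sampled):
    """Flow statistics counting section: packets and bytes per 5-tuple flow."""
    table = defaultdict(FlowStats)
    for src, dst, proto, sport, dport, size in sampled:
        entry = table[(src, dst, proto, sport, dport)]
        entry.packets += 1
        entry.bytes += size
    return table


def export_records(table, threshold):
    """Before sending to the collector, flows whose sampled packet count is
    below the threshold are tallied together as one 'other flows' record;
    flows at or above it are exported individually (the DoS candidates)."""
    records, other = {}, FlowStats()
    for key, entry in table.items():
        if entry.packets < threshold:
            other.packets += entry.packets
            other.bytes += entry.bytes
        else:
            records[key] = entry
    records["other flows"] = other
    return records


def constructed_traffic():
    """Constructed sample: one high-rate flow toward a single server plus 30
    single-packet flows from distinct sources (ordinary background traffic)."""
    flood = [("10.0.0.5", "192.0.2.10", 6, 40000, 80, 64)] * 200
    background = [(f"10.0.1.{i}", "192.0.2.20", 6, 50000 + i, 443, 128)
                  for i in range(30)]
    return flood + background


def run_demo(rate=4, threshold=5):
    """Returns (flow table size, export records) for the constructed traffic."""
    table = tally_flows(sample_packets(constructed_traffic(), rate))
    return len(table), export_records(table, threshold)


if __name__ == "__main__":
    table_size, records = run_demo()
    print(f"{table_size} flow entries reduced to {len(records)} export records")
    for key, entry in records.items():
        print(key, entry.packets, entry.bytes)
```

With these inputs the nine sampled flows collapse to two export records: the high-rate flow (50 sampled packets) and one "other flows" aggregate holding the eight single-packet background flows.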
Specification