Detection method for abnormal traffic and packet relay apparatus

US 20070115850A1
Filed: 03/02/2006
Published: 05/24/2007
Est. Priority Date: 10/20/2005
Status: Active Grant

First Claim

Patent Images

1. A packet relay apparatus which receives packets, searches for the routes thereof, and transmits them to the searched routes, said packet relay apparatus comprising:

a packet relay processing section to relay packets on the basis of a routing table;

a packet sampling section to sample the packets which said packet relay processing section has received;

a flow statistics counting section to tally counts on a flow statistics table with the packets received from said packet sampling section; and

a flow statistics generating section to transform information received from said flow statistics counting section into a predetermined format, wherein said flow statistics counting section tallies the total number regarding the flows, which have the total number of the packets or bytes received per unit time being less than a threshold value, collectively as one flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a technology including, for example, a packet relay processing section to carry out packet relay, a packet sampling section to carry out packet sampling, a flow statistics counting section to take statistics of each flow, and a flow statistics generating section to generate a NetFlow export datagram, wherein the flow statistics counting section collectively counts the number of the packets or bytes received per unit time when the number does not exceed a threshold value and individually counts the number for each flow when the number exceeds the threshold value, and thereby a flow of abnormal traffic which is suspected to be DoS attack is efficiently detected with small amounts of resources (mainly memories).

Citations

11 Claims

1. A packet relay apparatus which receives packets, searches for the routes thereof, and transmits them to the searched routes, said packet relay apparatus comprising:
- a packet relay processing section to relay packets on the basis of a routing table;
  
  a packet sampling section to sample the packets which said packet relay processing section has received;
  
  a flow statistics counting section to tally counts on a flow statistics table with the packets received from said packet sampling section; and
  
  a flow statistics generating section to transform information received from said flow statistics counting section into a predetermined format, wherein said flow statistics counting section tallies the total number regarding the flows, which have the total number of the packets or bytes received per unit time being less than a threshold value, collectively as one flow.
- View Dependent Claims (2, 3)
- - 2. The packet relay apparatus according to claim 1, wherein said flow statistics counting section monitors the number of the packets or bytes of flows received per unit time, and when said monitored number of the packets or bytes exceeds a threshold value, delivers said transformed information from said packet relay processing section.
  - 3. The packet relay apparatus according to claim 1, wherein said flow statistics counting section monitors the number of the packets or bytes of a received flow, and when said monitored number of the packets or bytes exceeds a threshold value, delivers said transformed information from said packet relay processing section.

4. A packet relay apparatus which receives packets, searches for the routes thereof, and transmits them to the searched routes, said packet relay apparatus comprising:
- a packet relay processing section to relay packets on the basis of a routing table;
  
  a packet sampling section to sample the packets which said packet relay processing section has received;
  
  a flow statistics counting section to tally counts on a flow statistics table with the packets received from said packet sampling section; and
  
  a flow statistics generating section to transform information received from said flow statistics counting section into a predetermined format, wherein said flow statistics counting section monitors the number of packets or bytes of flows received per unit time.
- View Dependent Claims (5, 6, 7, 8)
- - 5. The packet relay apparatus according to claim 4, wherein said flow statistics counting section delivers said transformed information from said packer relay processing section when said monitored number of the packets or bytes per unit time exceeds a threshold value.
  - 6. The packet relay apparatus according to claim 4, wherein said flow statistics counting section outputs data notifying of an occurrence of abnormality when said monitored number of the packets or bytes per unit time exceeds a threshold value.
  - 7. The packet relay apparatus according to claim 4, wherein said flow statistics counting section tallies the total number regarding the flows, which have the total number of packets or bytes received per unit time being less than a threshold value, collectively as one flow.
  - 8. The packet relay apparatus according to claim 4, wherein said flow statistics counting section monitors the total number of packets or bytes of a received flow, and when said monitored number of packets or bytes exceeds a threshold value, delivers said transformed information from said packet relay processing section.

9. An abnormal traffic detection method for detecting abnormal traffic, comprising the steps of:
- sampling received packets;
  
  tallying the number of the sampled packets or the number of the bytes of said sampled packets for each flow;
  
  transmitting the total number of the packets or the bytes tallied for each flow to a collector under a predetermined condition;
  
  prior to the step of transmitting the total number to the collector, tallying the total number regarding the flows, each of which has the total counted number of packets or bytes being less than a threshold value, as other flows; and
  
  transmitting said total counted numbers of the packets or bytes of the flows of not less than said threshold value and said other flows to said collector.
- View Dependent Claims (10, 11)
- - 10. The abnormal traffic detection method according to claim 9, wherein said method further comprises the step of computing a receive rate for each flow when said number of the sampled packets or said number of the bytes of the sampled packets is tallied for each flow, and said predetermined condition is that said computed receive rate is not less than a threshold value.
  - 11. The abnormal traffic detection method according to claim 9, wherein, at said step of tallying the number for each flow, the flows, each of which has said total number of the packets or bytes being ranked as an upper level, are regarded as said other flows.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alaxala Networks Corporation (Fortinet Inc.)
Original Assignee
Alaxala Networks Corporation (Fortinet Inc.)
Inventors
Sato, Hiroshi, Tsuchiya, Kazuaki

Granted Patent

US 7,729,271 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/252
CPC Class Codes

H04L 43/022   by sampling

H04L 43/16   Threshold monitoring

H04L 45/00   Routing or path finding of ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

Detection method for abnormal traffic and packet relay apparatus

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Detection method for abnormal traffic and packet relay apparatus

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links