Abnormal traffic detection apparatus, abnormal traffic detection method and abnormal traffic detection program

US 8,422,386 B2
Filed: 09/25/2008
Issued: 04/16/2013
Est. Priority Date: 10/02/2007
Status: Active Grant

First Claim

Patent Images

1. An abnormal traffic detection apparatus that, when traffics are transmitted and received between a plurality of ISPs (Internet Service Providers) connected to the Internet via a switch, monitors traffics passing through the switch and uses traffic information on the monitored traffics to detect abnormal traffics toward the ISPs, comprising:

an amount information storing unit configured to store amount information on an amount of traffics as an amount information table, the amount information table corresponding to each ISP that is a destination of the traffics, the amount information being included in the traffic information;

a storage controlling unit configured to identify the ISP which is a destination of the traffics on the basis of one or more destination IP addresses of the traffic information, the storage controlling unit configured to, when a destination IP address identified by the traffic information is already stored in the amount information table corresponding to the identified ISP, store the identified IP address and the amount information in the amount information table corresponding to the identified ISP, and the storage controlling unit configured to, when a destination IP address identified by the traffic information is not stored in the amount information table corresponding to the identified ISP, store the amount information in the amount information table corresponding to the identified ISP; and

an abnormal traffic judging unit that judges, for each of the ISPs, whether the traffic amount flowing through the switch is abnormal on the basis of the amount information stored in the amount information table.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An abnormal traffic detection apparatus for detecting an abnormal traffic toward a communication apparatus by using information on traffics passing through a switch, comprising destination IP address counting units (C1 to C4) configured to store amount information on amount of traffics as an amount information table corresponding to each communication apparatus, a traffic separating unit (21) for registering amount information on a new destination IP address in the amount information table corresponding to the destination IP address, each time a traffics having the new destination IP address passes through the switch, and storing the amount information in the amount information table corresponding to each communication apparatus, and abnormal traffic judging units (J1 to J4) for detecting an abnormality of the traffic amount flowing through the switch on the basis of the amount information stored in the amount information table.

5 Citations

10 Claims

1. An abnormal traffic detection apparatus that, when traffics are transmitted and received between a plurality of ISPs (Internet Service Providers) connected to the Internet via a switch, monitors traffics passing through the switch and uses traffic information on the monitored traffics to detect abnormal traffics toward the ISPs, comprising:
- an amount information storing unit configured to store amount information on an amount of traffics as an amount information table, the amount information table corresponding to each ISP that is a destination of the traffics, the amount information being included in the traffic information;
  
  a storage controlling unit configured to identify the ISP which is a destination of the traffics on the basis of one or more destination IP addresses of the traffic information, the storage controlling unit configured to, when a destination IP address identified by the traffic information is already stored in the amount information table corresponding to the identified ISP, store the identified IP address and the amount information in the amount information table corresponding to the identified ISP, and the storage controlling unit configured to, when a destination IP address identified by the traffic information is not stored in the amount information table corresponding to the identified ISP, store the amount information in the amount information table corresponding to the identified ISP; and
  
  an abnormal traffic judging unit that judges, for each of the ISPs, whether the traffic amount flowing through the switch is abnormal on the basis of the amount information stored in the amount information table.
- View Dependent Claims (2, 3)
- - 2. The abnormal traffic detection apparatus according to claim 1, wherein the storage controlling unit is configured to identify the ISP as the destination of the traffics on the basis of a destination MAC (Media Access Control) address and a destination VLAN (Virtual Local Area Network), both of which are included in the traffic information, and previously-stored information on a ISP corresponding to the destination MAC address and the destination VLAN.
  - 3. The abnormal traffic detection apparatus according to claim 1, wherein the judging unit is configured to store threshold values, which are used in judging whether the traffic amount is abnormal, for the respective amount information tables, and is configured to compare, for each of the amount information tables, the amount information stored in the amount information table and the threshold value corresponding to the amount information in order to judge whether the traffic amount flowing through the switch is abnormal.

4. An abnormal traffic detection method that, when traffics are transmitted and received between a plurality of ISPs (Internet Service Providers) connected to the Internet via a switch, monitors traffics passing through the switch and uses traffic information on the monitored traffics to detect abnormal traffics toward the ISPs, the method comprising:
- a traffic information acquiring step of acquiring the traffic information;
  
  a destination identifying step of identifying the ISP which is a destination of the traffics on the basis one or more destination IP addresses of the traffic information;
  
  an amount information storing step of storing when a destination IP address identified by the traffic information is already stored in an amount information table corresponding to the identified ISP, the identified IP address and the amount information in the amount information table corresponding to the identified ISP, and when a destination IP address identified by the traffic information is not stored in the amount information table corresponding to the identified ISP, storing the amount information in the amount information table corresponding to the identified ISP, the amount information being included in the traffic information; and
  
  an abnormal traffic judging step of judging, for each of the ISPs or each of the routers, whether the traffic amount flowing through the switch is abnormal on the basis of the amount information stored in the amount information table.
- View Dependent Claims (5, 6, 10)
- - 5. The abnormal traffic detection method according to claim 4, wherein the amount information storing step includes identifying the ISP as the destination of the traffics on the basis of a destination MAC address and a destination VLAN, both of which are included in the traffic information, and previously-stored information on a ISP corresponding to the destination MAC address and the destination VLAN.
  - 6. The abnormal traffic detection method according to claim 4, wherein the abnormal traffic judging step includes storing threshold values, which are used in judging whether the traffic amount is abnormal, for the respective amount information tables, and comparing, for each of the amount information tables, the amount information stored in the amount information table and the threshold value corresponding to the amount information in order to judge whether the traffic amount flowing through the switch is abnormal.
  - 10. The abnormal traffic detection method according to claim 4, further comprising a notifying step of notifying one of the ISPs that there is abnormal traffic when the traffic amount flowing through the switch is abnormal on the basis of the amount information stored in the amount information table corresponding to the ISP.

7. A non-transitory computer readable storage medium that stores an abnormal traffic detection program that uses traffic information on traffics, which are monitored when transmitted and received passing through a switch between a plurality of ISPs (Internet Service Providers) connected to the Internet via the switch, to cause a computer to detect abnormal traffics toward the ISP, comprising:
- a traffic information acquiring step of acquiring the traffic information;
  
  a destination identifying step of identifying an ISP which is a destination of the traffics on the basis of one or more destination IP addresses of the traffic information;
  
  an amount information storing step of storing when a destination IP address identified by the traffic information is already stored in an amount information table corresponding to the identified ISP, the identified IP address and the amount information in the amount information table corresponding to the identified ISP, and when a destination IP address identified by the traffic information is not stored in the amount information table corresponding to the identified ISP, storing the amount information in the amount information table corresponding to the identified ISP, the amount information being included in the traffic information; and
  
  an abnormal traffic judging step of judging, for each of the ISPs, whether the traffic amount flowing through the switch is abnormal on the basis of the amount information stored in the amount information table.
- View Dependent Claims (8, 9)
- - 8. The non-transitory computer readable storage medium according to claim 7, wherein the amount information storing step includes identifying the ISP as the destination of the traffics on the basis of a destination MAC address and a destination VLAN, both of which are included in the traffic information, and previously-stored information on a ISP corresponding to the destination MAC address and the destination VLAN.
  - 9. The non-transitory computer readable storage medium according to claim 7, wherein the abnormal traffic judging step includes storing threshold values, which are used in judging whether the traffic amount is abnormal, for the respective amount information tables, and comparing, for each of the amount information tables, the amount information stored in the amount information table and the threshold value corresponding to the amount information in order to judge whether the traffic amount flowing through the switch is abnormal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nippon Telegraph and Telephone Corporation
Original Assignee
Nippon Telegraph and Telephone Corporation
Inventors
Chikira, Kazuaki, Mori, Hideo
Primary Examiner(s)
WONG, XAVIER S

Application Number

US12/679,029
Publication Number

US 20100220619A1
Time in Patent Office

1,664 Days
Field of Search

None
US Class Current

370/252
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Abnormal traffic detection apparatus, abnormal traffic detection method and abnormal traffic detection program

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

5 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Abnormal traffic detection apparatus, abnormal traffic detection method and abnormal traffic detection program

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links