Abnormal traffic detection apparatus, abnormal traffic detection method and abnormal traffic detection program
Abstract
An abnormal traffic detection apparatus for detecting abnormal traffic toward a communication apparatus by using information on traffic passing through a switch, comprising: destination IP address counting units (C1 to C4) configured to store amount information on the amount of traffic as an amount information table corresponding to each communication apparatus; a traffic separating unit (21) for registering amount information on a new destination IP address in the amount information table corresponding to the destination IP address each time traffic having the new destination IP address passes through the switch, and storing the amount information in the amount information table corresponding to each communication apparatus; and abnormal traffic judging units (J1 to J4) for detecting an abnormality of the traffic amount flowing through the switch on the basis of the amount information stored in the amount information table.
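An added illustration of the scheme the abstract and claims describe (not code from the patent): per-ISP amount tables keyed by destination IP address, followed by a per-ISP judgement. The prefix-to-ISP mapping, the summing of amounts, both thresholds and the sample flows are assumptions made for the example; the page does not state the judging criterion.

```python
import ipaddress
from collections import defaultdict

# Assumed mapping of destination prefixes to ISPs (documentation ranges, constructed).
ISP_PREFIXES = {
    "ISP-A": ipaddress.ip_network("192.0.2.0/24"),
    "ISP-B": ipaddress.ip_network("198.51.100.0/24"),
}

def identify_isp(dst_ip):
    """Destination identifying step: map a destination IP to its ISP, or None."""
    addr = ipaddress.ip_address(dst_ip)
    for isp, net in ISP_PREFIXES.items():
        if addr in net:
            return isp
    return None

def build_amount_tables(flows):
    """Amount information storing step: one table per ISP, keyed by destination IP."""
    tables = defaultdict(dict)
    for dst_ip, nbytes in flows:
        isp = identify_isp(dst_ip)
        if isp is None:
            continue  # not destined to a monitored ISP
        table = tables[isp]
        # Known destination: accumulate (assumed); new destination: register it.
        table[dst_ip] = table.get(dst_ip, 0) + nbytes
    return dict(tables)

def judge(tables, max_bytes_per_dst, max_distinct_dsts):
    """Judging step with assumed criteria: heavy destinations and many destinations."""
    findings = {}
    for isp, table in tables.items():
        heavy = sorted(ip for ip, b in table.items() if b > max_bytes_per_dst)
        many = len(table) > max_distinct_dsts
        if heavy or many:
            findings[isp] = {"heavy_destinations": heavy, "many_destinations": many}
    return findings

# Constructed flow records: (destination IP, bytes) as reported for the switch.
SAMPLE_FLOWS = (
    [("192.0.2.10", 400_000)] * 5                       # one destination, 2 MB total
    + [("192.0.2.20", 1_500)]
    + [(f"198.51.100.{i}", 64) for i in range(1, 41)]   # 40 destinations, tiny flows
)

if __name__ == "__main__":
    print(judge(build_amount_tables(SAMPLE_FLOWS), 1_000_000, 30))
```

Keeping a separate table per destination ISP lets the judgement run per ISP, so a surge toward one ISP is not averaged away by normal traffic toward the others.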
10 Claims
1. An abnormal traffic detection apparatus that, when traffics are transmitted and received between a plurality of ISPs (Internet Service Providers) connected to the Internet via a switch, monitors traffics passing through the switch and uses traffic information on the monitored traffics to detect abnormal traffics toward the ISPs, comprising:
an amount information storing unit configured to store amount information on an amount of traffics as an amount information table, the amount information table corresponding to each ISP that is a destination of the traffics, the amount information being included in the traffic information;
a storage controlling unit configured to identify the ISP which is a destination of the traffics on the basis of one or more destination IP addresses of the traffic information, the storage controlling unit configured to, when a destination IP address identified by the traffic information is already stored in the amount information table corresponding to the identified ISP, store the identified IP address and the amount information in the amount information table corresponding to the identified ISP, and the storage controlling unit configured to, when a destination IP address identified by the traffic information is not stored in the amount information table corresponding to the identified ISP, store the amount information in the amount information table corresponding to the identified ISP; and
an abnormal traffic judging unit that judges, for each of the ISPs, whether the traffic amount flowing through the switch is abnormal on the basis of the amount information stored in the amount information table.
Dependent claims: 2, 3
4. An abnormal traffic detection method that, when traffics are transmitted and received between a plurality of ISPs (Internet Service Providers) connected to the Internet via a switch, monitors traffics passing through the switch and uses traffic information on the monitored traffics to detect abnormal traffics toward the ISPs, the method comprising:
a traffic information acquiring step of acquiring the traffic information;
a destination identifying step of identifying the ISP which is a destination of the traffics on the basis one or more destination IP addresses of the traffic information;
an amount information storing step of storing when a destination IP address identified by the traffic information is already stored in an amount information table corresponding to the identified ISP, the identified IP address and the amount information in the amount information table corresponding to the identified ISP, and when a destination IP address identified by the traffic information is not stored in the amount information table corresponding to the identified ISP, storing the amount information in the amount information table corresponding to the identified ISP, the amount information being included in the traffic information; and
an abnormal traffic judging step of judging, for each of the ISPs or each of the routers, whether the traffic amount flowing through the switch is abnormal on the basis of the amount information stored in the amount information table.
Dependent claims: 5, 6, 10
7. A non-transitory computer readable storage medium that stores an abnormal traffic detection program that uses traffic information on traffics, which are monitored when transmitted and received passing through a switch between a plurality of ISPs (Internet Service Providers) connected to the Internet via the switch, to cause a computer to detect abnormal traffics toward the ISP, comprising:
a traffic information acquiring step of acquiring the traffic information;
a destination identifying step of identifying an ISP which is a destination of the traffics on the basis of one or more destination IP addresses of the traffic information;
an amount information storing step of storing when a destination IP address identified by the traffic information is already stored in an amount information table corresponding to the identified ISP, the identified IP address and the amount information in the amount information table corresponding to the identified ISP, and when a destination IP address identified by the traffic information is not stored in the amount information table corresponding to the identified ISP, storing the amount information in the amount information table corresponding to the identified ISP, the amount information being included in the traffic information; and
an abnormal traffic judging step of judging, for each of the ISPs, whether the traffic amount flowing through the switch is abnormal on the basis of the amount information stored in the amount information table.
Dependent claims: 8, 9
Specification