Communication service providers measure network traffic and itemize it by communication type, and use the results for operational management. Here, the “communication type” is a notion that covers not only protocol types distinguishable by a port number, such as SMTP (Simple Mail Transfer Protocol) and HTTP (HyperText Transfer Protocol), but also the various services implemented on top of HTTP, such as YouTube (registered trademark) and LINE. The type of a service can be inferred from the host name written in the URL (Uniform Resource Locator) carried in the HTTP header, for example “youtube.com” or “line.me”.
In recent years, however, many HTTP flows are encrypted with SSL (Secure Sockets Layer)/TLS (Transport Layer Security), so the information in the HTTP header, including the URL, can no longer be observed. Also, with the spread of CDN (Content Delivery Network) services, a host name obtained by a reverse lookup of the server's IP address often names the CDN provider rather than the service, for example e566.dspe1.akamaiedge.net, because a single CDN address serves content for many customers; such a name cannot be used to identify the service.
Accordingly, Non-patent document 1 discloses a technology that makes use of the name resolution a client performs before starting a communication, which converts a host name into an IP address: it obtains the IP address of the client and the IP address of the server of an encrypted flow, and infers the host name from the DNS response corresponding to that flow. This technology is assumed to be used by a communication service provider, on the premise that all communications of a client pass through the provider, but the provider cannot see the contents of an encrypted flow.
Non-patent document 1 will be described in more detail. Here, C represents a set of IP addresses of clients; S represents a set of IP addresses of servers; and N represents a set of host names of the servers.
A DNS query transmitted by a client requests a server IP address s in S corresponding to a name n in the set of N. A DNS response as the answer includes an A record denoted by “n→s”, in which n in the set of N is associated with s in the set of S; and a CNAME record denoted by “n′→n”, in which n is associated with an alias n′ in the set of N.
FIG. 1 is a diagram illustrating an example of a DNS query and a DNS response. FIG. 1 illustrates a DNS query q1 and a DNS response r1 corresponding to the DNS query q1. In the DNS query q1, the object of name resolution is “www.ieee.org”. The DNS response r1 includes two A records and two CNAME records. In the example of the DNS response r1, the included A records belong to the respective aliases of “www.ieee.org”, the object of the name resolution, reached by following the CNAME records. Note that the number of seconds in parentheses after each record is the expiration time (TTL) of that record.
The technology of Non-patent document 1 monitors DNS responses so as to manage each pair of a client c in the set of C and a server s in the set of S together with the resolved name n in the set of N (C×S→N). In the example in FIG. 1, assuming that the IP address of the client is 1.1.1.1, the following two correspondence relationships are stored: (1.1.1.1, 23.2.132.181)→www.ieee.org; and (1.1.1.1, 23.10.1.125)→www.ieee.org.
When an encrypted flow is observed, the pair of the client IP address and the server IP address is read from the (unencrypted) IP header of the flow, and the service is identified by the host name that has been associated with that pair in the stored correspondence relationships.
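The procedure described in the preceding paragraphs (monitor DNS responses, follow CNAME records to the A records of the queried name, store (client, server)→name, then label an encrypted flow by its address pair) is shown below as an added example. It is not code from Non-patent document 1 or from the patent applicant; the resource record contents, the alias names, the TTL values, and the service catalogue are constructed for illustration, while the client and server addresses are those used in the description above. The example also handles two points the description leaves implicit: entries expire with the record TTL, and a CNAME chain that loops is terminated rather than followed forever.

```python
"""
Added example (not from Non-patent document 1): a minimal (C x S -> N)
table.  DNS responses seen on the provider's network are reduced to
(client IP, server IP) -> queried name; an encrypted flow is later
labelled by looking up its own address pair.  Sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Record:
    """One resource record from a DNS response (A or CNAME only)."""
    rtype: str  # "A" or "CNAME"
    name: str   # owner name
    value: str  # IPv4 address for A, canonical name for CNAME
    ttl: int    # record lifetime in seconds


def canonical_names(qname: str, records: List[Record]) -> Set[str]:
    """Return qname plus every alias reached by following CNAME records.
    Stops when a target has already been seen, so a malformed looping
    response cannot hang the monitor."""
    cname = {r.name: r.value for r in records if r.rtype == "CNAME"}
    names, cur = {qname}, qname
    while cur in cname and cname[cur] not in names:
        cur = cname[cur]
        names.add(cur)
    return names


class DnsFlowMapper:
    """Maintains (client IP, server IP) -> (queried host name, expiry time)."""

    def __init__(self) -> None:
        self._table: Dict[Tuple[str, str], Tuple[str, float]] = {}

    def observe_response(self, client_ip: str, qname: str,
                         records: List[Record], now: float) -> int:
        """Store one entry per A record whose owner is qname or one of
        its aliases.  Keying on the client address is what keeps a shared
        CDN address unambiguous: two clients resolving different names to
        the same server IP get separate entries.  Returns entries stored."""
        names = canonical_names(qname, records)
        stored = 0
        for r in records:
            if r.rtype == "A" and r.name in names:
                self._table[(client_ip, r.value)] = (qname, now + r.ttl)
                stored += 1
        return stored

    def classify_flow(self, src_ip: str, dst_ip: str,
                      now: float) -> Optional[str]:
        """Label an encrypted flow by the name its client resolved for the
        server address, or None if no current entry exists.  Entries past
        the record TTL are dropped: the address may since have been handed
        to another CDN customer."""
        entry = self._table.get((src_ip, dst_ip))
        if entry is None:
            return None
        name, expiry = entry
        if now > expiry:
            del self._table[(src_ip, dst_ip)]
            return None
        return name


def service_of(host: str, catalogue: Dict[str, str]) -> Optional[str]:
    """Map a resolved host name to a service label by domain suffix, e.g.
    'www.youtube.com' -> 'YouTube'.  Matching is on label boundaries so
    'notyoutube.com' does not match 'youtube.com'."""
    host = host.rstrip(".").lower()
    for domain, label in catalogue.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None


# Constructed sample response for www.ieee.org: two CNAMEs, two A records.
# Alias names and TTLs are hypothetical; the addresses are from the text.
SAMPLE_RESPONSE = [
    Record("CNAME", "www.ieee.org", "www.ieee.org.cdn.example.net", 300),
    Record("CNAME", "www.ieee.org.cdn.example.net", "e1.edge.example.net", 300),
    Record("A", "e1.edge.example.net", "23.2.132.181", 20),
    Record("A", "e1.edge.example.net", "23.10.1.125", 20),
]

# Constructed catalogue of registered domains -> service labels.
SERVICE_CATALOGUE = {"youtube.com": "YouTube", "line.me": "LINE",
                     "ieee.org": "IEEE"}


def demo() -> Dict[str, Optional[str]]:
    """Run the example end to end; returns the name assigned to each flow."""
    mapper = DnsFlowMapper()
    mapper.observe_response("1.1.1.1", "www.ieee.org", SAMPLE_RESPONSE, now=0.0)
    return {
        "flow_a": mapper.classify_flow("1.1.1.1", "23.2.132.181", now=5.0),
        "flow_b": mapper.classify_flow("1.1.1.1", "23.10.1.125", now=5.0),
        "other_client": mapper.classify_flow("2.2.2.2", "23.2.132.181", now=5.0),
        "expired": mapper.classify_flow("1.1.1.1", "23.2.132.181", now=60.0),
    }


if __name__ == "__main__":
    for flow, name in demo().items():
        label = service_of(name, SERVICE_CATALOGUE) if name else None
        print(flow, name, label)
```

The "other_client" case shows why the table is keyed by client as well as server: a flow from 2.2.2.2 to the same CDN address is not labelled, because that client's own DNS response has not been seen. The "expired" case shows the TTL check; in practice the monitor should also cope with clients that cache answers longer than the TTL, which this example does not attempt.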