1. Field of the Invention
The present invention relates to a system and method for detecting a flow of packets which pass through a network while using port hopping.
2. Description of the Related Art
On the Internet, there are applications (programs) which use as much bandwidth as possible by utilizing the P2P (Peer to Peer) technique to transfer a large amount of data as a flow of packets while using a false port number. When such an application is used, most of the bandwidth available in an ISP (Internet Service Provider) is consumed by a part of the users. Therefore, when a flow transfers a large amount of data for a long time, the ISP restricts such a flow in accordance with a network management policy. At this time, the application needs to be identified in order to judge whether the flow is valid or invalid.
As an application identification technique of a first conventional example, an “Unauthorized Access Blockade System” is disclosed in Japanese Laid Open Patent Application (JP-P2004-38557A). In the first conventional example, the combination of a source IP address and a destination IP address of a valid flow, together with the contents of the packets in the flow, is stored as a pattern of the valid flow. An application is identified based on whether the pattern of a received flow coincides with the stored pattern of the valid flow.
Also, Japanese Laid Open Patent Application (JP-P2004-140618A, a second conventional example) discloses a “Packet Filter Device and Unauthorized Access Detecting Apparatus”. In the second conventional example, a bit pattern of a packet of an invalid flow is stored in advance, and an application is identified based on whether or not the bit pattern of a received packet coincides with the stored bit pattern.
Also, an “Invalid Traffic Detecting Method Through Traffic Behavior Monitoring” is disclosed in a paper (The Institute of Electronics, Information and Communication Engineers, 2005 General Conference, B-6-43, a third conventional example). In this conventional example, flow features defined from statistical features such as the packet length average value, the packet length variance value, the packet arrival interval average value and the packet arrival interval variance value are stored in advance, and an application is identified based on whether or not the features of a received flow coincide with the stored statistical flow features.
Here, in the above conventional examples, a first problem is that it is not possible to detect an application which frequently uses “port hopping”, in which the port is changed after a short time to evade bandwidth restriction by the ISP. This is because port hopping is not taken into account in the first to third conventional examples, and the plurality of flows generated by one application are identified individually, one per port.
A second problem is that a change of the port used by a flow generated by the application cannot be followed continuously. This is because the first to third conventional examples identify the plurality of flows generated by the application individually and do not take into account any relation between the identified flows.
A third problem is that the identification accuracy for the application is low, for the following reason. In the first to third conventional examples, the application identification accuracy becomes higher as the observation time becomes longer. However, when identifying an application which frequently uses port hopping, the observation time of each flow is short, and thus the reliability decreases. In particular, in the third conventional example, when the observation time is short, the accuracy of the flow features defined from the statistical flow features is greatly lowered.
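The following added example, which is not part of the patent text and does not implement the method the patent proposes, illustrates the third conventional example and the first and third problems described above. It computes the statistical flow features named in the text (packet length mean and variance, arrival interval mean and variance) over constructed, synthetic packet records, identifies an application by matching those features against a stored profile, and shows that when the same traffic is split across hopping ports, each per-port flow is too short for the statistics to be trusted. The profile bounds, the `MIN_SAMPLES` threshold, the IP addresses and ports are all constructed values; grouping by host pair is used only to show the missing relation between flows, not as the patent's technique.

```python
"""Statistical flow-feature identification and the effect of port hopping.
Added illustration with constructed packet traces; not the patent's method."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pvariance


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    length: int   # bytes
    ts: float     # arrival time in seconds


# Stored feature profile of one application class: (low, high) bound per
# feature. Constructed values, not taken from any real measurement.
PROFILES = {
    "bulk-transfer": {
        "len_mean": (1200.0, 1500.0),
        "len_var": (0.0, 10000.0),
        "gap_mean": (0.0, 0.05),
    },
}
# Below this many packets the statistics are judged too unreliable to decide.
MIN_SAMPLES = 30


def flow_key(p):
    """Conventional per-port flow identity (addresses and ports)."""
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port)


def host_pair_key(p):
    """Port-agnostic identity relating all flows between the same two hosts.
    Only illustrates the gap the text describes; not the patent's technique."""
    return (p.src_ip, p.dst_ip)


def group_packets(packets, keyfn):
    groups = defaultdict(list)
    for p in packets:
        groups[keyfn(p)].append(p)
    return groups


def flow_features(pkts):
    """Packet-length mean/variance and arrival-interval mean/variance."""
    lengths = [p.length for p in pkts]
    times = sorted(p.ts for p in pkts)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "n": len(pkts),
        "len_mean": mean(lengths),
        "len_var": pvariance(lengths),
        "gap_mean": mean(gaps) if gaps else 0.0,
        "gap_var": pvariance(gaps) if gaps else 0.0,
    }


def classify(feat, profiles=PROFILES, min_samples=MIN_SAMPLES):
    """Match features against stored profiles; refuse to decide on short observations."""
    if feat["n"] < min_samples:
        return "unknown"
    for name, bounds in profiles.items():
        if all(lo <= feat[k] <= hi for k, (lo, hi) in bounds.items()):
            return name
    return "unknown"


def identify(packets, keyfn):
    """Verdict per group for the chosen notion of flow identity."""
    return {k: classify(flow_features(v))
            for k, v in group_packets(packets, keyfn).items()}


def constructed_trace(n_packets=60, hop_every=None):
    """Synthetic bulk transfer between two documentation addresses.
    With hop_every set, the source port changes every that many packets
    (modelling port hopping); otherwise a single port is used throughout."""
    packets = []
    port = 40000
    for i in range(n_packets):
        if hop_every and i and i % hop_every == 0:
            port += 1
        length = 1400 if i % 2 == 0 else 1300
        packets.append(Packet("10.0.0.5", "203.0.113.9", port, 5000, length, i * 0.01))
    return packets


if __name__ == "__main__":
    steady = constructed_trace()
    hopping = constructed_trace(hop_every=10)
    print("fixed port, per flow:      ", identify(steady, flow_key))
    print("port hopping, per flow:    ", identify(hopping, flow_key))
    print("port hopping, per host pair:", identify(hopping, host_pair_key))
```

With a fixed port the single 60-packet flow matches the stored profile. With the port changed every 10 packets, per-port identification sees six flows of 10 packets each, all below `MIN_SAMPLES`, and returns "unknown" for every one of them; only when the flows between the same host pair are related does the observation become long enough to identify.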
In conjunction with the above description, a dynamic traffic bandwidth control system for a communication network is disclosed in Japanese Laid Open Patent Application (JP-P2004-536522A). This conventional communication system includes a network system apparatus connected with the Internet via a switched telephone network, a plurality of subscriber home terminals, and a network terminator, and is configured to set up connections among the above equipment and networks and to provide voice service and data service to a plurality of customer premises; it further includes a network control system connected with the network system apparatus and configured to adjust the connection between the plurality of subscriber home terminals and the telephone network in order to control traffic. The network control system includes a first database which contains system configuration data and configuration data for each of the subscriber home terminals connected with the network system apparatus; a second database which contains data indicating the service connections currently in use in the communication system and their use by each of the subscriber home terminals; and a control processor configured to periodically poll the first and second databases to determine the bandwidth capacity currently in use in the communication system, and to throttle the quantity of data service supplied to the communication system according to the use of this determined bandwidth.
Also, a private line service system is disclosed in Japanese Laid Open Patent Application (JP-P2004-236258A). This conventional private line service providing system specifies a destination node through an information terminal of a subscriber, sets up a private line between a source node of the subscriber and the destination node, and dynamically changes the destination node.
Also, a network control framework apparatus is disclosed in Japanese Laid Open Patent Application (JP-P2003-8636A). A communication network includes a gateway module which provides a gateway function among end users; a service quality (QoS) module which provides QoS data of the communication network; a rule engine module which carries out network resource control based on a specified rule, the rule being specified in a rule specification format; and a rule insertion module which inserts a rule specification into the rule engine and removes a rule specification from the rule engine. The network control framework apparatus controls the resources in an intermediate network element between two or more of the above communication networks.