1. Field of the Invention
The present invention is related to an encrypted-traffic discrimination (identification) device that monitors traffic flowing over a network such as the internet, at, for example, a node or terminal on the network, and readily discriminates with high precision whether the traffic is encrypted text or plain text, and to an encrypted-traffic discrimination (identification) system of the same.
2. Description of the Related Art
There is a conventional technique for extracting characteristics of encrypted data that operates as follows. First, encrypted text that has been encrypted with a given encryption method is generated by an encryption signal transmission section, and this test communication signal data is collected and its characteristics are determined. Next, in an encryption determination section, characteristic information (data) is collected for communication data for which the type of traffic is not known, and this characteristic information is compared with the characteristic information already determined for the known encrypted text. When these match, the traffic of unknown type is inferred to be data encrypted by the known encryption method. Combinations of communication application, encrypted communication software, and encryption protocols can be identified as types of encrypted communication according to this method. Examples of protocols that can be used as such encryption protocols include, for a WEB service, Hypertext Transfer Protocol Security (HTTPS) (Secure Socket Layer (SSL)), and for a Virtual Private Network (VPN), Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES), and the like. Data used for extraction of characteristics of encrypted data include, for example:
(1) generation interval between communication sessions
(2) packet generation interval within communication session
(3) packet size within communication session
(4) total packet count within communication session
(5) relationship of packet transmission and reception directions within communication session
(6) ratio of packet transmission and reception directions within communication session
(7) protocol occupancy within communication session
(8) each packet size at start of communication session
(9) total packet count at start of communication session
(10) total data size at start of communication session
(11) Source/Destination IP distribution over a long interval
(12) Destination Port distribution over a long interval
(13) Presence or absence of queries to DNS server over a long interval
(14) Presence or absence of transmitted data during periods in which no data is transmitted from the communication application side. (See Japanese Patent Application Laid-Open (JP-A) No. 2006-146039).
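The conventional comparison just described, as an added example that is not part of the patent or of the cited application: characteristics (2), (3), (4), (6) and (8) are computed for a constructed session and compared, by a scale-normalised distance, with constructed reference characteristics of the kind the encryption signal transmission section would produce. The feature names, signature values, scale, threshold and sample session are all assumptions.

```python
from math import sqrt
from statistics import mean

# A session is a list of (timestamp_seconds, direction, size_bytes), direction "out" or "in".
def session_features(packets, start_n=3):
    """Characteristics (2), (3), (4), (6) and (8) from the list above, for one session."""
    if not packets:
        raise ValueError("a session needs at least one packet")
    times = [t for t, _, _ in packets]
    sizes = [s for _, _, s in packets]
    gaps = [b - a for a, b in zip(times, times[1:])] or [0.0]  # single packet: no interval
    out_count = sum(1 for _, d, _ in packets if d == "out")
    feats = {
        "mean_gap": mean(gaps),                 # (2) packet generation interval
        "mean_size": mean(sizes),               # (3) packet size
        "count": len(packets),                  # (4) total packet count
        "out_ratio": out_count / len(packets),  # (6) transmission/reception ratio
    }
    for i in range(start_n):                    # (8) size of each packet at session start
        feats[f"start_size_{i}"] = sizes[i] if i < len(sizes) else 0
    return feats

def distance(a, b, scale):
    """Euclidean distance after dividing each feature by its typical spread."""
    return sqrt(sum(((a[k] - b[k]) / scale[k]) ** 2 for k in scale))

def classify(packets, signatures, scale, threshold=1.0):
    """Label of the nearest known signature, or None when no signature is close enough."""
    feats = session_features(packets)
    label, sig = min(signatures.items(), key=lambda kv: distance(feats, kv[1], scale))
    return label if distance(feats, sig, scale) <= threshold else None

# Constructed reference characteristics, standing in for what the encryption signal
# transmission section would learn from test traffic. Not real protocol fingerprints.
SIGNATURES = {
    "encrypted_A": {"mean_gap": 0.05, "mean_size": 850, "count": 6, "out_ratio": 0.67,
                    "start_size_0": 220, "start_size_1": 1400, "start_size_2": 180},
    "plain_B": {"mean_gap": 0.5, "mean_size": 300, "count": 20, "out_ratio": 0.3,
                "start_size_0": 60, "start_size_1": 300, "start_size_2": 60},
}
# Per-feature spread used to normalise the distance (also constructed).
SCALE = {"mean_gap": 0.05, "mean_size": 300, "count": 20, "out_ratio": 0.2,
         "start_size_0": 100, "start_size_1": 400, "start_size_2": 100}

# Constructed session of unknown type, in the (time_s, direction, bytes) form above.
SAMPLE_SESSION = [(0.00, "out", 220), (0.05, "in", 1400), (0.10, "out", 180),
                  (0.15, "out", 1200), (0.20, "in", 1300), (0.25, "out", 900)]
```

A session that is not within the threshold of any signature yields None rather than a forced label, which is the situation the following paragraph points out for this approach.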
However, in the technology according to JP-A No. 2006-146039, even using data relating to the above (1) to (14), the type of communication, and specifically whether or not the traffic being communicated is encrypted text, cannot always be easily determined.
Therefore, there is a requirement for an encrypted-traffic discrimination device that acquires and computes data on the characteristics of traffic being communicated over a network and, based on this data, easily and correctly determines whether or not the traffic is encrypted text.