Abstract
PROBLEM TO BE SOLVED: To detect unauthorized traffic misrepresenting a port number of TCP or UDP, unauthorized traffic in encrypted or encapsulated traffic and novel illicit traffic sent by a computer virus or an illicit user.

SOLUTION: The disclosed device comprises: a flow feature list storage section 29 for storing the expected value of a behavior for the traffic for each port number (e.g., average value and variance value of packet lengths, average value and variance value of packet arrival time intervals); a receiving section 26 for receiving the traffic and separating it into data packets; calculation sections 21-24, 30-35 for measuring the behavior of the individually separated traffic; a port number detection section 25 for detecting the port number of a data packet; and a flow comparing section 28 for comparing the measured behavior with the expected value stored in the flow feature list storage section 29 based on the detected port number, and determining the unauthorized traffic.

COPYRIGHT: (C)2007,JPO&INPIT
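The comparison described in the abstract, sketched as an added Python example (not code from the patent). The expected values, the two sample flows, the function names and the ratio test used to decide a mismatch are constructed assumptions; the abstract does not specify the comparison rule.

```python
from statistics import fmean, pvariance

# Constructed "flow feature list": expected behavior per port number.
# Packet lengths in bytes, packet arrival intervals (iat) in seconds.
FLOW_FEATURE_LIST = {
    53: {"len_mean": 80.0, "len_var": 400.0, "iat_mean": 0.5, "iat_var": 0.05},
    80: {"len_mean": 900.0, "len_var": 250000.0, "iat_mean": 0.02, "iat_var": 0.0004},
}

def measure_flow(packets):
    """packets: list of (timestamp_s, length_bytes) for one flow, in arrival order."""
    if len(packets) < 3:
        raise ValueError("need at least 3 packets to measure interval variance")
    lengths = [length for _, length in packets]
    gaps = [later[0] - earlier[0] for earlier, later in zip(packets, packets[1:])]
    return {"len_mean": fmean(lengths), "len_var": pvariance(lengths),
            "iat_mean": fmean(gaps), "iat_var": pvariance(gaps)}

def deviating_features(port, packets, ratio=4.0):
    """Names of measured features more than `ratio` times above or below the
    expected value stored for `port` (the ratio test is an assumption).
    An empty list means the flow behaves as expected for its port."""
    expected = FLOW_FEATURE_LIST.get(port)
    if expected is None:
        return ["no_profile"]          # assumption: unknown ports are reported
    measured = measure_flow(packets)
    floor = 1e-9                       # avoids dividing by zero on perfectly regular flows
    flagged = []
    for name, expected_value in expected.items():
        r = max(measured[name], floor) / max(expected_value, floor)
        if r > ratio or r < 1 / ratio:
            flagged.append(name)
    return flagged

# Constructed sample flows, both observed on port 53.
DNS_LIKE = [(0.0, 60), (0.3, 100), (1.0, 60), (1.3, 100), (2.0, 80)]
BULK_ON_53 = [(0.00, 1400), (0.01, 1400), (0.02, 1380), (0.03, 1400), (0.04, 1400)]

if __name__ == "__main__":
    print("dns-like flow :", deviating_features(53, DNS_LIKE))
    print("bulk flow @53 :", deviating_features(53, BULK_ON_53))
```

Because the check keys on measured behavior rather than payload, it applies equally to encrypted or encapsulated flows, which is the case the abstract targets.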