Abstract: A system for estimating contact duration between a pair of communication apparatuses. The system includes a storage device and a monitoring apparatus connected to the apparatuses to collect ARP packets broadcast in the network by a first communication apparatus, and to add timestamp information to the ARP packets, and to store the ARP packets with the timestamp in the storage device DB. The monitoring apparatus further extracts selected ARP packets from the ARP packets stored in the storage device DB, wherein the selected ARP packets includes destination MAC address which is the same as a MAC address of a second communication apparatus, wherein the timestamp information of the selected ARP packets is within a predetermined time range TM. The monitoring apparatus further estimates contact duration between the first and second communication apparatuses based on timestamp information of the selected ARP packets.

Abstract: The present invention is a system for estimating “Contact Duration” between a pair of communication apparatuses by passive means in a network in which communication apparatuses Ci (i is a natural number greater than or equal to 2) and a monitoring apparatus M are connected, wherein the monitoring apparatus M comprises of: a packet collection unit configured to collect ARP packets broadcast in the network by communication apparatus Ci, add Time-Stamp information to the ARP packets, and store the collected packet with Time-stamp in a storage device DB; a packet extraction unit configured to extract the ARP packets in which the destination MAC address is the same as the MAC address of communication apparatus Cj (j is a natural number greater than or equal to 2, j is not equal to i) from the ARP packets stored in said storage device DB, wherein the Time-Stamp information of the ARP packets is within a predetermined time range TM; a communication state identification unit configured to estimate “Contact Duratio

Abstract: The present invention is a method for drawing connections for one or more Layer-2 switches as a tree-type network map. The method includes a first step of generating a MvP table consisting of a mapping table M1 and a mapping table M2 based on management information collected from the Layer-2 switches by network monitoring manager H; a third step of identifying parent-child relationship of Layer-2 switches based on the Connection-information between Layer-2 switches in the second step, and generating a Layered-structure of Layer-2 switches based on the parent-child relationship; and a fourth step of drawing connections for Layer-2 switches as a tree-type network map based on the Layered-structure of Layer-2 switches in the third step.

Abstract: The present invention is a method for drawing connections for one or more Layer-2 switches as a tree-type network map, comprising of: a first step of generating a MvP table consisting of a mapping table M1 and a mapping table M2 based on management information collected from the Layer-2 switches by network monitoring manager H, wherein said mapping table M1 provides a mapping between MAC address M (H) of network monitoring manager H and a Switch-Port set Row{M(H)} of ports of Layer-2 switches Sj (1?j?total number of Layer-2 switches) that detected said MAC address M(H), and said mapping table M2 provides a mapping between MAC address M(Sj) of Layer-2 switches Sj and Switch-Port set Row{M(Sj)} of ports of Layer-2 switches Sj that detected said MAC address M(Sj); a second step of normalizing the MvP table, wherein, if the same Switch-Port element is seen in both the Switch-Port set Row{M(H)} of the mapping table M1 and the Switch-Port set Row{M (Sj)} of the mapping table M2, the MvP table is normalized by delet

Abstract: Provided is a technique for building a green architecture for achieving efficient power saving in a Layer-2 network, the technique having: a packet collection process (S01) for collecting all broadcast packets communicated within the network and extracting packet information; a MAC-IP history generation process (S02) for generating MIPT with the latest timestamp from the packet information; an access analysis process (S03) for counting, on the basis of information about the MIPT, the number of packets per category of {SMAC, DMAC} in each time slot having a certain interval, and generating a MAcT; an L2 switch port analysis process (S04) for generating an MDMAcT on the basis of information about the MAcT; a green architecture building process (S05) for generating a GMDMAcT in which a port connection configuration of the MDMAcT has been updated; and a visualization process (S06) for displaying information about the GMDMAcT.

Abstract: Provided is a technique for building a green architecture for achieving efficient power saving in a Layer-2 network, the technique having: a packet collection process (S01) for collecting all broadcast packets communicated within the network and extracting packet information; a MAC-IP history generation process (S02) for generating MIPT with the latest timestamp from the packet information; an access analysis process (S03) for counting, on the basis of information about the MIPT, the number of packets per category of {SMAC, DMAC} in each time slot having a certain interval, and generating a MAcT; an L2 switch port analysis process (S04) for generating an MDMAcT on the basis of information about the MAcT; a green architecture building process (S05) for generating a GMDMAcT in which a port connection configuration of the MDMAcT has been updated; and a visualization process (S06) for displaying information about the GMDMAcT.

Abstract: Disclosed are a method and program for controlling communication of the target apparatus, specifically, blocking the communication of the target apparatus immediately and certainly in case where illegal connection to the target apparatus is detected in the network arranged one or more Layer-2 switches. The network monitoring manager H carries out blocking communication of the target apparatus immediately and certainly by detecting automatically the Layer-2 switch port connected to the communication apparatus, that is identified as the target apparatus including illegal connection, based on the MvP table, and blocking the communication of the target apparatus by administratively disabling the Layer-2 switch port connected to the target apparatus, in case where the network monitoring manager H detects illegal connection to the communication apparatus in the network.

Abstract: A network security monitoring apparatus and a network security monitoring system manages “permitted” or “not permitted” communication between nodes based on an access policy. A network security monitoring system includes nodes 31,32,33, application server 20, router 40, and network security monitoring apparatus 10 deployed in the network. The network security monitoring apparatus 10 judges whether the nodes are permitted to communicate with other nodes in the network or not based on the access policy, and repeatedly transmits data to block the communication between nodes judged as “not permitted” at fixed time intervals until the access policy is changed from “not permitted” to “permitted”. This invention enables to block communication between nodes defined as “not permitted” for communicating with other nodes in the access policy, and to allow communication between nodes defined as “permitted” for communicating with other nodes in the access policy.

Abstract: Disclosed are a method and program for controlling communication of the target apparatus, specifically, blocking the communication of the target apparatus immediately and certainly in case where illegal connection to the target apparatus is detected in the network arranged one or more Layer-2 switches. The network monitoring manager H carries out blocking communication of the target apparatus immediately and certainly by detecting automatically the Layer-2 switch port connected to the communication apparatus, that is identified as the target apparatus including illegal connection, based on the MvP table, and blocking the communication of the target apparatus by administratively disabling the Layer-2 switch port connected to the target apparatus, in case where the network monitoring manager H detects illegal connection to the communication apparatus in the network.

Abstract: A system detects the presence of illegal access attacks. The device for analyzing and diagnosing network traffic divides packets into k (k>0) types based on protocol type and port number, etc., a component observing the number of distinct values of one or more pre-specified fields in packet header for each packet type, for all packets that have transited the observation points in a network, an element observing the number of distinct values of one or more pre-specified fields in the packet payload for each packet type, for all packets that have transited the observation points in a network, and a diagnosis element determining whether the network is abnormal when the number of distinct values observed in fields of each packet type crosses a specified ratio-threshold within a predetermined interval. This enables detection of small-scale DoS attacks with little change in addresses number, improving illegal access detection accuracy.

Abstract: A system detects the presence of illegal access attacks. The device for analyzing and diagnosing network traffic divides packets into k (k>0) types based on protocol type and port number, etc., a component observing the number of distinct values of one or more pre-specified fields in packet header for each packet type, for all packets that have transited the observation points in a network, an element observing the number of distinct values of one or more pre-specified fields in the packet payload for each packet type, for all packets that have transited the observation points in a network, and a diagnosis element determining whether the network is abnormal when the number of distinct values observed in fields of each packet type crosses a specified ratio-threshold within a predetermined interval. This enables detection of small-scale DoS attacks with little change in addresses number, improving illegal access detection accuracy.

Abstract: A system for detecting and tracing a (D)DoS attack and identifying the attack source, which system simplifies the judgment reference to determine whether a (D)DoS attack is present. The number of source addresses of the packets transmitted via the Internet line is monitored. When the number of the source addresses has reached a predetermined number or a predetermined ratio within a predetermined time, it is judged that an unauthorized attack is present. Moreover, where the hop number of the packet is different from a hop number corresponding to the transmission source information, the packet is judged to be malicious.

Abstract: This invention aims to provide a technique that, in wireless network environments, enables the Manager to collect network management information (MIB data in the case of SNMP based network management), which the Agent has stored during periods of disconnection, after connectivity to the mobile nodes has recovered. In a wireless network environment, the Agent (201) has a unit for storing the management information related to network devices with appropriate label information, while the Manager (101) has a unit for sending the Agent a request for a label-specified data, and getting the data which the Agent has stored in Management Information Store 207. The above unit enables the Manager (101) to seamlessly collect the information pertaining to the period of disconnection, which the Agent (201) has stored in Management Information Store 207, after detecting recovery of the connectivity.

Abstract: By synthesizing the map of an entire network, it provides a method for detecting OSI Reference Model layer-2 switches and evaluating the status of the inter-connection of the layer-2 switches. The NMT (102) which implements the SNMP manager queries the specified management IP-addresses and receives responses from the SNMP agents implemented on the layer-2 switches (103,104,105). From the management information in the responses, the existence of the layer-2 switches is confirmed and the MAC address and port information mapping table MvP table is constructed. Based on the MvP table the inter-connection information of the layer-2 switches is detected.

Abstract: A network security monitoring apparatus and a network security monitoring system manages “permitted” or “not permitted” communication between nodes based on an access policy. A network security monitoring system includes nodes 31,32,33, application server 20, router 40, and network security monitoring apparatus deployed in the network. The network security monitoring apparatus 10 judges whether the nodes are permitted to communicate with other nodes in the network or not based on the access policy, and repeatedly transmits data to block the communication between nodes judged as “not permitted” at fixed time intervals until the access policy is changed from “not permitted” to “permitted”. This invention enables to block communication between nodes defined as “not permitted” for communicating with other nodes in the access policy, and to allow communication between nodes defined as “permitted” for communicating with other nodes in the access policy.

Abstract: This invention aims to provide a technique that, in wireless network environments, enables the Manager to collect network management information (MIB data in the case of SNMP based network management), which the Agent has stored during periods of disconnection, after connectivity to the mobile nodes has recovered. In a wireless network environment, the Agent (201) has a unit for storing the management information related to network devices with appropriate label information, while the Manager (101) has a unit for sending the Agent a request for a label-specified data, and getting the data which the Agent has stored in Management Information Store 207. The above unit enables the Manager (101) to seamlessly collect the information pertaining to the period of disconnection, which the Agent (201) has stored in Management Information Store 207, after detecting recovery of the connectivity.

Abstract: By synthesizing the map of an entire network, it provides a method for detecting OSI Reference Model layer-2 switches and evaluating the status of the inter-connection of the layer-2 switches. The NMT(102) which implements the SNMP manager queries the specified management IP-addresses and receives responses from the SNMP agents implemented on the layer-2 switches (103,104,105). From the management information in the responses, the existence of the layer-2 switches is confirmed and the MAC address and port information mapping table MvP table is constructed. Based on the MvP table the inter-connection information of the layer-2 switches is detected.

Abstract: There is provided a system for detecting and tracing a (D)DoS attack and identifying the attack source, which system simplifies the judgment reference to determine whether a (D)DoS attack is present. The number of source addresses of the pockets transmitted via the Internet line is monitored. When the number of the source addresses has reached a predetermined number or a predetermined ratio within a predetermined time, it is judged that an unauthorized attack is present. Moreover, the packet of the HOP number different from the HOP number corresponding to the transmission source information is judged to be unauthorized information.