JP6378655B2 - Monitoring device and monitoring method - Google Patents

Description

  The present invention is a technique for monitoring a network device.

  In network operation management, it is very important to monitor network devices used for the services that are currently provided, and various abnormality detection methods have been proposed to identify network devices that behave abnormally. Yes. For example, Non-Patent Document 1 proposes a failure detection method based on traffic balance analysis as an abnormality detection method. The method of Non-Patent Document 1 analyzes a traffic balance vector from time-series data of traffic volumes of a plurality of IFs (Interfaces) acquired by SNMP (Simple Network Management Protocol). If there is a large variation in this vector and an imbalance is detected, it is determined that an abnormality has occurred in the target IF.

Ai Tsunoda and three others, “Proposal of Traffic Fault Detection Method by Traffic Balance Analysis”, IEICE Society Conference Proceedings 2014, B-6-38

When performing a balance analysis as shown in Non-Patent Document 1, it is necessary to set in advance a combination of a plurality of types of time-series data to be subjected to the balance analysis. A time series data group to be combined may be referred to as a “group”. However, since the number of group candidates to be set increases exponentially with respect to the increase in the number of time-series data to be subjected to balance analysis, manual group creation is not easy. For example, in a network in which 50 switches having 48 ports are arranged, the number of time-series data of the amount of transmitted and received traffic is 48 × 50 × 2 = 4800, but it is a combination of two time-series data. The number of group candidates is ₄₈₀₀ C ₂ = 11,517,600. It is not easy to determine a group for balance analysis from such a large number of group candidates. As a result, the abnormality of the network device cannot be found with high accuracy, and improvement of service quality cannot be realized.

  There is also a method of evaluating and grouping the relationship between time series data by a known numerical analysis method (correlation coefficient or the like). However, even if a group is created using only numerical relationships, it may not be easy to give meaning to the created group, and an effective abnormality detection result cannot be obtained. For example, let us consider a case where two pieces of time-series data of traffic amounts of different network devices used for providing two types of services unrelated to each other are taken up. In this case, even if a large numerical relationship can be confirmed between these two time series data (even if the graphs of the two time series data are very similar), these two time series data are It is not reasonable to conclude immediately that an abnormality has been detected when a grouping and balance analysis is performed to detect a loss of balance. As a result, it is still impossible to detect an abnormality in the network device with high accuracy, and improvement in service quality cannot be realized.

  Therefore, in view of the above circumstances, the present invention finds an abnormality in a network device with high accuracy when monitoring the network device by performing balance analysis using a plurality of types of time-series data related to the network device, It is an object to realize improvement of the above.

  In order to solve the above problem, the invention according to claim 1 is a monitoring device that monitors the network device by performing balance analysis using a plurality of types of time-series data related to the network device, and the network device A plurality of types of the time series data corresponding to the selected role information based on the time series data acquired from the storage unit and stored in the storage unit and selected role information indicating information selected for the device role of the network device A group candidate extraction unit that extracts a group candidate as a candidate for the balance analysis, a degree of relationship calculation unit that calculates a degree of relationship between a plurality of types of time-series data constituting the extracted group candidate, and the calculation If the relationship level is within a predetermined allowable error range, a plurality of types of the time series data for which the relationship level is calculated, Serial includes a determining group determining unit that the subject to a group balance analysis, characterized in that.

  The invention according to claim 4 is a monitoring method in a monitoring device that monitors the network device by performing balance analysis using a plurality of types of time-series data related to the network device, wherein the monitoring device is Based on the time-series data acquired from the network device and stored in the storage unit, and the selected role information indicating information selected for the device role of the network device, a plurality of types of the time corresponding to the selected role information A group candidate extraction step for extracting series data as a group candidate to be subjected to the balance analysis; a degree of relationship calculation step for calculating a degree of relationship between a plurality of types of time series data constituting the extracted group candidate; When the calculated degree of relationship falls within a predetermined tolerance, a plurality of types for which the degree of relationship is calculated Of the time-series data to perform, and the group determining step determines that subject to a group of said balance analysis, characterized in that.

According to the first and fourth aspects of the present invention, the number of group candidates obtained by combining time-series data is theoretically enormous, while considering the similarity of device roles applied to network devices. This makes it possible to create a group that makes it easy to guess the factors that cause a balance loss in balance analysis.
In addition, as in the past, the relationship between time-series data is evaluated and grouped by well-known numerical analysis methods, and the similarity of device roles is also taken into account, so the reliability of the determination of abnormality detection by balance analysis is considered. Can increase the sex.
Therefore, when a network device is monitored by performing balance analysis using a plurality of types of time-series data related to the network device, it is possible to detect an abnormality of the network device with high accuracy and realize improvement in service quality.

  The invention according to claim 2 is the monitoring device according to claim 1, wherein the selection role information is information including a device type of the network device and an identifier of the opposite device of the network device. And the group candidate extraction unit extracts a plurality of types of the time-series data related to the network device in which the device type and the opposite device are the same as the group candidate.

  According to the second aspect of the present invention, a network having a common network configuration can be obtained by including the device type of the network device and the opposite device of the network device in the selection role information used when extracting the group candidates. It is possible to create a group that combines the time-series data of the devices and that makes it easier to guess the factors that cause the balance loss of balance analysis.

  The invention according to claim 3 is the monitoring device according to claim 1, wherein the selection role information includes a type of service provided by the operation of the network device and a service using the service. The group candidate extraction unit extracts, as the group candidates, a plurality of types of time-series data related to the network device in which the service and the service user are the same. It is characterized by that.

  According to the third aspect of the present invention, the selection role information used when extracting the group candidates includes a service provided by operating the network device and a service user who uses the service. Thus, it is possible to create a group that can easily estimate the factors causing the balance loss of the balance analysis by combining the time series data of the network devices having the common service modes.

  According to the present invention, when a network device is monitored by performing balance analysis using a plurality of types of time-series data related to the network device, the time-series data can be appropriately grouped.

It is a functional block diagram of the monitoring apparatus of this embodiment. It is a figure which shows the data structure of the data which a time series data storage part preserve | saves. (A) The figure which shows the data structure of the data which an apparatus role preservation | save part preserve | saves, (b) The figure which shows the example of a network structure. It is a figure which shows the data structure of the data which a group preservation | save part preserve | saves. It is a flowchart which shows the process of the monitoring apparatus of this embodiment.

  EMBODIMENT OF THE INVENTION The form (embodiment) for implementing this invention is demonstrated in detail, referring drawings.

(overall structure)
As shown in FIG. 1, the monitoring device 1 of the present embodiment is a device that monitors network devices arranged in a predetermined network. The network device includes a relay device such as a router and a bridge, and a terminal device such as a server on which an application for providing a predetermined service is installed. For monitoring the network device, for example, a known method such as observation of traffic volume based on SNMP can be used. The monitoring device 1 includes a processing unit 10, a storage unit 20, and an input / output unit 30.

  The input / output unit 30 includes a communication interface that transmits and receives information via a communication line, and is connected to the processing unit 10 via an internal bus or the like. The input / output unit 30 includes an input unit 31 and an output unit 32. The input unit 31 is a functional unit that receives input data input from the outside. The input data includes, for example, command information input from the operator's management console and selection role information (details will be described later) regarding the network device. The output unit 32 is a functional unit that outputs a processing result of processing executed by the monitoring device 1 to the outside as a file. The file includes, for example, a group to be subjected to balance analysis, that is, a combination of a plurality of types of time series data (details will be described later).

  The storage unit 20 is a storage device such as a hard disk, a flash memory, a ROM (Read Only Memory), and a RAM (Random Access Memory). The storage unit 20 stores an application for executing balance analysis (including an application for grouping time-series data to be subjected to balance analysis) (not shown). The balance analysis method itself handled in the present embodiment is well known and will not be described in detail (for example, various observed traffic amounts are expressed as vectors and analyzed). The storage unit 20 includes a time series data storage unit 21, a device role storage unit 22, and a group storage unit 23.

(Time-series data storage unit 21)
The time-series data storage unit 21 stores measurement values acquired from the network device to be monitored by the monitoring device 1 every predetermined time as time-series data. The measurement value includes, but is not limited to, a transmission traffic amount, a reception traffic amount, a CPU usage rate, a memory usage rate, and the like for each IF included in the network device.

  As shown in FIG. 2, the time-series data storage unit 21 sets fields such as device name, IF name, and time-series data, and creates a record for each time-series data. For each record, the value in the field is stored.

In the “device name” column, the name (identifier) of the network device to be monitored by the monitoring device 1 is stored.
In the “IF name” column, the name (identifier) of the IF provided in the network device to be monitored by the monitoring device 1 is stored.
In the “time-series data” column, a set of measurement values measured at predetermined times by the corresponding IF of the network device is stored.

For example, in FIG. 2, time series data measured by the IF with the IF name “A1” among the IFs included in the router with the device name “Router_A” is “T _A1 ”. It is shown to be stored.
The time series data can be obtained for each IF of the network device as shown in FIG. 2, but all the IFs included in the network device can be handled comprehensively and can be obtained for each network device.

(Device Role Storage Unit 22)
The device role storage unit 22 stores a device role applied to a network device to be monitored by the monitoring device 1. A device role refers to an attribute of a network device. Specific examples of the device role include a device type, a counter device, a service type, and a service user. These details will be described later. The device role of the network device can be designated in advance from the operator's management console, for example.

  As shown in FIG. 3A, the device role storage unit 22 sets fields such as device name, device type, opposite device, service type, and service user, and creates a record for each network device. For each record, the value in the field is stored.

The “device name” column is the same as the “device name” column of the time-series data storage unit 21 (FIG. 2).
In the “device type” column, a value indicating the type of the network device to be monitored by the monitoring device 1 is stored.
In the “opposite device” column, the name (identifier) of the network device facing the network device to be monitored by the monitoring device 1 is stored.
The “service type” column stores a value indicating the type of service provided by the operation of the network device to be monitored by the monitoring device 1. The network device here refers to a network device through which a packet related to provision of a corresponding service passes.
In the “service user” column, a value indicating the type of the person who uses the service is stored.

  For example, in FIG. 3A, the network device having the device name “Router_A” is classified as “router”, and the router of “Router_F” is the opposite device (see FIG. 3B). It is shown to operate to send and receive packets related to the telephone service for the destination. Note that “mass” is an abbreviation for mass media, and “mass” in the column “service user” in FIG. 3A means that customer service for the masses is provided. Further, “corporation” in the column “service user” in FIG. 3A means that business services for corporations are provided.

  Of the columns of the device role storage unit 22, the columns of device type, opposite device, service type, and service user constitute a specific example of “device role” of each network device. In particular, it can be said that the device type and the opposite device are device roles related to the network configuration, and the service type and the service user are device roles related to the provided service.

(Group storage unit 23)
The group storage unit 23 stores the time series data set as a group by the group determination unit 13 (FIG. 1) of the processing unit 10 (details will be described later).
As shown in FIG. 4, the group storage unit 23 sets fields such as a group name and a time-series data group, and creates a group for each group. For each record, the value in the field is stored.

In the “group name” column, the name (identifier) of the group set by the group determination unit 13 is stored.
In the “time-series data group” column, combinations of time-series data constituting the group set by the group determination unit 13 are stored.
For example, FIG. 4 shows that a group name “G1” is given to a group composed of two time-series data D _A1 and D _B1 .

  Returning to FIG. 1, the processing unit 10 governs the entire processing executed by the monitoring device 1. The processing unit 10 is realized, for example, by a CPU (Central Processing Unit) developing a program stored in the storage unit 20 on the RAM of the storage unit 20 and executing the program. The processing unit 10 includes functional units such as a group candidate extraction unit 11, a relationship degree calculation unit 12, and a group determination unit 13. The monitoring device 1 stores the time series data group (described later) determined as a group by the group determination unit 13 in the group storage unit 23, and outputs the group as a file in response to an external request. Moreover, the monitoring apparatus 1 can perform balance analysis using the time series data which comprise the created group according to the request | requirement from the outside.

(Group candidate extraction unit 11)
The group candidate extraction unit 11 acquires time-series data (a specific example of input data) acquired from the network device and stored in the storage unit 20, and selection role information (input data of the input data) input as selection information regarding the device role of the network device. Based on the specific example), a plurality of types of time-series data corresponding to the selected role information are extracted as group candidates to be subjected to balance analysis. The selected role information is information indicating the device role selected by the operator's management console. Specifically, at least one of the device type, the opposite device, the service type, and the service user (see FIG. 3A) is selected. It is information indicating that it has been selected.

(Group candidate extraction method 1)
For example, when performing a balance analysis, a group can be created by combining time series data of network devices having a common network configuration. In this case, the device role selected by the selected role information is set to the device type and the opposite device. Then, the group candidate extraction unit 11 refers to the device role storage unit 22 (FIG. 3A) and identifies a plurality of network devices having the same device type and the opposite device. Further, the group candidate extraction unit 11 refers to the time-series data storage unit 21 (FIG. 2) and extracts time-series data associated with the device names of the plurality of specified network devices. The group candidate extraction unit 11 sets the extracted time series data as a group candidate that is a target of balance analysis.

  For example, according to FIG. 3A, regarding the network devices having device names “Router_A” and “Router_B”, the device types are both “router” and the opposite devices are both “Router_F”. Therefore, the group candidate extraction unit 11 refers to the time series data storage unit 21 (FIG. 2) and extracts all time series data for each IF associated with the network devices “Router_A” and “Router_B”. And a group candidate.

(Group candidate extraction method 2)
For example, when performing a balance analysis, a group can be created by combining time-series data of network devices that share a provided service. In this case, the device role selected in the selected role information is a service type and a service user. Then, the group candidate extraction unit 11 refers to the device role storage unit 22 (FIG. 3A) and identifies a plurality of network devices having the same service type and service user. Further, the group candidate extraction unit 11 refers to the time-series data storage unit 21 (FIG. 2) and extracts time-series data associated with the device names of the plurality of specified network devices. The group candidate extraction unit 11 sets the extracted time series data as a group candidate that is a target of balance analysis.

  For example, according to FIG. 3A, regarding the network devices whose device names are “Router_A” and “Router_B”, the service type is both “telephone” and the service users are both “mass”. Therefore, the group candidate extraction unit 11 refers to the time series data storage unit 21 (FIG. 2) and extracts all time series data for each IF associated with the network devices “Router_A” and “Router_B”. And a group candidate.

(Relationship calculation unit 12)
The degree-of-relationship calculation unit 12 calculates the degree of relationship between a plurality of types of time-series data constituting the group candidates extracted by the group candidate extraction unit 11. For example, one calculated degree of relationship can be calculated for two time-series data.

  For example, the degree-of-relationship calculation unit 12 can calculate a correlation coefficient from two pieces of time series data, and use the calculated correlation coefficient as the degree of relationship. The method of calculating the correlation coefficient is well known and will not be described in detail.

Further, for example, the relationship degree calculation unit 12 calculates an average and a variance for each of the two time series data. The degree-of-relationship calculation unit 12 generates two two-dimensional vectors whose components are the calculated average and variance for each time series data. The relationship degree calculation unit 12 can calculate a distance between two generated two-dimensional vectors, and can use the calculated distance as a relationship degree. For example, a two-dimensional vector (average a1, variance a2) is generated for time series data A, and a two-dimensional vector (average b1, variance b2) is generated for time series data B. At this time, the distance between these two-dimensional vectors is set to {square root} {(b1-a1) ² + (b2-a2) ² }
Calculate as Here, the calculated distance is the Euclidean distance, but the distance that can be used as the degree of relation is not limited to the Euclidean distance, and various types of distances can be used.

(Group determination unit 13)
When the degree of relationship calculated by the degree-of-relationship calculation unit 12 falls within a predetermined tolerance, the group determination unit 13 sets a plurality of types of time-series data for which the degree of relationship is calculated as balance analysis targets. Is determined to be a group. The allowable error σ can be specified by an operator of the management console, for example, and is stored in the storage unit 20. The time-series data group in which the target group candidate is determined to be a group by the group determination unit 13 is given a predetermined group name and stored in the group storage unit 23 (see FIG. 4).

For example, when the relationship degree calculation unit 12 uses the correlation coefficient already described (takes values from 0 to 1) as the degree of relationship, the group determination is performed when the correlation coefficient takes a value greater than 1−σ. The unit 13 sets the target group candidate as a group, and stores the corresponding two time-series data in the group storage unit 23.
Further, for example, when the relationship calculation unit 12 uses the distance (takes a positive value) between two two-dimensional vectors already described as the relationship, when the correlation coefficient takes a value smaller than σ, The group determination unit 13 sets the target group candidate as a group, and stores the corresponding two time-series data in the group storage unit 23.

  For example, when the input unit 31 receives a request for balance analysis from the operator's management console, the monitoring device 1 according to the present embodiment reads the group stored in the group storage unit 23 and outputs the file at the output unit 32. can do. In addition, the monitoring device 1 according to the present embodiment can output a balance analysis result regarding the grouped time-series data to the output unit 32 as a file.

(processing)
With reference to FIG. 5, the process of the monitoring apparatus 1 of this embodiment is demonstrated. As shown in FIG. 5, this process starts from step S1.

In step S1, the monitoring device 1 continuously acquires time-series data from the network device arranged in the network to be monitored.
Next, in step S2, the monitoring device 1 acquires selected role information designated by the operator's management console.

  Next, in step S3, the monitoring device 1 uses the group candidate extraction unit 11 to calculate the corresponding time series data based on the time series data acquired in step S1 and the selected role information acquired in step S2. Are extracted as group candidates (group candidate extraction step).

  Next, in step S4, the monitoring device 1 calculates the degree of relationship between the time series data constituting the group candidate extracted in step S3 by the relationship degree calculation unit 12 (relation degree calculation step).

Next, in step S5, the monitoring apparatus 1 uses the degree of relationship calculated in step S4 by the group determination unit 13 to determine whether the target group candidate may be a group to be a target of balance analysis. Is determined (group determination step). If it is determined that the group is acceptable, the monitoring apparatus 1 stores the target time-series data group as a group in the group storage unit 23, and outputs the group as a file in response to an external request. Moreover, the monitoring apparatus 1 can perform balance analysis using the time series data which comprise the created group according to the request | requirement from the outside.
Above, description of the process of FIG. 5 is complete | finished.

According to this embodiment, the number of group candidates obtained by combining time-series data is theoretically enormous, while considering the similarity of device roles applied to network devices, balance analysis It is possible to create a group that makes it easy to guess the factors that cause the imbalance.
For example, if server A and server B providing the same telephone service are groups of time series data of these servers, the meaning when an abnormality is detected in the group can be easily estimated. (It can be inferred that the abnormality is recognized as a telephone service, not another type of service), and the possibility of improving service quality by taking appropriate measures according to the abnormality detection Can be increased.

In addition, as in the past, the relationship between time-series data is evaluated and grouped by well-known numerical analysis methods, and the similarity of device roles is also taken into account, so the reliability of the determination of abnormality detection by balance analysis is considered. Can increase the sex.
For example, it is assumed that a group of time-series data of these servers is created for a server C that provides a telephone service for corporations and a server D that provides a video distribution service for the masses. In this case, even if the relationship between the time series data by the numerical analysis method shows a high similarity (eg, the correlation coefficient is extremely close to 1), it is difficult to read and understand the meaning of the created group. Therefore, even if an imbalance occurs in the group, it is not appropriate to immediately conclude that an abnormality has been detected, and there is a high possibility that it will not lead to an improvement in service quality.

  In this embodiment, in view of such circumstances, when monitoring a network device by performing balance analysis using a plurality of types of time-series data related to the network device, the network device is detected with high accuracy, and a service is detected. Quality improvement can be realized.

  In addition, in the selection role information used when extracting group candidates, by combining the device type of the network device and the opposite device of the network device, the time series data of the network device having a common network configuration is combined. It is possible to create a group that makes it easier to guess the factors that cause a balance loss in balance analysis.

  In addition, the selection role information used when extracting the group candidates includes the service provided by the operation of the network device and the service user using the service, thereby providing a common mode of service provided. Thus, it is possible to create a group that combines time series data of network devices that can easily estimate factors that cause a balance loss in balance analysis.

(Modification)
In this embodiment, a group is created by combining two time series data, but a group can be created by combining three or more time series data.

  Moreover, the measurement value of the time series data which comprises a group is not restricted to one type, You may extend to multiple types. For example, when the number of time series data constituting the group is 3, a group is created by combining the time series data of the transmission traffic amount, the time series data of the CPU usage rate, and the time series data of the memory usage rate. be able to. In addition, the time series data for each IF included in each network device may be a plurality of types of time series data constituting a group. That is, the type of time-series data is not limited to measured values such as the amount of transmission traffic and the CPU usage rate, but can also include IF.

  Further, as a combination of time series data constituting a group, time series data of a plurality of types of measurement values for the same device can be targeted. For example, a group can be configured by combining time series data of CPU usage rate, memory usage rate, number of calls, and number of SIP (Session Initiation Protocol) signals measured by a network device called router A.

  Further, as a combination of time series data constituting a group, time series data between a plurality of network devices with respect to the same measurement value can be targeted. For example, a group can be configured by combining time-series data of measured values such as the number of SIP signals among a plurality of network devices such as router A, router B, router C,.

A technique obtained by appropriately combining various techniques described in the present embodiment can also be realized.
The software described in this embodiment can be realized as hardware, and the hardware can also be realized as software.
In addition, hardware, software, flowcharts, and the like can be changed as appropriate without departing from the spirit of the present invention.

DESCRIPTION OF SYMBOLS 1 Monitoring apparatus 10 Processing part 11 Group candidate extraction part 12 Relation degree calculation part 13 Group determination part 20 Storage part 21 Time series data preservation | save part 22 Device role preservation | save part 23 Group preservation | save part 30 Input / output part 31 Input part 32 Output part

Claims (4)

A monitoring device that monitors the network device by performing a balance analysis using a plurality of types of time-series data related to the network device,
Based on the time-series data acquired from the network device and stored in the storage unit, and selected role information indicating information selected for the device role of the network device, a plurality of types of the corresponding to the selected role information A group candidate extraction unit that extracts time-series data as group candidates to be subjected to the balance analysis;
A degree-of-relationship calculation unit for calculating a degree of relationship between a plurality of types of time-series data constituting the extracted group candidates;
Group determination that determines that the plurality of types of time-series data for which the degree of relation is calculated are groups to be subjected to the balance analysis when the degree of relation calculated is within a predetermined tolerance. And comprising
A monitoring device characterized by that. The selection role information is information including a device type of the network device and an identifier of the opposite device of the network device,
The group candidate extraction unit extracts, as the group candidates, a plurality of types of time-series data related to the network device in which the device type and the opposite device are the same.
The monitoring apparatus according to claim 1. The selection role information is information including a type of service provided by operating the network device, and a type of service user using the service,
The group candidate extraction unit extracts a plurality of types of time-series data related to the network device in which the service and the service user are the same as the group candidates.
The monitoring apparatus according to claim 1. A monitoring method in a monitoring device that monitors the network device by performing balance analysis using a plurality of types of time-series data related to the network device,
The monitoring device is
Based on the time-series data acquired from the network device and stored in the storage unit, and selected role information indicating information selected for the device role of the network device, a plurality of types of the corresponding to the selected role information A group candidate extraction step of extracting time series data as a group candidate to be subjected to the balance analysis;
A degree-of-relation calculation step of calculating a degree of relationship between the plurality of types of time-series data constituting the extracted group candidates;
Group determination that determines that the plurality of types of time-series data for which the degree of relation is calculated are groups to be subjected to the balance analysis when the degree of relation calculated is within a predetermined tolerance. Step and execute,
A monitoring method characterized by that.

Images