
WO2018035765A1 - Network anomaly detection method and apparatus - Google Patents

Network anomaly detection method and apparatus

Info

Publication number
WO2018035765A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
traffic
network device
abnormality
detecting
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2016/096595
Other languages
English (en)
Chinese (zh)
Inventor
贾云健
唐亮
吴玉成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Tinno Wireless Technology Co Ltd
Original Assignee
Shenzhen Tinno Wireless Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Tinno Wireless Technology Co Ltd
Priority to PCT/CN2016/096595
Publication of WO2018035765A1

Definitions

  • the present application relates to the field of Internet communication technologies, and in particular, to a method and device for detecting network anomalies.
  • the present invention provides a method and device for detecting network anomalies that monitor the various network devices in the network to detect whether a traffic abnormality occurs in the network, reducing the detection time and improving the sensitivity and accuracy of the detection.
  • the embodiment of the present application provides a method for detecting a network abnormality, including:
  • the network running status includes:
  • the traffic change of the physical link in the network, the state of the network devices in the network, and the traffic source of each IP address.
  • detecting, according to the running status of the network and the traffic status used by the service on the network device, whether a traffic abnormality occurs in the network includes:
  • the traffic increase of the physical link in the network does not exceed a preset traffic threshold within a specified duration
  • the operation of the network device in the network changes
  • the traffic used by the services on the network device is reduced.
  • the method further includes:
  • the embodiment of the present application further provides a network abnormality detecting apparatus, including:
  • the network monitoring module detects the running status of the network and the traffic status used by the service on the network device;
  • the abnormality identifying module detects whether a traffic abnormality occurs in the network according to the running state of the network and the traffic state used by the service on the network device.
  • the network running status includes:
  • the traffic change of the physical link in the network, the state of the network device in the network, and the traffic source of each IP address.
  • the abnormality identification module is specifically configured to:
  • the traffic increase of the physical link in the network does not exceed a preset traffic threshold within a specified duration
  • the operation of the network device in the network changes
  • the traffic used by the services on the network device is reduced.
  • the device further includes:
  • a type identifying module configured to determine, when a traffic abnormality is detected in the network, that a failed network device exists in the network.
  • the embodiment of the present invention provides a method and a device for detecting a network abnormality, which detect the running state of the network and the number of users using the network, and determine whether the network has abnormal traffic according to the running state of the network and the traffic state used by the service on the network device.
  • the technical solution can integrate and calculate the data detected by different modules in the network management system, automatically determine whether the network has abnormal traffic, reduce the detection time, and improve the sensitivity and accuracy. It solves the problem that the prior-art methods for identifying network anomalies caused by abnormal traffic mostly depend on manual judgment, which is likely to cause low sensitivity, low accuracy, and long detection time.
  • FIG. 1 is a schematic flowchart of Embodiment 1 of a method for detecting network anomaly provided by the present application;
  • FIG. 2 is an application scenario diagram of Embodiment 1 of a method for detecting network anomaly according to the present application;
  • FIG. 3 is a schematic flowchart of Embodiment 2 of a method for detecting network anomaly according to the present application;
  • FIG. 4 is a schematic structural diagram of Embodiment 1 of a network abnormality detecting apparatus provided by the present application;
  • FIG. 5 is a schematic structural diagram of Embodiment 2 of a device for detecting network anomaly according to the present application.
  • FIG. 1 is a schematic flowchart of Embodiment 1 of a network abnormality detecting method provided by the present application
  • FIG. 2 is a schematic application diagram of Embodiment 1 of a network abnormality detecting method provided by the present application, as shown in FIG. 1 and FIG.
  • the method for detecting a network abnormality provided by the embodiment may include the following steps:
  • a method for detecting a network abnormality that can be applied to the network management system is provided in the embodiment of the present application, so as to automatically detect whether an abnormality occurs in the network by using the network management system.
  • the network management system may include a network real-time status monitoring system, a network analysis system, and a DPI (Deep Packet Inspection) system.
  • the network real-time status monitoring system can monitor all network devices in the network, obtain information of all network devices, real-time traffic of physical links, and network topology.
  • the DPI system can identify the data flow in the physical link in the network to obtain the source and flow of the traffic. The traffic can also be analyzed by service or type.
  • the network analysis system can monitor whether the number of users changes, IP address utilization changes, traffic history data, and so on.
  • the data information is obtained through the network management system, and the obtained data information is analyzed and calculated, and the analysis and calculation results can reflect the real-time running state of the network, thereby detecting whether an abnormality occurs in the network.
  • the network running status may include, but is not limited to:
  • the traffic of the physical link in the network changes
  • the traffic change of the physical link in the network can be monitored by the network real-time state monitoring system.
  • the state of the network device in the network can be monitored by the network real-time state monitoring system, the traffic source of each IP address can be monitored through the DPI system, and the number of users using the network can be monitored and statistically analyzed by the network analysis system.
  • the network management system can perform real-time calculation and analysis on the data information about the network running status monitored by the network real-time status monitoring system and the DPI system, and on the number of users using the network analyzed by the network analysis system, and update the corresponding results in real time.
  • the network management system performs real-time calculation and analysis on the network running status and the traffic status used by the service on the network device, and detects whether a traffic abnormality occurs in the network.
  • the network abnormality is detected:
  • the traffic increase of the physical link in the network does not exceed a preset traffic threshold within a specified duration
  • the operation of the network device in the network changes
  • the traffic used by the services on the network device is reduced.
  • the network real-time status monitoring system can monitor the physical link in the network and store the monitoring result; the storage location can be the database of the network analysis system or a server in the network, and the result can also be uploaded to the database of the network management system.
  • the network management system determines whether the traffic increase of the physical link in the network exceeds a preset traffic threshold within a specified duration.
  • the method for judging may be: calculating the traffic increase of the physical link in the network within a specified duration of the monitoring, and then comparing the traffic increase with the preset traffic threshold. If the traffic increase of the physical link in the network is greater than or equal to the traffic threshold, the network may be abnormal. If the traffic of the physical link in the network is smaller than the traffic threshold, a traffic abnormality may not be detected in the network.
  • the traffic threshold is 80%
  • the monitoring time is 8:00:00
  • the traffic of the physical link in the network increases by more than 8:00:00 to 8:00:05.
  • a change in the operation of the network device in the network may be determined from the running status of each network device in the network as monitored by the network real-time state monitoring system.
  • the running state of the network device includes a fault or a stop in running; the network state real-time monitoring system generates an alarm for the device status change, and the IP address of the faulty device is unreachable.
  • Traffic flowing to the same IP address can be understood to mean that the number of packets sent by the user to the same IP address is less than the preset number threshold.
  • a reduction in the traffic used by the service on the network device can be understood to mean that the traffic of the physical link connected to the network device drops by more than the drop threshold, or falls to zero, within a specified duration.
  • the network abnormality may be detected.
  • the embodiment of the present application provides a network abnormality detecting method, which detects a network running state and a number of users using a network, where the network running state may include a traffic change of a physical link in the network, a state of the network device in the network, and the traffic source of each IP address, and then determines whether the network has abnormal traffic based on the network running status and the traffic status used by the service on the network device.
  • This technical solution can integrate and calculate the data detected by different modules in the network management system, automatically and quickly judge whether the network is abnormal, reduce the detection time, and improve the sensitivity and accuracy. It solves the problem that the prior-art methods for identifying network anomalies caused by abnormal traffic rely on manual judgment, which is likely to cause lower sensitivity, lower accuracy, and long detection time.
  • FIG. 3 is a schematic flowchart of a method for detecting a network abnormality according to a second embodiment of the present invention. As shown in FIG. 3, the method for detecting a network abnormality provided by the embodiment of the present application may include the following steps:
  • step 201: the specific process of step 201 is described in detail in step 101 in the foregoing embodiment. The principle and implementation process in the embodiment of the present application are the same, and details are not described herein again.
  • step 202: in the embodiment of the present application, the specific process of step 202 is described in detail in step 102 in the foregoing embodiment. The principle and implementation process in the embodiment of the present application are the same, and details are not described herein again.
  • the cause of the traffic abnormality may be that the network device is faulty, for example a device hardware alarm or an unreachable IP address, or it may be that other devices are actively attacking the network device in the network.
  • the probability that other devices actively attack the network devices in the network is low.
  • when the operation of the network device in the network changes, for example when the network status real-time monitoring system sends an alarm for a network device status change, the IP address of the faulty device is unreachable and the data packets sent by the user to that IP address cannot be received, so the traffic used by the services on the network device is reduced. Therefore, in the embodiment of the present application, when it is detected that the traffic abnormality occurs in the network, it may be determined that the traffic abnormality is caused by a network device failure in the network.
  • the embodiment of the present application provides a network abnormality detecting method, which detects a network running state and a number of users using a network, where the network running state may include a traffic change of a physical link in the network, a state of the network device in the network, and the traffic source of each IP address. After a traffic abnormality is determined, it can be determined that the network abnormality is caused by a network device failure in the network.
  • the data detected by different modules in the network management system is integrated and calculated, which automatically determines whether the network is abnormal, improves the reliability of the network, reduces the detection time, and improves the sensitivity and accuracy. It solves the problem that the existing methods for identifying network anomalies caused by abnormal traffic mostly depend on manual judgment, which is likely to cause low sensitivity, low accuracy, and long detection time.
  • FIG. 4 is a schematic structural diagram of Embodiment 1 of a network abnormality detecting apparatus provided by the present application.
  • the network abnormality detecting apparatus provided by the embodiment of the present application may include: a network monitoring module 11 and an abnormality identifying module 12.
  • the network monitoring module 11 detects the running status of the network and the traffic status used by the service on the network device;
  • the abnormality identification module 12 detects whether the network has abnormal traffic according to the network running status monitored by the network monitoring module 11 and the traffic status used by the service on the network device.
  • the network running status includes:
  • the change in traffic of physical links in the network, the state of network devices in the network, and the source of traffic for each IP address.
  • the abnormality identification module 12 is specifically configured to:
  • a traffic anomaly on the network is detected when all of the following conditions are met:
  • the traffic increase of the physical link in the network does not exceed a preset traffic threshold within a specified duration
  • the operation of the network device in the network changes
  • the traffic used by the services on the network device is reduced.
  • the device in this embodiment may be used to implement the technical solution of the method embodiment shown in FIG. 1, and the implementation principle and technical effects are similar, and details are not described herein again.
  • FIG. 5 is a schematic structural diagram of a second embodiment of a network abnormality detecting apparatus according to the present application.
  • the network abnormality detecting apparatus provided by the embodiment of the present application may further include, according to the foregoing third embodiment, a type identification module 13.
  • the type identification module 13 is configured to determine that a network device that has a fault exists in the network when the network detecting module 12 detects that a traffic abnormality occurs in the network.
  • the device in this embodiment may be used to implement the technical solution of the method embodiment shown in FIG. 3, and the implementation principle and technical effects are similar, and details are not described herein again.
  • the aforementioned program can be stored in a computer readable storage medium.
  • the program when executed, performs the steps including the foregoing method embodiments; and the foregoing storage medium includes various media that can store program codes, such as a ROM, a RAM, a magnetic disk, or an optical disk.
  • the device embodiments described above are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, i.e. they may be located in one place or distributed across at least two network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
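
The three-condition check and the failed-device attribution described above, written out as an added example; it is not code from the patent. The record types, function names, sample data and the 50% drop threshold are constructed assumptions; the 80% traffic threshold and the five-second window follow the values mentioned in the description.

```python
from dataclasses import dataclass

# Device states treated as a failure ("a fault or stops running" in the text).
FAILED_STATES = {"fault", "stopped"}


@dataclass
class Sample:
    t: int       # seconds from the start of monitoring
    mbps: float  # traffic measured on a physical link


@dataclass
class Alarm:
    t: int
    device_ip: str
    state: str   # state reported by the real-time status monitoring system


def _window(samples, start, end):
    """Samples inside [start, end], ordered by time."""
    return sorted((s for s in samples if start <= s.t <= end), key=lambda s: s.t)


def increase_ratio(samples, start, end):
    """Relative traffic increase between the first and last sample in the window."""
    w = _window(samples, start, end)
    if len(w) < 2:
        return 0.0
    first, last = w[0].mbps, w[-1].mbps
    if first == 0:
        return float("inf") if last > 0 else 0.0
    return (last - first) / first


def traffic_reduced(samples, start, end, drop_threshold):
    """True if traffic dropped by more than drop_threshold or fell to zero."""
    w = _window(samples, start, end)
    if len(w) < 2 or w[0].mbps == 0:
        return False
    first, last = w[0].mbps, w[-1].mbps
    return last == 0 or (first - last) / first > drop_threshold


def detect(core_link, device_links, alarms, start, end,
           traffic_threshold=0.80, drop_threshold=0.50):
    """Apply the listed conditions; all three must hold for an anomaly."""
    result = {"anomaly": False, "failed_devices": []}
    # Condition 1: link traffic increase does not exceed the preset threshold.
    if increase_ratio(core_link, start, end) > traffic_threshold:
        return result
    for alarm in alarms:
        # Condition 2: a device changed to a failed state inside the window.
        if not (start <= alarm.t <= end and alarm.state in FAILED_STATES):
            continue
        # Condition 3: traffic on the link connected to that device is reduced.
        link = device_links.get(alarm.device_ip, [])
        if traffic_reduced(link, start, end, drop_threshold):
            result["failed_devices"].append(alarm.device_ip)
    result["anomaly"] = bool(result["failed_devices"])
    return result


# Constructed sample data (documentation address range, 5-second window).
CORE = [Sample(0, 400.0), Sample(5, 380.0)]
DEVICE_LINKS = {
    "192.0.2.10": [Sample(0, 120.0), Sample(3, 10.0), Sample(5, 0.0)],
    "192.0.2.20": [Sample(0, 90.0), Sample(5, 88.0)],
}
ALARMS = [Alarm(2, "192.0.2.10", "fault"), Alarm(3, "192.0.2.20", "fault")]

if __name__ == "__main__":
    print(detect(CORE, DEVICE_LINKS, ALARMS, 0, 5))
```

A device is reported only when its alarm and its traffic drop fall in the same window, so an alarm with steady traffic (the second constructed device) does not trigger.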

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the present invention relate to a method and an apparatus for detecting a network anomaly. The network anomaly detection method described in the embodiments of the present invention comprises: detecting the operating state of a network and the state of the traffic used by services on a network device, and detecting, according to the operating state of the network and the state of the traffic used by the services on the network device, whether a traffic anomaly occurs on the network. The network anomaly detection method described in the embodiments of the present invention can integrate and compute data detected by different modules in a network management system, automatically and quickly determine whether an anomaly occurs on the network, reduce the detection time, and improve sensitivity and accuracy.
PCT/CN2016/096595 2016-08-24 2016-08-24 Network anomaly detection method and apparatus Ceased WO2018035765A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/096595 WO2018035765A1 (fr) 2016-08-24 2016-08-24 Network anomaly detection method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/096595 WO2018035765A1 (fr) 2016-08-24 2016-08-24 Network anomaly detection method and apparatus

Publications (1)

Publication Number Publication Date
WO2018035765A1 (fr) 2018-03-01

Family

ID=61246034

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/096595 Ceased WO2018035765A1 (fr) 2016-08-24 2016-08-24 Network anomaly detection method and apparatus

Country Status (1)

Country Link
WO (1) WO2018035765A1 (fr)

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 16913788; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: PCT application non-entry in European phase (Ref document number: 16913788; Country of ref document: EP; Kind code of ref document: A1)