CN110535716B - Service stability monitoring method and system for converged media

Info

Publication number: CN110535716B
Authority: CN (China)
Prior art keywords: real, time, data, characteristic, dimension
Legal status: Active
Application number: CN201910667901.9A
Other languages: Chinese (zh)
Other versions: CN110535716A (en)
Inventors: 张琦, 徐志亮
Current Assignee: Shanghai Media & Entertainment Group Co Ltd; Shanghai Media Tech Co Ltd
Original Assignee: Shanghai Media Tech Co Ltd; Shanghai Media & Entertainment Group Co Ltd

Classifications

    • G06F18/24147 Distances to closest patterns, e.g. nearest neighbour classification
    • H04L43/026 Capturing of monitoring data using flow identification
    • H04L43/0852 Delays
    • H04L43/0864 Round trip delays
    • H04L43/12 Network monitoring probes
    • H04L43/16 Threshold monitoring
    • H04L41/0681 Configuration of triggering conditions
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L43/0829 Packet loss
    • H04L43/0894 Packet rate

Abstract

The invention provides a method and a system for monitoring the service stability of converged media, relating to the technical field of communications. The method comprises: preprocessing real-time traffic data; extracting feature dimensions from the real-time traffic data to obtain a real-time feature data set; and comparing the real-time delay in the real-time feature data set with a preset delay threshold. If the real-time delay is not less than the delay threshold, the real-time feature data is analyzed according to a pre-generated feature dimension model to obtain the key feature data that has the largest influence on the delay, and an alarm event is generated. If the real-time delay is less than the delay threshold, the real-time feature data is analyzed; when the analysis result shows that a security event exists, the security event is analyzed according to the pre-generated feature dimension model to obtain the potential risk of the security event to service stability, and an early warning event is generated according to the potential risk. The invention makes it possible to quickly discover and handle the factors that make a service unstable.

Description

Service stability monitoring method and system for converged media
Technical Field
The present invention relates to the field of communications technologies, and in particular to a method and a system for monitoring the service stability of converged media.
Background
Converged media is a new form of media that makes full use of media carriers and comprehensively integrates different media that share common ground and complement one another, such as radio, television and newspapers, in terms of personnel, content, publicity and so on, so as to achieve "resource integration, content integration, publicity integration and benefit integration". Converged media is an industry with particularly high requirements for service stability.
In the prior art, monitoring of service stability relies mainly on real-time traffic monitoring: real-time traffic data is captured in bypass mode at the core or aggregation switch, and the operating condition of the service is judged from the delay, flow rate and similar metrics obtained by analyzing that data. However, real-time traffic data can only reflect changes in low-level factors such as delay when a service is unstable, so the specific problem cannot be confirmed. In addition, only problems that cause sustained service instability can be monitored and investigated; factors that cause transient instability cannot be accurately located. Because the influencing factors considered include only delay, flow rate, packet loss and the like, and security factors are not considered together with them, the root cause of service instability cannot be found quickly and the degree of impact caused by security factors cannot be predicted. Furthermore, because no behavior model is accumulated after a problem has been investigated through real-time traffic analysis, every case of service instability has to be analyzed again from scratch, with no fast matching against historical experience and no autonomous localization of the problem.
Disclosure of Invention
To address the problems in the prior art, the invention provides a method for monitoring the service stability of converged media. A traffic collection probe is deployed in advance in a network link of the converged media, and a cloud platform remotely connected to the traffic collection probe is provided; the cloud platform analyzes the real-time traffic data in the network link collected by the traffic collection probe so as to monitor the service stability of the converged media;
the service stability monitoring method specifically comprises the following steps:
step S1, the traffic collection probe preprocesses the collected real-time traffic data to obtain and output a traffic data log file;
the traffic data log file contains the real-time traffic data in a preset data format;
step S2, the cloud platform performs feature extraction on the real-time traffic data in the traffic data log file according to a preset rule to obtain a real-time feature data set corresponding to the real-time traffic data;
the real-time feature data set comprises a traffic dimension feature, a service dimension feature and a security dimension feature corresponding to the real-time traffic data;
step S3, the cloud platform extracts the real-time delay in the traffic dimension feature from the real-time feature data set and compares the real-time delay with a preset delay threshold:
if the real-time delay is not less than the delay threshold, go to step S4;
if the real-time delay is less than the delay threshold, go to step S5;
step S4, the cloud platform analyzes the real-time feature data set according to a pre-generated feature dimension model to obtain the key feature data in the real-time feature data set that causes the real-time delay, generates and outputs a corresponding alarm event according to the key feature data, and then exits;
the key feature data comprises the service dimension feature and/or the security dimension feature;
step S5, the cloud platform queries the real-time feature data set and determines, according to the query result, whether a security event exists in the security dimension data:
if yes, go to step S6;
if not, exit;
step S6, the cloud platform analyzes the security event according to the feature dimension model to obtain the potential risk of the security event to service stability, and generates and outputs a corresponding early warning event according to the potential risk.
Preferably, a switch is further provided in the network link of the converged media, and a mirror port of the switch is connected to the traffic collection probe;
step S1 then specifically includes:
step S11, the switch sends the real-time traffic data in the network link to the traffic collection probe through the mirror port by means of switch port mirroring;
step S12, the traffic collection probe processes the real-time traffic data into the preset data format to generate and output the traffic data log file.
Preferably, in step S2, the traffic dimension feature includes a real-time delay, and the method for extracting the real-time delay specifically includes:
step S211, the cloud platform extracts the TCP protocol traffic from the real-time traffic data;
step S212, the cloud platform records the timestamp of each data packet of each connection in the TCP protocol traffic;
the timestamps comprise a data request timestamp and a data return timestamp;
step S213, the cloud platform calculates the time difference between the data request timestamp and the data return timestamp to obtain the real-time delay corresponding to each connection;
step S214, the cloud platform takes the real-time delay as the traffic dimension feature of the real-time traffic data and stores it.
Preferably, in step S2, the method for extracting the security dimension feature specifically includes:
step S221, the cloud platform matches the real-time traffic data against a preset security product rule base:
if the match succeeds, generate and output a corresponding security event, and then go to step S6;
if the match does not succeed, go to step S222;
step S222, the cloud platform extracts a corresponding feature value from the real-time traffic data and compares the feature value with a preset security threshold:
if the feature value is not less than the security threshold, generate a corresponding security event and store the security event as the security dimension feature;
if the feature value is less than the security threshold, generate a normal behavior record and store the normal behavior record as the security dimension feature.
Preferably, the security threshold comprises a threshold on the number of packets of a DDoS attack and/or a threshold on the number of sessions.
Preferably, the feature dimension model is generated by a K-nearest-neighbor classification algorithm.
Preferably, the method for generating the feature dimension model specifically includes:
step A1, the cloud platform acquires a plurality of pieces of historical traffic data and performs feature extraction on each piece to obtain a corresponding historical traffic feature set;
step A2, the cloud platform analyzes each historical traffic feature set:
if a traffic dimension feature indicating that the service is unstable exists in the historical traffic feature set, the cloud platform processes the historical traffic feature set to obtain the key feature data that causes the service to be unstable;
if a security dimension feature that potentially affects service stability exists in the historical traffic feature set, the cloud platform processes the historical traffic feature set to obtain the potential risk of the security dimension feature to service stability;
step A3, the cloud platform saves each historical traffic feature set together with the analysis result of step A2 to generate a sample library;
step A4, the cloud platform trains on the sample library to obtain the feature dimension model.
Preferably, the method further includes a process of updating the feature dimension model, specifically including:
storing the real-time feature data set, together with the result of the cloud platform's analysis of that set according to the feature dimension model, into the sample library, and updating the feature dimension model according to the updated sample library.
A system for monitoring the service stability of converged media, which applies any one of the above methods for monitoring the service stability of converged media, specifically comprises:
a traffic collection probe, used for preprocessing the collected real-time traffic data to obtain and output a traffic data log file;
the traffic data log file contains the real-time traffic data in a preset data format;
a cloud platform connected to the traffic collection probe, the cloud platform specifically comprising:
a feature extraction module, used for performing feature extraction on the real-time traffic data in the traffic data log file according to a preset rule to obtain a real-time feature data set corresponding to the real-time traffic data;
the real-time feature data set comprises a traffic dimension feature, a service dimension feature and a security dimension feature corresponding to the real-time traffic data;
a comparison module, connected to the feature extraction module and used for extracting the real-time delay in the traffic dimension feature from the real-time feature data set, generating and outputting a corresponding first comparison result when the real-time delay is not less than a preset delay threshold, and
generating and outputting a corresponding second comparison result when the real-time delay is less than the delay threshold;
a first processing module, connected to the comparison module and used for analyzing the real-time feature data set according to the first comparison result and a pre-generated feature dimension model to obtain the key feature data in the real-time feature data set that causes the real-time delay, and for generating and outputting a corresponding alarm event according to the key feature data;
the key feature data comprises the service dimension feature and/or the security dimension feature;
a query module, connected to the comparison module and used for querying the real-time feature data set according to the second comparison result, and for generating and outputting a corresponding query result when a security event exists in the security dimension data;
a second processing module, connected to the query module and used for analyzing the security event according to the query result and the feature dimension model to obtain the potential risk of the security event to service stability, and for generating a corresponding early warning event according to the potential risk.
The above technical solution has the following advantages or beneficial effects: with the feature dimension model, problems can be found and handled quickly when the service is unstable, without a large amount of manual analysis; and while the service is not unstable, preventive configuration can be applied to network devices and security devices, so that the environmental requirements of different customers are met.
Drawings
FIG. 1 is a schematic flow chart of a method for monitoring the service stability of converged media in a preferred embodiment of the present invention;
FIG. 2 is a flow chart of data preprocessing by the traffic collection probe according to a preferred embodiment of the present invention;
FIG. 3 is a flow chart of a method for extracting the real-time delay according to a preferred embodiment of the present invention;
FIG. 4 is a flow chart of a method for extracting security dimension features according to a preferred embodiment of the present invention;
FIG. 5 is a diagram illustrating the K-nearest-neighbor classification algorithm according to a preferred embodiment of the present invention;
FIG. 6 is a flow chart of a method for generating the feature dimension model according to a preferred embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a system for monitoring the service stability of converged media according to a preferred embodiment of the present invention.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments. The present invention is not limited to these embodiments; other embodiments also fall within the scope of the present invention as long as they conform to its gist.
In a preferred embodiment of the present invention, based on the above problems in the prior art, a method for monitoring the service stability of converged media is provided. A traffic collection probe is deployed in advance in a network link of the converged media, and a cloud platform remotely connected to the traffic collection probe is provided; the cloud platform analyzes the real-time traffic data in the network link collected by the traffic collection probe so as to monitor the service stability of the converged media;
as shown in FIG. 1, the service stability monitoring method specifically includes the following steps:
step S1, the traffic collection probe preprocesses the collected real-time traffic data to obtain and output a traffic data log file;
the traffic data log file contains the real-time traffic data in a preset data format;
step S2, the cloud platform performs feature extraction on the real-time traffic data in the traffic data log file according to a preset rule to obtain a real-time feature data set corresponding to the real-time traffic data;
the real-time feature data set comprises a traffic dimension feature, a service dimension feature and a security dimension feature corresponding to the real-time traffic data;
step S3, the cloud platform extracts the real-time delay in the traffic dimension feature from the real-time feature data set and compares the real-time delay with a preset delay threshold:
if the real-time delay is not less than the delay threshold, go to step S4;
if the real-time delay is less than the delay threshold, go to step S5;
step S4, the cloud platform analyzes the real-time feature data set according to the pre-generated feature dimension model to obtain the key feature data in the real-time feature data set that causes the real-time delay, generates and outputs a corresponding alarm event according to the key feature data, and then exits;
the key feature data comprises service dimension features and/or security dimension features;
step S5, the cloud platform queries the real-time feature data set and determines, according to the query result, whether a security event exists in the security dimension data:
if yes, go to step S6;
if not, exit;
step S6, the cloud platform analyzes the security event according to the feature dimension model to obtain the potential risk of the security event to service stability, and generates and outputs a corresponding early warning event according to the potential risk.
Specifically, in this embodiment, the cloud platform is a data processing center that is mainly responsible for processing the data log files collected by the traffic collection probe; it may be a host computer or a cloud server. Multi-dimensional feature extraction is performed on the real-time traffic data to obtain traffic dimension features, service dimension features and security dimension features, which together form the real-time feature data set. The traffic dimension features reflect the stability of the current service, and for converged media the delay data is the most obvious feature for judging service stability. If the comparison result shows that the current service is in an unstable state, the real-time feature data set is fed into the pre-generated feature dimension model for analysis to obtain the key feature data causing the current instability. The key feature data may be a service dimension feature, such as service instability caused by an excessively high access frequency or a service burst; the key feature data may also be a security dimension feature. After the key feature data has been obtained by analysis, a corresponding alarm event is generated from it and output, so that staff can handle the current service instability according to the alarm event.
Further, if the comparison result indicates that the current service is in a stable state, the security dimension features of the real-time traffic data are analyzed further to determine whether there is a potential risk to the current stable state. Whether a security event exists in the security dimension features is the basis for this judgment. If no security event exists in the security dimension features, there is no potential risk in the network to the current stable state of the service. If a security event exists in the security dimension, there is a potential risk in the network to the current stable state; in that case the real-time feature data set is fed into the pre-generated feature dimension model for analysis to obtain the potential risk of the security event to service stability, so that subsequent risk to the service is perceived in advance, and a corresponding early warning event is then generated according to the degree of impact and the possible consequences, so that staff can take specific precautions against that risk. The potential risk includes the degree to which the security event affects service stability and the possible consequences, where the impact has not yet occurred but is highly likely to occur.
The technical solution of the invention combines the traffic quality dimension, the application behavior dimension and the security dimension into one continuous service stability monitoring system. It continuously models and evaluates the traffic, service, security and other features that affect the service, and, when no security problem has occurred, feature modeling can be used to configure network devices and security devices preventively, for example by setting more reasonable flow control and access policies. When a problem occurs, it is judged quickly against the historical model without a large amount of manual analysis, so that the problem is found and handled quickly. No special key technology or dedicated technical support is required; the mining and modeling are built on existing data. After a service stability problem or a potential risk feature is detected, the in-depth analysis of the feature dimension model is used automatically to identify the root cause of the service impact and to sort out the propagation and marginal effects of that impact. The in-depth analysis result of the feature dimension model can also be used to label the real-time feature data set, and the labeled feature data set is added to the sample library, so that the model keeps learning and evolving on its own and adapts automatically to different customer environments.
The feature dimension model is a three-dimensional integrated model covering traffic, service and security that is built continuously from feature analysis of historical traffic samples. Feature dimension information is extracted from the historical traffic, and the samples are classified by manual labeling or by self-learning, so that a model library is built and used to judge which type of feature most affects service anomalies, thereby locating problems quickly.
In this embodiment, the traffic dimension features include feature data such as real-time delay, flow rate and packet loss; the service dimension features include service access success rate, service access client IP, accessed application, access frequency and the like; the security dimension features include security risk behaviors initiated against the service and the host, or initiated security risk behaviors. The delay threshold is set by the user on the page and serves as the baseline indicator for judging that the service is abnormal. The real-time delay is computed as follows: traffic is extracted and reassembled via switch port mirroring; for TCP traffic, the timestamp of each data packet of each connection is recorded; request and return packets are matched by the ack id in each packet, and the time difference between their timestamps gives the real-time delay.
In a preferred embodiment of the present invention, a switch is further provided in the network link of the converged media, and a mirror port of the switch is connected to the traffic collection probe;
as shown in FIG. 2, step S1 specifically includes:
step S11, the switch sends the real-time traffic data in the network link to the traffic collection probe through the mirror port by means of switch port mirroring;
step S12, the traffic collection probe processes the real-time traffic data into a preset data format to generate and output a traffic data log file.
In a preferred embodiment of the present invention, in step S2, the traffic dimension feature includes a real-time delay; as shown in FIG. 3, the method for extracting the real-time delay specifically includes:
step S211, the cloud platform extracts the TCP protocol traffic from the real-time traffic data;
step S212, the cloud platform records the timestamp of each data packet of each connection in the TCP protocol traffic;
the timestamps comprise a data request timestamp and a data return timestamp;
step S213, the cloud platform calculates the time difference between the data request timestamp and the data return timestamp to obtain the real-time delay corresponding to each connection;
step S214, the cloud platform takes the real-time delay as a traffic dimension feature of the real-time traffic data and stores it.
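An added example, not code from the patent: steps S211 to S214 and the S3 comparison applied to constructed packet records. Matching a returned data packet to its request by `ack == seq + payload length`, the record fields, the server port set and the 200 ms threshold are assumptions made for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:      # assumed layout of one record in the traffic data log
    ts_us: int     # capture timestamp in microseconds
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    length: int    # TCP payload bytes


def connection_delays(packets, server_ports=frozenset({80, 443})):
    """S211-S213: request -> data-return delays (ms) for each TCP connection."""
    pending = {}                  # (connection, expected ack) -> request timestamp
    delays = defaultdict(list)
    for p in sorted(packets, key=lambda pkt: pkt.ts_us):
        # S211: TCP only. Pure ACKs (no payload) are skipped so the result is
        # the time until data comes back, not the bare network round trip.
        if p.proto != "TCP" or p.length == 0:
            continue
        if p.dport in server_ports:                       # data request
            conn = (p.src, p.sport, p.dst, p.dport)
            expected_ack = (p.seq + p.length) % 2**32     # sequence numbers wrap
            # setdefault keeps the first timestamp when a request is retransmitted
            pending.setdefault((conn, expected_ack), p.ts_us)
        elif p.sport in server_ports:                     # data return
            conn = (p.dst, p.dport, p.src, p.sport)
            sent = pending.pop((conn, p.ack), None)
            if sent is not None:                          # first returned segment only
                delays[conn].append((p.ts_us - sent) / 1000.0)
    return dict(delays)


def next_step(conn_delays_ms, threshold_ms):
    """S3: 'not less than' the threshold goes to S4, otherwise to S5."""
    return "S4" if max(conn_delays_ms) >= threshold_ms else "S5"


C1 = ("10.0.0.5", 40000, "10.0.0.80", 80)
C2 = ("10.0.0.6", 40001, "10.0.0.80", 443)
CAPTURE = [  # constructed sample capture
    Packet(1_000_000, "TCP", *C1, 1000, 1, 200),                           # request
    Packet(1_005_000, "TCP", "10.0.0.80", 80, "10.0.0.5", 40000, 1, 1200, 0),    # pure ACK
    Packet(1_030_000, "TCP", "10.0.0.80", 80, "10.0.0.5", 40000, 1, 1200, 500),  # data return
    Packet(1_031_000, "TCP", "10.0.0.80", 80, "10.0.0.5", 40000, 501, 1200, 500),
    Packet(2_000_000, "TCP", *C1, 1200, 1001, 100),                        # second request
    Packet(2_200_000, "TCP", *C1, 1200, 1001, 100),                        # retransmission
    Packet(2_450_000, "TCP", "10.0.0.80", 80, "10.0.0.5", 40000, 1001, 1300, 300),
    Packet(1_400_000, "UDP", "10.0.0.7", 5353, "10.0.0.80", 443, 0, 0, 40),      # not TCP
    Packet(1_500_000, "TCP", *C2, 2**32 - 10, 1, 20),                      # seq wraps
    Packet(1_520_000, "TCP", "10.0.0.80", 443, "10.0.0.6", 40001, 1, 10, 100),
]
DELAY_THRESHOLD_MS = 200          # constructed; the patent leaves this to the user

if __name__ == "__main__":
    for conn, values in connection_delays(CAPTURE).items():
        print(conn, values, "->", next_step(values, DELAY_THRESHOLD_MS))
```

The retransmitted request shows why the first timestamp is kept: measuring from the retransmission would report 250 ms instead of 450 ms and understate the delay the client actually saw.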
In a preferred embodiment of the present invention, in step S2, as shown in FIG. 4, the method for extracting the security dimension feature specifically includes:
step S221, the cloud platform matches the real-time traffic data against a preset security product rule base:
if the match succeeds, generate and output a corresponding security event, and then go to step S6;
if the match does not succeed, go to step S222;
step S222, the cloud platform extracts a corresponding feature value from the real-time traffic data and compares the feature value with a preset security threshold:
if the feature value is not less than the security threshold, generate a corresponding security event and store the security event as a security dimension feature;
if the feature value is less than the security threshold, generate a normal behavior record and store the normal behavior record as a security dimension feature.
In a preferred embodiment of the present invention, the security threshold comprises a threshold on the number of packets of a DDoS attack and/or a threshold on the number of sessions.
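An added example, not code from the patent: the two-stage security feature extraction of steps S221 and S222 run over constructed flow records. The rule entry, the per-source aggregation, the field names and the threshold values are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed stand-in for the "security product rule base" of step S221.
RULE_BASE = [
    {"id": "R-0001", "name": "path traversal in URI", "pattern": re.compile(r"\.\./")},
]

# Constructed security thresholds of step S222 (packet count and session count).
SECURITY_THRESHOLDS = {"packets": 10_000, "sessions": 100}


def extract_security_features(flows, rules=RULE_BASE, thresholds=SECURITY_THRESHOLDS):
    """Return the security dimension features for one window of flow records."""
    features, unmatched = [], []

    # S221: a rule hit yields a security event directly and is handed to S6.
    for flow in flows:
        hit = next((r for r in rules if r["pattern"].search(flow.get("uri", ""))), None)
        if hit is None:
            unmatched.append(flow)
        else:
            features.append({"type": "security_event", "via": "rule",
                             "rule": hit["id"], "src": flow["src"],
                             "next_step": "S6"})

    # S222: flows without a rule hit are reduced to feature values per source.
    packets, sessions = Counter(), Counter()
    for flow in unmatched:
        packets[flow["src"]] += flow["packets"]
        sessions[flow["src"]] += 1

    for src in sorted(sessions):
        values = {"packets": packets[src], "sessions": sessions[src]}
        # "not less than the security threshold" -> security event
        exceeded = [name for name in ("packets", "sessions")
                    if values[name] >= thresholds[name]]
        if exceeded:
            features.append({"type": "security_event", "via": "threshold",
                             "exceeded": exceeded, "src": src, **values})
        else:
            features.append({"type": "normal_behavior", "src": src, **values})
    return features


def sample_flows():
    """Constructed window of flow records."""
    flows = [{"src": "198.51.100.7", "packets": 12, "uri": "/static/../../app.conf"}]
    flows += [{"src": "198.51.100.20", "packets": 10, "uri": "/live/stream"}] * 120
    flows += [{"src": "198.51.100.30", "packets": 5_000, "uri": "/vod/a.ts"}] * 2
    flows += [{"src": "198.51.100.40", "packets": 40, "uri": "/news/index"}] * 3
    return flows


if __name__ == "__main__":
    for feature in extract_security_features(sample_flows()):
        print(feature)
```

Both outcomes of S222 are stored as security dimension features, so the normal behavior records are kept alongside the events rather than discarded.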
In a preferred embodiment of the present invention, the feature dimension model is generated by a K-neighborhood classification algorithm.
Specifically, in this embodiment, the feature dimension model may be generated by methods including, but not limited to, a K-neighborhood (K-nearest-neighbor) classification algorithm. As a preferred embodiment of the present invention, the feature dimension model based on the K-neighborhood classification algorithm is described in further detail as follows:
the K-neighborhood classification algorithm classifies by measuring the distance between different feature values. The features in the real-time feature data group, obtained by feature extraction from the real-time flow data, are compared with the corresponding features in the feature dimension model to find the K samples in the feature dimension model that are most similar to them; the category assigned to the test data is the category that occurs most frequently among those K samples, and the value of K is adjusted according to the actual data distribution. Similarity is expressed as a distance, which can be calculated by formulas including, but not limited to, the Euclidean distance and the Manhattan distance.
Taking the Euclidean distance formula as an example:
Figure GDA0003798671060000141
The symbols in the figures are illustrative rather than exhaustive and serve only to explain the examples.
As shown in fig. 5, the red triangles represent class A, the traffic burst, and the blue squares represent class B, the security event; these are not described further here.
First, the real-time flow data is analyzed in real time to obtain a flow dimension characteristic (the circle). When K is 3, the 3 points most similar (closest) to the flow dimension characteristic are taken (the inner circle in fig. 5); class A accounts for 2/3 of these 3 points, so the circle belongs to class A, which indicates that the service is unstable due to a service burst;
when K is 5, the 5 points most similar (closest) to the flow dimension characteristic are taken (the outer circle in fig. 5); class B accounts for 3/5 of these 5 points, so the circle belongs to class B, which indicates that the traffic is unstable due to a security event.
In a preferred embodiment of the present invention, as shown in fig. 6, the method for generating the feature dimension model specifically includes:
step A1, the cloud platform acquires a plurality of historical flow data, and performs feature extraction on each historical flow data to obtain a corresponding historical flow feature group;
step A2, the cloud platform analyzes each historical traffic feature group:
if the historical flow feature group has flow dimension features representing unstable service, the cloud platform processes the flow dimension features according to the historical flow feature group to obtain key feature data causing unstable service;
if the safety dimension characteristics potentially influencing the service stability exist in the historical flow characteristic group, the cloud platform processes the safety dimension characteristics according to the historical flow characteristic group to obtain the potential risk of the safety dimension characteristics on the service stability;
step A3, the cloud platform stores each historical flow characteristic group and the analysis result of the step A2 to generate a sample library;
and step A4, the cloud platform trains according to the sample library to obtain the feature dimension model.
In a preferred embodiment of the present invention, the method further includes a process of updating the feature dimension model, specifically including:
and storing the real-time characteristic data group and the analysis result of the cloud platform on the real-time characteristic data group according to the characteristic dimension model into a sample library, and updating the characteristic dimension model according to the updated sample library.
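The K-neighborhood classification with Euclidean distance, the K = 3 versus K = 5 outcome described for fig. 5, and the sample-library update, as an added Python example (not code from the patent). The two-dimensional feature values are constructed so that the neighbour counts match the text (2/3 class A at K = 3, 3/5 class B at K = 5); the class name, method names and the tie-break rule are assumptions.

```python
import math
from collections import Counter


def euclidean(x, y):
    """Euclidean distance between two feature vectors of equal length."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, y)))


class FeatureDimensionModel:
    """K-nearest-neighbour classifier over a sample library of (features, label)."""

    def __init__(self, sample_library):
        # Steps A3/A4: the stored samples are the model.
        self.samples = [(tuple(f), label) for f, label in sample_library]

    def classify(self, features, k):
        if not 1 <= k <= len(self.samples):
            raise ValueError("k must be between 1 and the sample library size")
        ranked = sorted(self.samples, key=lambda s: euclidean(s[0], features))
        labels = [label for _, label in ranked[:k]]
        votes = Counter(labels)
        top = max(votes.values())
        # Tie-break (assumption): among tied classes, the one with the nearest member wins.
        winner = next(lab for lab in labels if votes[lab] == top)
        return winner, dict(votes)

    def update(self, features, label):
        """Store an analysed real-time feature group back into the sample library."""
        self.samples.append((tuple(features), label))


# Constructed sample library. "A" = traffic burst, "B" = security event.
# Each vector is a pair of normalised feature values (illustrative only).
SAMPLE_LIBRARY = [
    ((0.55, 0.50), "A"), ((0.50, 0.42), "A"), ((0.90, 0.90), "A"), ((0.85, 0.20), "A"),
    ((0.40, 0.50), "B"), ((0.50, 0.65), "B"), ((0.62, 0.62), "B"), ((0.05, 0.10), "B"),
]
QUERY = (0.50, 0.50)  # the real-time feature (the circle in fig. 5)

if __name__ == "__main__":
    model = FeatureDimensionModel(SAMPLE_LIBRARY)
    for k in (3, 5):
        print(k, model.classify(QUERY, k))
    label, _ = model.classify(QUERY, 5)
    model.update(QUERY, label)
    print(len(model.samples))
```

The same query changes class when K changes, which is why the text says K is adjusted according to the actual data distribution; samples written back through `update` carry the model's own label and influence later votes.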
A system for monitoring service stability of converged media, which applies any one of the above methods for monitoring service stability of converged media, as shown in fig. 7, specifically includes:
the flow acquisition probe 1 is used for carrying out data preprocessing on the acquired real-time flow data to obtain and output a flow data log file;
the flow data log file comprises real-time flow data with a preset data format;
cloud platform 2 is connected to the flow acquisition probe 1, and cloud platform 2 specifically includes:
the feature extraction module 21 is configured to perform feature extraction on the real-time traffic data in the traffic data log file according to a preset rule to obtain a real-time feature data group corresponding to the real-time traffic data;
the real-time characteristic data group comprises a flow dimension characteristic, a service dimension characteristic and a safety dimension characteristic which correspond to real-time flow data;
a comparison module 22 connected to the feature extraction module 21 and configured to extract a real-time delay in the flow dimension feature from the real-time feature data set, generate and output a corresponding first comparison result when the real-time delay is not less than a preset delay threshold, and
generating and outputting a corresponding second comparison result when the real-time delay is smaller than the delay threshold;
the first processing module 23 is connected to the comparison module 22, and is configured to analyze the real-time feature data set according to the first comparison result and a pre-generated feature dimension model, obtain key feature data causing real-time delay in the real-time feature data set, generate and output a corresponding alarm event according to the key feature;
the key feature data comprises business dimension features and/or safety dimension features;
the query module 24 is connected to the comparison module 22, and is configured to query the real-time feature data set according to the second comparison result, and generate and output a corresponding query result when a security event exists in the security dimension data;
and the second processing module 25 is connected to the query module 24, and is configured to analyze the security event according to the query result and the feature dimension model, obtain a potential risk of the security event on the service stability, and generate a corresponding early warning event according to the potential risk.
While the invention has been described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention.

Claims (8)

1. A service stability monitoring method for a converged medium is characterized in that a flow acquisition probe is preset in a network link of the converged medium, and a cloud platform remotely connected with the flow acquisition probe is arranged, wherein the cloud platform analyzes real-time flow data in the network link acquired by the flow acquisition probe so as to monitor the service stability of the converged medium;
the service stability monitoring method specifically comprises the following steps:
step S1, the flow acquisition probe carries out data preprocessing on the acquired real-time flow data to obtain and output a flow data log file;
the flow data log file comprises the real-time flow data with a preset data format;
step S2, the cloud platform performs feature extraction on the real-time traffic data in the traffic data log file according to a preset rule to obtain a real-time feature data group corresponding to the real-time traffic data;
the real-time characteristic data group comprises a flow dimension characteristic, a service dimension characteristic and a safety dimension characteristic which correspond to the real-time flow data;
step S3, the cloud platform extracts the real-time delay in the traffic dimensional feature from the real-time feature data set, and compares the real-time delay with a preset delay threshold:
if the real-time delay is not less than the delay threshold, turning to step S4;
if the real-time delay is smaller than the delay threshold, turning to step S5;
step S4, the cloud platform analyzes the real-time feature data set according to a pre-generated feature dimension model to obtain key feature data causing the real-time delay in the real-time feature data set, generates and outputs a corresponding alarm event according to the key feature data, and then exits;
the key feature data comprises the business dimension features, and/or the security dimension features;
step S5, the cloud platform queries the real-time feature data set, and determines whether a security event exists in the security dimension data according to a query result:
if yes, go to step S6;
if not, exiting;
step S6, the cloud platform analyzes the security event according to the characteristic dimension model to obtain the potential risk of the security event to the service stability, and generates and outputs a corresponding early warning event according to the potential risk;
the method for generating the feature dimension model specifically comprises the following steps:
step A1, the cloud platform acquires a plurality of historical flow data, and performs feature extraction on each historical flow data to obtain a corresponding historical flow feature group;
step A2, the cloud platform analyzes each historical traffic feature set:
if the traffic dimension characteristic which represents that the service is unstable exists in the historical traffic characteristic group, the cloud platform processes the historical traffic characteristic group to obtain the key characteristic data which causes that the service is unstable, and then the step A3 is performed;
if the safety dimension characteristics potentially influencing the service stability exist in the historical traffic characteristic group, the cloud platform processes the historical traffic characteristic group to obtain the potential risk of the safety dimension characteristics on the service stability, and then the process goes to step A3;
step A3, the cloud platform saves each historical flow characteristic group and the analysis result of the step A2 to generate a sample library;
and step A4, the cloud platform trains according to the sample library to obtain the feature dimension model.
2. The method for monitoring the service stability of the converged media according to claim 1, wherein a switch is further disposed in the network link of the converged media, and a mirror image port of the switch is connected to the traffic collection probe;
the step S1 specifically includes:
step S11, the switch sends the real-time traffic data in the network link to the traffic collection probe through the mirror image port by the switch mirror image drainage;
and step S12, the flow acquisition probe processes the real-time flow data into the preset data format to generate and output a flow data log file.
3. The method for monitoring service stability of converged media according to claim 1, wherein in the step S2, the traffic dimension feature includes a real-time delay, and the method for extracting the real-time delay specifically includes:
step S211, the cloud platform extracts the real-time traffic data to obtain TCP protocol traffic;
step S212, the cloud platform records the time stamp of each data packet of each connection of the TCP protocol flow;
the time stamp comprises a data request time stamp and a data return time stamp;
step S213, the cloud platform calculates a time difference between the data request timestamp and the data return timestamp to obtain the real-time delay corresponding to each connection;
step S214, the cloud platform takes the real-time delay as the flow dimension characteristic of the real-time flow data and stores the flow dimension characteristic.
4. The method for monitoring service stability of converged media according to claim 1, wherein in the step S2, the method for extracting the security dimension feature specifically includes:
step S221, the cloud platform matches the real-time flow data with a preset safety product rule base:
if the matching is successful, generating and outputting a corresponding safety event, and then turning to the step S6;
if the matching is not successful, turning to step S222;
step S222, the cloud platform extracts a corresponding characteristic value from the real-time traffic data, and compares the characteristic value with a preset safety threshold:
if the characteristic value is not smaller than the safety threshold value, generating a corresponding safety event, and storing the safety event as the safety dimension characteristic;
and if the characteristic value is smaller than the safety threshold value, generating a normal behavior record, and storing the normal behavior record as the safety dimension characteristic.
5. The traffic stability monitoring method for converged media, according to claim 4, wherein the security threshold comprises a threshold of the number of packets of a DDoS attack, and/or a threshold of the number of sessions.
6. The method for monitoring the service stability of the converged media according to claim 1, wherein the characteristic dimension model is generated by a K-neighborhood classification algorithm.
7. The method for monitoring service stability of converged media according to claim 1, further comprising a process of updating the feature dimension model, specifically comprising:
and storing the real-time feature data set and the analysis result of the cloud platform on the real-time feature data set according to the feature dimension model into the sample library, and updating the feature dimension model according to the updated sample library.
8. A system for monitoring service stability of converged media, applying the method for monitoring service stability of converged media according to any one of claims 1 to 7, specifically comprising:
the flow acquisition probe is used for carrying out data preprocessing on the acquired real-time flow data to obtain and output a flow data log file;
the flow data log file comprises the real-time flow data with a preset data format;
the cloud platform is connected to the flow acquisition probe, and the cloud platform specifically includes:
the characteristic extraction module is used for extracting the characteristics of the real-time flow data in the flow data log file according to a preset rule to obtain a real-time characteristic data group corresponding to the real-time flow data;
the real-time characteristic data group comprises a flow dimension characteristic, a service dimension characteristic and a safety dimension characteristic which correspond to the real-time flow data;
a comparison module connected with the feature extraction module and used for extracting the real-time delay in the flow dimension feature from the real-time feature data set, generating and outputting a corresponding first comparison result when the real-time delay is not less than a preset delay threshold, and
when the real-time delay is smaller than the delay threshold, generating and outputting a corresponding second comparison result;
the first processing module is connected with the comparison module and used for analyzing the real-time characteristic data set according to the first comparison result and a pre-generated characteristic dimension model to obtain key characteristic data causing the real-time delay in the real-time characteristic data set, and generating and outputting a corresponding alarm event according to the key characteristic;
the key feature data comprises the business dimension features, and/or the security dimension features;
the query module is connected with the comparison module and used for querying in the real-time feature set according to the second comparison result, and generating and outputting a corresponding query result when a security event exists in the security dimension data;
and the second processing module is connected with the query module and used for analyzing the safety event according to the query result and the characteristic dimension model to obtain the potential risk of the safety event on the service stability, and generating a corresponding early warning event according to the potential risk.
CN201910667901.9A 2019-07-23 2019-07-23 Service stability monitoring method and system for converged media Active CN110535716B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910667901.9A CN110535716B (en) 2019-07-23 2019-07-23 Service stability monitoring method and system for converged media

Publications (2)

Publication Number Publication Date
CN110535716A (en) 2019-12-03
CN110535716B (en) 2022-09-30

Family

ID=68661898

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200218

Address after: 200003 No. 298, Weihai Road, Jing'an District, Shanghai

Applicant after: SHANGHAI MEDIA &ENTERTAINMENT GROUP Co.,Ltd.

Applicant after: SHANGHAI MEDIA TECH CO.,LTD.

Address before: 200041 No. 298, Weihai Road, Shanghai, Jingan District

Applicant before: SHANGHAI MEDIA &ENTERTAINMENT GROUP Co.,Ltd.

GR01 Patent grant