CN111181759B - Method, device, equipment and storage medium for identifying abnormality of network equipment - Google Patents


Info

Publication number
CN111181759B
Authority
CN
China
Prior art keywords
data
abnormal
template
abnormal event
regular expression
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910730389.8A
Other languages
Chinese (zh)
Other versions
CN111181759A (en
Inventor
张梦妮
周峰
谭利军
吴懿伦
马晓雁
胡群星
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201910730389.8A priority Critical patent/CN111181759B/en
Publication of CN111181759A publication Critical patent/CN111181759A/en
Application granted granted Critical
Publication of CN111181759B publication Critical patent/CN111181759B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a method, a device, equipment and a storage medium for identifying abnormalities of network equipment. The method comprises the following steps: obtaining network communication data of at least one data type of a network device; when abnormal data exists in the network communication data of the at least one data type, converting the abnormal data into standard format data; matching an abnormal event template to the standard format data based on a first regular expression corresponding to the abnormal event template in an abnormal event template library, wherein the first regular expression defines a character string matched with the abnormal event template; extracting key fields in the standard format data by using a second regular expression corresponding to the matched abnormal event template, wherein the second regular expression defines key character strings matched with the abnormal events; and generating standard characterization data for the abnormal events of the network device based on the key fields. With this technical solution, multi-dimensional abnormality analysis of network equipment can be performed quickly, the efficiency of abnormality analysis is improved, and manpower consumption is reduced.

Description

Method, device, equipment and storage medium for identifying abnormality of network equipment
Technical Field
The present application relates to the field of internet communication technologies, and in particular, to a method, an apparatus, a device, and a storage medium for identifying an abnormality of a network device.
Background
With the rapid development of computer and internet technologies, people's daily life has a higher and higher degree of dependence on data communication networks, and the influence caused by the abnormality of devices in network communication is gradually increased. Therefore, when the network device is abnormal, the specific abnormal condition of the network device in the network link can be quickly and accurately positioned, and the abnormality can be eliminated, which becomes the focus of attention of the network device user.
In the prior art, network monitoring is often implemented through the Simple Network Management Protocol (SNMP) and probe scripts; that is, a random message (and an event report) in network communication is received through SNMP to learn whether a problem has occurred in a network device. When an abnormality occurs, the operation and maintenance personnel are notified by mail, telephone, etc., and then analyze the specific situation of the abnormality. However, this conventional scheme focuses only on the anomaly analysis of a specific data source and only determines that an anomaly exists; it cannot give the specific situation of the anomaly, so a large number of operation and maintenance personnel are still required to perform the specific anomaly analysis, which makes the analysis inefficient and time-consuming. Therefore, there is a need to provide a more reliable or efficient solution.
Disclosure of Invention
The application provides an anomaly identification method, an anomaly identification device, equipment and a storage medium for network equipment, which can be used for rapidly analyzing the anomaly of multi-dimensional network equipment, greatly improving the efficiency of anomaly analysis and reducing the labor consumption.
In one aspect, the present application provides an anomaly identification method for a network device, where the method includes:
obtaining network communication data of at least one data type of a network device;
when abnormal data exists in the network communication data of the at least one data type, converting the abnormal data into standard format data;
matching the abnormal event template to the standard format data based on a first regular expression corresponding to the abnormal event template in an abnormal event template library, wherein the first regular expression defines a character string matched with the abnormal event template;
extracting key fields in the standard format data by using a second regular expression corresponding to the matched abnormal event template, wherein the second regular expression defines key character strings matched with abnormal events;
generating standard characterization data for the abnormal events of the network device based on the key fields.
Another aspect provides an abnormality recognition apparatus for a network device, the apparatus including:
the network communication data acquisition module is used for acquiring network communication data of at least one data type of the network equipment;
the data format conversion module is used for converting the abnormal data into standard format data when the abnormal data exists in the network communication data of the at least one data type;
the abnormal event template matching module is used for matching the abnormal event template to the standard format data based on a first regular expression corresponding to the abnormal event template in the abnormal event template library, and the first regular expression defines a character string matched with the abnormal event template;
the key field extraction module is used for extracting the key fields in the standard format data by using a second regular expression corresponding to the matched abnormal event template, wherein the second regular expression defines a key character string matched with the abnormal event;
and the abnormity characterization module is used for generating standard characterization data of the abnormal events of the network equipment based on the key fields.
Another aspect provides an abnormality recognition apparatus for a network device, the apparatus including a processor and a memory, the memory storing at least one instruction, at least one program, a set of codes, or a set of instructions, the at least one instruction, the at least one program, the set of codes, or the set of instructions being loaded and executed by the processor to implement the abnormality recognition method for a network device as described above.
Another aspect provides a computer-readable storage medium having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, which is loaded and executed by a processor to implement the method for anomaly identification of a network device as described above.
The method, the device, the equipment and the storage medium for identifying the abnormity of the network equipment have the following technical effects:
the method and the device realize unified identification of different abnormal data by acquiring the network communication data of at least one data type and converting the abnormal data into data in a standard format; then, matching the abnormal event template of the abnormal event corresponding to the abnormal data by combining with a first regular expression which defines the character string matched with the abnormal event template; and then, extracting key fields from the standard format data in combination with a second regular expression defining key character strings matching the abnormal events, and finally generating standard characterization data capable of characterizing the specific conditions of the abnormal events of the network equipment based on the key fields. By utilizing the technical scheme provided by the embodiment of the specification, the abnormity analysis of the multidimensional network equipment can be rapidly carried out, the abnormity analysis efficiency can be greatly improved, and the manpower consumption is reduced.
Drawings
In order to more clearly illustrate the technical solutions and advantages of the embodiments of the present application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a schematic diagram of an application environment provided by an embodiment of the present application;
FIG. 2 is a schematic flowchart of an anomaly identification method for a network device according to an embodiment of the present application;
FIG. 3 is a schematic flow chart illustrating a process of converting the abnormal data into data in a standard format according to an embodiment of the present application;
FIG. 4 is a schematic flowchart of matching an abnormal event template to the standard format data based on a first regular expression corresponding to an abnormal event template in an abnormal event template library according to an embodiment of the present application;
FIG. 5 is a schematic flow chart illustrating a process of creating an abnormal event template library according to an embodiment of the present application;
FIG. 6 is an exception template for a port disconnection exception provided in an embodiment of the present application;
FIG. 7 is an exception template for another port disconnection exception provided by an embodiment of the present application;
FIG. 8 is an exception template for a traffic exception provided by an embodiment of the present application;
FIG. 9 is a schematic diagram of standard characterization data of a port disconnection exception event according to an embodiment of the present application;
FIG. 10 is a schematic diagram of standard characterization data for another port disconnection exception event provided by an embodiment of the present application;
FIG. 11 is an SNMP port traffic view showing cliff-type traffic exceptions according to an embodiment of the present application;
FIG. 12 is a schematic diagram of standard characterization data of a traffic anomaly event according to an embodiment of the present application;
FIG. 13 is a schematic structural diagram of a target network link according to an embodiment of the present application;
FIG. 14 is a schematic diagram of an abnormality recognition apparatus of a network device according to an embodiment of the present application;
FIG. 15 is an architecture diagram of anomaly identification provided by an embodiment of the present application;
FIG. 16 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Referring to fig. 1, fig. 1 is a schematic diagram of an application environment according to an embodiment of the present application, and as shown in fig. 1, the application environment may include at least one network device 100 and an anomaly identification platform 200 in a network link.
In this embodiment, the network device 100 may include a client-side physical device such as a smart phone, a desktop computer, a tablet computer, a notebook computer, a digital assistant, a smart wearable device, etc., or may include a switch (as shown in fig. 1), a load balancer, a server, etc., or may include software running in the physical device, such as a virtual machine, etc.
In this embodiment, the anomaly identification platform 200 may be used to identify a specific anomaly condition for a network device in a network link. Specifically, the anomaly identification platform 200 may include a user-oriented anomaly identification terminal 201 and an anomaly identification server 202 for providing background service support for the anomaly identification terminal.
In the embodiment of the present specification, the anomaly identification terminal 201 may include a smart phone, a desktop computer, a tablet computer, a notebook computer, a digital assistant, a smart wearable device, and other types of physical devices. And may also include software running on physical devices, such as applications, application pages, etc. Specifically, the abnormality recognition terminal may be used to import network communication data of the network device, display specific abnormal conditions of the network device, and the like.
In this embodiment, the anomaly identification server 202 may include a server operating independently, or a distributed server, or a server cluster composed of a plurality of servers. Specifically, the anomaly identification server may be configured to identify a specific anomaly condition of the network device.
In addition, it should be noted that having the abnormality recognition server obtain the network communication data of the network device through the abnormality recognition terminal is only an example; in practical applications, the abnormality recognition server may also obtain the network communication data of the network device through a corresponding interface or the like.
The following describes an abnormality identification method of the present application, and fig. 2 is a flowchart of an abnormality identification method of a network device according to an embodiment of the present application, where the present specification provides the method operation steps as described in the embodiment or the flowchart, but may include more or less operation steps based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. In practice, the system or server product may be implemented in a sequential or parallel manner (e.g., parallel processor or multi-threaded environment) according to the embodiments or methods shown in the figures. Specifically, as shown in fig. 2, the method may include:
S201: Network communication data of at least one data type of a network device is obtained.
In embodiments of the present description, the network communication data may include, but is not limited to, at least one of the following: log data of the network device, execution command data of the network device, network diagnostic data of the network device, network management data of the network device.
Specifically, the log data of the network device may include log data generated by the network device during network communication. The execution command data of the network device may include data generated when the network device executes commands during communication. The network diagnostic data of the network device may include, but is not limited to, the data obtained after executing a "ping" command (ping is a command available on Windows, Unix, and Linux systems). The network management data of the network device may include, but is not limited to, data such as traffic, packet loss rate, light attenuation, memory, and CPU.
In the embodiment of the specification, network communication data of at least one data type of the network equipment is acquired, so that whether the network equipment is abnormal or not can be identified from multiple dimensions.
S203: when abnormal data exists in the network communication data of the at least one data type, converting the abnormal data into standard format data.
In practical applications, whether the current network device is abnormal can often be determined from the network communication data of the network device. Different types of network communication data often correspond to different abnormality identification algorithms, and when a data type contains several kinds of network communication data, the abnormality identification algorithms for those kinds of data may also differ. In the embodiment of the present specification, a corresponding anomaly identification algorithm group may be set for each data type of network communication data. Accordingly, after the network communication data is obtained, the anomaly identification algorithm group corresponding to the data type of the network communication data may be determined, and anomaly identification may then be performed on the data of that data type based on the anomaly identification algorithm group.
In a specific embodiment, taking the network diagnosis data of the network device as an example, whether the network device has a connection abnormality can be identified through the ping algorithm; that is, the "ping" command can be used to check whether the network is connected, which helps in analyzing and judging network faults.
In another specific embodiment, taking the network management data of the network device as an example, the random message (and the event report) in the network communication may be received through SNMP (Simple Network Management Protocol) to learn whether the network device has a problem. Specifically, SNMP is a standard protocol designed for managing network devices (servers, workstations, routers, switches, hubs, etc.) over an IP network, and it is an application layer protocol.
In another specific embodiment, taking the execution command data of the network device as an example, whether there is an abnormality can generally be identified by analyzing whether the execution command data contains errors, by repeating the execution multiple times, and the like.
In another specific embodiment, taking the log data of the network device as an example, generally, whether there is an abnormality can be identified by analyzing the log data, matching with a preset abnormality log, and the like.
In practical applications, the network communication data formats of different types of network devices, and of network devices of the same type from different manufacturers, have to be taken into account. For this reason, in the embodiment of the specification, abnormal data in the network communication data is converted into standard format data. Specifically, as shown in fig. 3, converting the abnormal data into the standard format data may include:
S2031: Determining a data type of the abnormal data.
S2033: Acquiring a standard format template corresponding to the data type, wherein the standard format template comprises a key field object for representing an abnormal event.
S2035: Converting the abnormal data into the standard format data based on the standard format template.
In the embodiment of the present specification, different data types may correspond to different standard format templates; specifically, the standard format template may be a preset fixed format and includes a key field object for characterizing an abnormal event.
In a specific embodiment, taking the network management data of the network device as an example, the standard format template may be regarded as a content log format (content_syslog), and specifically, may be as follows:
content_syslog = '''%%QCLOUD_SNMP/{}:Direction={},AlarmThreshold={},AlarmNum={},InterfaceName={}.'''.format(attr_name, Direction, AlarmThreshold, num, port)
%%QCLOUD_SNMP represents network management data of a specified device; the specific parameters passed in are written into the { } placeholders. Assume that the data passed into the { } after %%QCLOUD_SNMP/ is traffic. Correspondingly, Direction (flow direction), AlarmThreshold (flow alarm threshold), AlarmNum (flow alarm number), and InterfaceName (port number) are the key field objects for representing abnormal events.
In this embodiment of the present specification, after the standard format template corresponding to a certain piece of abnormal data is determined, the specific parameters in the abnormal data may be written into the standard format template, so as to obtain the standard format data. With the standard format template above, for example, the direction of the traffic in the abnormal data is passed into Direction={}.
In the embodiment of the present specification, when it is determined that the network device is abnormal, the abnormal data is converted into data in a standard format, so that different abnormal data can be uniformly identified.
S205: Matching the abnormal event template to the standard format data based on the first regular expression corresponding to the abnormal event template in the abnormal event template library.
In an embodiment of the present specification, the first regular expression may define a string matching the abnormal event template. Specifically, as shown in fig. 4, the matching of the abnormal event template to the standard format data based on the first regular expression corresponding to the abnormal event template in the abnormal event template library may include:
S2051: Determining a first regular expression corresponding to an abnormal event template in an abnormal event template library;
S2053: Judging whether the standard format data comprises a character string defined by a first regular expression corresponding to an abnormal event template;
S2055: When the standard format data comprises a character string defined by a first regular expression corresponding to the abnormal event template, taking the abnormal event template corresponding to the character string defined by the first regular expression in the standard format data as the matched abnormal event template.
In a specific embodiment, assume an abnormal event template corresponding to a port abnormality. The character string defined by the first regular expression of this template, i.e. the string that matches the template, may be %%IFNET/3/PUY_UPDOWN; that is, when the standard format data includes %%IFNET/3/PUY_UPDOWN, the abnormal event template corresponding to the port abnormality may be used as the matched abnormal event template.
In this embodiment of the present specification, the abnormal event template library may include abnormal event templates corresponding to a large number of abnormal events, and specifically, as shown in fig. 5, creating the abnormal event template library may include using the following method:
S501: Creating a plurality of initial event setting templates corresponding to the abnormal events.
S503: Setting an abnormal template parameter in each initial event setting template.
S505: Generating an abnormal event template of each abnormal event based on each initial event setting template with the set abnormal template parameters.
S507: Constructing the abnormal event template library based on the abnormal event template of each abnormal event.
Specifically, the abnormal template parameters may include a first regular expression, a second regular expression, a form of standard characterization data (i.e., an analysis pattern) of the abnormal event, and basic data of the abnormal event.
In particular, the form of the standard characterization data of an abnormal event may include a form of data that can characterize the specific situation of the abnormal event. Specifically, the basic data may include a template identifier, a template name, device manufacturer information, an event level (generally, the higher the level is, the more serious the abnormal condition is), a health level (generally, the lower the level is, the more serious the abnormal condition is), an abnormal type, an abnormal sub-category, standard format sample data, an SLA (Service-Level Agreement), and the like.
Specifically, the exception template parameter may further include a self-healing interface of the exception event. Correspondingly, when each abnormal event template is generated, a self-healing interface of the abnormal event can be set in each initial event setting template.
Specifically, the self-healing interface of the exception event may be used to invoke a self-healing policy of the exception event.
In a specific embodiment, as shown in fig. 6, fig. 6 is an abnormal event template of a port disconnection abnormal event according to an embodiment of the present application.
In addition, in practical application, if the abnormal event template is not matched, a new type of reminder can be sent to a worker so as to update the abnormal event template library.
S207: Extracting key fields in the standard format data by using a second regular expression corresponding to the matched abnormal event template.
In an embodiment of the present specification, the second regular expression defines a key string matching the abnormal event. Specifically, the extracting the key fields in the standard format data by using the second regular expression corresponding to the matched abnormal event template includes:
1) determining a second regular expression corresponding to the matched abnormal event template;
2) extracting key fields in the standard format data based on the key character strings defined by the second regular expression.
In a specific embodiment, as shown in fig. 7, fig. 7 is an abnormal event template of another port disconnection abnormal event provided by the embodiment of the present application. Specifically, as can be seen from fig. 7, the second regular expression may include "interface (-)" and "change state to (\\w+)". Based on "interface (-)" and "change state to (\\w+)", the key fields in the standard format data can be extracted: port and state change information (the state of a port includes down and up connections).
In a specific embodiment, as shown in fig. 8, fig. 8 is an abnormal event template of a traffic abnormal event according to an embodiment of the present application. Specifically, as can be seen from fig. 8, the second regular expression may include "ifName=(\\w+),", "TrafficDirection=(\\w+)" and "TrafficDirection=(\\d+)". Based on these expressions, the key fields in the standard format data can be extracted: port, traffic direction, and traffic magnitude.
S209: Generating standard characterization data for the abnormal events of the network device based on the key fields.
In this embodiment, the form of the standard representation data of the abnormal event may be determined in combination with the corresponding abnormal template, and the standard representation data of the corresponding form may be generated based on the key field. In embodiments of the present description, the standard characterization data may include data in a specified format that characterizes the particular case of the abnormal event.
Further, in some embodiments, the method may further include:
displaying standard characterization data of the abnormal events of the network equipment.
In a specific embodiment, in combination with the above abnormal event template shown in fig. 6, as shown in fig. 9, fig. 9 is a schematic diagram of standard characterization data of a port disconnection abnormal event provided in the embodiment of the present application. Specifically, as can be seen from fig. 9, a frequency histogram of port down/up is used as the standard characterization data of the port disconnection abnormal event. Specifically, the abscissa is different time points, and the ordinate is the down/up frequency.
In another specific embodiment, in combination with the above abnormal event template shown in fig. 7, as shown in fig. 10, fig. 10 is a schematic diagram of another standard characterization data of a port disconnection abnormal event provided in this embodiment of the present application. Specifically, as can be seen from fig. 10, a frequency histogram of port down/up is used as the standard characterization data of the port disconnection abnormal event. Specifically, the abscissa is different time points, and the ordinate is the down/up frequency.
In a specific embodiment, fig. 11 is an SNMP port traffic view showing a cliff-type traffic anomaly according to an embodiment of the present application. In combination with the abnormal event template shown in fig. 8, the standard characterization data of the traffic abnormal event takes the key-value form of port direction to traffic. Fig. 12 is a schematic diagram of the standard characterization data of a traffic abnormal event according to an embodiment of the present application. In fig. 12, the abscissa indicates different times, and the ordinate indicates the magnitude of the flow rate (where the flow rate in the direction is positive and the flow rate in the direction is negative).
As can be seen from the technical solutions provided by the embodiments of the present specification, network communication data of at least one data type is acquired and the abnormal data in it is converted into standard format data, so that different kinds of abnormal data can be identified uniformly. The abnormal event template of the abnormal event corresponding to the abnormal data is then matched using a first regular expression, which defines the character string matching the abnormal event template. Key fields are then extracted from the standard format data using a second regular expression, which defines the key character strings matching the abnormal event, and finally standard characterization data that characterizes the specific conditions of the abnormal event of the network device is generated based on the key fields. With the technical solution provided by the embodiments of the present specification, anomaly analysis of multidimensional network devices can be carried out quickly, anomaly analysis efficiency can be greatly improved, and manpower consumption is reduced.
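The two-stage matching summarized above can be sketched as follows. This is an added example, not code from the patent: the template names, both regular expressions, the standard-format line layout, the line-length guard and the sign convention (inbound positive, outbound negative) are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_LINE = 2048  # added guard (assumption): device logs can carry attacker-influenced text


@dataclass(frozen=True)
class EventTemplate:
    name: str
    first_regex: re.Pattern   # decides whether this template matches the line
    second_regex: re.Pattern  # captures the key fields once the template matched
    form: str                 # form of the standard characterization data


# Hypothetical template library; the patterns are illustrative assumptions.
TEMPLATE_LIBRARY: List[EventTemplate] = [
    EventTemplate(
        name="port_flap",
        first_regex=re.compile(r"changed state to (?:down|up)", re.I),
        second_regex=re.compile(
            r"time=(?P<minute>\d{2}:\d{2}):\d{2}\s.*?ifName=(?P<port>\S+)"
            r" changed state to (?P<state>down|up)", re.I),
        form="histogram",
    ),
    EventTemplate(
        name="traffic_anomaly",
        first_regex=re.compile(r"TrafficDirection="),
        second_regex=re.compile(
            r"ifName=(?P<port>[\w/]+),\s*TrafficDirection=(?P<direction>in|out),"
            r"\s*Traffic=(?P<traffic>\d+)"),
        form="key-value",
    ),
]


def match_template(line: str) -> Optional[EventTemplate]:
    """Stage 1: return the first template whose first regex occurs in the line."""
    for template in TEMPLATE_LIBRARY:
        if template.first_regex.search(line):
            return template
    return None


def extract_key_fields(template: EventTemplate, line: str) -> Optional[Dict[str, str]]:
    """Stage 2: extract the key fields with the matched template's second regex."""
    match = template.second_regex.search(line)
    return match.groupdict() if match else None


def characterize(lines: List[str]) -> dict:
    """Build standard characterization data for each abnormal event type."""
    result = {"port_flap": Counter(), "traffic_anomaly": {},
              "unmatched": [], "unparsed": [], "oversized": 0}
    for line in lines:
        if len(line) > MAX_LINE:
            result["oversized"] += 1           # never run the regexes on oversized input
            continue
        template = match_template(line)
        if template is None:
            result["unmatched"].append(line)   # candidate for a new-type reminder
            continue
        fields = extract_key_fields(template, line)
        if fields is None:
            # Template hit but key fields missing: report it, do not drop it silently.
            result["unparsed"].append((template.name, line))
            continue
        if template.form == "histogram":
            # Down/up frequency per port and time point (one-minute buckets).
            result[template.name][(fields["port"], fields["minute"])] += 1
        else:
            # Key-value form: (port, direction) -> signed traffic (sign is an assumption).
            sign = 1 if fields["direction"] == "in" else -1
            key = (fields["port"], fields["direction"])
            result[template.name][key] = sign * int(fields["traffic"])
    return result


# Constructed standard-format lines (not taken from the patent).
SAMPLE_LINES = [
    "time=10:01:03 device=sw-a ifName=10GE1/0/20 changed state to down",
    "time=10:01:09 device=sw-a ifName=10GE1/0/20 changed state to up",
    "time=10:01:41 device=sw-a ifName=10GE1/0/20 changed state to down",
    "time=10:02:05 device=sw-a ifName=10GE1/0/20 changed state to up",
    "time=10:02:30 device=sw-b ifName=TenG1/0/25, TrafficDirection=in, Traffic=120",
    "time=10:02:30 device=sw-b ifName=TenG1/0/25, TrafficDirection=out, Traffic=95",
    "time=10:03:00 device=sw-b fan tray 2 speed warning",
    "time=10:04:00 device=sw-b TrafficDirection=in",
]

if __name__ == "__main__":
    print(characterize(SAMPLE_LINES))
```

The "unparsed" bucket separates a template that hit but yielded no key fields from a line that matched no template at all, so a drifting log format is visible instead of silently producing empty characterization data.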
In other embodiments, the root cause of an anomaly in a network link may be identified by combining the standard characterization data of the abnormal events of the network devices in that link, which specifically includes:
1) Acquiring standard characterization data of the abnormal events of the network equipment in the target network link.
2) Determining a transmission direction of the target network link.
3) And determining abnormal source equipment of the target network link based on the transmission direction of the target network link and the standard characterization data of the abnormal event of the network equipment.
Specifically, in combination with the transmission direction, the first network device with an abnormal event may generally be taken as the abnormal source device. In addition, the abnormal source device of the target network link, determined based on the transmission direction of the target network link and the standard characterization data of the abnormal events of the network devices, can also be fed back to the staff for further confirmation.
In other embodiments, after the abnormal source device causing the network link abnormality is determined, a self-healing strategy may be called through the self-healing interface in the abnormal event template corresponding to the abnormal source device, so as to self-heal the abnormality. Accordingly, the method may further include:
1) Calling a self-healing strategy by using the self-healing interface in the abnormal event template corresponding to the abnormal source equipment;
2) Carrying out self-healing treatment on the abnormal source equipment based on the self-healing strategy.
In a particular embodiment, as shown in fig. 13, assume that the target network link includes a load balancer 1301, a switch 1302, a switch 1303, and a server 1304. In the switch 1302, two ports have abnormal events, and the standard characterization data of the abnormal events is shown in fig. 9. An abnormal event occurs on one port of the switch 1303, and the standard characterization data of the abnormal event is shown in fig. 10 and fig. 12. Combining the transmission direction of the target network link in fig. 13 with the standard characterization data of the abnormal events of the switch 1302 and the switch 1303, it can be determined that the switch 1302 has a chip failure, which causes port 10GE/1/0/20 to flap frequently and triggers port TenG1/0/25 DOWN on the neighboring switch 1303. This in turn triggers an upper-layer service, such as the load balancer, to automatically isolate the affected background server, which causes an abnormal-traffic alarm at the switch port where the server is located. Accordingly, the switch 1302 may be determined to be the abnormal source device, and a port isolation command may then be issued automatically through the corresponding self-healing interface. After the faulty port is isolated, the load balancer detects the health of the background server again and resumes traffic distribution, and the traffic that the SNMP flow detection algorithm reports to the platform for the port where the load balancer is located also returns to normal.
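The source-device determination and self-healing call for the fig. 13 scenario can be sketched as follows. This is an added example, not code from the patent: the device and template names, the `isolate_port` interface, the `confirm` callback standing in for staff confirmation, the assumed transmission direction (load balancer to server) and the second port name on switch 1302 are all assumptions or constructed values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AbnormalEvent:
    device: str    # device that reported the abnormal event
    template: str  # name of the matched abnormal event template
    port: str      # key field extracted through that template


def isolate_port(device: str, port: str) -> str:
    """Hypothetical self-healing interface: returns the command it would issue."""
    return f"{device}: isolate port {port}"


# Self-healing interface per abnormal event template (hypothetical names).
# The traffic template has none here: its alarm is a downstream symptom.
SELF_HEALING: Dict[str, Callable[[str, str], str]] = {"port_flap": isolate_port}


def find_source_device(link: List[str], events: List[AbnormalEvent]) -> Optional[str]:
    """Return the first device, in transmission direction, that has an abnormal event.

    `link` must list the devices in transmission direction; events reported by
    devices that are not on the link are ignored.
    """
    abnormal = {event.device for event in events}
    for device in link:
        if device in abnormal:
            return device
    return None


def plan_self_healing(
    link: List[str],
    events: List[AbnormalEvent],
    confirm: Callable[[str, AbnormalEvent], bool],
) -> Tuple[Optional[str], List[str]]:
    """Determine the source device and the self-healing commands for it only."""
    source = find_source_device(link, events)
    commands: List[str] = []
    if source is None:
        return None, commands
    for event in events:
        if event.device != source:
            continue                      # downstream devices are symptoms, not causes
        action = SELF_HEALING.get(event.template)
        if action is None or not confirm(source, event):
            continue                      # no interface, or confirmation was declined
        command = action(event.device, event.port)
        if command not in commands:       # repeated events on one port -> one command
            commands.append(command)
    return source, commands


# Constructed data modelled on fig. 13; direction load balancer -> server is assumed.
LINK = ["load-balancer-1301", "switch-1302", "switch-1303", "server-1304"]
EVENTS = [
    AbnormalEvent("switch-1303", "port_flap", "TenG1/0/25"),
    AbnormalEvent("switch-1303", "traffic_anomaly", "TenG1/0/25"),
    AbnormalEvent("switch-1302", "port_flap", "10GE/1/0/20"),
    AbnormalEvent("switch-1302", "port_flap", "10GE/1/0/20"),
    AbnormalEvent("switch-1302", "port_flap", "PORT-B"),  # constructed second port
]

if __name__ == "__main__":
    print(plan_self_healing(LINK, EVENTS, confirm=lambda device, event: True))
```

Because the result depends entirely on the order of `link`, a wrongly recorded transmission direction isolates ports on the wrong switch, which is why the confirmation step sits in front of every command.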
An embodiment of the present application further provides an abnormality identification apparatus for a network device, as shown in fig. 14, the apparatus includes:
a network communication data obtaining module 1410, configured to obtain network communication data of at least one data type of the network device;
a data format conversion module 1420, configured to, when there is abnormal data in the network communication data of the at least one data type, convert the abnormal data into standard format data;
the abnormal event template matching module 1430 is configured to perform abnormal event template matching on the standard format data based on a first regular expression corresponding to an abnormal event template in an abnormal event template library, where the first regular expression defines a character string matching the abnormal event template;
a key field extracting module 1440, configured to extract a key field in the standard format data by using a second regular expression corresponding to the matched abnormal event template, where the second regular expression defines a key character string matching an abnormal event;
an anomaly characterization module 1450, configured to generate standard characterization data of an anomaly event of the network device based on the key field.
In some embodiments, the network communication data includes at least one of the following types of data:
log data of the network device, execution command data of the network device, network diagnostic data of the network device, network management data of the network device.
In some embodiments, the data format conversion module comprises:
the data type determining unit is used for determining the data type of the abnormal data;
the standard format template acquisition unit is used for acquiring a standard format template corresponding to the data type, and the standard format template comprises a key field object representing an abnormal event;
and the standard format data conversion unit is used for converting the abnormal data into the standard format data based on the standard format template.
In some embodiments, the exceptional template matching module comprises:
the first regular expression determining unit is used for determining a first regular expression corresponding to the abnormal event template in the abnormal event template library;
the character string judging unit is used for judging whether the standard format data comprises a character string defined by a first regular expression corresponding to the abnormal event template;
and the abnormal event template determining unit is used for taking the abnormal event template corresponding to the character string defined by the first regular expression in the standard format data as the matched abnormal event template when the character string defined by the first regular expression corresponding to the abnormal event template is included in the standard format data.
In some embodiments, the key field extraction module comprises:
the second regular expression determining unit is used for determining a second regular expression corresponding to the matched abnormal event template;
and the key field extracting unit is used for extracting the key fields in the standard format data based on the key character strings defined by the second regular expression.
In some embodiments, the apparatus further comprises:
the anomaly identification algorithm group determining module is used for determining an anomaly identification algorithm group corresponding to the data type of the network communication data after the network communication data of at least one data type of the network equipment is acquired;
and the anomaly identification module is used for carrying out anomaly identification on the data of the data type based on the anomaly identification algorithm group.
In some embodiments, the apparatus further comprises:
the initial event setting template creating module is used for creating a plurality of initial event setting templates corresponding to the abnormal events;
the first model setting module is used for setting abnormal template parameters in each initial event setting template, wherein the abnormal template parameters comprise a first regular expression, a second regular expression, a form of standard representation data of an abnormal event and basic data of the abnormal event;
the abnormal event template generating module is used for generating an abnormal event template of each abnormal event based on each initial event setting template with the set abnormal template parameters;
and the abnormal event template library construction module is used for constructing the abnormal event template library based on the abnormal event template of each abnormal event.
In some embodiments, the exception template parameters further include: a self-healing interface for abnormal events;
the device further comprises:
and the second template setting module is used for setting a self-healing interface of the abnormal event in each initial event setting template.
In some embodiments, the apparatus further comprises:
the standard representation data acquisition module is used for acquiring standard representation data of an abnormal event of the network equipment in the target network link;
a transmission direction determining module, configured to determine a transmission direction of the target network link;
and the abnormal source equipment determining module is used for determining the abnormal source equipment of the target network link based on the transmission direction of the target network link and the standard representation data of the abnormal event of the network equipment.
In some embodiments, the apparatus further comprises:
the self-healing strategy calling module is used for calling a self-healing strategy by using a self-healing interface in the abnormal event template corresponding to the abnormal source equipment;
and the self-healing processing module is used for carrying out self-healing processing on the abnormal source equipment based on the self-healing strategy.
In some embodiments, the apparatus further comprises:
and the display module is used for displaying the standard representation data of the abnormal events of the network equipment.
The apparatus embodiments and the method embodiments are based on the same application concept.
The embodiment of the present application provides an abnormality recognition device of a network device, where the abnormality recognition device of the network device includes a processor and a memory, where the memory stores at least one instruction, at least one program, a code set, or an instruction set, and the at least one instruction, the at least one program, the code set, or the instruction set is loaded and executed by the processor to implement the abnormality recognition method of the network device provided in the above method embodiment.
The memory may be used to store software programs and modules, and the processor may execute various functional applications and data processing by operating the software programs and modules stored in the memory. The memory can mainly comprise a program storage area and a data storage area, wherein the program storage area can store an operating system, application programs needed by functions and the like; the storage data area may store data created according to use of the apparatus, and the like. Further, the memory may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory may also include a memory controller to provide the processor access to the memory.
The embodiment of the application also provides an architecture diagram for anomaly identification, shown in fig. 15. As seen from fig. 15, the various anomaly identification algorithms report an anomaly data source (abnormal network communication data) to a template engine (a module in the anomaly identification server) through an application program interface service. The template engine then loads templates from a database and performs abnormal event template matching on the anomaly data source (before matching, the anomaly data source may be converted into standard format data that the template engine can recognize). If an abnormal event template is matched (hit), key fields are extracted from the standard format data, and standard characterization data representing the specific conditions of the abnormal event is generated and transmitted to the front end, which implements the abnormal event query service of the front end; in addition, multi-dimensional network communication data can be analyzed at the front end based on the standard characterization data. Otherwise, if no template is matched, a new-type reminder is issued so that the template can be updated at the front end, which implements the template management of the front end.
The method provided by the embodiment of the application can be executed in a mobile terminal, a computer terminal, a server or a similar operation device. Taking running on a server as an example, fig. 16 is a hardware structure block diagram of a server for the method for identifying an abnormality of a network device according to the embodiment of the present application. As shown in fig. 16, the server 1600 may vary considerably depending on configuration or performance, and may include one or more Central Processing Units (CPUs) 1610 (the processor 1610 may include but is not limited to a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 1630 for storing data, and one or more storage media 1620 (e.g., one or more mass storage devices) for storing applications 1623 or data 1622. The memory 1630 and the storage media 1620 may be transient or persistent storage. The program stored in the storage medium 1620 may include one or more modules, and each module may include a series of instruction operations in a server. Further, the central processor 1610 may be configured to communicate with the storage medium 1620, and execute a series of instruction operations in the storage medium 1620 on the server 1600. The server 1600 may also include one or more power supplies 1660, one or more wired or wireless network interfaces 1650, one or more input/output interfaces 1640, and/or one or more operating systems 1621, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, and so on.
The input/output interface 1640 may be used to receive or transmit data over a network. Specific examples of such networks may include wireless networks provided by the communications provider of the server 1600. In one example, the input/output interface 1640 includes a network adapter (Network Interface Controller, NIC) that may be coupled to other network devices through a base station to communicate with the internet. In one example, the input/output interface 1640 may be a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
It will be understood by those skilled in the art that the structure shown in fig. 16 is merely illustrative and is not intended to limit the structure of the electronic device. For example, server 1600 may also include more or fewer components than shown in FIG. 16, or have a different configuration than shown in FIG. 16.
Embodiments of the present application further provide a storage medium, where the storage medium may be disposed in a server to store at least one instruction, at least one program, a code set, or a set of instructions related to implementing an anomaly identification method for a network device in the method embodiments, where the at least one instruction, the at least one program, the code set, or the set of instructions are loaded and executed by the processor to implement the anomaly identification method for a network device provided in the method embodiments.
Alternatively, in this embodiment, the storage medium may be located in at least one network server of a plurality of network servers of a computer network. Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
As can be seen from the above embodiments of the method, apparatus, device, server, or storage medium for identifying an anomaly of a network device provided by the present application, network communication data of at least one data type is acquired and the abnormal data in it is converted into standard format data, so that different kinds of abnormal data can be identified uniformly. The abnormal event template of the abnormal event corresponding to the abnormal data is then matched using a first regular expression, which defines the character string matching the abnormal event template. Key fields are then extracted from the standard format data using a second regular expression, which defines the key character strings matching the abnormal event, and finally standard characterization data that characterizes the specific conditions of the abnormal event of the network device is generated based on the key fields. With the technical solution provided by the embodiments of the present specification, anomaly analysis of multidimensional network devices can be carried out quickly, anomaly analysis efficiency can be greatly improved, and manpower consumption is reduced.
It should be noted that the order of the embodiments of the present application is only for description and does not represent the relative merits of the embodiments. Specific embodiments have been described above. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The embodiments in the present specification are described in a progressive manner; for the same or similar parts, the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, since the device and server embodiments are substantially similar to the method embodiments, their description is relatively brief, and for relevant points reference may be made to the corresponding parts of the description of the method embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware to implement the above embodiments, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk, an optical disk, or the like.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (13)

1. An anomaly identification method for a network device, the method comprising:
obtaining network communication data of at least one data type of a network device;
when abnormal data exists in the network communication data of the at least one data type, converting the abnormal data into standard format data;
matching the abnormal event template to the standard format data based on a first regular expression corresponding to the abnormal event template in an abnormal event template library, wherein the first regular expression defines a character string matched with the abnormal event template, and the abnormal event template library is obtained by adopting the following method: creating a plurality of initial event setting templates corresponding to the abnormal events; setting abnormal template parameters in each initial event setting template, wherein the abnormal template parameters comprise a first regular expression, a second regular expression, a form of standard representation data of an abnormal event and basic data of the abnormal event; generating an abnormal event template of each abnormal event based on each initial event setting template with the set abnormal template parameters; constructing the abnormal event template library based on the abnormal event template of each abnormal event;
extracting key fields in the standard format data by using a second regular expression corresponding to the matched abnormal event template, wherein the second regular expression defines key character strings matched with abnormal events;
generating standard characterization data for the network device's exceptional events based on the key fields.
2. The method of claim 1, wherein the network communication data includes at least one of the following types of data:
log data of the network device, execution command data of the network device, network diagnostic data of the network device, network management data of the network device.
3. The method of claim 1, wherein converting the anomaly data into standard format data comprises:
determining a data type of the abnormal data;
acquiring a standard format template corresponding to the data type, wherein the standard format template comprises a key field object for representing an abnormal event;
converting the exception data into the standard format data based on the standard format template.
4. The method of claim 1, wherein the matching of the abnormal event template to the standard format data based on the first regular expression corresponding to the abnormal event template in the abnormal event template library comprises:
determining a first regular expression corresponding to an abnormal event template in an abnormal event template library;
judging whether the standard format data comprises a character string defined by a first regular expression corresponding to an abnormal event template;
and when the standard format data comprises a character string defined by a first regular expression corresponding to the abnormal event template, taking the abnormal event template corresponding to the character string defined by the first regular expression in the standard format data as the matched abnormal event template.
5. The method of claim 1, wherein the extracting key fields in the standard-format data by using the second regular expression corresponding to the matched abnormal event template comprises:
determining a second regular expression corresponding to the matched abnormal event template;
and extracting key fields in the standard format data based on the key character strings defined by the second regular expression.
6. The method of claim 1, wherein after obtaining network communication data of at least one data type of a network device, the method further comprises:
determining an anomaly identification algorithm group corresponding to the data type of the network communication data;
and performing anomaly identification on the data of the data type based on the anomaly identification algorithm group.
7. The method of claim 1, wherein the exception template parameters further comprise: a self-healing interface for abnormal events;
the method further comprises the following steps: and setting a self-healing interface of the abnormal event in each initial event setting template.
8. The method of claim 1, further comprising:
acquiring standard representation data of an abnormal event of network equipment in a target network link;
determining a transmission direction of the target network link;
and determining abnormal source equipment of the target network link based on the transmission direction of the target network link and the standard characterization data of the abnormal event of the network equipment.
9. The method of claim 8, further comprising:
calling a self-healing strategy by using a self-healing interface in an abnormal event template corresponding to the abnormal source equipment;
and carrying out self-healing treatment on the abnormal source equipment based on the self-healing strategy.
10. The method of claim 1, further comprising:
and displaying standard characterization data of the abnormal events of the network equipment.
11. An abnormality recognition apparatus of a network device, characterized in that the apparatus comprises:
the network communication data acquisition module is used for acquiring network communication data of at least one data type of the network equipment;
the data format conversion module is used for converting the abnormal data into standard format data when the abnormal data exists in the network communication data of the at least one data type;
an abnormal event template matching module, configured to perform abnormal event template matching on the standard format data based on a first regular expression corresponding to an abnormal event template in an abnormal event template library, where the first regular expression defines a character string matching the abnormal event template, and the abnormal event template library is obtained by using the following modules: the initial event setting template creating module is used for creating a plurality of initial event setting templates corresponding to the abnormal events; the first model setting module is used for setting abnormal template parameters in each initial event setting template, wherein the abnormal template parameters comprise a first regular expression, a second regular expression, a form of standard representation data of an abnormal event and basic data of the abnormal event; the abnormal event template generating module is used for generating an abnormal event template of each abnormal event based on each initial event setting template with the set abnormal template parameters; the abnormal event template library construction module is used for constructing the abnormal event template library based on the abnormal event template of each abnormal event;
the key field extraction module is used for extracting the key fields in the standard format data by using a second regular expression corresponding to the matched abnormal event template, wherein the second regular expression defines a key character string matched with the abnormal event;
and the abnormity characterization module is used for generating standard characterization data of the abnormal events of the network equipment based on the key fields.
12. An anomaly recognition device of a network device, characterized in that said device comprises a processor and a memory, said memory having stored therein at least one instruction, at least one program, set of codes or set of instructions, said at least one instruction, said at least one program, set of codes or set of instructions being loaded and executed by said processor to implement the anomaly recognition method of a network device according to any one of claims 1 to 10.
13. A computer-readable storage medium, having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, which is loaded and executed by a processor to implement the method of anomaly identification for a network device according to any one of claims 1 to 10.
CN201910730389.8A 2019-08-08 2019-08-08 Method, device, equipment and storage medium for identifying abnormality of network equipment Active CN111181759B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910730389.8A CN111181759B (en) 2019-08-08 2019-08-08 Method, device, equipment and storage medium for identifying abnormality of network equipment

Publications (2)

Publication Number Publication Date
CN111181759A CN111181759A (en) 2020-05-19
CN111181759B CN111181759B (en) 2021-09-14

Family

ID=70657064

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910730389.8A Active CN111181759B (en) 2019-08-08 2019-08-08 Method, device, equipment and storage medium for identifying abnormality of network equipment

Country Status (1)

Country Link
CN (1) CN111181759B (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007073759A1 (en) * 2005-12-28 2007-07-05 Telecom Italia S.P.A. A method for the approximate matching of regular expressions, in particular for generating intervention workflows in a telecommunication network
CN105959324A (en) * 2016-07-15 2016-09-21 江苏博智软件科技有限公司 Regular matching-based network attack detection method and apparatus
CN106453438B (en) * 2016-12-23 2019-12-10 北京奇虎科技有限公司 Network attack identification method and device
CN108683687B (en) * 2018-06-29 2021-08-10 北京奇虎科技有限公司 Network attack identification method and system
CN110012005B (en) * 2019-03-29 2022-05-06 新华三大数据技术有限公司 Method and device for identifying abnormal data, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN111181759A (en) 2020-05-19

Similar Documents

Publication Publication Date Title
US10084681B2 (en) Method and system for monitoring server cluster
WO2019223062A1 (en) Method and system for processing system exceptions
CN107508722B (en) Service monitoring method and device
CN108521339B (en) Feedback type node fault processing method and system based on cluster log
CN111162950B (en) Fault event processing method, device and system
CN110620790A (en) Network security device linkage processing method and device
CN111866016A (en) Log analysis method and system
CN112769605B (en) Heterogeneous multi-cloud operation and maintenance management method and hybrid cloud platform
CN111767173A (en) Network equipment data processing method and device, computer equipment and storage medium
CN111147306B (en) Fault analysis method and device of Internet of things equipment and Internet of things platform
CN113704052A (en) Micro-service architecture operation and maintenance system, method, equipment and medium
CN113760677A (en) Abnormal link analysis method, device, equipment and storage medium
US9922539B1 (en) System and method of telecommunication network infrastructure alarms queuing and multi-threading
CN113419935B (en) Mobile terminal performance monitoring method, device, equipment and storage medium
CN111181759B (en) Method, device, equipment and storage medium for identifying abnormality of network equipment
CN115202958A (en) Power abnormity monitoring method and device, electronic equipment and storage medium
CN110609761B (en) Method and device for determining fault source, storage medium and electronic equipment
CN104516970B (en) A kind of method and apparatus for carrying out log analysis
CN115102838B (en) Emergency processing method and device for server downtime risk and electronic equipment
CN116192607A (en) Fault alarm method and device
CN113722135A (en) Error log acquisition system, method, device and medium
CN114650211A (en) Fault repairing method, device, electronic equipment and computer readable storage medium
CN115705259A (en) Fault processing method, related device and storage medium
CN209746400U (en) IT equipment monitoring and management system
CN112769923A (en) Method, device and storage medium for monitoring network equipment performance index in big data scene

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant