JP2017139580A - Communication analyzing apparatus and communication analysis program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To estimate an application and its utilization state relating to a sensory quality of a user.SOLUTION: The present invention relates to a communication analyzing apparatus for analyzing traffic of a communication. The communication analyzing apparatus is characterized in that the traffic is divided for each flow, a feature amount for each flow is acquired based on divided flow data, and a corresponding application and a utilization state of the application are estimated for each flow based on the acquired feature amount. Transition information describing a parameter value indicating easiness of transition from a first utilization state to a second utilization state is held for each application, an estimation result of a utilization state estimation part is classified for each user, an application corresponding to each user is discriminated, and transition probability information corresponding to the application is used to discriminate the utilization state of the application.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a communication analysis apparatus and a communication analysis program, and can be applied to, for example, a network monitoring apparatus that performs network monitoring using communication traffic statistics.

  As a network monitoring device for monitoring a network using a result of analyzing conventional traffic (communication analysis), a so-called 5-tuples (source address and port, destination address) is referred to without referring to the payload (data portion) of communication traffic. And a port and a protocol number) are analyzed as a series of flows. As a conventional apparatus for analyzing the flow of communication traffic, there is an apparatus described in Patent Document 1.

  In the device (traffic monitoring device) described in Patent Document 1, the statistical values (minimum value, 25% value, median value, 75% value, maximum value, average value) of the packet size of packets transmitted and received as the statistical value of the flow. , Dispersion value, etc.) and packet arrival interval statistic values (minimum value, 25% value, median value, 75% value, maximum value, average value, dispersion value, etc.) at the time of a specific number of packets And an application estimation unit for estimating the application to be used based on the degree of similarity between data provided as teacher data prepared in advance.

JP 2013-127504 A

  However, if the application generates multiple flows and uses different flows for different purposes, such as a flow for starting control of the application, a flow for transferring data, a flow for updating information by user operation, etc. In the apparatus (for example, the traffic monitoring apparatus of Patent Document 1), each flow is identified as a different application, and therefore there is a problem that an estimation result different from the application used by the user may be obtained. It was. As a result, in the conventional apparatus, priority control of communication is not performed as an application, but priority control of individual flows is performed, and there is a problem in that the quality of experience of the user cannot be improved. For example, when an advertisement moving image content is included in a normal web service, there is a possibility that priority is given to the flow of transferring the advertisement moving image. In this case, since the priority of the web service used by the user is relatively lowered, it is considered that the user's quality of experience is deteriorated. However, it has been difficult to detect this point with a conventional apparatus.

  Therefore, there is a demand for a communication analysis device and a communication analysis program that can estimate an application related to a user's quality of experience and a usage state thereof.

  The communication analysis device according to the first aspect of the present invention includes (1) a flow dividing unit that divides data of traffic to be analyzed for each flow and obtains flow data, and (2) statistical information of flow data for each flow. (3) a usage state estimation unit that estimates an application usage state of an application corresponding to the flow based on the acquired feature amount for each flow; and (4) an application. A transition information holding unit that holds transition information in which a parameter value indicating the ease of transition from the first usage state to the second usage state is described, and (5) an estimation result of the usage state estimation unit Are classified for each user, the application corresponding to each user is determined, and the transition information corresponding to the application is used to use the application. And having a determination unit for determining status.

  The communication analysis program according to the second aspect of the present invention includes: (1) a flow dividing unit that acquires flow data by dividing traffic data to be analyzed for each flow; and (2) flow data for each flow. (3) a usage state estimation unit that estimates an application usage state of an application corresponding to the flow based on the acquired feature amount for each flow; 4) a transition information holding unit that holds transition information in which parameter values indicating ease of transition from the first usage state to the second usage state are described for each application; and (5) the usage state estimation unit. Categorize the estimation results for each user, determine the application corresponding to each user, and use the transition information corresponding to the application Characterized in that to function usage state of the application as a determination unit.

  The communication analysis program according to the third aspect of the present invention includes (1) a flow dividing unit that divides data of traffic to be analyzed for each flow and obtains flow data, and (2) statistical information of flow data for each flow. A feature amount extraction unit that acquires a feature amount that includes: (3) a usage state estimation unit that estimates an application corresponding to the flow and a usage state of the application based on the acquired feature amount for each flow; and (4 ) For any one of the flow data for each flow acquired by the flow dividing unit or the feature amount acquired by the feature amount extraction unit, an attention flow based on a predetermined condition is extracted, and the utilization state estimation other than the attention flow is performed And a target flow extraction unit that performs processing to be excluded from the flow processed by the unit.

  A communication analysis program according to a fourth aspect of the present invention includes: (1) a flow dividing unit that acquires flow data by dividing traffic data to be analyzed for each flow; and (2) flow data for each flow. A feature amount extraction unit that acquires a feature amount including the statistical information, and (3) a usage state estimation unit that estimates an application corresponding to the flow and a usage state of the application based on the acquired feature amount for each flow, (4) For any one of the flow data for each flow acquired by the flow dividing unit or the feature amount acquired by the feature amount extraction unit, an attention flow based on a predetermined condition is extracted, and other than the attention flow It is made to function as an attention flow extraction part which performs the process excluded from the flow which a utilization state estimation part processes.

  ADVANTAGE OF THE INVENTION According to this invention, the application relevant to a user's bodily sensation quality and its utilization condition can be estimated.

It is the block diagram shown about the functional structure of the network monitoring apparatus which concerns on 1st Embodiment. It is the block diagram shown about the example of the connection structure of the network monitoring apparatus periphery which concerns on 1st Embodiment. It is explanatory drawing (state transition diagram) shown about the transition of the utilization state of the application (ServiceA) used as the analysis object in the network monitoring apparatus which concerns on 1st Embodiment. It is explanatory drawing shown about the example of the state transition probability table | surface of the application (ServiceA) used as the analysis object in the network monitoring apparatus which concerns on 1st Embodiment. It is the flowchart shown about the operation | movement which the network monitoring apparatus which concerns on 1st Embodiment determines an application and an application utilization condition. It is the block diagram shown about the functional structure of the network monitoring apparatus which concerns on 2nd Embodiment. It is the block diagram shown about the functional structure of the network monitoring apparatus which concerns on 3rd Embodiment. It is the flowchart shown about the operation | movement at the time of the network monitoring apparatus in the modification of 1st Embodiment detecting application switching.

(A) First Embodiment Hereinafter, a first embodiment of a communication analysis device and a communication analysis program according to the present invention will be described in detail with reference to the drawings. Below, the example which applied the communication analysis apparatus and communication analysis program of this invention to the network monitoring apparatus is demonstrated.

(A-1) Configuration of the First Embodiment FIG. 2 is an explanatory diagram showing an example of a connection configuration of the network monitoring apparatus 10 according to the first embodiment. In FIG. 2, the reference numerals in parentheses are those used in the second and third embodiments described later.

  As shown in FIG. 2, the network monitoring apparatus 10 of this embodiment acquires information on network traffic from the router 30 and performs analysis processing.

  As shown in FIG. 2, the router 30 is assumed to be a gateway that relays between the network N1 and the network N2. As shown in FIG. 2, it is assumed that N terminals 20 (20-1 to 20-N) (N is an arbitrary integer equal to or greater than 1) are connected to the network N1. As shown in FIG. 2, it is assumed that L communication devices 40 (40-1 to 40-L) are connected to the network N2 (L is an arbitrary integer equal to or greater than 1). The number of devices connected to the networks N1 and N2 is not limited. Further, the network configuration from the router 30 to each terminal 20 and the network configuration from the router 30 to each communication device 40 are not limited.

  The terminal 20 is assumed to be a computer (for example, a PC, a tablet, a smart phone, etc.) in which the application 21 connected to any one of the communication devices 40 is installed. The number and types of applications installed in each terminal 20 are not limited. In this embodiment, in order to simplify the description, as a representative of each terminal 20, M (M is an arbitrary integer of 1 or more) applications 21 (21-1 to 21-M) are installed in the terminal 20-1. It will be described as being. In the terminal 20-1, one or a plurality of applications 21 are simultaneously executed, and communication processing with any one of the communication devices 40 is executed as necessary.

  The terminal 20 is a terminal used by a user (subscriber) connected to a communication carrier, for example. In this embodiment, it is assumed that each terminal 20 is assigned a separate IP address. In the following description, it is assumed that the IP addresses of the terminals 20-1 to 20-N are X1 to XN, respectively. In other words, in this embodiment, the network monitoring apparatus 10 performs network monitoring (analysis of communication traffic) by regarding each terminal 20 (each IP address) as one user. Specifically, the network monitoring device 10 of this embodiment is a device that monitors (analyzes) each user's traffic (traffic transmitted / received using the IP address of each terminal 20) as a monitoring target (analysis target). It shall be. Then, the network monitoring apparatus 10 analyzes each user's traffic (traffic transmitted / received using the IP address of each terminal 20), and in each user (the terminal 20 used by each user) It determines (estimates) the related application and its usage state, and outputs the determination result. The output destination of the determination result of the network monitoring device 10 is not limited, and may be output to, for example, a bandwidth control device (not shown) or a communication control device (controller) that manages bandwidth control settings. Then, in the output destination device, bandwidth control for each user (for each IP address of each terminal 20) using the determination result of the network monitoring device 10 (for example, processing for preferentially allocating the bandwidth to the flow corresponding to the determination result, etc. ) Can improve the user's quality of experience.

  The communication device 40 is a device that communicates with the terminal 20 (application 21). Although the configuration of the communication device 40 is not limited, for example, a server (computer) that provides various services (for example, a Web service, a database service, etc.) to the terminal 20, and an IP that performs telephone communication with the terminal 20 Applicable to telephone terminals.

  In this embodiment, it is assumed that the router 30 includes at least three interfaces 31, 32, and 33. The specifications of the interfaces 31, 32, and 33 are not limited. For example, various Ethernet (registered trademark) interfaces can be applied. In the example of this embodiment, in the router 30, the interface 31 is an interface connected to the network on the terminal 20 side, the interface 32 is an interface connected to the communication device 40 side, and the interface 33 is connected to the network monitoring device 10. It is assumed to be an interface. In FIG. 2, only the communication between the terminal 20 and the communication device 40 is shown as the traffic relayed by the router 30 for the sake of simplicity. However, the router 30 does not communicate with other nodes. Of course, it may be configured to relay.

  In this embodiment, the router 30 is set so that traffic (packets) of the interface 31 is copied and output to the interface 32 in real time by the mirroring function or the like (for example, setting by the port mirror function). It shall be. As a result, the network monitoring apparatus 10 can acquire traffic (packet) data of the router 30 (interface 31). Note that the configuration for the network monitoring device 10 to acquire traffic data is not limited to the configuration in FIG. For example, the network monitoring device 10 may be arranged in the previous stage of the router 30 (between the router 30 and the terminal 20) to copy traffic (packets) input / output by the router 30 (interface 31). Then, a signal supplied to the router 30 from the terminal 20 side is branched by a tap (splitter) or the like, and traffic (packets) input / output by the router 30 (interface 31) is supplied to the network monitoring device 10. Also good.

  Next, the internal configuration of the network monitoring apparatus 10 will be described with reference to FIG.

  The network monitoring device 10 includes a flow dividing unit 11, an estimating unit 12, a UX determining unit 13, and a state transition probability table storage unit 14. The estimation unit 12 includes an application switching detection unit 121, a feature amount extraction unit 122, and an application usage state estimation unit 123.

  For example, the network monitoring apparatus 10 may be realized by installing a program (including the communication analysis program according to the embodiment) in a computer having a processor and a memory. Further, in the network monitoring apparatus 10, a part or all of the processing may be realized by hardware (for example, a dedicated semiconductor chip).

  The flow division unit 11 performs a process of dividing (classifying) the traffic to be monitored (in this embodiment, traffic input to and output from the interface 31 of the router 30) for each flow. The flow dividing unit 11 performs a process of dividing (classifying) each flow that is a set of a series of data distinguished by, for example, 5 tuples (src IP address, dst IP address, src port, dst port, protocol). Various division methods (classification methods) can be applied to the process in which the flow dividing unit 11 classifies the traffic data for each flow. Hereinafter, the traffic data of each flow divided (classified) by the flow dividing unit 11 is also referred to as “flow data”.

  The feature quantity extraction unit 122 acquires a feature quantity (for example, various statistical values) for the flow data of each flow divided (classified) by the flow division unit 11 and supplies the feature quantity to the application usage state estimation unit 123. The feature amount extraction unit 122 includes a flow data storage unit 122a for storing the flow data supplied from the flow dividing unit 11 for each flow (for each flow ID). The feature amount extraction unit 122 performs a process of acquiring a feature amount for the flow data stored in the flow data storage unit 122a. As a feature quantity of the flow acquired by the feature quantity extraction unit 122. For example, statistical values of packet size in the flow (for example, minimum value, 25% value, median value, 75% value, maximum value, average value, variance value, etc.) and statistical values of packet arrival intervals (for example, minimum value, 25 % Value, median value, 75% value, maximum value, average value, dispersion value, etc.).

  The application usage state estimation unit 123 estimates the corresponding application usage state (the application corresponding to the flow and the usage state of the application) for each flow based on the feature amount for each flow supplied from the feature amount extraction unit 122. I do. The estimation processing method performed by the feature amount extraction unit 122 is not limited. For example, the most acquired feature amount based on teacher data in which the application usage state corresponding to the feature amount (statistical value) of the flow data is learned in advance. An application usage state similar to (correct answer data) is estimated, and the estimation result is supplied to the UX determination unit 13.

  The processing method in which the application usage state estimation unit 123 estimates the application usage state based on the feature amount for each flow is not limited. For example, the application usage state estimation unit 123 uses the machine learning device (not shown) that learns the teacher data in which the feature amount and the application usage state are associated in advance, and has the highest similarity to the teacher data. The application usage state may be output as an estimation result. Examples of general machine learners include a decision tree, a Bayesian network, and a support vector machine.

  The concept of the application estimated (determined) by the network monitoring apparatus 10 (the application usage state estimation unit 123 and the UX determination unit 13) is not limited to the type of the application 21 operating on the terminal 20, but on the application 21. It may be set as a result of classifying the contents to be processed in. For example, when the application 21-1 running on the terminal 20-1 is a Web browser, the network monitoring apparatus 10 uses the type of service accessed by the Web browser (application 21-1) (for example, EC site (electronic (Commerce transaction site), video browsing site, electronic bulletin board site, etc.) may be classified and application estimation (determination) processing may be performed. Further, the network monitoring apparatus 10 performs an estimation (determination) process for classifying a specific site (for example, an access destination URL) accessed by the Web browser as one application, not the type of service accessed by the Web browser. You may make it perform. As described above, the network monitoring apparatus 10 may classify the general-purpose application 21 such as a Web browser to the content that operates in the application 21 and determine it as one application.

  The state transition probability table storage unit 14 stores a state transition probability table 141 (transition information) used by the UX determination unit 13 described later for each application. The state transition probability table storage unit 14 stores a state transition probability table 141 for each application to be determined by the UX determination unit 13. A specific configuration of the state transition probability table 141 will be described later.

  The UX determination unit 13 acquires application usage state estimation results of a plurality of flows from the feature amount extraction unit 122, and relates to the user's quality of experience for each user based on the acquired application usage state estimation results of the plurality of flows. One application (for example, an application being operated by the user) and the application usage state are estimated. For example, when a set of flows from a specific source IP address is regarded as a trend of one user, a plurality of flows exist for a specific source IP address. In other words, the UX determination unit 13 receives application usage state estimation results of a plurality of flows (flow IDs), groups the received estimation results for each source IP address, and regards one IP address as one user. Thus, one application and the application usage state are determined (estimated) for each user. That is, the application usage state estimation unit 123 estimates the application and the application usage state for each flow, but the UX determination unit 13 determines the application and the application usage state for each user (each IP address) classified by the IP address. (decide. For example, the UX determination unit 13 regards a flow including the IP address X1 assigned to the terminal 20-1 as a transmission source or a transmission destination as a flow for one user, and an application (for example, the user concerned) ) And the usage state of the application.

  The UX determination unit 13 holds the supplied application usage state estimation result in the estimation data holding unit 131 in a format that can be managed for each user (for each IP address). Then, the UX determination unit 13 determines, for each user, one application (for example, an application that is estimated to be operated by the user) based on the application usage state estimation result held in the estimated data holding unit 131, and Determine usage status.

  Further, when estimating the user application usage state, the UX determination unit 13 acquires the state transition probability table 141 corresponding to the determined application from the state transition probability table 141, and based on the acquired state transition probability table 141. To determine at least one application usage state of the user. In the UX determination unit 13, based on the referenced state transition probability table 141, the degree of ease of state transition from the current usage state to the next usage state (for example, the state from the current usage state to the next usage state) Considering the probability of transition), a likely state is estimated as a user application use state.

  In this embodiment, the estimation data holding unit 131 is described as holding an application usage state estimation result supplied during the most recent predetermined period (for example, the period of the past 5 seconds to 10 seconds). That is, the estimated data holding unit 131 discards the application usage state estimation result supplied before a predetermined period (hereinafter, this period is expressed as “T1”) from the current time point, and the application usage state for the latest T1 period. Based on the estimation result, a process for determining each user's application and application usage state is performed. Further, in this embodiment, the estimated data holding unit 131 is based on the application usage state estimation result held in the estimated data holding unit 131 for each predetermined period (hereinafter, this period is expressed as “T2”). It is assumed that processing for determining a user application and an application usage state is performed. Although the period of T1 and T2 is arbitrary, in this embodiment, T2 is demonstrated as a period below T1.

  The application switching detection unit 121 detects in the UX determination unit 13 that a user whose application has been switched has occurred, controls the feature amount extraction unit 122, and resets (ends) the feature amount extraction of the flow corresponding to the user. )

  For example, when the UX determination unit 13 detects that a user whose application has been switched has occurred, the application switching detection unit 121 may notify the feature amount extraction unit 122 of the flow ID related to the user. Then, the feature quantity extraction unit 122 may stop the feature quantity extraction of the notified flow ID and discard the retained flow data.

  Further, when a user whose application has been switched occurs in the UX determination unit 13, the application usage state estimation result relating to the user held in the estimated data holding unit 131 may be discarded.

  Next, the detailed configuration of the state transition probability table 141 will be described with reference to FIGS.

  In the following, it is assumed that the application 21-1 on the terminal 20 is a Web browser as an example of the application. In the following, the application 21-1 (Web browser) on the terminal 20 accesses an arbitrary EC site (electronic commerce site) and performs service processing as one application (hereinafter, the identifier of the application is “ServiceA”). A description will be given of an example.

  FIG. 3 is an explanatory diagram showing state transitions when the application usage status of ServiceA is classified into any of the six types of top, click, search, view_cart, login, checkout, and logout.

  Hereinafter, examples of application usage states of Service A will be described. Here, it is assumed that Service A is not particularly limited, and various EC sites (electronic commerce sites) can be applied. Note that the network monitoring apparatus 10 may determine only a specific EC site as Service A.

  Here, “top” indicates a state in which the terminal 20 (application 21-1) accesses the top page of Service A (EC site) and displays the top page.

  “Click” indicates a state in which an operation of clicking a button for adding any product to the cart is performed on Service A (EC site) and processing for adding the product to the cart is performed.

  “Search” is a state in which an operation for searching for a product (for example, inputting a keyword and pressing the “search” button) is performed in Service A (EC site), and search processing and search result display processing are performed. It shall be shown.

  “View_cart” indicates a state in which an operation for confirming the contents of the cart is performed in Service A (EC site) and processing for displaying the contents of the cart is performed.

  “Login” indicates a state in which a login operation (for example, a login ID and password input operation) is performed in Service A (EC site) and the login is executed.

  “Checkout” indicates a state in which an operation for purchasing a product purchase in the cart (for example, receiving an operation for a delivery destination or a payment method) is executed in Service A (EC site), and a settlement process for the product purchase is executed. Shall.

  “Login” indicates a state where a logout operation (for example, a button pressing operation corresponding to logout) is performed and logoff is performed in Service A (EC site).

  As shown in FIG. 3, it is assumed that the application usage states (top, click, search, view_cart, login, checkout, and logout) that constitute ServiceA are all capable of transiting to each other. For example, as shown in FIG. 3, it is possible to transition from “top” of Service A to all other usage states (click, search, view_cart, login, checkout, logout). As shown in FIG. 3, it is possible to similarly transition from the application usage state other than the top to all other application usage states.

  Then, when the service A state transition probability table 141 is represented, for example, the contents are as shown in FIG.

  The state transition probability table 141 of Service A shown in FIG. 4 represents a transition probability from each application usage state to the next application usage state (including a probability that the next application usage state is the same as the current one) in a matrix format. It has become the contents.

  For example, in FIG. 4, when the current application usage state is “top”, the transition probability that the application usage state is “top” again (for example, the probability that a web browser is reloaded) is 0.01. Yes. Similarly, in FIG. 4, the transition probability from “top” to “click” is 0.3, the transition probability from “top” to “search” is 0.3, and the transition probability from “top” to “view_cart” is 0.2, the transition probability from “top” to “login” is 0.1, the transition probability from “top” to “checkout” is 0.01, and the transition probability from “top” to “logout” is 0. 05. In the matrix shown in FIG. 4, the parameter values of the transition probabilities for the next application usage state are registered in the same manner for other application usage states (click, search, view_cart, login, checkout, logout).

  For each numerical value set in the state transition probability table 141, an arbitrary value may be set based on an application state transition (for example, a state transition diagram as shown in FIG. 3) or an actual user usage tendency. Good. Further, the actual usage situation of the user may be analyzed, and the totaled result may be reflected in the state transition probability table 141. The parameter value set in the state transition probability table 141 is not limited to the transition probability as long as it is a parameter value indicating the degree of ease of state transition, and simply indicates the weight (degree of ease of state transition). It may be a coefficient (weighting coefficient), and it is only necessary that the table is matched (matched as a relative value).

(A-2) Operation of First Embodiment Next, the operation of the network monitoring device 10 of the first embodiment having the above configuration will be described.

  First, an outline of the operation of the network monitoring apparatus 10 will be described with reference to FIGS. 1 and 2.

  Hereinafter, a case where the above-described Service A (EC site) is executed as an application by the application 21-1 (Web browser) of the terminal 20-1 will be described as an example.

  First, the application 21-1 (Web browser) is operated by a user operation on the terminal 20-1, and traffic (packet transmission / reception) occurs between the terminal 20 (application 21-1) and the communication device 40-1. Shall.

  When traffic is generated between the terminal 20-1 and the communication device 40-1, traffic (packets) of the router 30 (interface 31 connected to the terminal 20 side) is supplied to the network monitoring device 10 (flow dividing unit 11). Will be.

  When the traffic is supplied, the flow dividing unit 11 of the network monitoring apparatus 10 supplies the flow data obtained by classifying the traffic (packet) for each flow to the estimating unit 12 (feature amount extracting unit 122). At this time, the flow dividing unit 11 divides and manages a set of packets distinguished by, for example, 5-tuples as a flow.

  In the estimation unit 12, the flow data supplied from the flow division unit 11 is acquired by the feature amount extraction unit 122. The feature amount extraction unit 122 manages flow data by assigning an ID to each flow. The feature quantity extraction unit 122 manages each flow (each flow ID) stored in the flow data storage unit 122a. Then, the feature amount extraction unit 122 acquires the feature amount (statistical value) of each flow based on the flow data stored in the feature amount extraction unit 122.

  The feature amount extraction unit 122 manages the flow data for each flow ID, extracts the feature amount for the flow for which a predetermined timing has passed, and supplies the extracted feature amount information to the application usage state estimation unit 123. For example, with respect to a TCP flow, the feature amount extraction unit 122 generates a timing when a packet in which a specific flag is set in a header (for example, a packet in which Fin / Rst is set in a TCP header) or a packet does not arrive. The feature amount may be calculated in response to a timing when the period has elapsed for a certain time or more. At this time, the feature quantity extraction unit 122 calculates information that can identify 5 tuples in the flow feature quantity (if the flow ID and 5 tuples are managed in association with each other, the flow ID alone may be used), or may be calculated. Add information related to the packet of the flow data that is the source of the feature value (for example, information such as the number of packets from the beginning and the feature value based on the number of packets from the first packet) The application usage state estimation unit 123 may be supplied.

  The application usage state estimation unit 123 estimates the application usage state corresponding to the flow based on the information including the flow feature amount supplied from the feature amount extraction unit 122. Then, the application usage state estimation unit 123 supplies the application usage state estimation result to the UX determination unit 13 for each flow ID.

  The UX determination unit 13 receives the application usage state estimation results of a plurality of flows (flow IDs) from the estimation unit 12. Then, the UX determination unit 13 classifies the received application usage state estimation results for each user and stores them in the estimated data holding unit 131. Then, the UX determination unit 13 determines one application and the application usage state of the application for each user based on the application usage state estimation result stored in the UX determination unit 13.

  Next, an example of the operation of the UX determination unit 13 will be described using the flowchart of FIG.

  Hereinafter, an example in which the determination is performed on the terminal 20-1 (user of the IP address X1) will be described.

  Here, first, it is assumed that the application usage state estimation unit 123 starts supplying the application usage state estimation result of the terminal 20-1 (the user of the IP address X1) to the UX determination unit 13. The UX determination unit 13 classifies the received application usage state estimation result as a user of the IP address X1, and stores the result in the estimation data holding unit 131. Then, the UX determination unit 13 performs processing for determining one application and an application usage state of the application for the user of the IP address X1 (S101).

  At this time, the UX determination unit 13 determines the application with the largest number of application usage state estimation results (the number held in the estimated data holding unit 131) and the application usage state with the largest number of the applications as an initial determination result. You may make it.

  Next, the UX determination unit 13 acquires the state transition probability table 141 corresponding to the application determined in step S101. Then, the UX determination unit 13 acquires a state transition probability from the application usage state determined last time to each application usage state, and calculates an evaluation value indicating the likelihood of transition to each application usage state (S102).

  The UX determination unit 13 determines transition of the application usage state (determination within the same application as the previous time) based on the calculated evaluation value and determination of application change (S103). When the application change is not determined (detected), the UX determination unit 13 determines the application use state based on the calculated total value as the current determination result, and returns to step S102 to operate. Moreover, the UX determination part 13 returns to above-mentioned step S101, and operate | moves, when the change of an application is determined (detected).

  Next, the application usage state determination process performed by the UX determination unit 13 in steps S102 and S103 described above will be described.

  The UX determination unit 13 uses the value obtained by multiplying the number of each application usage state (the number of application usage state estimation results held in the estimated data holding unit 131 for each application usage state) by the acquired transition probability. Acquired as an evaluation value of usage status. In this case, the number of application usage states (the number of application usage state estimation results held in the estimated data holding unit 131 for each application usage state) indicates the number of flows generated for the application usage state. . For example, it is assumed that the application use state determined last time (including the result determined as the initial state) is the top state of ServiceA. In this case, the UX determination unit 13 calculates an evaluation value of each application usage state by a calculation process of (number of top flows) x (transition probability), (number of click flows) x (transition probability),. To do. Then, the UX determination unit 13 determines the application usage state having the highest evaluation value as the current application usage state.

  Here, as a specific example, it is assumed that Service A as the previous application and “top” as the application usage state are determined for the user of the IP address X1. As shown in FIG. 4, the transition probability to each application usage state in the case of Top of Service A is “top: 0.01, click: 0.3, search: 0.3, view_cart: 0.2, login: 0.1, checkout: 0.01, logout 0.05 ". Here, it is assumed that the number of flows in each application usage state is “top: 0, click: 1, search: 3, view_cart: 1, login: 1, checkout: 0, logout: 0”. Then, the evaluation value of each application usage state is “top: 0, click: 0.3, search: 0.9, view_cart: 0.2, login: 0.2, checkout: 0, logout: 0”. Therefore, in this case, the UX determination unit 13 determines the search having the largest evaluation value as the current application usage state of the user having the IP address X1.

  Next, the application change detection process performed by the UX determination unit 13 in step S103 described above will be described.

  For example, the UX determination unit 13 changes the application (the application operated by the user) based on the number of flows for each application (the number of application usage state estimation results held in the estimation data holding unit 131 for each application usage state). Change).

  For example, the UX determination unit 13 may detect an application change by using the same application and flow number as the previously determined application. Specifically, the UX determination unit 13 calculates, as an index, (number of flows estimated to be the same application as the previous time) / (number of flows estimated to be an application different from the previous time). If it is small, it may be detected that the application has been changed, and if the index is 1 or more, it may be detected that the application has not been changed. Further, for example, when there is an application having a larger number of flows than the previously determined application, the UX determination unit 13 may detect a change in the application.

  As described above, the UX determination unit 13 continues the application use state determination process using the same state transition probability table for each user while it is determined as the same application, and changes to another application. If it is determined, the process is restarted from the application determination process.

  Then, when the application switching detection unit 121 detects a user whose application change is determined by the UX determination unit 13, the application switching detection unit 121 controls the flow feature amount extraction unit 122 to feature the user (IP address) whose application has been changed. The amount calculation is reset, and the feature amount calculation for the application after switching is started.

(A-3) Effects of First Embodiment According to the first embodiment, the following effects can be achieved.

  The network monitoring apparatus 10 can estimate one application and its use state for one user by considering one IP address as one user (terminal) instead of application estimation for each flow.

  In addition, since the network monitoring apparatus 10 can perform estimation with high accuracy in consideration of the transition probability for each application, even when the determination result of the network monitoring apparatus 10 is used for bandwidth control or the like, the user experience quality is unlikely to deteriorate. There is an effect.

(B) Second Embodiment Hereinafter, a second embodiment of a communication analysis apparatus and a communication analysis program according to the present invention will be described in detail with reference to the drawings. Below, the example which applied the communication analysis apparatus and communication analysis program of this invention to the network monitoring apparatus is demonstrated.

(B-1) Configuration of Second Embodiment An example of the overall configuration of the second embodiment can also be shown using FIG. 2 described above.

  FIG. 6 is an explanatory diagram showing the functional configuration of the network monitoring apparatus 10A of the second embodiment, and the same or corresponding parts are denoted by the same or corresponding reference numerals. Hereinafter, the difference between the network monitoring apparatus 10A of the second embodiment and the first embodiment will be described.

  The network monitoring device 10A according to the second embodiment includes a flow dividing unit 11, an estimating unit 12A, an application switching detecting unit 121A, and an attention flow extracting unit 15. Further, the estimation unit 12A includes a feature amount extraction unit 122 and a flow data storage unit 122a.

  Since the flow dividing unit 11 has the same configuration as that of the first embodiment, detailed description thereof is omitted. The flow dividing unit 11 supplies the flow data divided for each flow to the target flow extracting unit 15.

  The target flow extraction unit 15 receives the flow data from the flow division unit 11, divides the flow into a flow to be estimated by the estimation unit 12A and a flow not to be estimated, and supplies only the flow to be estimated to the estimation unit 12A. In other words, the attention flow extraction unit 15 excludes a flow that does not need to be estimated (a flow that can be regarded as not related to the user's quality of experience) and extracts only a flow that needs to be estimated (a flow that should be noted). I do. Also, the attention flow extraction unit 15 changes the extraction method of the attention flow when receiving the application switching from the application switching detection unit 121A. Details of the flow extraction method by the attention flow extraction unit 15 will be described later.

  Since the feature quantity extraction unit 122 itself of the estimation unit 12A has the same configuration as that of the first embodiment, detailed description thereof will be omitted. The feature amount extraction unit 122 extracts feature amounts from the flow data of the flow extracted by the attention flow extraction unit 15, and supplies the extraction result to the application usage state estimation unit 123A.

  The application usage state estimation unit 123A performs processing for estimating the application and the application usage state of the application for each feature amount (for each flow) supplied from the feature amount extraction unit 122, and the estimation result (the application and the application state). A process of outputting (application usage status) (outputting as a determination result of the network monitoring apparatus 10A) is performed. Then, the application usage state estimation unit 123A also supplies the application usage state estimation result to the application switching detection unit 121A.

  The application usage state estimation unit 123A also supplies the estimation result to the application switching detection unit 121A.

  Further, the application usage state estimation unit 123A performs a process of feeding back information of a flow that does not require estimation to the attention flow extraction unit 15. For example, when the application usage state estimation unit 123A performs an estimation process on a certain flow and the type of application is not related to the user's experience quality (for example, a list of applications related to the user's experience quality is registered in advance. If the application is not in the list, the flow may be determined as a flow that does not require estimation. When the flow information that does not need to be estimated is fed back from the application usage state estimation unit 123A, the attention flow extraction unit 15 excludes the corresponding flow from the attention flow.

  The application switching detection unit 121A detects application switching for each user (for each IP address) based on data received from the feature amount extraction unit 122 and the application usage state estimation unit 123A. Then, the application usage state estimation unit 123 </ b> A controls the flow extraction contents to be reset for the user (IP address) for which application switching has occurred.

(B-2) Operation of Second Embodiment Next, the operation of the network monitoring apparatus 10A of the second embodiment having the above configuration will be described.

  First, when traffic is supplied, the flow dividing unit 11 of the network monitoring apparatus 10 </ b> A classifies the traffic (packet) for each flow, and supplies the classified flow data to the target flow extracting unit 15.

  The flow-of-interest extraction unit 15 divides the flow into the flow to be sent to the estimation unit 12A and the flow not to be sent according to the input features for each flow. By the way, the network monitoring apparatus of the present invention mainly performs an application usage state estimation for the purpose of improving the user's experience quality, and therefore, it is desirable to perform processing focusing on the flow generated by the user operation as much as possible. . Therefore, it is desirable that the attention flow extraction unit 15 selects (extracts) a flow having a high degree of contribution to the user's experience quality for each user. For example, the target flow extraction unit 15 performs Fourier transform on the packet arrival interval, and if the periodicity can be confirmed, it is regarded as a mechanically transmitted flow (for example, a file transfer or periodic synchronization processing flow) and is estimated. Processing that is not sent to the unit 12A (excluded from the attention flow) may be performed. Further, for example, the attention flow extraction unit 15 may select (extract) 10% of the flows transmitted and received by each user (each IP address) based on the flow generation time and the like. For example, the attention flow extraction unit 15 selects 10% of each user (each IP address) from the newest generated time (communication start time) in order from the newest time, thereby stabilizing the long-lasting data. It is also possible to select (extract) flows that are likely to affect the user's quality of experience by excluding flows that have been transferred or flows that have already timed out.

  The feature amount extraction unit 122 of the estimation unit 12A acquires the feature amount of each flow based on each flow data supplied from the target flow extraction unit 15 (acquired by the same process as in the first embodiment), and uses the application. It supplies to state estimation part 123A. In addition, when the feature amount extraction unit 122 detects the end of the flow (for example, when the flow data includes a packet including a flow end flag such as Fin / Rst), the feature switching unit 122 notifies that fact. It supplies to 121A.

  Based on the feature amount for each flow supplied from the feature amount extraction unit 122, the application use state estimation unit 123A obtains the application for each flow and the application use state estimation result of the application. Then, the application usage state estimation unit 123A outputs the estimation result (the application and the application usage state estimation result of the application) as the determination result of the network monitoring device 10A. The application usage state estimation unit 123A also supplies the above estimation result to the application switching detection unit 121A.

  The application switching detection unit 121A detects switching of each user's application based on information supplied from the feature amount extraction unit 122 and the application usage state estimation unit 123A. For example, for each user, the application switching detection unit 121A calls the number of all (all applications) flows (for example, flows that have not been completed before a predetermined time from now) (hereinafter referred to as “total number of flows”). ) And the number of flows that have already ended for each application (for example, flows that have not ended before a predetermined time and have already ended) (hereinafter referred to as “the number of ended flows”) Application switching may be detected based on the total number of flows and the number of end flows of each application.

  For example, the application switching detection unit 121A detects that application switching has occurred for a user whose application has an end flow number of a predetermined ratio or more (for example, 50% or more) with respect to the total number of flows. It may be. For example, the application switching detection unit 121A may determine that application switching has occurred when the total number of flows is 100 and an end flow number of 50% or more (50 or more) occurs in one application.

  Further, for example, the application switching detection unit 121A uses (the number of end flows of the application with the largest number of end flows) / (number of flows of other applications) as an index, and the index is in a state equal to or less than a threshold (for example, from 1 Application switching may be detected for a user in a small state. For example, when the threshold for the above index is 1, the application switching detection unit 121A may detect application switching for a user whose index is 1 or more and less than 1.

  Then, when the application switching detection unit 121A detects a user (IP address) in which application switching has occurred, the application switching detection unit 121A notifies the attention flow extraction unit 15 to reset the processing for the user (the IP address).

  Upon receiving the notification from the application switching detection unit 121A, the attention flow extraction unit 15 maintains the estimation accuracy of the entire apparatus by restarting the extraction process including the flow excluded for the IP address.

(B-3) Effects of Second Embodiment According to the second embodiment, the following effects can be achieved.

  In the network monitoring apparatus 10A of the second embodiment, the user experience quality is not affected for a plurality of flow inputs, and therefore, an estimation unit 12A having a high computer load is excluded by eliminating a flow that can be regarded as unnecessary processing from an estimation target. The calculation cost can be reduced.

  Further, in the network monitoring apparatus 10A of the second embodiment, when the application is switched, the characteristics of the attention flow may be changed. Therefore, resetting the extraction of the attention flow may change the application used. The application usage state can be estimated by following the process.

(C) Third Embodiment Hereinafter, a third embodiment of a communication analysis device and a communication analysis program according to the present invention will be described in detail with reference to the drawings. Below, the example which applied the communication analysis apparatus and communication analysis program of this invention to the network monitoring apparatus is demonstrated.

  An example of the overall configuration of the third embodiment can also be shown using FIG. 2 described above.

  FIG. 7 is an explanatory diagram showing a functional configuration of the network monitoring apparatus 10B of the third embodiment, and the same or corresponding parts are denoted by the same or corresponding reference numerals. Below, the difference with 2nd Embodiment is demonstrated about the network monitoring apparatus 10B of 3rd Embodiment.

  The attention flow extraction unit 15 of the second embodiment is arranged in the preceding stage of the feature amount extraction unit 122 (after the flow dividing unit 11). On the other hand, the attention flow extraction unit 15B of the third embodiment is arranged at the subsequent stage of the feature amount extraction unit 122 (the previous stage of the application usage state estimation unit 123A).

  The target flow extraction unit 15 of the second embodiment extracts flows based on the flow data (contents of packets of each flow) for each flow supplied from the flow division unit 11. On the other hand, the attention flow extraction unit 15B of the third embodiment extracts a flow based on the feature amount for each flow supplied from the feature amount extraction unit 122. The standard of flow extraction performed by the target flow extraction unit 15B is the same as that in the second embodiment, but in the third embodiment, data of a flow to be extracted is a feature amount. Therefore, the feature amount extraction unit 122 of the third embodiment needs to include processing for extracting feature amounts of items necessary for the flow extraction processing by the attention flow extraction unit 15B.

(D) Other Embodiments The present invention is not limited to the above-described embodiments, and may include modified embodiments as exemplified below.

  (D-1) In the first embodiment, the configuration in which the application switching detection is performed by the UX determination unit 13 has been described. However, the application switching detection may be performed using the output result of the feature amount extraction unit 122. Good.

  FIG. 8 is a flowchart showing processing of the network monitoring apparatus 10 according to the modification of the first embodiment.

  The feature quantity extraction unit 122 obtains a flow ID (5 tuples) and a feature quantity indicating the flow end when the feature quantity indicating the flow end such as Fin / Rst of the TCP flag related to the application switching is obtained. Suppose that it supplies to 121 (S201).

  When the information indicating the end of the flow supplied from the feature amount extraction unit 122 (the feature amount indicating the end of the flow and the flow ID) is supplied, the application switching detection unit 121 determines the application switching of the user corresponding to the ID. (S202). Then, the application switching detection unit 121 operates from step S203 described later when a user who has performed application switching is detected, and ends the current process when application switching is not detected. The application switching detection unit 121 switches the application when, for example, a predetermined flow or more (for example, 50% or more) is completed with respect to the total number of flows transmitted and received for each user (for each specific IP address). May be detected.

  When the application switching detection unit 121 detects application switching, the application switching detection unit 121 notifies the UX determination unit 13 of the user (IP address) in which the application switching has occurred. Then, the UX determination unit 13 resets the application and the application usage state for the IP address (S203). Thereby, the UX determination unit 13 can start estimation from the initial state for the user who has switched the application, follow the change of the application used with high accuracy, and improve the estimation accuracy of the application usage state. it can.

  DESCRIPTION OF SYMBOLS 10 ... Network monitoring apparatus, 11 ... Flow division | segmentation part, 12 ... Estimation part, 121 ... Application switching detection part, 122 ... Feature-value extraction part, 122a ... Flow data storage part, 123 ... Application utilization state estimation part, 13 ... UX determination , 131 ... Estimated data holding unit, 14 ... State transition probability table, 141 ... State transition probability table, 20, 20-1 to 20-N ... Terminal, 21, 212-1 to 21-M ... Application, 40, 40 -1 to 40-M ... communication device 30, 31, 32, 33 ... router.

Claims (10)

A flow splitting unit that divides the traffic data to be analyzed for each flow and obtains flow data;
For each flow, a feature amount extraction unit that acquires feature amounts including statistical information of flow data;
For each flow, a usage state estimation unit that estimates an application usage state of an application corresponding to the flow based on the acquired feature amount;
A transition information holding unit that holds transition information in which a parameter value indicating the ease of transition from the first usage state to the second usage state is described for each application;
A determination unit that classifies the estimation result of the usage state estimation unit for each user, determines an application corresponding to each user, and determines a usage state of the application using transition information corresponding to the application. A communication analyzer characterized by the above.   The communication analysis apparatus according to claim 1, wherein the determination unit determines a current use state from a use state determined last time using the transition information.   The determination unit counts the number of flows for each usage state in the estimation result of the usage state estimation unit, and changes the number of flows for each usage state to the usage state determined from the previous determination to each usage state. The communication analysis apparatus according to claim 2, wherein an evaluation value multiplied by the value is calculated, and the usage state with the highest evaluation value is determined as the current usage state.   The detection of a change of an application for each user, and causing the feature amount extraction unit and the determination unit to reset the processing of the user who has detected a change in the application. Communication analysis device. Computer
A flow splitting unit that divides the traffic data to be analyzed for each flow and obtains flow data;
For each flow, a feature amount extraction unit that acquires feature amounts including statistical information of flow data;
For each flow, a usage state estimation unit that estimates an application usage state of an application corresponding to the flow based on the acquired feature amount;
A transition information holding unit that holds transition information in which a parameter value indicating the ease of transition from the first usage state to the second usage state is described for each application;
As a determination unit that classifies the estimation result of the usage state estimation unit for each user, determines an application corresponding to each user, and determines the usage state of the application using transition information corresponding to the application. A communication analysis program characterized by functioning. A flow splitting unit that divides the traffic data to be analyzed for each flow and obtains flow data;
For each flow, a feature amount extraction unit that acquires feature amounts including statistical information of flow data;
For each flow, based on the acquired feature amount, an application corresponding to the flow and a usage state estimation unit that estimates a usage state of the application,
For any one of the flow data for each flow acquired by the flow dividing unit or the feature amount acquired by the feature amount extraction unit, the attention flow based on a predetermined condition is extracted and the usage state estimation unit other than the attention flow is extracted. And a target flow extraction unit that performs processing to be excluded from the flow to be processed.   The communication analysis apparatus according to claim 6, wherein the target flow extraction unit excludes a periodic flow from the target flow by performing frequency analysis based on a packet arrival interval for each flow.   The communication analysis apparatus according to claim 7, wherein the attention flow extraction unit excludes a flow generated before a predetermined period from the attention flow.   The attention flow extraction unit detects that an application has been switched for each user, and causes the attention flow extraction unit to perform a reset process for temporarily returning a flow that has been excluded for a user who has detected a change in the application to the attention flow. The communication analysis apparatus according to claim 6, wherein the communication analysis apparatus is characterized. Computer
A flow splitting unit that divides the traffic data to be analyzed for each flow and obtains flow data;
For each flow, a feature amount extraction unit that acquires feature amounts including statistical information of flow data;
For each flow, based on the acquired feature amount, an application corresponding to the flow and a usage state estimation unit that estimates a usage state of the application,
For any one of the flow data for each flow acquired by the flow dividing unit or the feature amount acquired by the feature amount extraction unit, the attention flow based on a predetermined condition is extracted and the usage state estimation unit other than the attention flow is extracted. A communication analysis program that functions as an attention flow extraction unit that performs processing to be excluded from the processing flow.

Images