WO2018035765A1 - Method and apparatus for detecting network abnormity - Google Patents


Publication number
WO2018035765A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
traffic
network device
abnormality
detecting
Application number
PCT/CN2016/096595
Inventor
贾云健
唐亮
吴玉成
Original Assignee
深圳天珑无线科技有限公司
Application filed by 深圳天珑无线科技有限公司
Priority to PCT/CN2016/096595
Publication of WO2018035765A1

Definitions

  • the present application relates to the field of Internet communication technologies, and in particular, to a method and device for detecting network anomalies.
  • the present application provides a method and device for detecting network anomalies that monitor the network devices in the network to detect whether a traffic abnormality occurs in the network, reducing the detection time and improving the sensitivity and accuracy of the detection.
  • the embodiment of the present application provides a method for detecting a network abnormality, including:
  • the network running status includes: the traffic changes of the physical links in the network, the state of the network devices in the network, and the source of traffic for each IP address.
  • detecting, according to the running status of the network and the traffic status used by the service on the network device, whether a traffic abnormality occurs in the network includes detecting that a traffic abnormality occurs when all of the following conditions are met:
  • the traffic increase of the physical link in the network does not exceed a preset traffic threshold within a specified duration;
  • the operation of a network device in the network changes;
  • traffic flowing to the same IP address is normal; and
  • the traffic used by the services on the network device is reduced.
  • detecting, according to the running status of the network and the traffic status used by the service on the network device, whether a traffic abnormality occurs in the network also includes detecting that no traffic abnormality occurs when at least one of the following conditions is not met:
  • the traffic increase of the physical link in the network does not exceed a preset traffic threshold within a specified duration;
  • the operation of a network device in the network changes;
  • traffic flowing to the same IP address is normal; and
  • the traffic used by the services on the network device is reduced.
  • the method further includes:
  • the embodiment of the present application further provides a network abnormality detecting apparatus, including:
  • the network monitoring module detects the running status of the network and the traffic status used by the service on the network device;
  • the abnormality identifying module detects whether a traffic abnormality occurs in the network according to the running state of the network and the traffic state used by the service on the network device.
  • the network running status includes: the traffic changes of the physical links in the network, the state of the network devices in the network, and the source of traffic for each IP address.
  • the abnormality identification module is specifically configured to detect that a traffic abnormality occurs in the network when all of the following conditions are met:
  • the traffic increase of the physical link in the network does not exceed a preset traffic threshold within a specified duration;
  • the operation of a network device in the network changes;
  • traffic flowing to the same IP address is normal; and
  • the traffic used by the services on the network device is reduced.
  • the abnormality identification module is also specifically configured to detect that no traffic abnormality occurs in the network when at least one of the following conditions is not met:
  • the traffic increase of the physical link in the network does not exceed a preset traffic threshold within a specified duration;
  • the operation of a network device in the network changes;
  • traffic flowing to the same IP address is normal; and
  • the traffic used by the services on the network device is reduced.
  • the device further includes:
  • a type identifying module configured to determine, when a traffic abnormality is detected in the network, that a failed network device exists in the network.
  • the embodiments of the present application provide a method and a device for detecting a network abnormality, which detect the running state of the network and the number of users using the network, and determine whether a traffic abnormality occurs in the network according to the running state of the network and the traffic state used by the service on the network device.
  • the technical solution can integrate and calculate the data detected by different modules in the network management system and automatically and quickly determine whether a traffic abnormality occurs in the network, which reduces the detection time and improves the sensitivity and accuracy. It solves the problem that prior-art methods for identifying network anomalies caused by abnormal traffic mostly depend on manual judgment, which is likely to cause low sensitivity, low accuracy, and long detection time.
  • FIG. 1 is a schematic flowchart of Embodiment 1 of a method for detecting network anomaly provided by the present application;
  • FIG. 2 is an application scenario diagram of Embodiment 1 of a method for detecting network anomaly according to the present application;
  • FIG. 3 is a schematic flowchart of Embodiment 2 of a method for detecting network anomaly according to the present application;
  • FIG. 4 is a schematic structural diagram of Embodiment 1 of a network abnormality detecting apparatus provided by the present application;
  • FIG. 5 is a schematic structural diagram of Embodiment 2 of a device for detecting network anomaly according to the present application.
  • as shown in FIG. 1 and FIG. 2, the method for detecting a network abnormality provided by the embodiment may include the following steps:
  • a method for detecting a network abnormality that can be applied to the network management system is provided in the embodiment of the present application, so as to automatically detect whether an abnormality occurs in the network by using the network management system.
  • the network management system may include a network real-time status monitoring system, a network analysis system, and a DPI (Deep Packet Inspection) system.
  • the network real-time status monitoring system can monitor all network devices in the network, obtain information of all network devices, real-time traffic of physical links, and network topology.
  • the DPI system can identify the data flows on the physical links in the network to obtain the source and direction of the traffic, and can also perform service or type analysis.
  • the network analysis system can monitor whether the number of users changes, IP address utilization changes, traffic history data, and so on.
  • the data information is obtained through the network management system, and the obtained data information is analyzed and calculated, and the analysis and calculation results can reflect the real-time running state of the network, thereby detecting whether an abnormality occurs in the network.
  • the network running status may include, but is not limited to:
  • the traffic changes of the physical links in the network; the state of the network devices in the network; and the source of traffic for each IP address.
  • in a specific implementation, the traffic changes of the physical links in the network can be monitored by the network real-time status monitoring system.
  • the state of the network devices in the network can be monitored by the network real-time status monitoring system, the traffic source of each IP address can be monitored by the DPI system, and the number of users using the network can be monitored and counted by the network analysis system.
  • the network management system can perform real-time calculation and analysis on data such as the network running status monitored by the network real-time status monitoring system and the DPI system and the number of network users monitored by the network analysis system, and update the corresponding results in real time.
  • the network management system uses the results of its real-time calculation and analysis of the network running status and the traffic status used by the service on the network device to detect whether a traffic abnormality occurs in the network.
  • a traffic abnormality in the network is detected when all of the following conditions are met:
  • the traffic increase of the physical link in the network does not exceed a preset traffic threshold within a specified duration;
  • the operation of a network device in the network changes;
  • traffic flowing to the same IP address is normal; and
  • the traffic used by the services on the network device is reduced.
  • the network real-time status monitoring system can monitor the physical links in the network and store the monitoring results; the results can be stored in the database of the network analysis system or on a server in the network, or uploaded to the database of the network management system.
  • the network management system determines whether the traffic increase of the physical link in the network exceeds a preset traffic threshold within a specified duration.
  • the method for judging may be: calculating the traffic increase of the physical link in the network within the specified duration of the monitoring, and then comparing the traffic increase with the preset traffic threshold. If the traffic increase of the physical link in the network is greater than or equal to the traffic threshold, the network may be abnormal. If the traffic increase of the physical link in the network is smaller than the traffic threshold, a traffic abnormality may not be detected in the network.
  • the traffic threshold is 80%
  • the monitoring time is 8:00:00
  • the traffic of the physical link in the network increases by more than 8:00:00 to 8:00:05.
  • a change in the operation of a network device in the network can be determined from the running status of each network device monitored by the network real-time status monitoring system.
  • a change in the running state of a network device includes the device failing or stopping; the network real-time status monitoring system generates an alarm for the device status change, and the IP address of the faulty device is unreachable.
  • traffic flowing to the same IP address being normal can be understood as: the number of packets sent by users to the same IP address is less than the preset number threshold.
  • the reduction of the traffic used by the service on the network device can be understood as: within the specified duration, the drop in traffic on the physical link connected to the network device exceeds the drop threshold, or the traffic falls to zero.
  • the network abnormality may be detected.
  • the embodiment of the present application provides a network abnormality detecting method that detects the network running state and the number of users using the network, where the network running state may include the traffic changes of the physical links in the network, the state of the network devices in the network, and the traffic source of each IP address, and then determines whether a traffic abnormality occurs in the network based on the network running status and the traffic status used by the service on the network device.
  • this technical solution can integrate and calculate the data detected by different modules in the network management system and automatically and quickly judge whether the network is abnormal, which reduces the detection time and improves the sensitivity and accuracy. It solves the problem that prior-art methods for identifying network anomalies caused by abnormal traffic rely mostly on manual judgment, which is likely to cause low sensitivity, low accuracy, and long detection time.
  • FIG. 3 is a schematic flowchart of a method for detecting a network abnormality according to a second embodiment of the present invention. As shown in FIG. 3, the method for detecting a network abnormality provided by the embodiment of the present application may include the following steps:
  • step 201: the specific process of step 201 is described in detail under step 101 in the foregoing embodiment. The principle and implementation process in the embodiment of the present application are the same, and details are not described herein again.
  • step 202: the specific process of step 202 is described in detail under step 102 in the foregoing embodiment. The principle and implementation process in the embodiment of the present application are the same, and details are not described herein again.
  • the cause of the traffic abnormality may be that the network device is faulty, such as the device hardware alarm, the IP unreachable, or the like, or may be caused by other devices actively attacking the network device in the network.
  • the probability that other devices actively attack the network devices in the network is low.
  • when the operation of a network device in the network changes, for example when the network real-time status monitoring system issues an alarm for a network device status change, the IP address of the faulty device is unreachable, so the data packets that users send to that IP address cannot be received, and the traffic used by the services on the network device is reduced. Therefore, in the embodiment of the present application, when a traffic abnormality is detected in the network, it may be determined that the traffic abnormality is caused by a network device failure in the network.
  • the embodiment of the present application provides a network abnormality detecting method that detects the network running state and the number of users using the network, where the network running state may include the traffic changes of the physical links in the network, the state of the network devices in the network, and the traffic source of each IP address; after a traffic abnormality is determined to have occurred, it can be determined that the abnormality is caused by a network device failure in the network.
  • the data detected by different modules in the network management system is integrated and calculated to automatically determine whether the network is abnormal, which improves the reliability of the network, reduces the detection time, and improves the sensitivity and accuracy. It solves the problem that prior-art methods for identifying network anomalies caused by abnormal traffic mostly depend on manual judgment, which is likely to cause low sensitivity, low accuracy, and long detection time.
  • FIG. 4 is a schematic structural diagram of Embodiment 1 of a network abnormality detecting apparatus provided by the present application.
  • the network abnormality detecting apparatus provided by the embodiment of the present application may include: a network monitoring module 11 and an abnormality identifying module 12.
  • the network monitoring module 11 detects the running status of the network and the traffic status used by the service on the network device;
  • the abnormality identification module 12 detects whether the network has abnormal traffic according to the network running status monitored by the network monitoring module 11 and the traffic status used by the service on the network device.
  • the network running status includes:
  • the traffic changes of the physical links in the network, the state of the network devices in the network, and the source of traffic for each IP address.
  • the abnormality identification module 12 is specifically configured to detect that a traffic abnormality occurs in the network when all of the following conditions are met:
  • the traffic increase of the physical link in the network does not exceed a preset traffic threshold within a specified duration;
  • the operation of a network device in the network changes;
  • traffic flowing to the same IP address is normal; and
  • the traffic used by the services on the network device is reduced.
  • the abnormality identification module 12 is also specifically configured to detect that no traffic abnormality occurs in the network when at least one of the following conditions is not met:
  • the traffic increase of the physical link in the network does not exceed a preset traffic threshold within a specified duration;
  • the operation of a network device in the network changes;
  • traffic flowing to the same IP address is normal; and
  • the traffic used by the services on the network device is reduced.
  • the device in this embodiment may be used to implement the technical solution of the method embodiment shown in FIG. 1 , and the implementation principle and technical effects are similar, and details are not described herein again.
  • FIG. 5 is a schematic structural diagram of a second embodiment of a network abnormality detecting apparatus according to the present application.
  • on the basis of the foregoing third embodiment, the network abnormality detecting apparatus provided by the embodiment of the present application may further include a type identification module 13.
  • the type identification module 13 is configured to determine that a faulty network device exists in the network when the abnormality identification module 12 detects that a traffic abnormality occurs in the network.
  • the device in this embodiment may be used to implement the technical solution of the method embodiment shown in FIG. 3, and the implementation principle and technical effects are similar, and details are not described herein again.
  • the aforementioned program can be stored in a computer readable storage medium.
  • the program when executed, performs the steps including the foregoing method embodiments; and the foregoing storage medium includes various media that can store program codes, such as a ROM, a RAM, a magnetic disk, or an optical disk.
  • the device embodiments described above are merely illustrative. The units illustrated as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units; that is, they may be located in one place or distributed across at least two network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. Those of ordinary skill in the art can understand and implement the embodiments without creative effort.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided in the embodiments of the present application are a method and an apparatus for detecting a network abnormity. The method for detecting a network abnormity provided in the embodiments of the present application comprises: detecting the operation state of a network and the state of traffic used by services on a network device, and detecting, according to the operation state of the network and the state of traffic used by the services on the network device, whether a traffic abnormity occurs on the network. The method for detecting a network abnormity provided in the embodiments of the present application can integrate and calculate data detected by different modules in a network management system, automatically and quickly determine whether an abnormity occurs on the network, reducing detection time, and improving sensitivity and accuracy.

Description

Method and apparatus for detecting network abnormality
Technical field
The present application relates to the field of Internet communication technologies, and in particular to a method and apparatus for detecting network abnormalities.
Background
With the rapid development of science and technology, the Internet has become an important means for users to obtain resources and look up information, making the network an important piece of infrastructure in social and economic life.
As users rely more and more on the network, traffic utilization keeps rising, network load keeps growing, and traffic fluctuates more and more often. Traffic fluctuations occur frequently and are generally divided into normal fluctuations and abnormal fluctuations. Normal fluctuations are usually caused by an increase in the number of users or in service usage; they are relatively smooth and show an upward trend. As long as they are handled in time, normal traffic fluctuations do not endanger the stability and security of the network.
However, when traffic fluctuates abnormally within a short time, a huge volume of traffic is produced and may even congest the network. In the prior art, methods for quickly identifying the cause of abnormal traffic fluctuations mostly rely on manual judgment, which tends to result in low sensitivity and accuracy.
Summary of the application
The present application provides a method and apparatus for detecting network abnormalities that monitor the network devices in a network to detect whether a traffic abnormality occurs in the network, reducing detection time and improving the sensitivity and accuracy of detection.
An embodiment of the present application provides a method for detecting a network abnormality, including:
detecting the network running status and the status of the traffic used by services on a network device;
detecting, according to the network running status and the status of the traffic used by services on the network device, whether a traffic abnormality occurs in the network.
Further, in the above method, the network running status includes:
the traffic changes of physical links in the network, the state of network devices in the network, and the traffic source of each IP address.
Further, in the above method, detecting, according to the network running status and the status of the traffic used by services on the network device, whether a traffic abnormality occurs in the network includes:
detecting that a traffic abnormality occurs in the network when all of the following conditions are met:
within a specified duration, the traffic increase of the physical links in the network does not exceed a preset traffic threshold;
the operation of a network device in the network changes;
traffic flowing to the same IP address is normal; and
the traffic used by services on the network device is reduced.
Further, in the above method, detecting, according to the network running status and the status of the traffic used by services on the network device, whether a traffic abnormality occurs in the network includes:
detecting that no traffic abnormality occurs in the network when at least one of the following conditions is not met:
within a specified duration, the traffic increase of the physical links in the network does not exceed a preset traffic threshold;
the operation of a network device in the network changes;
traffic flowing to the same IP address is normal; and
the traffic used by services on the network device is reduced.
Further, the above method also includes:
when a traffic abnormality is detected in the network, determining that a failed network device exists in the network.
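The four-condition rule above can be written out as a small correlation check. This is an added example, not code from the patent or its applicant: the `Window` structure, the device names, the threshold values other than the page's 80% illustration, and the choice to test the traffic-reduction condition on the devices that raised an alarm are all assumptions.

```python
from dataclasses import dataclass, field

# Thresholds are assumptions for this example; the page cites only an 80%
# link-growth threshold as an illustration.
LINK_INCREASE_PCT = 80.0   # preset traffic threshold (link growth per window)
PACKETS_PER_DST = 10_000   # preset number threshold per destination IP
SERVICE_DROP_PCT = 50.0    # drop threshold for a device's service traffic


@dataclass
class Window:
    """Constructed telemetry for one 'specified duration'."""
    link_start: float      # link traffic at window start (Mbit/s)
    link_end: float        # link traffic at window end (Mbit/s)
    alarms: set = field(default_factory=set)            # devices with a status-change alarm
    packets_by_dst: dict = field(default_factory=dict)  # DPI: destination IP -> packets
    service: dict = field(default_factory=dict)         # device -> (start, end) Mbit/s


def growth_pct(start, end):
    """Percentage increase over the window; growth from zero is unbounded."""
    if start <= 0:
        return float("inf") if end > 0 else 0.0
    return (end - start) / start * 100.0


def service_reduced(start, end):
    """Condition 4: the drop exceeds the drop threshold or traffic falls to zero."""
    if start <= 0:
        return False  # no prior traffic, so nothing was reduced
    return end == 0 or (start - end) / start * 100.0 > SERVICE_DROP_PCT


def evaluate(w):
    """Apply the four conditions; an abnormality needs all of them to hold."""
    conditions = {
        "link_increase_within_threshold":
            growth_pct(w.link_start, w.link_end) <= LINK_INCREASE_PCT,
        "device_state_changed": bool(w.alarms),
        "per_ip_traffic_normal":
            all(n < PACKETS_PER_DST for n in w.packets_by_dst.values()),
    }
    # Assumption: condition 4 is checked on the devices that raised an alarm,
    # which also names the suspected faulty device(s).
    suspects = sorted(d for d in w.alarms
                      if d in w.service and service_reduced(*w.service[d]))
    conditions["service_traffic_reduced"] = bool(suspects)
    abnormal = all(conditions.values())
    return {"abnormal": abnormal,
            "conditions": conditions,
            "faulty_devices": suspects if abnormal else []}


# Constructed sample windows (documentation addresses, invented device names).
DEVICE_FAILURE = Window(
    link_start=400, link_end=310, alarms={"agg-sw-2"},
    packets_by_dst={"192.0.2.10": 1200, "192.0.2.11": 900},
    service={"agg-sw-2": (90, 0), "agg-sw-1": (110, 108)},
)
TRAFFIC_SURGE = Window(
    link_start=400, link_end=950, alarms={"agg-sw-2"},
    packets_by_dst={"192.0.2.10": 480_000},
    service={"agg-sw-2": (90, 20)},
)
ORGANIC_GROWTH = Window(
    link_start=400, link_end=520,
    packets_by_dst={"192.0.2.10": 2500},
    service={"agg-sw-1": (110, 140)},
)

if __name__ == "__main__":
    for name, w in [("device failure", DEVICE_FAILURE),
                    ("traffic surge", TRAFFIC_SURGE),
                    ("organic growth", ORGANIC_GROWTH)]:
        r = evaluate(w)
        unmet = [k for k, ok in r["conditions"].items() if not ok]
        print(f"{name}: abnormal={r['abnormal']} "
              f"faulty={r['faulty_devices']} unmet={unmet}")
```

Returning the per-condition results alongside the verdict lets an operator see which signal kept a window from being classified as a device-failure abnormality.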
An embodiment of the present application further provides an apparatus for detecting a network abnormality, including:
a network monitoring module, which detects the network running status and the status of the traffic used by services on a network device;
an abnormality identification module, which detects, according to the network running status and the status of the traffic used by services on the network device, whether a traffic abnormality occurs in the network.
Further, in the above apparatus, the network running status includes:
the traffic changes of physical links in the network, the state of network devices in the network, and the traffic source of each IP address.
Further, in the above apparatus, the abnormality identification module is specifically configured to:
detect that a traffic abnormality occurs in the network when all of the following conditions are met:
within a specified duration, the traffic increase of the physical links in the network does not exceed a preset traffic threshold;
the operation of a network device in the network changes;
traffic flowing to the same IP address is normal; and
the traffic used by services on the network device is reduced.
Further, in the above apparatus, the abnormality identification module is specifically configured to:
detect that no traffic abnormality occurs in the network when at least one of the following conditions is not met:
within a specified duration, the traffic increase of the physical links in the network does not exceed a preset traffic threshold;
the operation of a network device in the network changes;
traffic flowing to the same IP address is normal; and
the traffic used by services on the network device is reduced.
Further, the above apparatus also includes:
a type identification module, configured to determine, when a traffic abnormality is detected in the network, that a failed network device exists in the network.
The embodiments of the present application provide a method and apparatus for detecting a network abnormality, which detect the network running status and the number of users using the network, and determine whether a traffic abnormality occurs in the network according to the network running status and the status of the traffic used by services on the network device. The technical solution can integrate and calculate the data detected by different modules in the network management system and automatically and quickly judge whether a traffic abnormality occurs in the network, which reduces detection time and improves sensitivity and accuracy. It solves the problem that prior-art methods for identifying network abnormalities caused by abnormal traffic mostly rely on manual judgment, which tends to cause low sensitivity, low accuracy, and long detection time.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present application, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of Embodiment 1 of the method for detecting a network abnormality provided by the present application;
FIG. 2 is an application scenario diagram of Embodiment 1 of the method for detecting a network abnormality provided by the present application;
FIG. 3 is a schematic flowchart of Embodiment 2 of the method for detecting a network abnormality provided by the present application;
FIG. 4 is a schematic structural diagram of Embodiment 1 of the apparatus for detecting a network abnormality provided by the present application;
FIG. 5 is a schematic structural diagram of Embodiment 2 of the apparatus for detecting a network abnormality provided by the present application.
具体实施方式detailed description
为使本申请实施例的目的、技术方案和优点更加清楚,下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。The technical solutions in the embodiments of the present application are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present application. It is a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without departing from the inventive scope are the scope of the present application.
实施例一Embodiment 1
FIG. 1 is a schematic flowchart of Embodiment 1 of the network abnormality detection method provided by the present application, and FIG. 2 is an application scenario diagram of Embodiment 1 of that method. As shown in FIG. 1 and FIG. 2, the network abnormality detection method provided by this embodiment of the present application may include the following steps:
101. Detect the network running state and the traffic state used by services on the network device.
To make it possible to detect automatically whether an abnormality has occurred in the network, this embodiment of the present application provides a network abnormality detection method that can be applied to a network management system, so that the network management system itself automatically detects whether the network is abnormal.
In this embodiment of the present application, as shown in FIG. 2, the network management system may include a network real-time status monitoring system, a network analysis system, and a DPI (Deep Packet Inspection) system.
The network real-time status monitoring system can monitor all network devices in the network and obtain the information of all network devices, the real-time traffic of the physical links, the network topology, and so on. The DPI system can identify the data flows on the physical links in the network to obtain the source and the direction of the traffic, and can also perform service or type analysis. The network analysis system can monitor changes in the number of users, changes in IP address utilization, historical traffic data, and so on.
In this embodiment of the present application, data is obtained through the network management system and then analyzed and calculated. The results of that analysis and calculation reflect the real-time running state of the network and are used to detect whether an abnormality has occurred in the network.
Specifically, in this embodiment of the present application, the network running state may include, but is not limited to:
the traffic changes of the physical links in the network;
the state of the network devices in the network; and
the traffic source of each IP address.
In a specific implementation, the traffic changes of the physical links in the network can be monitored by the network real-time status monitoring system, the state of the network devices in the network can be monitored by the network real-time status monitoring system, the traffic source of each IP address can be monitored by the DPI system, and the number of users using the network can be monitored and counted by the network analysis system.
The network management system can perform real-time calculation and analysis on data such as the network running state monitored by the network real-time status monitoring system and the DPI system and the number of network users monitored by the network analysis system, and update the corresponding results in real time.
102. Detect whether a traffic abnormality has occurred in the network according to the network running state and the traffic state used by services on the network device.
A network device that has been running for some time may fail because of hardware wear or similar causes, which directly affects the running state of that device and in turn causes network traffic to fluctuate; network traffic also fluctuates when other network devices attack network devices in the network. In this embodiment of the present application, the results of the network management system's real-time calculation and analysis of data such as the network running state and the traffic state used by services on the network device are used to detect whether a traffic abnormality has occurred in the network.
In this embodiment of the present application, a traffic abnormality is detected in the network when all of the following conditions are met:
within a specified duration, the traffic increase of the physical link in the network does not exceed a preset traffic threshold;
the operation of a network device in the network has changed;
the traffic flowing to the same IP address is normal; and
the traffic used by services on the network device is reduced.
It should be noted that while the network real-time status monitoring system monitors the traffic of the physical links in the network, it can also record and store the monitoring results. They may be stored in the database of the network analysis system, in a server in the network, or uploaded to the database of the network management system.
It can be understood that the network management system determines whether the traffic increase of the physical link in the network within the specified duration exceeds the preset traffic threshold. In a specific implementation, the determination may be made by calculating the traffic increase of the physical link in the network over the monitored specified duration and then comparing that increase with the preset traffic threshold. If the traffic increase of the physical link in the network within the specified duration is greater than or equal to the traffic threshold, it can be determined that a traffic abnormality has occurred in the network; if the traffic increase of the physical link in the network within the specified duration is less than the traffic threshold, it can be determined that no traffic abnormality has occurred in the network.
For example, set the specified duration to 5 seconds, the traffic threshold to 80%, and the monitoring time point to 8:00:00. If, between 8:00:00 and 8:00:05, the traffic increase of the physical link in the network is greater than or equal to 30% of the normal traffic value of the physical link at the monitoring time, it can be determined that no traffic abnormality has occurred in the network.
It should be noted that a change in the operation of a network device in the network can be derived from the running states of the individual network devices as monitored by the network real-time status monitoring system. The running state of a network device includes having failed or having stopped running; the network real-time status monitoring system raises a device state change alarm and indicates that the IP address of the failed device is unreachable.
Traffic flowing to the same IP address being normal can be understood as the number of data packets sent by users to the same IP address being less than a preset quantity threshold.
The traffic used by services on the network device being reduced can be understood as the traffic of the physical link connected to that network device dropping by more than a drop threshold, or dropping to 0, within the specified duration.
In this embodiment of the present application, a traffic abnormality is considered to be detected in the network when the above four conditions are all met within the specified duration.
Likewise, when at least one of the above four conditions is not met, it is detected that no traffic abnormality has occurred in the network.
This embodiment of the present application provides a network abnormality detection method that detects the network running state and the number of users using the network, where the network running state may include the traffic changes of the physical links in the network, the state of the network devices in the network, and the traffic source of each IP address, and then determines, according to the network running state and the traffic state used by services on the network device, whether a traffic abnormality has occurred in the network. This technical solution integrates and calculates over the data detected by the different modules of the network management system and automatically and quickly determines whether the network is abnormal, which reduces detection time and improves sensitivity and accuracy. It addresses the problem that prior-art methods for identifying network abnormalities caused by abnormal traffic rely mostly on manual judgment, which tends to result in low sensitivity, low accuracy, and long detection times.
Embodiment 2
FIG. 3 is a schematic flowchart of Embodiment 2 of the network abnormality detection method provided by the present application. As shown in FIG. 3, the network abnormality detection method provided by this embodiment of the present application may include the following steps:
201. Detect the network running state and the traffic state used by services on the network device.
In this embodiment of the present application, for the specific process of step 201, see the description of step 101 in the foregoing embodiment. The principle and implementation are the same and are not repeated here.
202. Detect whether a traffic abnormality has occurred in the network according to the network running state and the traffic state used by services on the network device.
In this embodiment of the present application, for the specific process of step 202, see the description of step 102 in the foregoing embodiment. The principle and implementation are the same and are not repeated here.
203. When a traffic abnormality is detected in the network, determine that a failed network device exists in the network.
In this embodiment of the present application, the cause of a traffic abnormality may be that a network device has failed (for example a device hardware alarm or an unreachable IP address), or it may be that other devices are actively attacking network devices in the network.
When, within the time threshold, the traffic of the physical links in the network is within the traffic threshold and the traffic flowing to the same IP address is normal, it can be understood that the probability that other devices are actively attacking network devices in the network is low. In addition, the operation of a network device in the network has changed, for example the network real-time status monitoring system has raised a device state change alarm, and because the IP address of the failed device is unreachable, data packets that users send to that IP address cannot be received, so the traffic used by services on that network device decreases. Therefore, in this embodiment of the present application, when a traffic abnormality is detected in the network, it can be determined that the cause of the traffic abnormality is a failure of a network device in the network.
This embodiment of the present application provides a network abnormality detection method that detects the network running state and the number of users using the network, where the network running state may include the traffic changes of the physical links in the network, the state of the network devices in the network, and the traffic source of each IP address. Once it has been determined that a traffic abnormality has occurred, the change in the running state of a network device together with the reduction in service traffic makes it possible to determine that the network abnormality is caused by a failure of a network device in the network. This technical solution integrates and calculates over the data detected by the different modules of the network management system and automatically and quickly determines whether the network is abnormal, which improves the reliability of the network, reduces detection time, and improves sensitivity and accuracy. It addresses the problem that prior-art methods for identifying network abnormalities caused by abnormal traffic rely mostly on manual judgment, which tends to result in low sensitivity, low accuracy, and long detection times.
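The four-condition rule of steps 102/202 and the step 203 conclusion, written out as an added Python example that is not part of the patent text. The field names, the packet and drop threshold values, the way the increase is computed from samples, and the sample windows are all assumptions; only the 80% traffic threshold and the 5 s window echo the page's own sample values.

```python
from dataclasses import dataclass


@dataclass
class Thresholds:
    # 0.80 mirrors the 80% sample value on the page; the other two are constructed.
    max_increase_ratio: float = 0.80  # traffic threshold, as a share of the link's normal value
    max_pkts_per_dst: int = 10_000    # quantity threshold for packets sent to one IP
    min_drop_ratio: float = 0.50      # drop threshold on the link attached to a device


@dataclass
class Window:
    """Observations for one specified duration (for example 5 s), merged from
    the real-time status monitor, the DPI system and the analysis system."""
    link_normal_bps: float    # normal traffic value of the physical link
    link_samples_bps: list    # samples taken during the window, oldest first
    state_alarms: set         # device IPs with a state-change / unreachable alarm
    pkts_per_dst: dict        # DPI view: destination IP -> packets in the window
    device_link_bps: dict     # device IP -> (bps at window start, bps at window end)


def link_increase_ratio(w: Window) -> float:
    """Largest rise above the first sample, relative to the normal value."""
    if not w.link_samples_bps or w.link_normal_bps <= 0:
        raise ValueError("window needs samples and a positive normal value")
    rise = max(w.link_samples_bps) - w.link_samples_bps[0]
    return rise / w.link_normal_bps


def service_traffic_reduced(w: Window, device_ip: str, th: Thresholds) -> bool:
    """True when the device's link fell to 0 or dropped by more than the drop threshold."""
    if device_ip not in w.device_link_bps:
        return False  # no measurement: do not assume a reduction
    start, end = w.device_link_bps[device_ip]
    if start <= 0:
        return False  # nothing was flowing, so nothing can have been lost
    return end == 0 or (start - end) / start > th.min_drop_ratio


def evaluate(w: Window, device_ip: str, th: Thresholds = Thresholds()) -> dict:
    """Apply the four conditions of step 102 to one device and, if all hold,
    draw the step 203 conclusion that a failed device is present."""
    checks = {
        "link_increase_within_threshold": link_increase_ratio(w) <= th.max_increase_ratio,
        "device_state_changed": device_ip in w.state_alarms,
        "per_destination_traffic_normal": all(
            n < th.max_pkts_per_dst for n in w.pkts_per_dst.values()),
        "device_service_traffic_reduced": service_traffic_reduced(w, device_ip, th),
    }
    abnormal = all(checks.values())
    return {"device": device_ip, "checks": checks,
            "traffic_abnormal": abnormal, "failed_device_present": abnormal}


# Constructed sample windows (documentation address range 192.0.2.0/24).
DEVICE_FAILURE = Window(
    link_normal_bps=1.0e9,
    link_samples_bps=[1.00e9, 0.98e9, 0.70e9, 0.65e9, 0.64e9],
    state_alarms={"192.0.2.10"},
    pkts_per_dst={"192.0.2.10": 120, "192.0.2.20": 3400},
    device_link_bps={"192.0.2.10": (3.5e8, 0.0), "192.0.2.20": (2.0e8, 2.1e8)},
)
TRAFFIC_SURGE = Window(
    link_normal_bps=1.0e9,
    link_samples_bps=[1.0e9, 1.6e9, 2.1e9, 2.0e9, 1.9e9],
    state_alarms={"192.0.2.10"},
    pkts_per_dst={"192.0.2.10": 250_000, "192.0.2.20": 3100},
    device_link_bps={"192.0.2.10": (3.5e8, 0.0), "192.0.2.20": (2.0e8, 1.9e8)},
)

if __name__ == "__main__":
    for name, win in (("device failure", DEVICE_FAILURE), ("traffic surge", TRAFFIC_SURGE)):
        for ip in sorted(win.device_link_bps):
            r = evaluate(win, ip)
            unmet = [k for k, ok in r["checks"].items() if not ok]
            print(f"{name:15} {ip:12} abnormal={r['traffic_abnormal']} unmet={unmet}")
```

In the second window the same device alarm and traffic loss are present, but the link surge and the per-destination packet count break conditions one and three, so the rule does not attribute the event to a device failure and the window is left for other analysis.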
Embodiment 3
FIG. 4 is a schematic structural diagram of Embodiment 1 of the network abnormality detection apparatus provided by the present application. As shown in FIG. 4, the network abnormality detection apparatus provided by this embodiment of the present application may include a network monitoring module 11 and an abnormality identification module 12.
The network monitoring module 11 detects the network running state and the traffic state used by services on the network device.
The abnormality identification module 12 detects whether a traffic abnormality has occurred in the network according to the network running state monitored by the network monitoring module 11 and the traffic state used by services on the network device.
Specifically, in this embodiment of the present application, the network running state includes:
the traffic changes of the physical links in the network, the state of the network devices in the network, and the traffic source of each IP address.
In this embodiment of the present application, the abnormality identification module 12 is specifically configured to:
detect that a traffic abnormality has occurred in the network when all of the following conditions are met:
within a specified duration, the traffic increase of the physical link in the network does not exceed a preset traffic threshold;
the operation of a network device in the network has changed;
the traffic flowing to the same IP address is normal; and
the traffic used by services on the network device is reduced.
In this embodiment of the present application, the abnormality identification module 12 is specifically configured to:
detect that no traffic abnormality has occurred in the network when at least one of the following conditions is not met:
within a specified duration, the traffic increase of the physical link in the network does not exceed a preset traffic threshold;
the operation of a network device in the network has changed;
the traffic flowing to the same IP address is normal; and
the traffic used by services on the network device is reduced.
The apparatus of this embodiment can be used to carry out the technical solution of the method embodiment shown in FIG. 1. Its implementation principle and technical effects are similar and are not repeated here.
Embodiment 4
FIG. 5 is a schematic structural diagram of Embodiment 2 of the network abnormality detection apparatus provided by the present application. As shown in FIG. 5, the network abnormality detection apparatus provided by this embodiment of the present application may, on the basis of Embodiment 3 above, further include a type identification module 13.
The type identification module 13 is configured to determine that a failed network device exists in the network when the network detecting module 12 detects that a traffic abnormality has occurred in the network.
The apparatus of this embodiment can be used to carry out the technical solution of the method embodiment shown in FIG. 3. Its implementation principle and technical effects are similar and are not repeated here.
A person of ordinary skill in the art will understand that all or part of the steps of the foregoing method embodiments may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs the steps of the foregoing method embodiments; the storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk, or an optical disc.
The apparatus embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over at least two network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. A person of ordinary skill in the art can understand and implement this without creative effort.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the present application.

Claims (10)

  1. A method for detecting a network abnormality, characterized by comprising:
    detecting a network running state and a traffic state used by services on a network device;
    detecting, according to the network running state and the traffic state used by services on the network device, whether a traffic abnormality has occurred in the network.
  2. The method according to claim 1, characterized in that the network running state comprises:
    the traffic changes of the physical links in the network, the state of the network devices in the network, and the traffic source of each IP address.
  3. The method according to claim 2, characterized in that detecting, according to the network running state and the traffic state used by services on the network device, whether a traffic abnormality has occurred in the network comprises:
    detecting that a traffic abnormality has occurred in the network when all of the following conditions are met:
    within a specified duration, the traffic increase of the physical link in the network does not exceed a preset traffic threshold;
    the operation of a network device in the network has changed;
    the traffic flowing to the same IP address is normal; and
    the traffic used by services on the network device is reduced.
  4. The method according to claim 2, characterized in that detecting, according to the network running state and the traffic state used by services on the network device, whether a traffic abnormality has occurred in the network comprises:
    detecting that no traffic abnormality has occurred in the network when at least one of the following conditions is not met:
    within a specified duration, the traffic increase of the physical link in the network does not exceed a preset traffic threshold;
    the operation of a network device in the network has changed;
    the traffic flowing to the same IP address is normal; and
    the traffic used by services on the network device is reduced.
  5. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
    determining, when a traffic abnormality is detected in the network, that a failed network device exists in the network.
  6. An apparatus for detecting a network abnormality, characterized by comprising:
    a network monitoring module, which detects a network running state and a traffic state used by services on a network device;
    an abnormality identification module, which detects, according to the network running state and the traffic state used by services on the network device, whether a traffic abnormality has occurred in the network.
  7. The apparatus according to claim 6, characterized in that the network running state comprises:
    the traffic changes of the physical links in the network, the state of the network devices in the network, and the traffic source of each IP address.
  8. The apparatus according to claim 7, characterized in that the abnormality identification module is specifically configured to:
    detect that a traffic abnormality has occurred in the network when all of the following conditions are met:
    within a specified duration, the traffic increase of the physical link in the network does not exceed a preset traffic threshold;
    the operation of a network device in the network has changed;
    the traffic flowing to the same IP address is normal; and
    the traffic used by services on the network device is reduced.
  9. The apparatus according to claim 7, characterized in that the abnormality identification module is specifically configured to:
    detect that no traffic abnormality has occurred in the network when at least one of the following conditions is not met:
    within a specified duration, the traffic increase of the physical link in the network does not exceed a preset traffic threshold;
    the operation of a network device in the network has changed;
    the traffic flowing to the same IP address is normal; and
    the traffic used by services on the network device is reduced.
  10. The apparatus according to any one of claims 6 to 8, characterized in that the apparatus further comprises:
    a type identification module, configured to determine, when a traffic abnormality is detected in the network, that a failed network device exists in the network.
PCT/CN2016/096595 2016-08-24 2016-08-24 Method and apparatus for detecting network abnormity WO2018035765A1 (en)


Publications (1)

Publication Number Publication Date
WO2018035765A1 true WO2018035765A1 (en) 2018-03-01

Family

ID=61246034


Country Status (1)

Country Link
WO (1) WO2018035765A1 (en)


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16913788

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16913788

Country of ref document: EP

Kind code of ref document: A1