WO2019177264A1

WO2019177264A1 - Method for analyzing multilayer-based network traffic visualization

Info

Publication number: WO2019177264A1
Application number: PCT/KR2019/001136
Authority: WO
Inventors: 양미선
Original assignee: 마인드서프 주식회사
Priority date: 2018-03-14
Filing date: 2019-01-27
Publication date: 2019-09-19
Also published as: KR101893475B1

Abstract

The present invention generally relates to a technology for synthetically monitoring a network state so as to assist network management. More specifically, the present invention relates to a technology in which: a relationship between network elements is analyzed on the basis of SNMP collection information so as to automatically generate a network topology map; a network state is periodically stored in the form of a screen shot so as to enable a network state change to be continuously checked; on the basis of machine learning, network state information is learned and an abnormal symptom is analyzed; and on the basis of routing information, a traffic path for a specific IP is identified, so as to visualize a network state.

Description

Multi-layered Network Traffic Visualization Analysis Method

The present invention relates generally to techniques for assisting network management by comprehensively monitoring network conditions.

More specifically, the present invention analyzes the relationship between the network elements from the SNMP collection information to automatically generate a network topology map, and periodically save the network state in the form of screenshots to continuously check the network state changes and to machine learning The present invention relates to a technique for visualizing network state by learning network state information on the basis, analyzing abnormal symptoms, and identifying a traffic path to a specific IP based on routing information.

In general, network management refers to monitoring network status in real time to collect information on configuration, performance, and failure of network elements, and to operate and maintain the network accordingly. The network management system (NMS) stores management information such as shape information and service information about network elements, and provides management information to a system administrator in need.

In the field of network management, nodes, which are components of a network, such as a switch, a transmission device, a subscriber device, a telephone station, a building, and an antenna, are called nodes. The NMS monitors the operational status of these nodes and manages and controls the traffic flowing through the network for smooth data communication between the nodes.

The system administrator checks the current status of the network through the monitoring screen of the NMS and takes countermeasures when necessary. However, the NMS of the prior art is a two-dimensional (2D) type of dashboard and a limited kind of information, such as merely showing a situation at a particular point in time. Therefore, in the prior art, it is not possible to monitor how the network status changes over time, it is difficult to intuitively grasp the network status from the display of the monitoring screen of the system administrator, and it is difficult to track and analyze specific traffic. In addition, there is a problem that a user must draw a picture by not providing a network topology.

The prior art has solved this problem through the experience and skill of the system administrator. However, this approach is not only inefficient in terms of cost and time, but also above all inherent in the risk of mistakes if the system administrator's skills or fatigue accumulate. Accordingly, there is a need for a technology capable of solving the above problems of the prior art by improving the function of the network management system (NMS).

SUMMARY OF THE INVENTION An object of the present invention is generally to provide a technique for assisting network management by comprehensively monitoring network status.

In particular, an object of the present invention is to automatically generate a network topology map by analyzing the relationship between network elements from SNMP collection information, and periodically store the network state in the form of a screenshot to continuously check the network state change and based on machine learning. It provides a technology to visualize network status by learning network status information, analyzing abnormal symptoms, and identifying traffic paths for specific IP based on routing information.

In order to achieve the above object, a multilayer-based network traffic visualization analysis method according to the present invention comprises: collecting information of network elements (hereinafter referred to as 'SNMP collection information') through SNMP and storing the information in a collection information database; Stage 1; Analyzing a relationship between network elements based on SNMP collection information to automatically generate a network topology map including a plurality of nodes representing network elements and a plurality of relations representing connection paths between network elements; A third step of multilayer-visualizing the plurality of nodes and relations constituting the network topology map on the monitoring screen by reflecting the network state according to the SNMP collection information; A fourth step of periodically storing screenshots of the networked state information visualized at each time point according to a preset schedule; And a fifth step of learning through machine learning a series of network status information according to SNMP collection information stored in the collection information database and identifying a network abnormality indication based thereon.

In this case, the second step may include a twenty-first step of analyzing, by the network modeling unit, SNMP collection information; A twenty-second step of identifying a plurality of systems existing in the network and setting them as nodes on a system layer; A twenty-third step of identifying an interface included in each of the plurality of systems and setting it as a node on the NIC layer; A twenty-fourth step of establishing a relationship between an interface-to-interface, an interface-to-system, and a system-to-system between a plurality of nodes with reference to a routing table; The topology automatic generation unit 400 generates a network topology map by arranging a plurality of nodes according to a layer and establishing a connection relationship between nodes for each layer based on a relation between an interface-to-interface, an interface-to-system, and a system-to-system. It is configured to include.

In this case, the twenty-fourth step may include: establishing a relation between a system and an interface provided in the system for each of the plurality of systems existing in the network based on the SNMP collection information; Establishing a relation between interfaces bound to the same VLAN; Establishing a relation between connected interfaces with reference to a routing table; Analyzing the IP address of the ARP table, identifying one or more systems and interfaces not found in the SNMP collection information, and additionally configuring each node as a node on a system layer or a NIC layer; Establishing a relation between a system and an interface provided in the system for each of the systems additionally set by the ARP table; Establishing a relation between the interfaces connected by referring to the routing table between the interface additionally set by the ARP table and the interface set by the SNMP collection information; If there is a relation between the interface to which it belongs, establishing a relation between the systems; and is configured.

On the other hand, the computer program according to the present invention is stored in a medium in combination with hardware to execute the multilayer-based network traffic visualization analysis method as described above.

According to the present invention, there is an advantage of improving network management efficiency through visualization of network traffic. In particular, the network topology can be automatically generated based on the collected information of the network status, and screenshots of the network status can be saved to check network status changes over a specific period, as well as to learn network status information and to identify abnormal symptoms. have.

In addition, according to the present invention has the advantage that it is possible to quickly trace the problem point to the traffic path tracking for a specific IP.

In addition, since the network traffic visualization analysis technology according to the present invention can be implemented based on the standard protocol (SNMP), scalability and compatibility are secured by itself.

1 is a flow chart showing the overall process of the network traffic visualization analysis method according to the present invention.

2 conceptually illustrates a system architecture for implementing network traffic visualization analysis in accordance with the present invention.

3 conceptually illustrates the operation of the network information collecting unit in the present invention;

4 is a view summarizing the SNMP collection system in the present invention.

5 is a view summarizing the properties used for network information in the present invention.

6 conceptually illustrates the operation of the network modeling unit in the present invention;

7 conceptually illustrates nodes and relations in the present invention.

8 is a diagram illustrating an example of an object attribute for a node and a relation in the present invention.

FIG. 9 is a diagram illustrating a process in which a network modeling unit creates a node on a multilayer and sets a relation in the present invention. FIG.

10 is a diagram showing an example of a network topology presentation method of the prior art.

11 is a view conceptually showing the operation of the topology automatic generation unit in the present invention.

FIG. 12 is a diagram illustrating an example of a multilayer network topology that is automatically generated by the topology automatic generation unit in the present invention. FIG.

FIG. 13 conceptually illustrates a traffic path identification process performed by the traffic path analyzer in the present invention. FIG.

14 is a view conceptually showing the operation of the traffic visualization processor in the present invention.

15 is a diagram illustrating an example of displaying a network topology map on a monitoring screen in the present invention.

16 is a diagram showing an example of a network status inquiry screen for a specific node in the present invention.

FIG. 17 is a diagram illustrating an example in which the overall network state is displayed in a multilayer form in the present invention. FIG.

18 is a block diagram showing the internal functional configuration of the artificial intelligence analysis unit in the present invention.

19 is a view conceptually showing the operation of the artificial intelligence analysis unit in the present invention.

20 conceptually illustrates a cooperative operation of internal components of a network management system in the present invention.

21 is a view conceptually illustrating a multimedia visualization presentation process in the present invention.

Problem solving approach and functional characteristics of the network traffic visualization analysis technology according to the present invention are as follows.

(1) Model the network status in three-dimensional (3D) form so that the system administrator can intuitively grasp the network status and express the network status in detail by separating layers by layers.

(2) Collect various data from network through SNMP (Simple Network Managemet Protocol) and analyze the relationship between network elements (nodes) based on this, and automatically generate topology map showing network connection status and provide it to monitoring screen of system administrator. do.

(3) Save network status of each time point as a screenshot periodically (eg every 30 seconds). This makes it possible for the system administrator to continuously see changes in network status over a certain period of time, if necessary.

(4) Network data can be stored in a database and machine learning can be applied to it for status information learning and anomaly analysis.

(5) Display each element (node) of network on network topology map, and when system administrator selects source node and destination node in topology map, traffic path is automatically identified based on routing information.

In addition, the advantages of the present invention obtained by adopting such a functional feature is summarized as follows.

(1) Intuition: The system administrator displays the structure of the system in multiple layers on the monitoring screen of the system administrator, and expresses the network status such as traffic status, system status by color, shape, size, etc. You can understand it intuitively.

(2) Convenience: The network topology map is automatically generated and provided on the monitoring screen, and machine learning is used to make network management easier by automatically determining the network abnormality based on the continuous change of the network status for a certain time or a certain period of time. can do.

(3) Enhancement of analysis function: Network status analysis has been enhanced because it can continuously track changes in network status over a period of time.

(4) Enhanced troubleshooting function: It is possible to identify the traffic route to a specific IP address by using the routing information of the network system, so that in case of a network failure, it is possible to quickly find the problem spot that caused the failure. Therefore, the problem can be solved quickly.

Hereinafter, with reference to the drawings will be described in detail the present invention.

1 is a flowchart illustrating a network traffic visualization analysis process according to the present invention.

The present invention is generally a technique for a network management system (NMS) to monitor network conditions and take appropriate action in response. Compared with the prior art, the present invention is characterized by reducing the intervention of a system administrator for displaying network status, visualizing the network status in a multilayered form, and analyzing and detecting abnormal symptoms based on artificial intelligence.

Hereinafter, the overall process of the network traffic visualization analysis method according to the present invention will be described.

Step S100: First, the network management system (NMS) collects information related to a plurality of network elements through SNMP. In this specification, the collected information is referred to as 'SNMP collection information'.

The present invention utilizes SNMP to collect various data in the network, thereby ensuring compatibility. At this time, the collection target is all devices that support SNMP, for example, network equipment, security equipment, servers (Windows, Linux, Unix, etc.). In addition, the collected contents include system information, network interface information, routing information, ARP information, network traffic usage information, and the like. The configuration of the SNMP collection information will be described later in detail with reference to FIGS. 3 to 5.

Meanwhile, the network management system (NMS) continuously collects SNMP collection information and stores it in a database.

Step S200: The network management system (NMS) analyzes a plurality of network elements constituting a network and relationships among them from SNMP collection information, and automatically generates a network topology map by using the analysis result.

SNMP collections contain information about the various elements that make up the network and their interrelationships. Accordingly, network elements are discovered and modeled as nodes based on SNMP collection information, and connection paths between these elements are modeled as relations. The network topology map can then be constructed by geometrically placing these plurality of nodes and visually representing the relation between them. A process of modeling a network and automatically generating a network topology map will be described in detail later with reference to FIGS. 6 to 12.

Meanwhile, in the present invention, the network topology map is expressed in a three-dimensional multilayer format so that intuitive grasp is convenient. The multilayer structure may include a system layer and a NIC layer. In addition, the multilayer structure may further include a business layer, a service layer, and the like, depending on the implementation. In addition, the present invention is configured to automatically generate a network topology map in software.

Step S300: The network management system (NMS) visualizes the plurality of nodes and relations constituting the network topology map in a multilayer form on a monitoring screen by reflecting the network status according to the SNMP collection information. That is, the nodes and relations constituting the network topology map are displayed on the display screen of the system administrator, but the intuition is enhanced by reflecting each state in size, thickness, color, and the like. This will be described later with reference to FIGS. 14 to 17.

Step S400: The network management system NMS stores the above visualized network state information in a form of a screenshot in a database form periodically at every time point, for example, every 30 seconds, for example, every 30 seconds. This makes it possible for system administrators to continuously see network status changes that have occurred over a period of time as needed.

Step S500: The network management system (NMS) learns state information of a corresponding network by performing machine learning by using SNMP collection information stored in a database. Based on the learning result, network abnormalities are identified and notified to the system administrator. Such abnormal symptom notification occurs when a specific event such as interface up / down, object setting (routing information, etc.) change, object addition or deletion occurs, and the like. Machine learning will be described later in detail with reference to FIGS. 18 and 19.

Step S600: The network management system (NMS) identifies a traffic route and a traffic attribute between the source IP address and the destination IP address based on routing information among the SNMP collection information in response to the source IP address and the destination IP address setting, and determines the network topology. Multi-layer visualization on the map. In this case, the traffic path means a transmission / reception path of a network packet between a specific node and the node.

At this time, the setting of the source IP address and the destination IP address may be performed by a system administrator, or may be sequentially selected from a plurality of nodes included in the network topology map. The former situation may occur when a system administrator looks at a particular node for troubleshooting, for example. In other words, when the system administrator selects a source and a destination through a mouse operation on a network topology map, the traffic manager identifies traffic routes based on routing information. The latter situation, on the other hand, can occur when real-time monitoring of traffic conditions between nodes in a network topology map. The process of tracking the traffic path in the present invention will be described in detail later with reference to FIG.

2 conceptually illustrates a system architecture for implementing network traffic visualization analysis in accordance with the present invention. Referring to FIG. 2, the overall system architecture for implementing the present invention includes a network information collecting unit 100, a network modeling unit 200, a collection information database 310, a graphic database 320, and a topology automatic generation unit 400. The traffic path analysis unit 500, the traffic visualization processing unit 600, the artificial intelligence analysis unit 700, the abnormal symptom analysis unit 800, and the multilayer dashboard 900 are configured to be included.

Hereinafter, each component will be described.

First, the network information collecting unit 100 is a component that collects data on various elements constituting the network by using SNMP. The network information collecting unit 100 periodically collects network information and stores it in a database, which is referred to herein as 'SNMP collection information'.

At this time, the information collection target includes all systems connected to the network and supporting SNMP, such as network equipment, security equipment, and server (Windows, Linux, Unix, etc.) devices. Information collected includes system information (e.g. CPU usage, memory usage), interface information (e.g. interface name, IP address, MAC address, VLAN information), routing information (e.g. routing table), ARP ( Address resolution protocol) information (eg, MAC table), network traffic usage information (eg, transmission / reception (TX / RX) traffic usage by interface), and the like.

3 is a diagram conceptually illustrating an operation of the network information collecting unit 100 in the present invention. In FIG. 3, the network information collection unit 100 is implemented in the form of an SNMP server. An SNMP response packet (SNMP) is periodically transmitted by the target systems in response to a broadcast of an SNMP request packet on a network. Receive Response Packets). The network information collecting unit 100 obtains information on the corresponding system by analyzing the contents of the SNMP response packet.

The network information collecting unit 100 periodically acquires and transmits SNMP collection information to the network modeling unit 200, and accumulates and stores it in the collection information database 310. The network modeling unit 200 automatically generates a network topology map based on the SNMP collection information, and the data stored in the collection information database 310 is used for machine learning and anomaly analysis.

FIG. 4 is a diagram illustrating an example of arranging an SNMP collection system in the present invention, and FIG. 5 is a diagram illustrating an example of various properties used for network information in the present invention. In the present specification, a system is a concept of a device or an equipment, and an interface is a concept of a device, such as an Ethernet module or a WLAN module, that is in charge of a network connection in each system. In the present specification, systems and interfaces are treated as elements constituting a network.

With reference to FIG. 4, we identify what systems exist on the network and collect available information (ie system information) about these systems. It then identifies what interfaces exist in each system and gathers available information about those interfaces (ie, interface information). In general, since a network device or a server device includes a plurality of Ethernet ports and a WLAN module, a plurality of interfaces are mapped to each system in FIG. 4.

In one embodiment, the system information includes a category, a system name, an IP address, a default gateway, a link layer discovery protocol (LLDP) MAC address (lldpMacAddress), and a CPU usage (CPU). Usage).

In addition, the interface information may include category, interface name, destination IP band (DestinationIPBand, routing table), interface transmit / receive packet amount (If In / Out Octets), interface transmit / receive error amount (If In / Out Errors), Interface communication speed (Speed), network interface card (NIC) MAC address (MacAddress), MAC table (connectedMac), NIC up / down status (Status), interface IP address (IP Addr), port number (Port), NextHop in the communication path, VLAN information (VLAN) that the interface is bound, etc.

4 and 5, it is possible to determine what systems and interfaces exist in the current network from the SNMP collection information. In this specification, these are called network elements and mapped to nodes in a network topology map. In addition, by analyzing the SNMP collection information it is possible to determine the connection relationship or connection status between these nodes, which is referred to herein as a relation. For example, Jsons format parsing can be used to analyze SNMP collection information.

The network modeling unit 200 is a component for identifying and modeling an internal configuration and interconnection relationship of a network based on SNMP collection information provided by the network information collecting unit 100. The network modeling unit 200 identifies which network elements currently exist on the network, and based on the result of analyzing the SNMP collection information, the relation between them, that is, interface-to-interface, interface-to-system, and system-to-system relation Set.

The concept of establishing a relation between network elements is to establish a connection between interfaces if ARP is connected.If a connection is established between interfaces of each system, a connection is also established between the corresponding systems, and an interface establishes a connection with a system to which it belongs. . An example of setting the relation by the network modeling unit 200 will be described in detail later with reference to FIG. 9.

6 conceptually illustrates an operation performed by the network modeling unit 200 in the present invention. Referring to FIG. 6, the network modeling unit 200 receives the SNMP collection information from the network information collecting unit 100 to perform the collection data modeling operation and the modeling data analysis operation, and collect the modeling data generated through the collection information database 310. ) And the graphic database 320. To this end, the network modeling unit 200 includes a data modeling module 210, a relation analysis module 220, and a modeling data management module 230.

The data modeling module 210 performs preprocessing and parsing operations on the SNMP collection information provided by the network information collecting unit 100. The SNMP collection information has properties such as those illustrated in FIG. 5, and the data modeling module 210 parses the SNMP collection information, which is a data set, into a data structure and data format suitable for processing by the network modeling unit 200. Convert.

The relation analysis module 220 identifies network elements (ie, systems, interfaces) and establishes relations between them based on the SNMP collection information. Network element identification and relation establishment are repeated periodically, resulting in an updated network state. In addition, how the relations established between the network elements are connected and the communication path is obtained. In this case, the routing table (DestinationIPBand) of the SNMP collection information may be well utilized.

The modeling data management module 230 stores data generated by the data modeling module 210 and the relation analysis module 220 in the collection information DB 310 and the graphic DB 320 to be used by other components.

7 is a diagram conceptually illustrating a node and a relation in the present invention. Each system has one or more hardware NICs, which constitute a network interface, which are modeled as nodes. A relation is basically set between a system and one or more interfaces belonging to it, a relation is set between an interface currently transmitting and receiving data on a network, and a relation is set between interfaces bound to the same VLAN. In addition, when relations are established between interfaces, relations are established between systems to which each interface belongs.

FIG. 8 is a diagram illustrating an example of object attributes of a node and a relation generated by the relation analysis module 220 of the network modeling unit 200 according to the present invention. The object attributes for the node are as described above with reference to FIG. 5 and these attributes are obtained via SNMP. The relation is divided into a system relation and an interface relation. The system relation includes information about how the systems are connected to each other, and the interface relation includes information on how communication is actually performed. The system relation is obtained by combining the information obtained at the IP layer and the physical layer, and the interface relation is obtained from the routing table and the MAC table.

On the other hand, the relation is also referred to herein as an edge (edge).

FIG. 9 is a diagram illustrating a process of generating a plurality of nodes on a multilayer and setting relations between them based on a result of analyzing the SNMP collection information by the network modeling unit 200 in the present invention. Since a serial number is displayed in each step in FIG. 9, the following description also describes a node generation and relation setting process according to the serial number.

(1) Based on the SNMP collection information, a plurality of systems existing in the network are identified and set as nodes on the system layer. In addition, the interface included in each system is identified and configured as a node on the NIC layer.

(2) Identifies the interface belonging to each of the plurality of systems, and establishes a relation between the system and the interface belonging to it.

(3) Set relation between interfaces belonging to same VLAN.

(4) Set up relations between connected interfaces by referring to routing table. Referring to FIG. 5, destination IP band (DestinationIPBand, routing table) information related to an interface among SNMP collection information may be usefully used at this stage.

(5) Since the SNMP protocol does not guarantee completeness, there is a possibility that there are missing network elements that are not found and missed by SNMP. Accordingly, the network modeling unit 200 analyzes the IP address of the ARP table, identifies one or more systems and interfaces not found in the SNMP collection information, and additionally sets them as nodes on the system layer or the NIC layer, respectively.

(6) A relation is established between each system and the interface belonging to the system additionally set by the ARP table.

(7) Set relation between connected interfaces by referring to routing table between interface additionally set by ARP table and interface set by SNMP collection information.

(8) View connected relations of each system interface and set up relations between systems. That is, if a relation exists between the interfaces to which it belongs, the relation is also set between systems.

The collection information database 310 stores the SNMP collection information continuously provided by the network information collecting unit 100 and the node and relation generation information (setting information) provided by the network modeling unit 200. The information stored by the collected information DB 310 may be loaded by the artificial intelligence analysis unit 700 and used for machine learning.

The graphic database 320 stores information about correlations between the nodes constituting the network and relations.

The topology automatic generation unit 400 automatically generates a connection structure of the corresponding network, that is, a network topology map, in a multilayer format based on the node and relation setting information provided by the network modeling unit 200.

First, with reference to Figure 10 looks at the network topology presentation method that has been manually created in the prior art. FIG. 10A is a spectral layout, which is generally suitable for showing a network configuration diagram. In spectral placement, the length of the edge is determined first and the relative distribution of the nodes is determined accordingly, which has the disadvantage that the length of the edge is flexible and the position is difficult to determine.

FIG. 10B is an orthogonal layout, which is generally suitable for showing a network configuration. Orthogonal layout is convenient because it can draw a network with only edge and node information, but it generates randomness without specifying node coordinates.

In addition, various network topology expression methods have been used in the past, including (c) and (d) of FIG. 10. However, these conventional topology presentation methods are applicable to simple networks because they generate node coordinates randomly. However, when the network structure is slightly complicated, readability and intuition are remarkably inferior. Accordingly, the present invention attempts to increase the intuitiveness of a complex network by calculating the node position and placing it at the optimum position.

11 is a diagram conceptually illustrating an operation of the topology automatic generation unit 400 according to the present invention. A plurality of edge information is provided to the input of the topology automatic generation unit 400, an edge corresponding to a relation herein. In the present invention, a graph theory is applied to automatic topology generation, and the term 'edge' used in the graph theory is applied. The edge is represented by a combination of 'a' and 'b', indicating that it is a relation connecting node a and node b.

The topology automatic generation unit 400 extracts nodes, which are network elements, from the plurality of edges, and draws a connection relationship between them to create a network topology map using a block puzzle-like approach. In particular, the network topology is generated in a multi-layer format, and the topology is preferably generated by descending from an upper layer to a lower layer.

Hereinafter, a process in which the topology automatic generation unit 400 automatically generates a network topology map from a plurality of edge information will be described.

First, nodes which are network elements are extracted from a plurality of edges, and shapes having a closed shape are extracted by using the plurality of nodes. In other words, a plurality of nodes are used as vertices to create a closed graphic such as a straight line, a triangle, a rectangle, or the like.

Then assign initial coordinates for each node. In terms of intuition, it is preferable that a plurality of nodes have a form sufficiently separated from each other without being concentrated at any one point. To this end, a method of setting a circle for each layer and assigning initial coordinates of each vertex so as not to overlap each other for a plurality of figures on the coordinates inscribed on the circle is adopted.

Specifically, when the length of one side of the equilateral triangle included in the circle of radius R is N, the Python code for calculating the length of the straight side is

int (R * math.cos (math.radians (30))) * 2;

Python code to get the length of the sides of a rectangle

int (math.sqrt (1.5 * math.pow (R, 2)));

The length of the sides of the triangle is N. Shapes are placed in non-overlapping positions for all the extracted shapes. In this case, since one node may be utilized in a plurality of figures, the arrangement of the nodes may overlap.

Then, when a plurality of figures are duplicated for the same edge, the duplicate figures are removed according to a preset priority. In other words, if one edge is used in multiple shapes, only one is left and the other is removed. Removal of duplicated figures is done in order of priority. For example, if a straight line and a triangle or rectangle overlap, the straight line is removed. If the triangle and the rectangle overlap, the triangle is removed. That is, it leaves a figure with high relation with other nodes.

Initial positioning for the network topology map was performed through the above processes, that is, node extraction, creation of a closed figure, initial coordinate assignment, and elimination of duplicated figures. In the following, the batch adjustment process is performed in two steps to increase the intuitiveness of the network topology map.

First, a plurality of figures, preferably two figures, having one or more points coincident with each other are selected, and the figure matching is repeated by repeating the movement and swapping nodes in the figure.

Next, a top node located at the highest point in coordinates is extracted while all nodes are connected. The top node is the topmost geometrically placed node in the network topology map, starting with this top node and descending to the bottom node to adjust the node placement.

First, a top node is set as a reference node, and a position to place a child node (hereinafter, referred to as a 'direct node') directly connected to the reference node is selected. In the present invention, the number of immediate nodes (M) Reflect M to set M coordinates.

At this time, it is preferable to equally distribute the first coordinate axis (for example, the X axis). That is, M X coordinates are set to equally space the distance between the minimum value min (x) and the maximum value max (x) of the initially assigned X axis coordinates for the immediate node.

In addition, candidate coordinates are selected to be secondly spaced apart from the circle set in the initial coordinate allocation with respect to the layer to which the child node belongs to the second coordinate axis (for example, the Y axis), and the same applies to the child node. Expressed in Python code, the direction from the reference node to the second axes

int (R * math.cos (math.radians (30))) * 2;

Set the Y-axis coordinates so that it goes down by.

Through the above process, M candidate coordinates in which M direct nodes are to be arranged are set. Next, M candidate coordinates are sequentially mapped to M direct nodes in a one-to-one manner. To this end, one candidate coordinate located at the closest distance to another node directly connected to itself is selected and allocated among M candidate nodes. That is, among the nodes KE that are determined to be directly connected from the edge information for each currently selected node K, the coordinates which are closest among the above M candidate coordinates for the nodes that are already positioned, that is, are not included in the current node K set. Calculate and assign to node KE.

Through the above process, coordinates on the network topology map are specified for M subnodes directly connected to the reference node. If there are additional coordinate unassigned subnodes, the candidate node which has just been assigned immediately as the reference node is used as the reference node and proceeds to the candidate coordinate selection step. That is, the coordinates for the connected lower nodes are assigned by using the direct node to which the coordinates are assigned as the top node, and the coordinates are allocated to all nodes by repeating this process.

12 is a diagram illustrating an example of a multilayer network topology automatically generated by the topology automatic generation unit 400 in the present invention. Referring to FIG. 12 , the multilayer network topology according to the present invention is similar in appearance to the conventional network structure, but the network structure is intuitively illustrated because the multilayer structure and the node positions are appropriately selected on each layer. It is characteristic. In particular, it is superior to the prior art in that this advantage can be maintained even if the network is complicated because it is automatically generated by a single algorithm rather than manually.

The traffic path analysis unit 500 is a component that identifies the traffic paths between the IP addresses, that is, the routing IP when the source IP address and the destination IP address are specified. The setting of the source IP address and the destination IP address may be performed by the system administrator selecting both nodes on the monitoring screen to solve the network failure. It may also be sequentially selected from a plurality of nodes included in the network topology map for displaying the network status.

13 is a diagram conceptually illustrating a traffic path identification process performed by the traffic path analyzer 500 in the present invention. Since a serial number is displayed in each step in FIG. 13, the following describes the traffic path identification process sequentially according to the serial number.

(1) When the source IP address and the destination IP address are identified, check whether these Start IP and End IP addresses are internal addresses, internal band addresses, or external addresses. The number of cases is nine, but since the source and destination IP addresses cannot both be external addresses, there can be eight cases after all except this one.

(2) If the source IP address belongs to an external network, the IP address is exchanged between the destination IP address and the source IP address so that the source IP address is always an internal address or an internal band address. For example, if the source IP address is 8.8.8.8 for the external network and the destination IP address is 192.168.0.90 for the internal address, exchange the IP addresses to set the source IP address to 192.168.0.90 and the destination IP address to 8.8.8.8. It is to be processed as possible.

(3) When the source IP address belongs to the internal network, the system (System 1) to which the source interface (Interface 1-1) corresponding to the source IP address belongs is searched and set as the source system.

When the source IP address belongs to the internal band network, the source IP address is searched for the interface belonging to the band and the system (System 1) to which the interface belongs is set as the source system.

(4) The interface (Interface 1-2) having the address band (see DestinationIPBand property) of the destination IP address among the interfaces belonging to the source system (System 1) is searched and set as the first relay interface.

(5) If no interface with the address band of the destination IP address is found, the interface with the default gateway (see defaultGateway property) of the source system (System 1) is searched. In addition, among the interfaces bound by the interface and the VLAN, an interface (Interface 1-2) whose IP address is the destination IP address is searched for and set as the second relay interface. If there is no such interface, the interface connected to the default gateway is found and set as the second relay interface.

(6) The other interface (Interface 2-1) connected with the first relay interface or the second relay interface is searched for. Although only one counterpart interface is illustrated in FIG. 13, in general, a plurality of counterpart interfaces connected to the first or second relay interface may be searched.

(7) A plurality of counterpart systems (System 2) to which the plurality of counterpart interfaces (Interface 2-1) belong are identified. Similarly, although only one counterpart system is shown in FIG. 13, a plurality of counterpart systems may be searched.

(8) The plurality of counterpart systems identify the interface (Interface 2-2) having the destination IP address by checking the IP address of the interface belonging to each other, and set it as the destination interface. The system having the destination interface (System 2) is set as the destination system.

(9) In the above process, the relation combination that passes from the source interface (Interface 1-1) to the destination interface (Interface 2-2) becomes a traffic path for the source IP address and the destination IP address.

The traffic visualization processor 600 is a component that visually expresses the information derived by the network modeling unit 200, the topology automatic generation unit 400, and the traffic path analysis unit 500. In addition, as will be described later, when the abnormal symptom analysis unit 800 detects an abnormal symptom based on the machine learning learning result, the system administrator visualizes the contents in a form that can be recognized by the system administrator.

The traffic visualization processor 600 visually expresses a plurality of nodes (systems, interfaces) and relations constituting the network topology map, and the traffic paths, traffic information, system status, network operation information (utilization rate, traffic) between the nodes thereon. Visualize your back.

14 conceptually illustrates an operation of the traffic visualization processor 600 in the present invention.

Referring to FIG. 14, the traffic visualization processor 600 visualizes traffic information. Displays network usage by system using the network usage using the transmission / reception (TX, RX) information of the interface and the network usage of the interfaces belonging to the system.In particular, the network usage is reflected in the thickness or color of the relation to be visually identified. do.

In addition, the traffic visualization processor 600 visualizes the network state. It displays the resource utilization rate of the system in graphs and numbers, displays the up / down status of the interface visually, and processes the system usage to be visually identified by reflecting the usage of the system in the size of the node.

In addition, the traffic visualization processor 600 visualizes the traffic path. When the source IP address and the destination IP address are specified, the traffic path analyzer 500 derives a traffic path based on the routing information, and the traffic visualization processor 600 compares the derived traffic path with a thickness or color different from the relation. Visually represent traffic paths by setting them apart.

FIG. 15 is a diagram illustrating an example of displaying a network topology map on a monitoring screen, and FIG. 16 is a diagram illustrating an example of a network state inquiry screen for a specific node in the present invention. On the multilayer network topology map, network traffic conditions are divided into IN / OUT directions for each interface and system, thereby providing traffic monitoring.

17 is a diagram illustrating an example in which the overall network state is displayed in a multilayer form according to the present invention.

The AI analysis unit 700 learns network state information continuously derived from the network through machine learning, and establishes a standard for distinguishing whether the network is in a normal state or in a situation in which abnormal symptoms are suspected. It is an outgoing component. 18 and 19, the artificial intelligence analysis unit 700 includes a feature selector 710, an ML module selector 720, a hyper parameter selector 730, and a machine learning tester 740.

18 is a block diagram showing the internal functional configuration of the artificial intelligence analysis unit 700 in the present invention. The property selector 710 parses and preprocesses network state information continuously provided from the collection information database 310. The machine learning module selector 720 selects one algorithm from a plurality of machine learning algorithms prepared in advance in response to an operation of a system administrator. The artificial intelligence analysis unit 700 outputs artificial intelligence processing data and classification and regression results after performing the artificial intelligence analysis.

19 is a view conceptually illustrating the operation of the artificial intelligence analysis unit 700 in the present invention.

The feature selector 710 continuously receives a data set corresponding to the network state information, such as SNMP collection information, over time. The property selector 710 includes a data parser and a data loader. The data parser parses raw dataset of SNMP collection information and extracts a plurality of feature factors. In one embodiment, a total of twelve property factors ip.src, ip.dst, ip.ver, ip.tos, ip.len, ip.ttl, ip.flag, ip.proto, tcp.sport, tcp.dport, tcp Here is an example of extracting .flags and tcp.raw. Tcp.raw is of type string and the remaining 11 are of type real number.

The data loader performs preprocessing, normalization, and dimensionality reduction on a plurality of feature factors extracted by the data parser. First, the eleven real type attribute factors (ip.src to tcp.flags) exemplified above are expressed in a matrix. The string type tcp.raw is vectorized with the TfidfVectorize algorithm and reduced in one dimension using the SVD algorithm. Then, 11 feature arguments of the real type and 1 feature argument of the primitive type are concatenated to form a feature factor matrix. Real type is inconvenient for mathematical operation, so normalize each element of characteristic factor matrix through minmax_scale (range: 0 ~ 10), and achieve dimension reduction in two dimensions through PCA (Principal Component Analysis) algorithm for graph representation .

In this case, the characteristic selector 710 may be configured to automatically select some of the characteristic factors derived by the data parser and the data loader.

The machine learning module selector 720 selects one algorithm from a plurality of machine learning algorithms prepared in advance in response to an operation of a system administrator. Optional options for the machine learning algorithm module include libraries (sklearn, tensorflow), machine learning algorithms, deep learning algorithms, logistic, linear, MLP (DL), CNN, RNN, and non-supervised learning (Clustering, Auto- encoder) and ring diagram learning. In addition, clustering algorithms include Kmeans, Dbscan, Meanshift, and Birch, and one of these algorithm modules is selected. In addition, several algorithms can be selected for PCA (Principal Component Analysis), SVD (Singular Value Decomposition), NMF (Non-negative Matrix Factorization), Logistic, and so on. On the other hand, it may be implemented to automatically select the algorithm with the highest accuracy for each data set based on previous execution experience among various machine learning algorithms.

When the machine learning module selector 720 selects a particular machine learning algorithm module, the selected machine learning algorithm module performs machine learning according to its machine learning algorithm on the downsized feature factor that the feature selector 710 outputs. To perform. SNMP collection information is continuously provided to the artificial intelligence analysis unit 700 over time, and this process is repeatedly performed. Through this repetitive learning, the learning is gradually performed to classify whether the network state is normal or if there is something abnormal.

The hyper parameters selector 730 selects hyperparameter values for setting the conditions under which the selected machine learning algorithm module operates in response to the operation of the system administrator. 19 lists examples of hyperparameters for such a machine learning algorithm.

The ML tester 740 inputs a new data set to the machine learning result and outputs the result as the calculation is performed. This will be described later with reference to the abnormal symptom analyzer 800.

The abnormal symptom analyzer 800 is a component that automatically determines whether the network is in a normal state or a situation in which an abnormal symptom is suspected by using the machine learning result performed by the artificial intelligence analyzer 700.

The abnormal symptom analyzer 800 receives the SNMP collection information in real time, that is, at that time, and transmits the information about the continuous network state change for a specific time point or period to the machine learning tester 740.

The machine learning tester 740 inputs the SNMP collection information provided in real time from the abnormal symptom analyzing unit 800 with respect to the result of the machine learning previously performed, performs an operation according to the corresponding machine learning algorithm, and then outputs the clustering result.

The abnormal symptom analyzer 800 automatically detects whether the network condition is normal or a situation in which abnormal symptom is suspected depending on which clustering result the machine learning tester 740 outputs.

Meanwhile, the abnormal symptom analyzer 800 stores the above-visited network state information at each time point in a database in a screenshot form, for example, periodically every 30 seconds according to a preset schedule. This makes it possible for system administrators to continuously check network status changes that have occurred over a certain period of time as needed and to analyze whether there are any abnormal symptoms.

20 is a traffic path analyzer 500, a traffic visualization processor 600, an AI analyzer 700, an abnormal symptom analyzer 800, and a multilayer dashboard, which are internal components of the network management system according to the present invention. A conceptual diagram illustrating a cooperative operation performed by 900.

The artificial intelligence analysis unit 700 learns modeling data using an artificial intelligence network (eg, CNN, ANN, etc.), and the abnormal symptom analysis unit 800 detects abnormal symptoms in a network state by using the machine learning results. I can do it. In addition, the abnormal symptom analysis unit 800 may automatically detect a situation in which a certain impact is applied to the network state, for example, an interface state change (up / down), a change in the use state of system resources, etc. using the machine learning result. have.

The traffic visualization processor 600 performs data processing to visually display modeling data, abnormal symptom analysis results, and traffic path extraction results on a monitoring screen of a system administrator.

The multilayer dashboard 900 displays the data visualized through the multilayer visualization engine 910 on an actual screen. In the present invention, the multilayer dashboard 900 is a component that includes a multilayer visualization engine 910 and a dash mode module 920 to visually express various types of information.

21 is a diagram conceptually illustrating a multimedia visualization presentation process according to the present invention. The multilayer dashboard 900 constructs a multilayer-based 3D stereoscopic visualization screen based on SNMP collection information and analysis information. That is, a plurality of layers may be implemented by including an interface layer and a system layer, and further including a service layer and a work layer, depending on the implementation example. In this case, the information may be expressed not only in the overall layer but also in the individual layer unit designated by the system administrator. In this case, the multilayer visualization engine 910 may be configured as a WebGL / 3D engine, and the dashboard module 920 may be implemented through various web-based page components.

Meanwhile, the present invention may be embodied in the form of computer readable codes on a computer readable nonvolatile recording medium. Such nonvolatile recording media include various types of storage devices, such as hard disks, SSDs, CD-ROMs, NAS, magnetic tapes, web disks, cloud disks, etc., and code is distributed in a plurality of networked storage devices. Forms that are implemented and executed may also be implemented. In addition, the present invention may be implemented in the form of a computer program stored in a medium in combination with hardware to execute a specific procedure.

Claims

Multi-layered network traffic visualization analysis method performed by network management system,

A first step of collecting information on network elements (hereinafter referred to as 'SNMP collection information') through SNMP and storing the information in a collection information database;

Analyzing a relationship between network elements based on the SNMP collection information, and automatically generating a network topology map including a plurality of nodes representing the network elements and a plurality of relations representing connection paths between the network elements;

A third step of multilayer-visualizing the plurality of nodes and the relation constituting the network topology map on a monitoring screen by reflecting a network state according to the SNMP collection information;

A fourth step of storing screenshots of the visualized network state information at each time point periodically according to a preset schedule;

A fifth step of learning through machine learning a series of network status information according to SNMP collection information stored in the collection information database and identifying a network abnormality indication based on the learning;

It is configured to include,

The second step,

A twenty-first step of analyzing, by the network modeling unit, the SNMP collection information;

A twenty-second step of identifying a plurality of systems existing in the network and setting them as nodes on a system layer;

A twenty-third step of identifying an interface included in each of the plurality of systems and setting it as a node on a NIC layer;

Establishing a relation between an interface-to-interface, an interface-to-system, and a system-to-system between the plurality of nodes with reference to a routing table;

The topology generation unit 400 generates the network topology map by arranging the plurality of nodes according to the layer and setting the connection relationship between the nodes for each layer based on the relation between the interface-to-interface, interface-to-system, and system-to-system. A twenty-fifth step;

It is configured to include,

The twenty-fourth step,

Setting a relation between a system and an interface provided in the system for each of the plurality of systems existing in the network based on the SNMP collection information;

Establishing a relation between interfaces bound to the same VLAN;

Establishing a relation between connected interfaces with reference to a routing table;

Analyzing the IP address of the ARP table, identifying one or more systems and interfaces not found in the SNMP collection information, and additionally configuring the nodes as system nodes or NIC layers;

Establishing a relation between a system and an interface provided in the system for each of the additionally set systems by an ARP table;

Establishing a relation between interfaces connected by referring to a routing table between the additionally set interface and an interface set by the SNMP collection information by an ARP table;

Establishing a relation even between systems if a relation exists between the interfaces to which the interface belongs;

Multilayer-based network traffic visualization analysis method comprising a.
The method according to claim 1,

A sixth step of identifying a traffic path between the source IP address and the destination IP address based on routing information of the SNMP collection information in response to a source IP address and a destination IP address setting;

A seventh step of identifying a traffic attribute of a traffic path between the source IP address and the destination IP address based on the SNMP collection information;

An eighth step of visualizing the traffic path and the traffic attribute on the network topology map;

Multilayer-based network traffic visualization analysis method, characterized in that further comprises.
The method according to claim 2,

The 25th step,

Step 251, extracting a plurality of figures having a closed shape from the plurality of nodes;

Setting a circle having a predetermined radius for each layer and allocating initial coordinates of each vertex so as not to overlap each other with respect to the plurality of figures on a coordinate inscribed to the circle;

Step 253, when the plurality of figures are overlapped with respect to the same edge, removing duplicate figures according to a preset priority;

Step 254, selecting a plurality of figures that match one or more points to repeat the movement of the figure and replacing the nodes in the figure to match the figures;

Extracting a top node located at the highest point in coordinates in a state where all nodes are connected to each other (255);

Setting the top node as a reference node (256);

257. The candidate coordinates are selected to be equally distributed in the first coordinate axis and to be spaced apart by the same value in the second coordinate axis so as to correspond to the number of lower nodes (hereinafter, referred to as 'direct nodes') directly connected to the reference node. step;

A step 258 of sequentially selecting and assigning coordinates to each of the immediate nodes by selecting one candidate coordinate located closest to the other node directly connected to the candidate among the candidate coordinates;

Step 259, when the coordinate unassigned lower node further exists, proceeding to step 257 after setting the immediate node assigned to coordinates as the reference node in step 258;

Multilayer-based network traffic visualization analysis method comprising a.
The method according to claim 2,

The sixth step,

Identifying, by the traffic path analyzer 500, a source IP address and a destination IP address;

Determining whether the source IP address and the destination IP address belong to an internal network, an internal band network, or an external network;

Exchanging an IP address between the destination IP address and the source IP address if the source IP address belongs to an external network;

If the source IP address belongs to an internal network, searching for a system to which a source interface corresponding to the source IP address belongs and setting the source system as a source system;

If the source IP address belongs to an internal band network, after searching for an interface in which the source IP address belongs to a band, searching for a system to which the searched interface belongs and setting it as a source system;

Searching for an interface having an address band of the destination IP address among at least one interface belonging to the source system and setting the interface as a first relay interface;

If there is no interface having an address band of the destination IP address, the interface having the default gateway of the source system and the VLAN bound interface is searched for an interface whose IP address is the destination IP address to the second relay interface. Setting up;

Searching for a plurality of counterpart interfaces connected with the first or second relay interface;

Identifying a plurality of counterpart systems to which the plurality of counterpart interfaces belong;

Searching for a system having an interface having the destination IP address among the plurality of counterpart systems and setting the destination system;

Searching for an interface having the destination IP address among the interfaces belonging to the destination system and setting it as a destination interface;

Multilayer-based network traffic visualization analysis method comprising a.
The method according to claim 2,

The third step,

Obtaining, by the traffic visualization processor (600), information on the node-to-node relation, network usage by interface, resource usage by system, and up / down status of an interface from the SNMP collection information;

Displaying a plurality of nodes and a plurality of relations in multiple layers in correspondence with the network topology map;

Calculating first network usage by using TX and RX information for each interface and visually displaying the first network usage through one or more of thickness and color in a relation corresponding to each interface;

Calculating second network usage by synthesizing network usage for each system, and visualizing and displaying the second network usage through at least one of size and color to a node corresponding to each system;

Displaying a resource utilization dashboard for each system;

Visually displaying an up / down state of the interface;

Multilayer-based network traffic visualization analysis method comprising a.
The method according to claim 5,

The fifth step,

The artificial intelligence analyzer 700 parses the SNMP collection information stored in the collection information database and extracts a plurality of characteristic factors;

A 52nd dimension reduction on the plurality of characteristic factors through matrixing, vectorization, singular value decomposition, normalization, and principal component analysis;

A fifty-third step of performing machine learning on the dimension reduced feature factor;

Repeatedly performing the steps 51-53 based on SNMP collection information over time;

Receiving an abnormal symptom analyzer 800 in real time from the SNMP collection information;

A machine learning tester (740) inputting the SNMP collection information provided in real time on the machine learning result;

Detecting network abnormality in response to the clustering result output from the machine learning tester 740;

Multilayer-based network traffic visualization analysis method comprising a.
A computer program stored in a medium in combination with hardware for executing the multilayer-based network traffic visualization analysis method according to any one of claims 1 to 6.