CN101483547B - Evaluation method and system for network burst affair - Google Patents

Abstract

The present invention discloses a method for measuring and evaluating network burst damage event, wherein the method comprises the following steps: passive perceiving and active detecting burst event; filtering and analyzing after merging the result; dividing the event grade according to the merging result, realizing the positioning to the fault reason; determining whether an adjustment of protocol mechanism should be executed according to the grade; and checking the whole condition of adjusted network for ensuring the correctness. The invention also provides a system for measuring the network burst damage event. The system comprises a router control module, an array management algorithm module, a network management module and an off-line calculating module. The problem to be settled by the invention is cause that the router has a flow perceiving capability, realize whether the full-network link and node operate normally and whether the burst damage event is generated. The result is notified in time for adjusting the protocol mechanism. The invention provides criterion for the protocol adjustment thereby increasing the usability and reliability of network node and link and finally guaranteeing the service quality of network.

Description

A kind of network burst affair appraisal procedure and system

Technical field

The present invention relates to computer network and information security field, be specifically related to a kind of tolerance and appraisal procedure and system of network accident.

Background technology

Along with rapid development of network technology, the multi-next-hop procotol is arisen at the historic moment.Network environment under the multi-next-hop procotol, flow equalization realize by parallel transmission.

For realize that network self-healing need detect, fault in the fixer network, fault detect fast and effectively and accurately promptly to discern fault type be basis and the important means that improves network availability, reliability and guaranteed qos.

Provide in the prior art a kind of based on the fault management in the network system of SNMP detect, fault in the fixer network.

By poll with receive Trap (catching) message, obtain fault message, but because the alarm duplicate message does not too much provide trouble correlation analytic again, make the network management configuration complexity, the manual operations amount is big.Flexibility for want of of network failure management pattern and adaptability are difficult to adapt to the needs of the fault management of modern network; Fault message complexity in network, certain event of failure often produces a series of fault warning, these alarms is not added issue the net administrator with handling, certainly will cause net administrator's working strength overweight, redundant information is too much, takies network bandwidth resources, form vicious circle, network management efficiency is low.

Also can follow the tracks of fault in (Trace Router) technology for detection, the fixer network in the prior art by network diagnosis program Ping and route.

Ping is a kind of network diagnosis program (order) commonly used, is used for determining whether local host can exchange (send and receive) data with another main frame.But whether the link that can only detect between certain two node by the Ping order has fault, but can't the origination point of fault be positioned.Therefore, industry positions fault by traceroute device Trace Router technology.In actual applications, warp Ping commonly used counts and judges the link break-make, comes the fault location point with Trace Router.In the link situation that breaks down, Ping for big flow but the once in a while situation of packet loss is difficult to detect; Ping and Trace Router containing easily cause wrong report; The Ping technology can not send Ping fast for a long time and detect bag, generally all limits, and causes detection inaccurate; When a lot of bar Lu Keda was arranged in the middle of detected link, the Ping bag can only be walked wherein link, when the link that exists the link that detects and real data to walk is inconsistent, caused testing result invalid; If make Trace Router fast, need the Bao Caineng of several times of transmissions to detect fault, bigger to consumption of broadband.

Moreover, also adopt the fault in two-way forwarding detection (BFD, BidirectionalForwarding Detection) technology for detection, the fixer network in the prior art.

BFD is a kind of Hello machine contracting system, by judging whether to lose continuously the packet of predetermined number, and then judges the mechanism that link is whether available.But for link is situation available, that just be interrupted packet loss once in a while, then can't realize detecting and reporting; BDF is the mechanism that a kind of point-to-point detects, and can't realize the quick location to link failure point; When between the source and destination mulitpath being arranged, detect bag and can only walk wherein one, may be different with path that actual data packet is walked, therefore produce and report by mistake.

In addition, the multiprotocol label switching (mpls) of also adopting International Telecommunication Union to propose in the prior art can be operated maintainability (OAM) technology and carries out that network failure detects, the location.

Because the label switched path (LSP, Label Switching Path) of MPLS is one section and connects one section foundation, and LSP can be nested, by forward faults indication (FDI, Forwaod DefectIndicator) machine-processed detection and location fault.But only effective to the MPLS network, invalid to IP network.Therefore can't realize fault detect in existing IP network; Also be a kind of by judging continuous packet loss, and then judge the testing mechanism that link is whether available, owing to adopt FDI mechanism, depend on the FDI bag that outer LSP sends for failure location, when outer LSP does not move OAM mechanism, then can't carry out fault location to the node in the link.

Other network fault detecting methods of the prior art under single next-hop network environment, mainly are the detections at network connectivity failure mostly, and the fault urgency are not carried out classification, and can't tackle happens suddenly to ruin hits the sexual behavior part.Therefore, the existing fault detection method can not simply be transplanted to the multi-next-hop network.Because the characteristics of accident are the sudden of it, therefore to it fast with measure accurately and assessment is that it can be found timely and effectively, and the final basis that node and link reliability is not threatened, so concerning the incident of hitting was ruined in the burst of IP network, fault detect speed was more important than accuracy.Whether the problem that need solve at the multi-next-hop network is how to make router have the flow perception, understands whether operate as normal of total network links and self node, having burst to ruin the incident of hitting and taking place.

Summary of the invention

In view of this, the invention provides a kind of tolerance and appraisal procedure and system of accident, can in time detect and accurately judge the network accident.

The tolerance and the appraisal procedure of a kind of network accident that the embodiment of the invention provides comprise:

Detect and obtain each relevant link flow change information of router;

Router is transmitted the conceptual data amount detect, obtain the conceptual data quantitative change information of forwarding;

Each the link flow information obtained and the total amount of data change information of forwarding are carried out merger and analysis;

Judge whether to take place accident according to merger and analysis result.

The embodiment of the invention also provides a kind of tolerance and evaluating system of network accident, comprising:

First detecting unit is used to detect and obtain each relevant link flow change information of router;

Second detecting unit is used to detect router and transmits the conceptual data amount, obtains the conceptual data quantitative change information of forwarding;

Processing unit is used for merger and analyzes each the link flow information obtained and the total amount of data change information of forwarding;

Identifying unit judges whether to take place accident according to merger and analysis result.

The tolerance and the appraisal procedure of the incident of hitting ruined in the burst that the embodiment of the invention provides, by detecting and obtain each relevant link flow change information of router; Router is transmitted the conceptual data amount detect, obtain the conceptual data quantitative change information of forwarding; Each the link flow information obtained and the total amount of data change information of forwarding are carried out merger and analysis; Thereby judge whether to take place accident.

The present invention adopts distributed traffic abnormality detection strategy, and each node is finished volume forecasting and abnormality detection independently in data acquisition, and offered load is little.Hardware supports that need be extra not, resource overhead is few.Has reliability, the availability of the fail safe of assurance itself and the network segment of managing; In time detecting network burst ruins and hits the sexual behavior part and provide early warning information for emergency response personnel.

Description of drawings

Fig. 1 is that network burst is ruined and hit incident metric evaluation system architecture schematic diagram;

Fig. 2 is that network provided by the invention burst is ruined and hit incident metric evaluation schematic diagram;

Fig. 3 is that the network burst that provides in the embodiment of the invention is ruined and hit incident metric evaluation method flow diagram;

Fig. 4 is relevant each link flow sudden change testing process of router figure in the embodiment of the invention;

Fig. 5 is that router is transmitted conceptual data amount sudden change testing process figure in the embodiment of the invention.

Embodiment

Link flow that the present invention causes this because fault or router transmit the sudden change of packet and may cause congestedly be defined as burst and ruin and hit the sexual behavior part, detection by router self is taken precautions against, and assess, and do not increase extra equipment by prediction.

In network system 100, be provided with as lower module:

Network management unit 110, mainly be existing snmp management protocol module, read the required amount of correlated information of detection in its MIB storehouse, transmit data volume and each link flow etc. as router, provide corresponding data information to administrative unit, also calculating for off-line threshold provides data message.

Administrative unit 120 mainly is made up of detection module 121 and sensing module 122, and wherein sensing module 122, and being equivalent to increases the forwarding state detection module on router, can improve himself reliability of applying and controllability in network environment.After just packet being carried out rule match in the present router, decision is transmitted and is still abandoned, not to transmitting the unusual detectability of data volume.When router can detect the unexpected variation of transmitting data volume, whether then can judge to transmit this moment has unusually, if any reason unusually so may be attack or network in neighbor node equipment lost efficacy, send warning information this moment, and reason announced other neighbours, take corresponding strategy according to the accident reason.Here be attribute of sudden change definition, the definition router is transmitted the amplitude of variation μ of data volume, is the normal variation of special occasion network peak period less than the variation of μ.μ discloses the sensitivity of algorithm to accident, and the sudden change amplitude then is greater than μ.After getting rid of normal possibility, the sudden change of appearance is considered as without exception unusually.This is a passive sensing module problem to be solved, just at the perception of router forwarding state.

Detection module 121 in the administrative unit 120 active perception Link State in router, link utilization situation just, detection by sudden change learns whether link flow is unusual, equally in time send warning information, take corresponding measure according to warning information, reach the purpose of avoiding unusual link.Be to judge whether congestedly by the detecting link utilance mostly to the detection of link at present, but this method can increase offered load, brings extra expense.The present invention detects the sudden change of the rising and the two kinds of trend that descend according to the link flow feature, not only detects the situation that congestion condition also comprises link failure.And at present big multimutation detection algorithm can only detect monolateral sudden change.Here be two attributes of sudden change definition: the one, the duration T p of sudden change is considered to normal flow white noise less than the sudden change of Tp; The 2nd, the amplitude of variation δ of sudden change is the normal variation that network self trend takes place less than the variation of δ.Tp and δ are two artificial parameters of adjusting, and they disclose the sensitivity of algorithm to accident, and the duration of fault detect is greater than Tp, and the sudden change amplitude then is greater than δ.After getting rid of normal possibility, the sudden change of appearance is considered as without exception unusually.This is an active detecting module problem to be solved, just to the perception of link utilization.

Router control unit 130 mainly comprises tracking prediction module 131, alarm module 132 and control module 133.Because front detection module 121 and sensing module 122 just to the detection of network part, so when with the abnormal results announcement, after agreement is adjusted, also need to carry out tracking prediction, are verified the correctness of adjusting the result.Tracking prediction module 131 is held by the integral body to state of network traffic, in conjunction with adjusted route matrix, can learn whether the link of fault in the network or node are avoided, and whether adjusted network traffics overall state is normal.This is tracking prediction module 131 problems to be solved, just the grasp of the whole network flow is controlled.Alarm module is mainly collected the warning information of detection module 121 and sensing module 122 announcements, and carries out filter analysis.133 of control modules are to the processing of warning information and carry out the orientation announcement, and hold the whole network situation according to the information that tracking prediction module 131 is submitted to.

Off-line threshold computing unit 140, mainly be collect in the SNMP network management protocol the MIB storehouse in interface group variable: ifInOctets (byte per second), ifOutOctets (byte per second), IP organizes variable: ipForwDatagrams (bag/second), ipInReceives (bag/second), and the threshold value of judgement is provided for online sensing module by computing formula.Simultaneously, record trouble link or node, and its probability of malfunction of statistical analysis are regularly announced the whole network with the node or the link that often break down, can avoid this category node or link when route selection or flow equalization.Failure cause is added up, thus the distribution situation of awareness network failure cause.

The present invention is described in further detail below in conjunction with accompanying drawing.

The present invention detects the sudden change of the rising and the two kinds of trend that descend according to the link flow information of obtaining, and not only detects the situation that congestion condition also comprises link failure.

Particularly, the embodiment of the invention is ruined the detection of the incident of hitting based on distributed burst, threshold value is by the calculating of off-line, reduce the amount of calculation of router, and by the fault location link, or malfunctioning node, avoid the Link State storm by carrying out the orientation announcement, each link failure probability of final entry determines bottleneck link.Provide foundation for optimizing whole Internet resources, when taking place, burst ruins the incident of hitting, network enters a kind of new stable state again after the agreement adjustment, fault detect this moment is the variation that will measure system mode, and need after state changes, still not alarm, avoid this kind situation by producing a back off timer in the embodiment of the invention.

Referring to Fig. 2 and Fig. 3, the burst of network that the embodiment of the invention provides is ruined and is hit incident metric evaluation method flow and comprise following concrete steps:

Step S01, detect and obtain relevant each link flow change information of router;

Referring to Fig. 4, above-mentioned sudden change to relevant each link flow of router detects by the following method and realizes that concrete steps are:

Accomplish that sudden change detects fast, will reduce time overhead, the embodiment of the invention is started with from division and maintenance required time of bucket for this reason, reduces time cost in this regard.

Step 101, read the flow information of the statistics of snmp management agreement in the webmaster module, form data flow x ₁, x ₂... ..x _n

Step 102, to data flow x ₁, x ₂... ..x _nIn each element ask and carry out its prefix and computing, x _i'=f _Ss(i), promptly

$f_{\mathrm{ss}}\left(i\right)=\underset{j=1}{\overset{i}{\mathrm{\Σ}}}{x}_j$

Obtain another one data flow x ₁', x ₂' ... ..x _n';

Step 103, data flow is divided into Preserve in the individual bucket, the division principle of bucket is with x ₁' put into a bucket, all the other every adjacent two data are put into a bucket, specifically as shown in the figure:

When n is even number:

When n is odd number:

Step 104, when new data arrives, be added to successively on the data with existing value, at this moment cluster set is respectively that length of window is 2 to the value of n+1;

Step 105, in order to determine whether to take place the data traffic sudden change fast, be on the data flow of n in length with detection limit in the embodiment of the invention, so lose the cluster set that length of window is n+1, with the length of window that newly obtains is that the cluster set of n is put into the corresponding position of original bucket, carry out this step successively, at this moment first bucket is empty, and the data that newly obtain are put into first bucket, Tong number is constant like this, and keeping cluster set in the bucket represent length of window simultaneously still is 1 to arrive n;

Limit the length of data flow n, just keep the number of bucket constant, that preserve in the up-to-date bucket is prefix and x ₁', x ₂' ... ..x _n' middle maximum data, when new data arrives, upgrade the window minimal data at first, just the value in first barrel.The reason of doing like this is according to the principle that detects: if length is not undergo mutation on the window of L, will not detect length be L+1 and later window thereof to algorithm so, and later sudden change can be thought to cause by jolting.Jolting is meant that the data on some time point have reached certain value in the data flow, but also is not enough to become the situation of sudden change.When on long time window, detecting sudden change, be mistaken as sudden change probably after these little variation accumulation.So preferentially upgrade the cluster set of wicket, accelerate detection speed.

Step 106, all results store with the form of table, the information of a bucket of every row storage, and two row divide odd even to store.When calling cluster set, F (2w _i) only need search even column and get final product.As long as the position of corresponding length of window value correspondence is found in all the other inquiries, accelerated searching speed like this.

Step 107, known length are the i (aggregate function F (w on the sliding window of 0≤i≤n) _i) result of calculation obtains by above-mentioned steps.Aggregate function F is summation operation sum.Because $F\left(w_i\right)=\underset{i=1}{\overset{i}{\mathrm{\Σ}}}{x}_j,$ So with inequality F (w _i) 〉=β (F (w _2i)-F (w _i)) (β＞1) describe the sudden change with ascendant trend, with inequality F (w _i)≤α (F (w _2i)-F (w _i)) (0＜α＜1) describe the sudden change with downward trend.These two inequality distortion are obtained following formula:

F(w _2i)≥(β+1)(F(w _2i)-F(w _i))(β＞1)

F(w _2i)≤(α+1)(F(w _2i)-F(w _i))(0＜α＜1)

Step 108, in data flow new element x _nWhen arrival and insertion histogram, just move this algorithm, in order to detect x _nWhether cause the generation that suddenlys change.This algorithm layering is carried out, since the 1st layer until the n/2 layer, each layer comprises data flow x and goes up two nearest adjacent isometric sliding windows.With the i layer is example, and algorithm is long for detecting on the sliding window of i whether the sudden change generation is arranged at two.Testing process was finished by two steps, at first calculated aggregate function F (w _i) value and F (2w _i) value, whether set up by detecting above-mentioned two inequality, judged whether that sudden change takes place, and output alarm signal.

Such as, window length is 1, then compares x ₁' and (x ₂'-x ₁') value;

Window length is 2, then compares x ₂' and (x ₄'-x ₂') value;

Window length is 3, then compares x ₃' and (x ₆'-x ₃') value.

Carry out successively up to detecting sudden change, length of window stops to detect up to n/2, and initiate data are proceeded same calculating relatively.

Step 109, note the link that breaks down, deposit in the server of calculated off-line threshold value, carry out statistical analysis, obtain its probability of malfunction, the link that often breaks down is regularly announced the whole network, when routing or flow equalization, can avoid this type of link.Also carry out statistical analysis to the overload link takes place equally, give each link weighted value according to the result, the routing during for flow equalization provides foundation.

Step S02, router is transmitted the conceptual data amount detect, obtain the conceptual data quantitative change information of forwarding;

Referring to Fig. 3, concrete steps are:

With a time series is example, in a sequence, be reference with a sliding window, detect the next adjacent measured value of this sliding window whether ANOMALOUS VARIATIONS takes place, whether fall in the adaptive threshold confidential interval up and down according to detected point, judge whether current point is unusual, just think that when amplitude of variation exceeds confidential interval this measured value is unusual.When sliding window moves forward in sequence step by step in turn, each point in the flow sequence of observations all will be detected.The decision function of detection algorithm is the likelihood ratio about a point and sliding window, it is the ANOMALOUS VARIATIONS between point of check and the sliding window, be the variation relation that detects between indivedual and the part, it can give prominence to the ANOMALOUS VARIATIONS situation in the short time, and can not miss other ANOMALOUS VARIATIONS incident.

Step 201, from snmp management information base MIB fetch interface group variable regularly: ifInOctets (byte per second), ifOutOctets (byte per second), IP organizes variable: ipForwDatagrams (bag/second), ipInReceives (bag/second), and they are the indication equipment interface per second byte number that receives and send, the router number-of-packet that receives and transmit each second respectively.

Step 202, employing sliding window model are exactly only to be concerned about the individual data of N up-to-date in the management information bank (sliding window size), and along with data constantly arrive, statistical information is brought in constant renewal in, the continuous translation of window data.

Step 203: to the mib variable in the sliding window, just four variablees in the step 301 are carried out adaptively sampledly, be arranged in a time series then in chronological order respectively, each time series is exactly a flow sequence of observations like this.

Step 204, at time point ... t _N-1, t _n, t _N+1... a sequence of observations

...X(t _n-1)、X(t _n)、X(t _n+1)...

Make X (t _n)=y _t, the measured value during expression t=n, suppose ... y _T+1, y _T+2... y _T+N+1Be the part stably, to time slip-window ... y _T+1, y _T+2... y _T+N+1Carry out zero-meanization, promptly do following processing:

$\stackrel{\‾}{y}=\frac{1}{N}\underset{i=1}{\overset{N+1}{\mathrm{\Σ}}}{y}_{t+1}$

x _t+i＝y _i+i-y i＝1，2......N+1

Step 205: to the sequence after the zero-meanization with AR (2) model match obtain difference ... e _T+1, e _T+2... e _T+N, e _T+N+1}:

I=1,2 ... .N+1

Be model coefficient.

Step 206: determine decision function W _t(N+1)

$W_t(N+1)=\frac{e_{t+N+1}}{\widehat{\mathrm{\δ}}}$

Wherein $\widehat{\mathrm{\δ}}=(e_{t+1}^2+e_{t+2}^2+...+e_{t+N+1}^2)/(N+1)$

Step 207: adaptive threshold U (t+1), L (t+1) determine.

The flush mechanism of describing by following formula superposes into behavior before:

p(t+1)＝α[y _t+N+1-y _t+N]+y _t+N

Wherein p (t+1) is exactly the threshold value predicted value of t+1 constantly, i.e. t+1 normal model constantly, y _T+NBe t measured value constantly, y _T+N+1Be t+1 measured value constantly, α is a weighting constant, its control new data shared proportion in model, and controlling models adapts to the speed degree of local behavior.

Step 208, so at first set up modeled normal behaviour, also comprised refreshing of normal model, when if current measured value meets this normal model fully, this measured value obviously is normal so, but this judgement is crossed and is harshness, and actual conditions can not meet theoretical model fully, so set a tolerance boundary, confidential interval just, as long as in this confidential interval, then be judged to be normal:

U (t+1)=p (t+1)+3 standard deviation

L (t+1)=p (t+1)-3 standard deviation

The scope of confidential interval also need calculate to set up the identical method of normal behaviour model, difference is that the data of normal behaviour are from measured value itself, the data of fiducial interval range are then obtained by the standard deviation of these measured values, for example, synchronization in every day, a measured value is all arranged, each of a week just has 7 measured values constantly so in the past, these measured values can be calculated their standard deviation, after obtaining this standard deviation, it is added on the model of normal behaviour, obtains coboundary U (t+1), deduct this standard deviation by normal behaviour again, obtain lower boundary L (t+1).According to adding standard deviation number difference, can obtain the range of tolerable variance of different stage.Ordinary circumstance adopts 2-3 times of standard deviation.So judgment criterion is:

When-L (t+1)≤W _t(N+1)≤during U (t+1), be judged as normal

Work as W _t(N+1)＞U (t+1) or W _t(N+1)＜-during L (t+1), be judged as unusual.

Wherein standard deviation calculation formulas is:

$d_m=\frac{1}{n}(d_1+d_2+...+d_n)$

n＝7

The establishing method that step 209, parameter are selected, it is given that this model has three parameters to need, i.e. the big or small N of the exponent number p of AR model, sliding window and weighting constant α.According to Time-series Theory, in actual applications, the exponent number of AR model is no more than 2.General AR exponent number p and sequence length N must satisfy following constraints:

0≤p≤0.1N

Choose N=20 at this, just the size of sliding window is 20, and weighting constant α is 1.1.

Step 210, note the node ID number that breaks down, deposit in the server of calculated off-line threshold value, carry out statistical analysis, obtain its probability of malfunction, the node that often breaks down is regularly announced the whole network, when routing or flow equalization, can avoid this category node.

Step S03, each the link flow information obtained and the total amount of data change information of forwarding are carried out merger and analysis;

Concrete grammar is as follows:

If the router of four ports, and,, do not comprise concurrent fault so hypothesis only is single link or node failure at this moment because the simultaneous probability of various faults is very little:

Situation one: step 101 testing result is the sudden change of downward trend, supposes link 1 Traffic Anomaly herein, and step 102 testing result is the sudden change of downward trend, is judged to be this link failure this moment.Reason is a link failure, and flow reduces, and so corresponding router is transmitted the conceptual data amount and reduced, because only consider the single fault situation, this moment, other links and node were normal.

Situation two: step 101 testing result is the sudden change of downward trend, supposes link 1 Traffic Anomaly herein, and step 102 testing result is the sudden change of ascendant trend, is judged to be that this is congested this moment.Because different with situation 1, router is transmitted the conceptual data amount to be increased, and so at first node is normal, after the reason that increases is link 1 fault, because re-route traffic is loaded into other links, cause the adjacent link flow to increase, directly show the increase of router transfer amount.And link 1 flow anticlimax is because the congested performance that causes packet loss.

Situation three: step 101 testing result is the sudden change of ascendant trend, supposes link 1 Traffic Anomaly herein, and step 102 testing result is the sudden change of ascendant trend, is judged to be attack this moment.Because attack generally at node, but attack traffic arrives node through link, and both increase simultaneously, so be judged to be attack.Different with situation 2, to transmit the conceptual data amount and increase though be router, the relevant link flow reduces in the situation 2, and this is not meet to attack the actual conditions that take place.

Situation four: step 101 testing result is the sudden change of ascendant trend, supposes link 1 Traffic Anomaly herein, and step 102 testing result is the sudden change of downward trend, is judged to be this node failure this moment.Though because link flow is increasing, router is transmitted data volume and is being reduced, node this moment fault, flow can not normally be transmitted, and the increase of single link flow can't operate as normal cause because of node.

Merger is carried out in step 101,102 gained results and above analysis handled, divide exception level, shown in the table specific as follows:

Step S02, S03 gained result are carried out grade classification, shown in the table specific as follows:

The gained result	Code	The analysis of causes	Grade classification
				Link flow is that the total amount of data sent out of turn reducing is for subtracting	00	Link failure	The III level
Link flow is that the total amount of data sent out of turn reducing is for increasing	01	Congested	The I level
				Link flow is to increase the total amount of data of forwarding for increasing	10	Attack	The II level
Link flow is to increase the total amount of data of forwarding for subtracting	11	Neighbor node lost efficacy	The IV level

More than be that the merger result divides exception level, but need be to the further filter analysis of result.Filtration is meant to reducing false alarm information, carries out certain warning message earlier and filters, and defines three threshold values herein, and false alarms information is got rid of.Step 101 is the sudden change detections to link flow, and the not necessarily unusual certain generation of sudden change, so duration T p and two decision thresholds of amplitude of variation δ of the sudden change of definition flow.When mutation time less than Tp, then think normal flow white noise; When the amplitude of variation of flow sudden change less than δ, then think the normal variation that network self trend takes place.Step 102 is the detections to the overall transfer amount of router, though confidential interval has been set, but still might be the abnormal results that the network normal variation causes, so the definition router is transmitted the amplitude of variation μ of data volume, when amplitude of variation less than μ, then think the normal variation of special occasion network peak period.And the obtaining and to decide in conjunction with the actual conditions of application network of three threshold values.Filter only is to analyze after alarm draws herein, can not eliminate false-alarm and mistake police fully.

Step S04, judge whether to exist burst to ruin according to the merger result to hit the sexual behavior part;

Concrete grammar is:

Here define a tlv triple vector A _i=＜L _j, R _j, t 〉, A wherein _iExpression warning group, L _j, R _jThe expression fault type, t represents the time that fault takes place.The total amount of data of transmitting shown in the above-mentioned table middle grade I then tentatively being judged as burst and ruining and hit the sexual behavior part for increasing, and the connectedness of network is impacted, and the above trigger mechanism that produces of table middle grade II carries out the agreement adjustment.Ruin when hitting the sexual behavior part when detecting burst in the network, detect unusual router and send this tlv triple vector information to neighbor node, the reason of directive sending message is to avoid the Link State Advertisement storm.When the needs agreement was adjusted, initiator's node produced one and adjusts message, and this message sends along the Route Selection direction, and each intermediate node is adjusted accordingly according to protocol after receiving and adjusting message.Start back off timer simultaneously, this node or link are not detected in the timer time, when avoiding fault detect to measure the variation of system mode, when state is adjusted, still alarm.

Step S05, the whole flow of adjusted network is assessed, verified its correctness.

Concrete steps are as follows:

Step 501, describe according to Kalman filtering algorithm, whole network is regarded as a system, the flow of each link is the amount of being concerned about, then to this system modelling.System control amount is generally 0, ignores system noise here, and observation noise is an additive white Gaussian noise, and the state expression formula of a certain moment k system is as follows,

β(k|k-1)＝F(k，k-1)β(k-1|k-1)

P(k|k-1)＝FP(k-1|k-1)F’

Step 502, the value of measuring are that Network Management Protocols SNMP is resulting, and calcaneus rete network flow is directly corresponding, so observing matrix C=1.Obtain following recursive calculation formula:

β(k|k)＝β(k|k-1)+Kg(k)(x(k)-β(k|k-1))

Kg(k)＝P(k|k-1)/(P(k|k-1)+R)

P(k|k)＝(I-Kg(k))P(k|k-1)

Step 503, obtain the amount of model correspondence;

How amount with the model correspondence obtains doing description one by one below.

(k k-1) is state-transition matrix to F, and the transfer matrix of system is a route matrix here; β (k) is a k system mode constantly, and x (k) is a measured value, can measure by SNMP; P (k) is an estimation error covariance, can be calculated by β (k)-β (k|k).

Step 504, starting working in order to make Kalman filter, need tell the Kalman two zero initial values constantly, is X (0|0) and P (0|0), just will select initial moment value.Here with K constantly as the initial moment, so each the link flow value of network that makes X (0|0) read from SNMP constantly for K, P (0|0) is 0 constant, estimates the value of K+2....... network integral body flow constantly thus.

Step 505, when network topology changes, need be according to the route matrix after changing recursive calculation again.

Step 506, to the assessment of model with least mean-square error (MSE), δ is for estimating the poor of evaluation and actual value in definition, i.e. δ=Xi-Xi ', so

$\mathrm{MSE}=\underset{i=1}{\overset{n}{\mathrm{\Σ}}}\left({\mathrm{\δ}}^2\right)/n$

Prediction is about to the flow value of arrival, afterwards real traffic and the predicted flow rate that obtains is compared, and judges whether both absolute difference have surpassed predetermined threshold value.If threshold value is T, moment t real traffic X _tWith predicted flow rate X _t ^*Difference be dt=|X _t-X _t ^*|, this species diversity is changed into the fault amount do further judgement, when dt-ε＞T, show the generation Traffic Anomaly, the adjusted network of agreement still exists unusual link or node.ε=E[e wherein _t ²] be predicated error.

The embodiment of the invention also provides a kind of network burst to ruin tolerance and the evaluating system that hits the sexual behavior part, comprising:

First detecting unit is used to detect and obtain each relevant link flow change information of router;

Second detecting unit is used to detect router and transmits the conceptual data amount, obtains the conceptual data quantitative change information of forwarding;

Processing unit is used for merger and analyzes each the link flow information obtained and the total amount of data change information of forwarding;

Identifying unit judges whether to take place accident according to merger and analysis result.

This system also comprises:

The route adjustment unit is used to adjust route; When judging that described link failure, neighbor node lost efficacy or the interdependent node of described link is under attack, then relevant route is adjusted.

The tolerance and the appraisal procedure of the incident of hitting ruined in the burst that the embodiment of the invention provides, by detecting and obtain each relevant link flow change information of router; Router is transmitted the conceptual data amount detect, obtain the conceptual data quantitative change information of forwarding; Each the link flow information obtained and the total amount of data change information of forwarding are carried out merger and analysis; Thereby judge whether to take place accident.

The present invention adopts distributed traffic abnormality detection strategy, and each node is finished volume forecasting and abnormality detection independently in data acquisition, and offered load is little.Hardware supports that need be extra not, resource overhead is few.Has reliability, the availability of the fail safe of assurance itself and the network segment of managing; In time detecting network burst ruins and hits the sexual behavior part and provide early warning information for emergency response personnel.

Obviously, those skilled in the art should be understood that, above-mentioned each unit of the present invention or each step can realize with the general calculation device, they can concentrate on the single calculation element, perhaps be distributed on the network that a plurality of calculation element forms, alternatively, they can be realized with the executable program code of calculation element, thereby, they can be stored in the storage device and carry out by calculation element, perhaps they are made into each integrated circuit modules respectively, perhaps a plurality of unit in them or step are made into the single integrated circuit module and realize.Like this, the present invention is not restricted to any specific hardware and software combination.

The above is preferred embodiment of the present invention only, is not to be used to limit protection scope of the present invention.All any modifications of being done within the spirit and principles in the present invention, be equal to replacement, improvement etc., all be included in protection scope of the present invention.

Claims (8)

1. the tolerance of a network accident and appraisal procedure is characterized in that, comprising:

Detect and obtain each relevant link flow change information of router;

Router is transmitted the conceptual data amount detect, obtain the conceptual data quantitative change information of forwarding;

Each the link flow change information that obtained and the total amount of data change information of forwarding are carried out merger and analysis;

Judge whether to take place accident according to merger and analysis result;

Ruin when hitting the sexual behavior part when detecting burst in the network, detect unusual router and send the tlv triple vector information to neighbor node; When the needs agreement was adjusted, initiator's node produced one and adjusts message, and described adjustment message sends along the Route Selection direction, and each intermediate node is adjusted accordingly according to protocol after receiving and adjusting message.

2. the method for claim 1 is characterized in that, described detection is also obtained each relevant link flow change information of router, specifically comprises:

Collect the link flow value relevant with router, the data flow that obtains is assembled calculating;

To assemble result's branch odd even deposits, the cluster set that utilizes this gathering result to carry out adjacent isometric window as the threshold value of weighing the variation size again compares, at the fixed time in the length, the amplitude of variation that network traffics are compared with the historical flow in past, judged whether to happen suddenly to ruin and hit the incident generation, and the link that record breaks down is a faulty link.

3. the method for claim 1 is characterized in that, describedly router is transmitted the conceptual data amount detects, and obtains the conceptual data quantitative change information of forwarding, specifically comprises:

Collect the data amount information that router is transmitted, it is adaptively sampledly obtained a time series;

Choosing a sliding window in this time series is reference, detect the next adjacent measured value of this sliding window, obtain the data traffic amplitude of variation, judge then that when amplitude of variation exceeds confidential interval this measured value is unusual, and the node that record breaks down is a malfunctioning node.

4. the method for claim 1 is characterized in that, describedly judges whether to take place accident according to merger and analysis result, specifically comprises:

If the link flow sudden change also reduces to predetermined value, the total amount of data sudden change of forwarding also reduces to scheduled volume, then judges described link failure;

If the link flow sudden change also reduces to predetermined value, the total amount of data sudden change of forwarding also is increased to scheduled volume, then judges described link congestion;

If the link flow sudden change also is increased to predetermined value, the total amount of data sudden change of forwarding also reduces to scheduled volume, judges that then neighbor node lost efficacy;

If the link flow sudden change also is increased to predetermined value, the total amount of data sudden change of forwarding also is increased to scheduled volume, judges that then the interdependent node of described link is under attack.

5. method as claimed in claim 4 is characterized in that,

The duration that described link flow sports flow to be increased or reduce reaches scheduled duration and flow increases or the amplitude of minimizing reaches predetermined threshold.

6. the method for claim 1 is characterized in that, further comprises:

When judging that described link failure, neighbor node lost efficacy or the interdependent node of described link is under attack, then carry out the route adjustment.

7. the tolerance of a network accident and evaluating system is characterized in that, comprising:

First detecting unit is used to detect and obtain each relevant link flow change information of router;

Second detecting unit is used to detect router and transmits the conceptual data amount, obtains the conceptual data quantitative change information of forwarding;

Processing unit is used for merger and analyzes each the link flow change information obtained and the total amount of data change information of forwarding;

Identifying unit judges whether to take place accident according to merger and analysis result; Ruin when hitting the sexual behavior part when detecting burst in the network, detect unusual router and send the tlv triple vector information to neighbor node; When the needs agreement was adjusted, initiator's node produced one and adjusts message, and described adjustment message sends along the Route Selection direction, and each intermediate node is adjusted accordingly according to protocol after receiving and adjusting message.

8. system as claimed in claim 7 is characterized in that, also comprises:

The route adjustment unit is used to adjust route; When judging that described link failure, neighbor node lost efficacy or the interdependent node of described link is under attack, then relevant route is adjusted.

Images