CN101594247A - The method and system of identification applied topology - Google Patents
- Publication number
- CN101594247A
- Authority
- CN
- China
- Prior art keywords
- stream
- mutual
- afferent
- type
- grouping
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/12—Discovery or management of network topologies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/18—Protocol analysers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method and system for identifying application topology. The method comprises: extracting, from network traffic occurring within a predetermined time period, packets for which at least one of the source address and the destination address is within a predetermined host range, and obtaining the transmission time of each packet; identifying, according to interaction features, the interaction carried by a packet, the interaction comprising an interaction type, an interaction requester, and an interaction responder; generating flows, each representing interactions that have the same type, requester, and responder, and each comprising statistics on the interactions of that type carried by the packets extracted in each unit time of the predetermined time period; and, for all incoming flows and all outgoing flows of each endpoint that has incoming and/or outgoing flows, finding the correlated incoming and outgoing flows. The system and method of the invention improve the efficiency of identifying application topology.
Description
Technical field
The present invention relates to configuration management of information technology (IT) systems, and in particular to a method and system for identifying application topology.
Background technology
Many tools exist to help with configuration management in IT systems such as data centers. However, these tools face various problems, for example the rapid growth in system scale and complexity and frequent changes in system composition, such as servers and applications. Administrators usually know the devices and the network topology that an IT system comprises, but this is not enough to manage the IT system more effectively and efficiently. Administrators need a deeper understanding of the IT system.
One aspect that needs to be understood in depth is the application topology of the IT system, that is, the deployment of application components (for example programs, services, and modules) on the hosts (for example servers) of the IT system, and the interactions (for example service request-response) between the deployed application components.
Tools for identifying application topology exist. For example, TADDM (Tivoli Application Dependency Discovery Manager) from IBM Corporation of the United States discovers application topology through port/configuration scanning. However, active tools of this kind need to actively scan IP addresses and predetermined ports to discover applications, or log on to servers to obtain and analyze application configuration files, or require a specially installed agent.
nLayers InSight, from EMC Inc. of Canada, is a passive tool that identifies application topology by scanning packets obtained by means such as port mirroring or network cable taps. nLayers InSight identifies application components and the interactions between them from packet payloads using predefined interaction features (fingerprints), and identifies correlations between interactions based on the assumption that interactions with a causal relationship are correlated in their times of occurrence. However, this kind of tool requires considerable information to be prepared before it can work. In addition, the above assumption does not always hold, and because the running environments of application components differ, the time of occurrence depends strongly on the running environment and therefore shows considerable jitter as that environment changes. These factors all reduce the efficiency and success rate of identification.
Therefore, a means of identifying application topology that relies on less information is needed.
Summary of the invention
An object of the present invention is to provide a method and system for identifying application topology, so as to improve the efficiency of identifying application topology.
One embodiment of the present invention provides a system for identifying application topology, comprising: a packet extractor configured to extract, from network traffic occurring within a predetermined time period, packets for which at least one of the source address and the destination address is within a predetermined host range, and to obtain the transmission time of each packet; an interaction identifier configured to identify, according to interaction features, the interaction carried by a packet, the interaction comprising an interaction type, an interaction requester, and an interaction responder; a flow generator configured to generate flows, each representing interactions that have the same type, requester, and responder, and each comprising statistics on the interactions of that type carried by the packets extracted in each unit time of the predetermined time period; and a correlator configured to find, for all incoming flows and all outgoing flows of each endpoint that has incoming and/or outgoing flows, the correlated incoming and outgoing flows.
One embodiment of the present invention provides a method for identifying application topology, comprising: extracting, from network traffic occurring within a predetermined time period, packets for which at least one of the source address and the destination address is within a predetermined host range, and obtaining the transmission time of each packet; identifying, according to interaction features, the interaction carried by a packet, the interaction comprising an interaction type, an interaction requester, and an interaction responder; generating flows, each representing interactions that have the same type, requester, and responder, and each comprising statistics on the interactions of that type carried by the packets extracted in each unit time of the predetermined time period; and, for all incoming flows and all outgoing flows of each endpoint that has incoming and/or outgoing flows, finding the correlated incoming and outgoing flows.
Description of drawings
The above and other objects, features, and advantages of the present invention can be more easily understood with reference to the following description of embodiments of the invention in conjunction with the accompanying drawings. In the drawings, identical or corresponding technical features or components are denoted by identical or corresponding reference numerals.
Fig. 1 shows an exemplary structure of a system for identifying application topology according to an embodiment of the invention.
Fig. 2 is a chart showing an exemplary behavior pattern of a flow.
Fig. 3 shows the flow pattern of the HTTP query requests and the flow pattern of the JDBC query requests in an example.
Fig. 4 shows a flowchart of a method for identifying application topology according to an embodiment of the invention.
Fig. 5 shows an exemplary application topology.
Fig. 6 is a block diagram showing an exemplary structure of a computer in which the invention is implemented.
Embodiment
Embodiments of the invention are described below with reference to the drawings. Note that, for clarity, representations and descriptions of components and processing that are unrelated to the invention or known to those of ordinary skill in the art are omitted from the drawings and the description.
Fig. 1 shows an exemplary structure of a system 100 for identifying application topology according to an embodiment of the invention.
As shown in Fig. 1, the system 100 comprises a packet extractor 102, an interaction identifier 103, a flow generator 104, and a correlator 105.
The packet extractor 102 can determine the nodes within the predetermined host range that need to be analyzed according to the source/destination addresses of packets or identifiers obtained by translating those addresses. A node can be a host or a similar processing device. A node can have one or more addresses or identifiers.
Preferably, the packet extractor 102 can include a device (not shown) for filtering unnecessary packets. This device removes redundant packets, for example packets with duplicate sequence numbers, and/or removes packets unrelated to applications, for example routing protocol packets.
The interaction identifier 103 identifies, according to interaction features, the interactions carried in the packets extracted by the packet extractor 102. An interaction is the activity in which application components pass information to each other according to an application protocol in order to carry out the business logic of the application. In general, an interaction can be abstracted as a requester-responder model, in which the application component acting as requester sends a request message (used to initiate the interaction) to the application component acting as responder; after receiving the request message, the responder executes the requested business logic and returns the corresponding result to the requester, or may return no information at all. In the context of this application, an interaction is usually represented by the request message, but it can also be represented by some or all of the messages of the whole request-response process.
Messages representing interactions are usually encapsulated according to an application protocol. Examples of application protocols include, but are not limited to, HTTP (Hypertext Transfer Protocol), HTTPS (Hypertext Transfer Protocol Secure), JDBC (Java Database Connectivity)/ODBC (Open Database Connectivity), LDAP (Lightweight Directory Access Protocol), SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol version 3), and NNTP (Network News Transfer Protocol). Messages encapsulated by an application protocol are carried by packets. A packet carrying a message used to initiate an interaction is also called an interaction-initiating packet.
The interaction type depends on the application protocol type and the granularity of distinction. For example, for the interaction represented by the HTTP request message "GET /index.jsp HTTP/1.1", if the granularity is the server, the interaction type is distinguished by protocol type (for example HTTP) or by protocol type plus protocol version (for example HTTP/1.1); if the granularity is the service, the interaction type is distinguished by protocol type plus service type (for example HTTP (/index)) or by protocol type plus protocol version plus service type (for example HTTP/1.1 (/index)). Different application protocols have corresponding ways of being distinguished. Protocol and service features for identifying interactions can be designed for the various application protocols. For example, an approach similar to the protocol identification in the interaction-feature technique of nLayers InSight from EMC Inc. can be adopted.
Preferably, for interactions whose requester (for example the source address or identifier of the application component initiating the interaction) is not within the predetermined host range, the interaction identifier 103 can identify the requesters as one and the same specific requester, for example a presumed external server. Preferably, the interaction identifier 103 can ignore interactions whose responder is not within the predetermined host range, so as to exclude topology unrelated to the applications of interest.
A flow generated by the flow generator 104 can include, for example, the following information: the type of the flow (that is, the type of the interactions concerned), the requester of the flow (the requester of those interactions), the responder of the flow (the responder of those interactions), and the pattern of the flow. Fig. 2 is a chart showing an exemplary behavior pattern of a flow, in which the horizontal axis represents time and the vertical axis represents the count of HTTP interactions per minute.
Correlation between flows represents multi-level dependencies between application components. For example, client A sends an HTTP query request to Web server B, and Web server B, in response to that request, sends a JDBC query request to database C. Because a causal relationship exists between the HTTP query request and the JDBC query request, the patterns of the flows corresponding to these requests can be highly similar over a time interval.
The correlation between flow patterns can be calculated by various correlation algorithms in order to measure the correlation between flows. For example, the correlation coefficient can be calculated by the following formula:
where X denotes the pattern of the incoming flow and Y denotes the pattern of the outgoing flow; X_i denotes the statistic for unit time i in pattern X, and Y_i denotes the statistic for unit time i in pattern Y; P_{X,Y} denotes the correlation between patterns X and Y; cov(X, Y) denotes the covariance of patterns X and Y; σ_X denotes the standard deviation of pattern X and σ_Y the standard deviation of pattern Y; n is the number of unit times; μ_x is the mean of pattern X and μ_y is the mean of pattern Y. The n in the standard deviation formula can also be replaced with n-1. The correlation need not be expressed with the correlation coefficient; for example, a T-value or P-value can be used instead.
Fig. 3 shows the flow pattern of the HTTP query requests and the flow pattern of the JDBC query requests in the above example. As Fig. 3 shows, the similarity between the two flow patterns is high. The correlation calculation also shows that the correlation between the two flow patterns is the largest (0.889), so they are determined to belong to the same correlation.
In one embodiment, the system 100 can also include a type identifier (not shown). The type identifier uses server type patterns to determine the server type of the responder of each flow. A server type pattern defines the correspondence between the interaction type of a flow and the server type of its responder. For example, the server type patterns can include, but are not limited to, the following correspondences:
● interaction type HTTP corresponds to a Web server
● interaction type JDBC corresponds to a database server
● interaction type LDAP corresponds to an LDAP server.
In one embodiment, the system 100 can also include a converter (not shown). The converter converts the application topology into a visual form, for presentation on a device such as a display, by connecting the corresponding requesters and responders with flows and showing the correlations between flows and the server types of the responders.
The method of the invention shown in Fig. 4 is described below with reference to the example of Fig. 5. Fig. 4 shows a flowchart of a method for identifying application topology according to an embodiment of the invention. Fig. 5 shows an exemplary application topology.
As shown in Fig. 4, the method starts at step 400. Then, in step 401, packets for which at least one of the source address and the destination address is within a predetermined host range are extracted from the network traffic occurring within a predetermined time period, and the transmission time of each packet is obtained. As shown in Fig. 5, suppose that the monitored system comprises: mail server 501, with IP address 100.1.0.1; Web server 502, with IP address 100.1.0.2; mail server 503, with IP address 100.0.0.1; Web server 504, with IP address 100.0.0.2; and LDAP server 505, with IP address 100.0.0.3. Servers 501 and 502 are on the same physical server 500. In step 401, packets whose destination IP address is within the above range are extracted.
Then, in step 402, the interaction carried by a packet is identified according to interaction features, the interaction comprising: an interaction type, an interaction requester, and an interaction responder. For example, as shown in Fig. 5, the following can be identified: interaction A of type POP3 from the client to server 501, interaction B of type HTTP from the client to server 502, interaction C of type POP3 from server 501 to server 503, interaction D of type HTTP from server 502 to server 504, and interaction E of type LDAP from server 504 to server 505, with the requester and responder of each interaction identified by the above IP addresses.
Then, in step 403, flows are generated, each representing interactions that have the same type, requester, and responder, and each comprising statistics on the interactions of that type carried by the packets extracted in each unit time of the predetermined time period. For the example of Fig. 5, the flows corresponding to the interactions obtained in step 402 are generated and denoted A', B', C', D', and E' respectively. Then, in step 404, for all incoming flows and all outgoing flows of each responder that has incoming and outgoing flows, all such incoming and outgoing flows are found successively: the correlation between the statistics of the incoming flow and the outgoing flow over the predetermined time period is the highest and satisfies a preselected threshold condition, and the incoming flow and outgoing flow found are marked as belonging to the same correlation, where the correlation between the incoming flow and outgoing flow found is excluded from the scope of subsequent searching, to ensure that the analysis converges. For the example of Fig. 5, suppose that the correlations between flows A' and C', B' and D', and D' and E' are the largest; step 404 then determines that A' and C' belong to the same correlation, and that B', D', and E' belong to the same correlation.
Further, the server type patterns can be used to determine the server type of the responder of each flow. For the example of Fig. 5, it can be determined that server 501 is a mail server, server 502 is a Web server, server 503 is a mail server, server 504 is a Web server, and server 505 is an LDAP server.
Further, the application topology can be converted into a visual form by connecting the corresponding requesters and responders with flows and showing the correlations between flows and the server types of the responders. For example, the application topology can be displayed in a form similar to that shown in Fig. 5, in which specific markers (for example colors or symbols) can be used to represent the correlations between flows.
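Steps 403 and 404 and the server-type lookup, applied to the Fig. 5 topology, as an added Python example that is not part of the patent text. The per-minute counts and client addresses are constructed; the Pearson coefficient as the correlation measure, the 0.8 threshold, the POP3 entry in the server-type table, and treating the two addresses on physical server 500 as one node are assumptions of the example.

```python
from collections import defaultdict
from math import sqrt

# Monitored host range from the Fig. 5 example.
MONITORED = {"100.1.0.1", "100.1.0.2", "100.0.0.1", "100.0.0.2", "100.0.0.3"}
# Assumption: the two addresses on physical server 500 are treated as one node.
NODE_OF = {"100.1.0.1": "host500", "100.1.0.2": "host500"}
# Server type patterns; the POP3 entry is inferred from the Fig. 5 walk-through.
SERVER_TYPE = {"HTTP": "Web server", "JDBC": "database server",
               "LDAP": "LDAP server", "POP3": "mail server"}

# Constructed per-minute interaction counts (not measured data). Client addresses
# are documentation ranges; 192.0.2.50 is a responder outside the monitored range.
COUNTS = {
    ("POP3", "198.51.100.7", "100.1.0.1"): [2, 5, 1, 6, 2, 4, 1, 3],
    ("POP3", "203.0.113.9", "100.1.0.1"): [1, 3, 1, 3, 2, 3, 0, 3],
    ("HTTP", "198.51.100.7", "100.1.0.2"): [5, 1, 7, 2, 9, 3, 8, 4],
    ("POP3", "100.1.0.1", "100.0.0.1"): [3, 7, 2, 9, 5, 7, 1, 5],
    ("HTTP", "100.1.0.2", "100.0.0.2"): [4, 1, 7, 3, 8, 3, 8, 4],
    ("LDAP", "100.0.0.2", "100.0.0.3"): [4, 2, 6, 2, 9, 2, 7, 5],
    ("HTTP", "100.0.0.2", "192.0.2.50"): [1, 0, 0, 1, 0, 0, 0, 1],
}
# One record per identified interaction: (unit time, type, requester, responder),
# i.e. what step 402 would hand to step 403.
SAMPLE = [(u, t, s, d) for (t, s, d), c in COUNTS.items()
          for u, n in enumerate(c) for _ in range(n)]


def build_flows(interactions, n_units):
    """Step 403: interaction counts per unit time, keyed by (type, requester, responder)."""
    flows = defaultdict(lambda: [0] * n_units)
    for unit, itype, src, dst in interactions:
        if dst not in MONITORED:
            continue                  # responder outside the host range: ignored
        if src not in MONITORED:
            src = "EXTERNAL"          # outside requesters collapse into one requester
        flows[(itype, src, dst)][unit] += 1
    return dict(flows)


def pearson(x, y):
    """Correlation coefficient cov(X, Y) / (sigma_X * sigma_Y), using n in the deviations."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / n
    sx = sqrt(sum((a - mx) ** 2 for a in x) / n)
    sy = sqrt(sum((b - my) ** 2 for b in y) / n)
    return cov / (sx * sy) if sx and sy else 0.0   # a flat pattern carries no evidence


def correlate(flows, threshold=0.8):
    """Step 404: at each node, pair incoming with outgoing flows, best pair first."""
    node = lambda addr: NODE_OF.get(addr, addr)
    candidates = []
    for nd in {node(k[2]) for k in flows}:
        incoming = [k for k in flows if node(k[2]) == nd]
        outgoing = [k for k in flows if node(k[1]) == nd]
        candidates += [(pearson(flows[i], flows[o]), i, o)
                       for i in incoming for o in outgoing]
    group = {k: {k} for k in flows}
    # Visiting pairs in descending order and never revisiting one is the
    # "exclude the found pair from subsequent searching" rule.
    for r, i, o in sorted(candidates, reverse=True):
        if r < threshold:
            break
        merged = group[i] | group[o]  # both flows belong to the same correlation
        for k in merged:
            group[k] = merged
    return sorted({tuple(sorted(g)) for g in group.values() if len(g) > 1})


def server_types(flows):
    """Responder address -> server type, from the interaction type of each flow."""
    return {dst: SERVER_TYPE.get(itype, "unknown") for itype, _, dst in flows}


if __name__ == "__main__":
    flows = build_flows(SAMPLE, 8)
    for g in correlate(flows):
        print("same correlation:", g)
    print(server_types(flows))
```

With the constructed counts, host500 has two incoming and two outgoing flows, and only the matching POP3 and HTTP pairs clear the threshold, which reproduces the grouping the text gives for A'/C' and B'/D'/E'.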
The above series of processes and devices can be implemented by hardware. Such hardware can be a single processing device or multiple processing devices. Such a processing device can be a microprocessor, microcontroller, digital processor, microcomputer, part of a central processing unit, state machine, logic circuit, and/or any device that manipulates signals.
It should also be noted that the above series of processes and devices can also be implemented by software and firmware. When implemented by software or firmware, a program constituting the software is installed from a storage medium or network onto a computer with a dedicated hardware structure, for example the general-purpose computer 600 shown in Fig. 6, which can perform various functions when various programs are installed.
In Fig. 6, a central processing unit (CPU) 601 performs various processing according to a program stored in read-only memory (ROM) 602 or a program loaded from a storage section 608 into random access memory (RAM) 603. Data required when the CPU 601 performs the various processing is also stored in the RAM 603 as needed.
The following components are connected to the input/output interface 605: an input section 606 comprising a keyboard, mouse, and the like; an output section 607 comprising a display, such as a cathode ray tube (CRT) or liquid crystal display (LCD), and a loudspeaker and the like; a storage section 608 comprising a hard disk and the like; and a communication section 609 comprising a network interface card such as a LAN card, a modem, and the like. The communication section 609 performs communication processing via a network such as the Internet.
A drive 610 is also connected to the input/output interface 605 as needed. A removable medium 611, such as a magnetic disk, optical disk, magneto-optical disk, or semiconductor memory, is mounted on the drive 610 as needed, so that a computer program read from it is installed into the storage section 608 as needed.
When the above series of processes is implemented by software, the program constituting the software is installed from a network such as the Internet or from a storage medium such as the removable medium 611.
Those skilled in the art will understand that this storage medium is not limited to the removable medium 611 shown in Fig. 6, in which the program is stored and which is distributed separately from the device to provide the program to the user. Examples of the removable medium 611 include magnetic disks (including floppy disks), optical disks (including compact disc read-only memory (CD-ROM) and digital versatile disc (DVD)), magneto-optical disks (including MiniDisc (MD)), and semiconductor memory. Alternatively, the storage medium can be the ROM 602, a hard disk included in the storage section 608, and so on, in which the program is stored and which is distributed to the user together with the device containing it.
It should also be noted that the steps of the above series of processes can naturally be performed chronologically in the order described, but need not necessarily be performed in chronological order. Some steps can be performed in parallel or independently of one another.
Although the invention and its advantages have been described in detail, it should be understood that various changes, substitutions, and alterations can be made without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (22)
1. A system for identifying application topology, comprising:
a packet extractor configured to extract, from network traffic occurring within a predetermined time period, packets for which at least one of the source address and the destination address is within a predetermined host range, and to obtain the transmission time of each packet;
an interaction identifier configured to identify, according to interaction features, the interaction carried by a packet, the interaction comprising: an interaction type, an interaction requester, and an interaction responder;
a flow generator configured to generate flows, each representing interactions that have the same type, requester, and responder, and each comprising statistics on the interactions of that type carried by the packets extracted in each unit time of the predetermined time period; and
a correlator configured to find, for all incoming flows and all outgoing flows of each endpoint that has incoming and/or outgoing flows, the correlated incoming and outgoing flows.
2. The system of claim 1, wherein the correlator is further configured to find all such correlated incoming and outgoing flows successively: when the correlation between the statistics of an incoming flow and an outgoing flow over the predetermined time period is the highest and satisfies a preselected threshold condition, the incoming flow and outgoing flow found are marked as belonging to the same correlation, and the correlation between the incoming flow and outgoing flow found is excluded from the scope of subsequent searching.
3. The system of claim 1 or 2, wherein the packet extractor comprises a device for filtering redundant packets and packets unrelated to applications.
4. The system of claim 1 or 2, wherein the interaction features comprise features of the protocol on which the interaction is based, or a combination of features of the protocol and of the application.
5. The system of any one of claims 1-4, wherein the protocol comprises: HTTP, HTTPS, JDBC/ODBC, LDAP, SMTP, POP3, or NNTP.
6. The system of any one of claims 1-4, wherein the requester and responder of an interaction are represented respectively by the source address and the destination address of the interaction-initiating packet.
7. The system of any one of claims 1-4, wherein the interaction identifier is further configured to identify the requesters of interactions whose requester is not within the predetermined host range as one and the same specific requester.
8. The system of any one of claims 1-4, wherein the interaction identifier is further configured to ignore interactions whose responder is not within the predetermined host range.
9. The system of any one of claims 1-4, wherein the statistics comprise: an interaction count, an interaction data volume, or a combination thereof.
10. The system of any one of claims 1-4, further comprising:
a type identifier configured to use server type patterns to determine the server type of the responder of each flow.
11. The system of any one of claims 1-4, further comprising:
a converter configured to convert the application topology into a visual form by connecting the corresponding requesters and responders with flows and showing the correlations between flows and the server types of the responders.
12. A method of identifying an application topology, comprising:
Extracting, from the network traffic occurring within a predetermined time period, packets for which at least one of the source address and the destination address is within a predetermined host range, and obtaining the transmission time of each packet;
Identifying, according to interaction features, the interactions carried by the packets, each interaction comprising: an interaction type, an interaction requester and an interaction responder;
Generating flows, each representing interactions that have the same type, requester and responder, and each comprising statistics, for each unit of time within the predetermined time period, on the interactions of that interaction type carried by the relevant extracted packets; and
For all incoming flows and all outgoing flows of each endpoint that has incoming and/or outgoing flows, finding correlated incoming and outgoing flows.
13. The method of claim 12, wherein the step of finding correlated incoming and outgoing flows, for all incoming flows and all outgoing flows of each endpoint that has incoming and/or outgoing flows, further comprises successively finding every incoming flow and outgoing flow such that: when the degree of correlation between the statistics of the incoming flow and of the outgoing flow over the predetermined time period is the highest and satisfies a predetermined threshold condition, the incoming flow and outgoing flow so found are marked as belonging to the same correlation, and the correlation between the incoming flow and outgoing flow so found is excluded from the scope of subsequent searches.
14. The method of claim 12 or 13, wherein the extracting comprises filtering out redundant packets and packets unrelated to applications.
15. The method of claim 12 or 13, wherein the interaction features comprise features of the interaction based on the protocol, or on a combination of the protocol and the application.
16. The method of any one of claims 12-15, wherein the protocol comprises: HTTP, HTTPS, JDBC/ODBC, LDAP, SMTP, POP3 or NNTP.
17. The method of any one of claims 12-15, wherein the interaction requester and the interaction responder are represented by the source address and the destination address, respectively, of the packet that initiates the interaction.
18. The method of any one of claims 12-15, wherein the identifying comprises identifying interaction requesters that are not within the predetermined host range as one and the same specific requester.
19. The method of any one of claims 12-15, wherein the identifying comprises ignoring interactions whose responder is not within the predetermined host range.
20. The method of any one of claims 12-15, wherein the statistics comprise: an interaction count, an interaction data volume, or a combination thereof.
21. The method of any one of claims 12-15, further comprising:
Determining the server type of the responder of each flow using server type patterns.
22. The method of any one of claims 12-15, further comprising:
Converting the application topology into visual form by connecting each requester to its responder with the corresponding flow and showing the correlation between the flows and the server type of each responder.
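The flow generation and correlation steps of claims 12 and 13 can be sketched as follows. This is an added example, not code from the patent: the addresses, the load series, the 0.9 threshold, the use of Pearson correlation as the "degree of correlation", and the reading that only the matched pair (not the flows themselves) is excluded from later searches are all assumptions.

```python
from collections import defaultdict
from math import sqrt

# Constructed interaction records: (time_unit, type, requester, responder).
# Requesters outside the host range are collapsed to "EXTERNAL" (claim 18).
WEB, APP, DB, LDAP = "192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"
HTTP_LOAD = [3, 9, 1, 7, 4, 8, 2, 6]   # client requests per unit time
LDAP_LOAD = [5, 5, 1, 1, 6, 2, 2, 5]   # unrelated directory lookups
RECORDS = (
    [(t, "HTTP", "EXTERNAL", WEB) for t, n in enumerate(HTTP_LOAD) for _ in range(n)]
    + [(t, "HTTP", WEB, APP) for t, n in enumerate(HTTP_LOAD) for _ in range(n)]
    + [(t, "JDBC", APP, DB) for t, n in enumerate(HTTP_LOAD) for _ in range(2 * n)]
    + [(t, "LDAP", APP, LDAP) for t, n in enumerate(LDAP_LOAD) for _ in range(n)]
)

def build_flows(records, units):
    """Flow key = (type, requester, responder); value = count per unit time."""
    flows = defaultdict(lambda: [0] * units)
    for t, kind, req, resp in records:
        flows[(kind, req, resp)][t] += 1
    return dict(flows)

def pearson(x, y):
    """Pearson correlation; None when either series is constant."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / sqrt(sxx * syy) if sxx and syy else None

def correlate_flows(flows, threshold=0.9):
    """Per endpoint, repeatedly take the best remaining in/out pair."""
    related = []
    endpoints = {k[1] for k in flows} | {k[2] for k in flows}
    for ep in sorted(endpoints):
        cand = {}
        for i in (k for k in flows if k[2] == ep):        # incoming flows
            for o in (k for k in flows if k[1] == ep):    # outgoing flows
                r = pearson(flows[i], flows[o])
                if r is not None:
                    cand[(i, o)] = r
        while cand:
            i, o = max(cand, key=cand.get)
            if cand[(i, o)] < threshold:
                break                  # best remaining pair fails the threshold
            related.append((ep, i, o, round(cand.pop((i, o)), 3)))
    return related

FLOWS = build_flows(RECORDS, units=len(HTTP_LOAD))
RELATED = correlate_flows(FLOWS)
```

On this constructed traffic the EXTERNAL to WEB flow is linked to WEB to APP, and WEB to APP is linked to APP to DB, while the LDAP flow out of APP stays unlinked because its per-unit counts do not track the incoming HTTP load.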
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008101110198A CN101594247A (en) | 2008-05-29 | 2008-05-29 | The method and system of identification applied topology |
KR20090044189A KR20090124944A (en) | 2008-05-29 | 2009-05-20 | System and method for identifying application topology |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008101110198A CN101594247A (en) | 2008-05-29 | 2008-05-29 | The method and system of identification applied topology |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101594247A true CN101594247A (en) | 2009-12-02 |
Family
ID=41408707
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2008101110198A Pending CN101594247A (en) | 2008-05-29 | 2008-05-29 | The method and system of identification applied topology |
Country Status (2)
Country | Link |
---|---|
KR (1) | KR20090124944A (en) |
CN (1) | CN101594247A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107004022A (en) * | 2015-01-09 | 2017-08-01 | 英特尔公司 | Data are split and transform method and device |
CN109802842A (en) * | 2017-11-16 | 2019-05-24 | 华为软件技术有限公司 | The generation method and relevant device of applied topology |
CN110808865A (en) * | 2019-11-13 | 2020-02-18 | 北京理工大学 | Passive industrial control network topology discovery method and industrial control network security management system |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116436152B (en) * | 2022-12-13 | 2023-11-10 | 国网湖北省电力有限公司电力科学研究院 | Intelligent low-voltage distribution transformer area topology identification method based on characteristic information correlation |
- 2008
  - 2008-05-29 CN CNA2008101110198A patent/CN101594247A/en active Pending
- 2009
  - 2009-05-20 KR KR20090044189A patent/KR20090124944A/en active IP Right Grant
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107004022A (en) * | 2015-01-09 | 2017-08-01 | 英特尔公司 | Data are split and transform method and device |
CN107004022B (en) * | 2015-01-09 | 2021-08-17 | 英特尔公司 | Data segmentation and transformation method and device |
CN109802842A (en) * | 2017-11-16 | 2019-05-24 | 华为软件技术有限公司 | The generation method and relevant device of applied topology |
CN109802842B (en) * | 2017-11-16 | 2021-12-03 | 华为技术有限公司 | Application topology generation method and related equipment |
CN110808865A (en) * | 2019-11-13 | 2020-02-18 | 北京理工大学 | Passive industrial control network topology discovery method and industrial control network security management system |
CN110808865B (en) * | 2019-11-13 | 2021-04-02 | 北京理工大学 | Passive industrial control network topology discovery method and industrial control network security management system |
Also Published As
Publication number | Publication date |
---|---|
KR20090124944A (en) | 2009-12-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8266097B2 (en) | System analysis program, system analysis method, and system analysis apparatus | |
US8676965B2 (en) | Tracking high-level network transactions | |
KR100424724B1 (en) | Apparatus for detecting invasion with network stream analysis | |
CN106790718A (en) | Service call link analysis method and system | |
JP2008507010A (en) | Server state estimation in stateless communication protocol | |
WO2020042029A1 (en) | Discovery method for invoked link, apparatus, device, and storage medium | |
CN107203541A (en) | Page loading method and its page loading device | |
CN109144813B (en) | System and method for monitoring server node fault of cloud computing system | |
CN101099345A (en) | Interpreting an application message at a network element using sampling and heuristics | |
CN109379390B (en) | Network security baseline generation method based on full flow | |
CN111756706A (en) | Abnormal flow detection method and device and storage medium | |
CN110430226B (en) | Network attack detection method and device, computer equipment and storage medium | |
US20100077075A1 (en) | Network Diagnostic Systems and Methods for Collecting Data From Network Nodes | |
WO2021047402A1 (en) | Application identification method and apparatus, and storage medium | |
CN108418727B (en) | Method and system for detecting network equipment | |
CN113553310B (en) | Data acquisition method and device, storage medium and electronic equipment | |
CN108234345A (en) | A kind of traffic characteristic recognition methods of terminal network application, device and system | |
CN106067879B (en) | The detection method and device of information | |
CN105610636A (en) | Security log generation method for cloud computing environment | |
CN113726783A (en) | Abnormal IP address identification method and device, electronic equipment and readable storage medium | |
CN101594247A (en) | The method and system of identification applied topology | |
Lee et al. | ATMSim: An anomaly teletraffic detection measurement analysis simulator | |
CN112688924A (en) | Network protocol analysis system | |
US8429458B2 (en) | Method and apparatus for system analysis | |
KR20030035181A (en) | Apparatus and method for managing network faults by multi-agent communication |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
AD01 | Patent right deemed abandoned | Effective date of abandoning: 20091202 |
C20 | Patent right or utility model deemed to be abandoned or is abandoned |