CN101594247A - Method and system for identifying application topology

Publication number
CN101594247A
Authority
CN
China
Legal status
Pending
Application number
CNA2008101110198A
Other languages
Chinese (zh)
Inventor
谢冰
方兴
陆晟
叶萌
Current Assignee
International Business Machines Corp
Original Assignee
International Business Machines Corp
Application filed by International Business Machines Corp
Priority to CNA2008101110198A (CN101594247A)
Priority to KR20090044189A (KR20090124944A)
Publication of CN101594247A
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12 Discovery or management of network topologies
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]


Abstract

The invention discloses a method and system for identifying application topology. The method comprises: extracting, from the network traffic occurring within a predetermined time period, packets in which at least one of the source address and the destination address is within a predetermined host range, and obtaining the transmission time of each packet; identifying, according to interaction features, the interactions carried by the packets, each interaction comprising an interaction type, a requester and a responder; generating streams, each representing the interactions that have the same type, requester and responder and comprising statistics, for each unit interval of the predetermined time period, of the interactions of that type carried by the extracted packets; and, for all incoming streams and all outgoing streams of each endpoint that has incoming and/or outgoing streams, finding the correlated incoming and outgoing streams. The system and method of the invention improve the efficiency of identifying application topology.

Description

Method and system for identifying application topology
Technical field
The present invention relates to the configuration management of information technology (IT) systems, and in particular to a method and system for identifying application topology.
Background
Many tools exist to help with configuration management in IT systems such as data centers. However, these tools face various problems, for example the rapid growth of system scale and complexity and frequent changes in system composition, such as servers and applications. An administrator usually knows the devices and the network topology that an IT system comprises, but this is not enough to manage the IT system more effectively and efficiently. The administrator needs a deeper understanding of the IT system.
One aspect that needs to be understood in depth is the application topology of the IT system, i.e. the deployment of application components (e.g. programs, services, modules) on the hosts (e.g. servers) of the IT system and the interactions (e.g. service request-response) between the deployed application components.
Tools for identifying application topology exist. For example, TADDM (Tivoli Application Dependency Discovery Manager) from IBM Corporation of the United States discovers application topology through port/configuration scanning. However, active tools of this kind need to actively scan IP addresses and predetermined ports to discover applications, or log in to servers to obtain and analyze application configuration files, or require specially installed agents.
nLayers InSight from EMC Inc. of Canada is a passive tool that identifies application topology by scanning packets obtained by means such as port mirroring and network cable taps. nLayers InSight identifies application components and the interactions between them from the packet payload using predefined interaction features (fingerprints), and identifies the correlation between interactions based on the assumption that causally related interactions have correlated times of occurrence. However, tools of this kind need considerable information to be prepared before they can work. In addition, the above assumption does not always hold, and because application components run in different environments, the time of occurrence depends strongly on the runtime environment and shows considerable jitter as that environment changes. These factors all reduce the efficiency and success rate of identification.
Therefore, a means of identifying application topology that relies on less information is needed.
Summary of the invention
An object of the present invention is to provide a method and system for identifying application topology, so as to improve the efficiency of identifying application topology.
One embodiment of the invention provides a system for identifying application topology, comprising: a packet extractor configured to extract, from the network traffic occurring within a predetermined time period, packets in which at least one of the source address and the destination address is within a predetermined host range, and to obtain the transmission time of each packet; an interaction identifier configured to identify, according to interaction features, the interactions carried by the packets, each interaction comprising an interaction type, a requester and a responder; a stream generator configured to generate streams, each representing the interactions that have the same type, requester and responder and comprising statistics, for each unit interval of the predetermined time period, of the interactions of that type carried by the extracted packets; and a correlator configured to find, for all incoming streams and all outgoing streams of each endpoint that has incoming and/or outgoing streams, the correlated incoming and outgoing streams.
One embodiment of the invention provides a method for identifying application topology, comprising: extracting, from the network traffic occurring within a predetermined time period, packets in which at least one of the source address and the destination address is within a predetermined host range, and obtaining the transmission time of each packet; identifying, according to interaction features, the interactions carried by the packets, each interaction comprising an interaction type, a requester and a responder; generating streams, each representing the interactions that have the same type, requester and responder and comprising statistics, for each unit interval of the predetermined time period, of the interactions of that type carried by the extracted packets; and, for all incoming streams and all outgoing streams of each endpoint that has incoming and/or outgoing streams, finding the correlated incoming and outgoing streams.
Brief description of the drawings
The above and other objects, features and advantages of the invention can be understood more easily with reference to the following description of embodiments of the invention in conjunction with the accompanying drawings. In the drawings, identical or corresponding technical features or components are denoted by identical or corresponding reference numerals.
Fig. 1 shows an exemplary structure of a system for identifying application topology according to an embodiment of the invention.
Fig. 2 shows an exemplary behavior pattern of a stream as a chart.
Fig. 3 shows the stream pattern of the HTTP query requests and the stream pattern of the JDBC query requests in an example.
Fig. 4 shows a flow chart of a method for identifying application topology according to an embodiment of the invention.
Fig. 5 shows an exemplary application topology.
Fig. 6 is a block diagram showing an exemplary structure of a computer in which the invention is implemented.
Detailed description of the embodiments
Embodiments of the invention are described below with reference to the accompanying drawings. It should be noted that, for the sake of clarity, representations and descriptions of components and processing that are unrelated to the invention or known to those of ordinary skill in the art are omitted from the drawings and the description.
Fig. 1 shows an exemplary structure of a system 100 for identifying application topology according to an embodiment of the invention.
As shown in Fig. 1, system 100 comprises packet extractor 102, interaction identifier 103, stream generator 104 and correlator 105.
Packet extractor 102 receives packets (i.e. network messages) from the network. The system managed by the administrator who uses system 100 has a certain scope. The hosts within this scope are connected by a network. The application components deployed on the hosts interact over the network to implement various applications. Techniques such as switch port mirroring, cable taps/optical fiber splitters and hubs can be used to obtain, in real time and without affecting normal interaction, the packets transmitted over the network connections to be monitored. Because hosts may be identified by the address carried in a packet (e.g. an IP (Internet Protocol) address) or a similar identifier (e.g. a URL (Uniform Resource Locator)), the packets obtained are usually based on a single network protocol family (e.g. TCP (Transmission Control Protocol)/IP). However, for convenience in obtaining packets, packets from other protocol families may also be captured provided there is no address or identifier conflict.
From the packets obtained in real time, packet extractor 102 extracts the packets in which at least one of the source address and the destination address is within the predetermined host range, i.e. the packets within the scope of the system whose application topology is to be obtained, and records the corresponding extraction time as the transmission time of the packet. If a packet directly carries its transmission time, the time recorded by packet extractor 102 is that transmission time. If the packets extracted by packet extractor 102 can be analyzed in real time, the extraction time needs to be recorded in the packet record as an approximation of the packet's transmission time.
Packet extractor 102 can decide which nodes within the predetermined host range need to be analyzed according to the source/destination address of a packet or an identifier obtained by translating that address. A node can be a host or a similar processing device. A node can have one or more addresses or identifiers.
Preferably, packet extractor 102 can include a device (not shown) that filters out unnecessary packets. This device removes redundant packets, for example packets with repeated sequence numbers, and/or removes packets unrelated to applications, for example routing protocol packets.
Interaction identifier 103 identifies, according to interaction features, the interactions carried in the packets extracted by packet extractor 102. An interaction is an activity in which application components transfer information to each other according to an application protocol in order to carry out the business logic of the application. In general, an interaction can be abstracted as a requester-responder model, in which the application component acting as requester sends a request message (used to initiate the interaction) to the application component acting as responder; after receiving the request message, the responder executes the requested business logic and returns the corresponding result to the requester, or possibly returns no information. In the context of this application, an interaction is usually represented by its request message, but can also be represented by some or all of the messages of the whole request-response process.
The messages that represent an interaction are usually encapsulated according to an application protocol. Examples of application protocols include, but are not limited to, HTTP (Hypertext Transfer Protocol), HTTPS (Hypertext Transfer Protocol Secure), JDBC (Java Database Connectivity)/ODBC (Open Database Connectivity), LDAP (Lightweight Directory Access Protocol), SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol version 3) and NNTP (Network News Transfer Protocol). Messages encapsulated by the application protocol are carried by packets. A packet that carries a message used to initiate an interaction is also called a packet that initiates the interaction.
The type of an interaction depends on the application protocol type and on the granularity of distinction. For example, for the interaction represented by the HTTP request message "GET /index.jsp HTTP/1.1", if the granularity of distinction is the server, the interaction type is distinguished by the protocol type (e.g. HTTP) or by the protocol type plus the protocol version (e.g. HTTP/1.1); if the granularity of distinction is the service, the interaction type is distinguished by the protocol type plus the service type (e.g. HTTP (/index)) or by the protocol type plus the protocol version plus the service type (e.g. HTTP/1.1 (/index)). Different application protocols have corresponding ways of being distinguished. Protocol and service features for identifying interactions can be designed for each application protocol. For example, an approach similar to the protocol identification used in the interaction-feature technique of EMC Inc.'s nLayers InSight can be adopted.
An interaction identified by interaction identifier 103 can comprise, for example, the following information: the type of the interaction, the requester of the interaction and the responder of the interaction. The requester of an interaction can be represented by the source address or identifier (e.g. a URL) of the packet that initiates the interaction (e.g. a synchronization request packet), and the responder of the interaction can be represented by the destination address or identifier (e.g. a URL) of the packet that initiates the interaction (e.g. a synchronization request packet).
Preferably, interaction identifier 103 can identify the requesters of all interactions whose requester (e.g. the source address or identifier of the application component that initiates the interaction) is not within the predetermined host range as one and the same specific requester, for example a hypothetical external server. Preferably, interaction identifier 103 can ignore interactions whose responder is not within the predetermined host range, so as to exclude topology unrelated to the applications of interest.
Stream generator 104 generates a stream from the interactions that have the same type, requester and responder, and derives the pattern of the stream. In the context of this application, a stream represents all the interactions, among those carried by the packets occurring within a period of time, that have the same requester, the same responder and the same interaction type. The pattern of a stream is the pattern formed by the statistics of the interactions of this stream that are carried by the packets occurring in each unit interval of that time period. The time period (e.g. several hours or days) and the unit interval (e.g. seconds or minutes) can be determined according to the specific implementation. The statistic can be, for example, the interaction count, the interaction data volume or a combination of the two (e.g. a sum or a weighted sum).
A stream generated by stream generator 104 can comprise, for example, the following information: the type of the stream (i.e. the type of the interactions concerned), the requester of the stream (i.e. the requester of those interactions), the responder of the stream (i.e. the responder of those interactions) and the pattern of the stream. Fig. 2 shows an exemplary behavior pattern of a stream as a chart, in which the horizontal axis represents time and the vertical axis represents the number of HTTP interactions per minute.
For each endpoint (i.e. the physical node corresponding to a stream, which can be the requester or the responder of the stream) of all the streams generated by stream generator 104, correlator 105 obtains all incoming streams of that endpoint (i.e. streams whose responder is the endpoint) and all outgoing streams (i.e. streams whose requester is the endpoint). Note that the endpoints include not only endpoints that have both incoming and outgoing streams, but also endpoints that have only incoming streams or only outgoing streams. The correlation between the statistical patterns of each incoming stream and each outgoing stream is calculated. Correlator 105 selects the pair of incoming and outgoing streams whose correlation exceeds a predetermined threshold (the threshold can be zero) and is the largest of all the correlations, and takes them as a correlated incoming stream and outgoing stream, i.e. identifies them as belonging to the same correlation. Then, with this pair of incoming and outgoing streams excluded, correlator 105 performs the above calculation and selection again. This is repeated until no incoming and outgoing streams have a correlation exceeding the predetermined threshold (the threshold can be zero), or all incoming streams are associated with outgoing streams, or all outgoing streams are associated with incoming streams. A series of incoming and outgoing streams may all belong to the same correlation. It should be noted that the invention is not limited to the above correlation; any measure expressing the degree of correlation can be used. Nor is the invention limited to the above predetermined threshold; any threshold condition for comparing the degree of correlation can be used. The threshold condition can be entered manually. The threshold can be zero, i.e. no threshold limit is set, which in effect ranks the degree of correlation of all incoming and outgoing streams; the pairs or groups of incoming and outgoing streams with higher correlation can then be selected for subsequent analysis.
The correlation of streams represents multi-level dependencies between application components. For example, client A sends an HTTP query request to web server B, and web server B, in response to this request, sends a JDBC query request to database C. Because there is a causal relationship between the HTTP query request and the JDBC query request, the patterns of the streams corresponding to these requests can show high similarity over a time interval.
The correlation between stream patterns can be calculated with various correlation algorithms in order to measure how strongly they are related. For example, the correlation coefficient can be calculated with the following formula:

$$\rho_{X,Y} = \frac{\operatorname{cov}(X,Y)}{\sigma_X \sigma_Y}$$

where

$$\sigma_X^2 = \frac{1}{n}\sum (X_i - \mu_x)^2 \quad\text{and}\quad \sigma_Y^2 = \frac{1}{n}\sum (Y_i - \mu_y)^2,$$

X denotes the pattern of the incoming stream and Y denotes the pattern of the outgoing stream. $X_i$ denotes the statistic of unit interval i in pattern X, and $Y_i$ denotes the statistic of unit interval i in pattern Y. $\rho_{X,Y}$ denotes the correlation between patterns X and Y, $\operatorname{cov}(X,Y)$ denotes the covariance of patterns X and Y, $\sigma_X$ denotes the standard deviation of pattern X, $\sigma_Y$ denotes the standard deviation of pattern Y, n is the number of unit intervals, $\mu_x$ is the mean of pattern X and $\mu_y$ is the mean of pattern Y. The n in the standard deviation formulas can also be replaced with n-1. The correlation need not be expressed as a correlation coefficient; for example, it can be expressed as a T-value or a P-value.
Fig. 3 shows the stream pattern of the HTTP query requests and the stream pattern of the JDBC query requests in the above example. As can be seen from Fig. 3, the similarity between the two stream patterns is high. The correlation calculation also shows that the correlation between the two stream patterns is the largest (0.889), so the analysis identifies them as belonging to the same correlation.
In one embodiment, system 100 can also comprise a type identifier (not shown). The type identifier uses server type patterns to determine the server type of the responder of each stream. A server type pattern defines the correspondence between the interaction type of a stream and the server type of its responder. For example, the server type patterns can include, but are not limited to, the following correspondences:
● interaction type HTTP corresponds to a Web server
● interaction type JDBC corresponds to a database server
● interaction type LDAP corresponds to an LDAP server.
In one embodiment, system 100 can also comprise a converter (not shown). The converter converts the application topology into a visual form, for presentation on a device such as a display, by connecting each requester and responder with the corresponding stream and showing the correlation between streams and the server type of each responder.
The method of the invention shown in Fig. 4 is explained below with the example of Fig. 5. Fig. 4 shows a flow chart of a method for identifying application topology according to an embodiment of the invention. Fig. 5 shows an exemplary application topology.
As shown in Fig. 4, the method starts at step 400. Then, in step 401, packets in which at least one of the source address and the destination address is within the predetermined host range are extracted from the network traffic occurring within a predetermined time period, and the transmission time of each packet is obtained. As shown in Fig. 5, suppose the monitored system comprises: mail server 501, IP address 100.1.0.1; WEB server 502, IP address 100.1.0.2; mail server 503, IP address 100.0.0.1; WEB server 504, IP address 100.0.0.2; and LDAP server 505, IP address 100.0.0.3. Servers 501 and 502 are on the same physical server 500. In step 401, the packets whose destination IP address is within the above range are extracted.
Then, in step 402, the interactions carried by the packets are identified according to interaction features, each interaction comprising an interaction type, a requester and a responder. For example, as shown in Fig. 5, the following can be identified: interaction A of type POP3 from the client to server 501, interaction B of type HTTP from the client to server 502, interaction C of type POP3 from server 501 to server 503, interaction D of type HTTP from server 502 to server 504, and interaction E of type LDAP from server 504 to server 505, with the requester and responder of each interaction identified by the above IP addresses.
Then, in step 403, streams are generated, each representing the interactions that have the same type, requester and responder and comprising statistics, for each unit interval of the predetermined time period, of the interactions of that type carried by the extracted packets. For the example of Fig. 5, the streams corresponding to the interactions obtained in step 402 are generated and denoted A', B', C', D' and E' respectively. Then, in step 404, for all incoming streams and all outgoing streams of each responder that has incoming and outgoing streams, all incoming and outgoing streams of the following kind are found in turn: the degree of correlation between the statistics of the incoming stream and of the outgoing stream over the predetermined time period is the highest and satisfies a predetermined threshold condition. The incoming stream and outgoing stream found are marked as belonging to the same correlation, and the correlation between this incoming stream and outgoing stream is excluded from the scope of subsequent searches, to guarantee that the analysis converges. For the example of Fig. 5, suppose the correlations of streams A' and C', B' and D', and D' and E' are the largest; step 404 therefore determines that A' and C' belong to the same correlation, and that B', D' and E' belong to the same correlation.
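Steps 402 to 404 on the Fig. 5 topology, as an added Python illustration that is not code from the patent. The per-minute counts and client addresses are constructed sample data; the `external` label, the 0.5 threshold, the function names, and the choice to treat servers 501 and 502 as one endpoint (physical server 500) are assumptions made for the example.

```python
from collections import defaultdict
from itertools import product
from math import sqrt

# Host range and addresses from the Fig. 5 example; 100.1.0.1 and 100.1.0.2
# (servers 501, 502) sit on physical server 500, so they form one endpoint.
HOSTS = {"100.1.0.1", "100.1.0.2", "100.0.0.1", "100.0.0.2", "100.0.0.3"}
NODE = {"100.1.0.1": "server500", "100.1.0.2": "server500"}
EXTERNAL = "external"  # assumed label shared by all out-of-range requesters

def node(addr):
    return NODE.get(addr, addr)

def build_streams(interactions, n_units):
    """(unit, type, requester, responder) records -> stream patterns:
    {(type, requester, responder): [interaction count per unit interval]}."""
    streams = {}
    for unit, itype, src, dst in interactions:
        if dst not in HOSTS:
            continue              # responder outside the range: ignored
        if src not in HOSTS:
            src = EXTERNAL        # outside requesters merge into one
        streams.setdefault((itype, src, dst), [0] * n_units)[unit] += 1
    return streams

def pearson(x, y):
    """Correlation coefficient using population (1/n) standard deviations."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / n
    sx = sqrt(sum((a - mx) ** 2 for a in x) / n)
    sy = sqrt(sum((b - my) ** 2 for b in y) / n)
    return cov / (sx * sy) if sx and sy else 0.0  # flat pattern: treat as 0

def correlate(streams, threshold=0.5):
    """Per endpoint, repeatedly take the best remaining incoming/outgoing
    pair above the threshold. Returns [(incoming, outgoing, rho)]."""
    pairs = []
    for ep in sorted({node(a) for key in streams for a in key[1:]}):
        incoming = [k for k in streams if node(k[2]) == ep]
        outgoing = [k for k in streams if node(k[1]) == ep]
        scores = {(i, o): pearson(streams[i], streams[o])
                  for i, o in product(incoming, outgoing) if i != o}
        seen_in, seen_out = set(), set()
        # Stop once every incoming or every outgoing stream is associated.
        while (scores and len(seen_in) < len(incoming)
               and len(seen_out) < len(outgoing)):
            (i, o), rho = max(scores.items(), key=lambda kv: kv[1])
            if rho <= threshold:
                break             # nothing left above the threshold
            pairs.append((i, o, rho))
            seen_in.add(i)
            seen_out.add(o)
            del scores[(i, o)]    # this pair is excluded from later rounds
    return pairs

def related_groups(streams, pairs):
    """Merge the selected pairs into sets of streams that belong together."""
    parent = {k: k for k in streams}
    def find(k):
        while parent[k] != k:
            k = parent[k]
        return k
    for i, o, _ in pairs:
        parent[find(i)] = find(o)
    merged = defaultdict(set)
    for k in streams:
        merged[find(k)].add(k)
    return {frozenset(g) for g in merged.values() if len(g) > 1}

# Constructed sample: interactions per minute over ten minutes.
SAMPLE = {
    ("POP3", "192.0.2.10", "100.1.0.1"): [3, 8, 2, 9, 4, 7, 1, 6, 5, 10],     # A'
    ("HTTP", "192.0.2.20", "100.1.0.2"): [12, 4, 15, 6, 11, 3, 14, 5, 13, 2], # B'
    ("POP3", "100.1.0.1", "100.0.0.1"): [2, 8, 3, 9, 4, 6, 1, 6, 4, 10],      # C'
    ("HTTP", "100.1.0.2", "100.0.0.2"): [11, 4, 14, 7, 10, 3, 13, 5, 13, 3],  # D'
    ("LDAP", "100.0.0.2", "100.0.0.3"): [10, 5, 14, 6, 10, 2, 12, 6, 12, 3],  # E'
    ("HTTP", "100.1.0.2", "203.0.113.5"): [1] * 10,  # responder out of range
}

def analyze():
    records = [(u, t, s, d) for (t, s, d), counts in SAMPLE.items()
               for u, c in enumerate(counts) for _ in range(c)]
    streams = build_streams(records, n_units=10)
    pairs = correlate(streams)
    return streams, pairs, related_groups(streams, pairs)

if __name__ == "__main__":
    for group in analyze()[2]:
        print(sorted(group))
```

Because the endpoint for physical server 500 has two incoming and two outgoing streams, the selection there has to reject the POP3/HTTP cross pairs, which is the case the threshold and the highest-first ordering are meant to handle.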
Further, the server type patterns can be used to determine the server type of the responder of each stream. For the example of Fig. 5, it can be determined that server 501 is a mail server, server 502 is a WEB server, server 503 is a mail server, server 504 is a WEB server and server 505 is an LDAP server.
Further, the application topology can be converted into a visual form by connecting each requester and responder with the corresponding stream and showing the correlation between streams and the server type of each responder. For example, the application topology can be displayed in a form similar to that shown in Fig. 5, in which specific marks (e.g. colors or symbols) can be used to indicate the correlation between streams.
The above series of processes and devices can be implemented by hardware. Such hardware can be a single processing device or multiple processing devices. Such a processing device can be a microprocessor, microcontroller, digital processor, microcomputer, part of a CPU, state machine, logic circuit and/or any device that operates on signals.
It should also be noted that the above series of processes and devices can also be implemented by software and firmware. When they are implemented by software or firmware, the program constituting the software is installed from a storage medium or a network onto a computer with a dedicated hardware structure, for example the general-purpose computer 600 shown in Fig. 6, which can perform various functions when various programs are installed.
In Fig. 6, a central processing unit (CPU) 601 performs various processing according to a program stored in a read-only memory (ROM) 602 or a program loaded from a storage section 608 into a random access memory (RAM) 603. The RAM 603 also stores, as needed, the data required when the CPU 601 performs the various processing.
The CPU 601, the ROM 602 and the RAM 603 are connected to one another via a bus 604. An input/output interface 605 is also connected to the bus 604.
The following components are connected to the input/output interface 605: an input section 606, comprising a keyboard, a mouse and the like; an output section 607, comprising a display, such as a cathode ray tube (CRT) or liquid crystal display (LCD), a loudspeaker and the like; the storage section 608, comprising a hard disk and the like; and a communication section 609, comprising a network interface card such as a LAN card, a modem and the like. The communication section 609 performs communication processing via a network such as the Internet.
A drive 610 is also connected to the input/output interface 605 as needed. A removable medium 611, such as a magnetic disk, an optical disc, a magneto-optical disk or a semiconductor memory, is mounted on the drive 610 as needed, so that a computer program read from it is installed into the storage section 608 as needed.
When the above series of processes is implemented by software, the program constituting the software is installed from a network such as the Internet or from a storage medium such as the removable medium 611.
Those skilled in the art will understand that this storage medium is not limited to the removable medium 611 shown in Fig. 6, which stores the program and is distributed separately from the device to provide the program to the user. Examples of the removable medium 611 include a magnetic disk (including a floppy disk), an optical disc (including a compact disc read-only memory (CD-ROM) and a digital versatile disc (DVD)), a magneto-optical disk (including a MiniDisc (MD)) and a semiconductor memory. Alternatively, the storage medium can be the ROM 602, a hard disk contained in the storage section 608 or the like, in which the program is stored and which is distributed to the user together with the device that contains it.
It should also be pointed out that the steps of the above series of processes can naturally be performed in chronological order in the sequence described, but need not necessarily be performed in chronological order. Some steps can be performed in parallel or independently of one another.
Although the invention and its advantages have been described in detail, it should be understood that various changes, substitutions and alterations can be made without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (22)

1. A system for identifying an application topology, comprising:
A packet extractor, configured to extract, from the network traffic occurring within a predetermined time period, the packets in which at least one of the source address and the destination address is within a predetermined host range, and to obtain the transmission time of each packet;
An interaction identifier, configured to identify, according to interaction features, the interactions carried by the packets, each interaction comprising: the type of the interaction, the requester of the interaction and the responder of the interaction;
A flow generator, configured to generate flows each representing the interactions that have the same type, requester and responder, each flow including statistics on the interactions of that type carried by the packets extracted in each unit time of the predetermined time period; and
A correlator, configured to find, among all incoming flows and all outgoing flows of each endpoint that has incoming flows and/or outgoing flows, the correlated incoming flows and outgoing flows.
2. The system of claim 1, wherein the correlator is further configured to find all correlated incoming flows and outgoing flows successively as follows: when the degree of correlation between the statistics of an incoming flow and of an outgoing flow over the predetermined time period is the highest and satisfies a predetermined threshold condition, the incoming flow and outgoing flow so found are marked as belonging to the same correlation, and the correlation between the incoming flow and outgoing flow so found is excluded from the scope of subsequent searches.
3. The system of claim 1 or 2, wherein the packet extractor comprises means for filtering out redundant packets and packets unrelated to applications.
4. The system of claim 1 or 2, wherein the interaction features comprise protocol-based features of the interaction, or a combination of protocol features and application features.
5. The system of any one of claims 1-4, wherein the protocol comprises: HTTP, HTTPS, JDBC/ODBC, LDAP, SMTP, POP3 or NNTP.
6. The system of any one of claims 1-4, wherein the requester and the responder of an interaction are represented by the source address and the destination address, respectively, of the packet that initiates the interaction.
7. The system of any one of claims 1-4, wherein the interaction identifier is further configured to identify the requesters of interactions whose requester is not within the predetermined host range as one and the same specific requester.
8. The system of any one of claims 1-4, wherein the interaction identifier is further configured to ignore interactions whose responder is not within the predetermined host range.
9. The system of any one of claims 1-4, wherein the statistics comprise: an interaction count, an interaction data volume, or a combination thereof.
10. The system of any one of claims 1-4, further comprising:
A type identifier, configured to use server type patterns to determine the server type of the responder of each flow.
11. The system of any one of claims 1-4, further comprising:
A converter, configured to convert the application topology into a visual form by connecting each requester and responder with the corresponding flow and showing the correlations between flows and the server type of each responder.
12. A method for identifying an application topology, comprising:
Extracting, from the network traffic occurring within a predetermined time period, the packets in which at least one of the source address and the destination address is within a predetermined host range, and obtaining the transmission time of each packet;
Identifying, according to interaction features, the interactions carried by the packets, each interaction comprising: the type of the interaction, the requester of the interaction and the responder of the interaction;
Generating flows each representing the interactions that have the same type, requester and responder, each flow including statistics on the interactions of that type carried by the packets extracted in each unit time of the predetermined time period; and
Finding, among all incoming flows and all outgoing flows of each endpoint that has incoming flows and/or outgoing flows, the correlated incoming flows and outgoing flows.
13. The method of claim 12, wherein the step of finding the correlated incoming flows and outgoing flows among all incoming flows and all outgoing flows of each endpoint that has incoming flows and/or outgoing flows further comprises finding all such incoming flows and outgoing flows successively: when the degree of correlation between the statistics of an incoming flow and of an outgoing flow over the predetermined time period is the highest and satisfies a predetermined threshold condition, the incoming flow and outgoing flow so found are marked as belonging to the same correlation, and the correlation between the incoming flow and outgoing flow so found is excluded from the scope of subsequent searches.
14. The method of claim 12 or 13, wherein the extracting comprises filtering out redundant packets and packets unrelated to applications.
15. The method of claim 12 or 13, wherein the interaction features comprise protocol-based features of the interaction, or a combination of protocol features and application features.
16. The method of any one of claims 12-15, wherein the protocol comprises: HTTP, HTTPS, JDBC/ODBC, LDAP, SMTP, POP3 or NNTP.
17. The method of any one of claims 12-15, wherein the requester and the responder of an interaction are represented by the source address and the destination address, respectively, of the packet that initiates the interaction.
18. The method of any one of claims 12-15, wherein the identifying comprises identifying the requesters of interactions whose requester is not within the predetermined host range as one and the same specific requester.
19. The method of any one of claims 12-15, wherein the identifying comprises ignoring interactions whose responder is not within the predetermined host range.
20. The method of any one of claims 12-15, wherein the statistics comprise: an interaction count, an interaction data volume, or a combination thereof.
21. The method of any one of claims 12-15, further comprising:
Using server type patterns to determine the server type of the responder of each flow.
22. The method of any one of claims 12-15, further comprising:
Converting the application topology into a visual form by connecting each requester and responder with the corresponding flow and showing the correlations between flows and the server type of each responder.
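The flow generation and correlation steps of claims 1, 2, 7 and 8 can be sketched as follows; this is an added example, not code from the patent. It assumes Pearson correlation of per-unit-time interaction counts as the degree of correlation, a threshold of 0.8, the label `EXTERNAL` for requesters outside the host range, and constructed host names and counts; it reads the exclusion step as removing the matched pair from later rounds.

```python
from collections import defaultdict
EXTERNAL = "EXTERNAL"  # assumed label for every requester outside the host range

def build_flows(interactions, hosts, n_units):
    """Flow key: (type, requester, responder); value: interaction count per unit time."""
    flows = defaultdict(lambda: [0] * n_units)
    for unit, itype, req, resp in interactions:
        if resp not in hosts:      # claim 8: responder outside the range is ignored
            continue
        if req not in hosts:       # claim 7: outside requesters become one requester
            req = EXTERNAL
        flows[(itype, req, resp)][unit] += 1
    return dict(flows)

def pearson(x, y):
    """Pearson correlation; 0.0 when either series is constant."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0

def correlate(flows, threshold=0.8):
    """At each endpoint, repeatedly take the best incoming/outgoing pair above threshold."""
    found = []
    for ep in sorted({k[1] for k in flows} | {k[2] for k in flows}):
        cand = {(i, o): pearson(flows[i], flows[o])
                for i in flows if i[2] == ep
                for o in flows if o[1] == ep}
        while cand:
            best = max(cand, key=cand.get)
            if cand[best] < threshold:
                break
            found.append((ep, best[0], best[1], round(cand[best], 3)))
            del cand[best]         # exclude the matched pair from later rounds
    return found

# Constructed sample: per-unit interaction counts over six unit-time slots.
HOSTS = {"web", "app", "db", "ldap"}
SAMPLE = {
    ("HTTP", "c1", "web"): [2, 1, 2, 1, 3, 0],
    ("HTTP", "c2", "web"): [1, 0, 2, 1, 2, 1],
    ("HTTP", "web", "app"): [3, 1, 4, 2, 5, 1],
    ("JDBC", "app", "db"): [6, 2, 8, 4, 10, 2],
    ("LDAP", "app", "ldap"): [1, 1, 2, 1, 1, 2],
    ("HTTP", "web", "cdn"): [1, 1, 1, 1, 1, 1],
}
INTERACTIONS = [(u, *key) for key, counts in SAMPLE.items()
                for u, n in enumerate(counts) for _ in range(n)]
```

Calling `correlate(build_flows(INTERACTIONS, HOSTS, 6))` chains the client-to-web flow to web-to-app and web-to-app to app-to-db, while the LDAP flow stays unlinked because its counts do not track the incoming load.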
CNA2008101110198A 2008-05-29 2008-05-29 The method and system of identification applied topology Pending CN101594247A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNA2008101110198A CN101594247A (en) 2008-05-29 2008-05-29 The method and system of identification applied topology
KR20090044189A KR20090124944A (en) 2008-05-29 2009-05-20 System and method for identifying application topology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008101110198A CN101594247A (en) 2008-05-29 2008-05-29 The method and system of identification applied topology

Publications (1)

Publication Number Publication Date
CN101594247A true CN101594247A (en) 2009-12-02

Family

ID=41408707

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008101110198A Pending CN101594247A (en) 2008-05-29 2008-05-29 The method and system of identification applied topology

Country Status (2)

Country Link
KR (1) KR20090124944A (en)
CN (1) CN101594247A (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116436152B (en) * 2022-12-13 2023-11-10 国网湖北省电力有限公司电力科学研究院 Intelligent low-voltage distribution transformer area topology identification method based on characteristic information correlation

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107004022A (en) * 2015-01-09 2017-08-01 英特尔公司 Data are split and transform method and device
CN107004022B (en) * 2015-01-09 2021-08-17 英特尔公司 Data segmentation and transformation method and device
CN109802842A (en) * 2017-11-16 2019-05-24 华为软件技术有限公司 The generation method and relevant device of applied topology
CN109802842B (en) * 2017-11-16 2021-12-03 华为技术有限公司 Application topology generation method and related equipment
CN110808865A (en) * 2019-11-13 2020-02-18 北京理工大学 Passive industrial control network topology discovery method and industrial control network security management system
CN110808865B (en) * 2019-11-13 2021-04-02 北京理工大学 Passive industrial control network topology discovery method and industrial control network security management system

Also Published As

Publication number Publication date
KR20090124944A (en) 2009-12-03

Similar Documents

Publication Publication Date Title
US8266097B2 (en) System analysis program, system analysis method, and system analysis apparatus
US8676965B2 (en) Tracking high-level network transactions
KR100424724B1 (en) Apparatus for detecting invasion with network stream analysis
CN106790718A (en) Service call link analysis method and system
JP2008507010A (en) Server state estimation in stateless communication protocol
WO2020042029A1 (en) Discovery method for invoked link, apparatus, device, and storage medium
CN107203541A (en) Page loading method and its page loading device
CN109144813B (en) System and method for monitoring server node fault of cloud computing system
CN101099345A (en) Interpreting an application message at a network element using sampling and heuristics
CN109379390B (en) Network security baseline generation method based on full flow
CN111756706A (en) Abnormal flow detection method and device and storage medium
CN110430226B (en) Network attack detection method and device, computer equipment and storage medium
US20100077075A1 (en) Network Diagnostic Systems and Methods for Collecting Data From Network Nodes
WO2021047402A1 (en) Application identification method and apparatus, and storage medium
CN108418727B (en) Method and system for detecting network equipment
CN113553310B (en) Data acquisition method and device, storage medium and electronic equipment
CN108234345A (en) A kind of traffic characteristic recognition methods of terminal network application, device and system
CN106067879B (en) The detection method and device of information
CN105610636A (en) Security log generation method for cloud computing environment
CN113726783A (en) Abnormal IP address identification method and device, electronic equipment and readable storage medium
CN101594247A (en) The method and system of identification applied topology
Lee et al. ATMSim: An anomaly teletraffic detection measurement analysis simulator
CN112688924A (en) Network protocol analysis system
US8429458B2 (en) Method and apparatus for system analysis
KR20030035181A (en) Apparatus and method for managing network faults by multi-agent communication

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
AD01 Patent right deemed abandoned

Effective date of abandoning: 20091202

C20 Patent right or utility model deemed to be abandoned or is abandoned