CN103001811A - Method and device for fault locating - Google Patents

Publication number
CN103001811A
Authority
CN
China
Prior art keywords
event
failure
network
fault
network element
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2012105941483A
Other languages
Chinese (zh)
Other versions
CN103001811B (en)
Inventor
张延佳
韩三田
胡盛华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Venus Information Security Technology Co Ltd
Beijing Venus Information Technology Co Ltd
Original Assignee
Beijing Venus Information Security Technology Co Ltd
Beijing Venus Information Technology Co Ltd
Application filed by Beijing Venus Information Security Technology Co Ltd, Beijing Venus Information Technology Co Ltd
Priority to CN201210594148.3A
Publication of CN103001811A
Application granted
Publication of CN103001811B
Legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for fault locating, and relates to the application field of computer networks. The method and the device solve the problem that existing alarm association rule mining systems have poor timeliness and low efficiency. The method includes constructing a network element topology constraint model; detecting the running status of each network element device in a managed network so as to find fault events; collecting the fault events; and using the network element topology constraint model to perform time-layer correlation and space-layer correlation on the collected fault events so as to determine the fault location. The method and the device are suited to fault diagnosis and achieve efficient and accurate fault locating.

Description

Fault locating method and device
Technical field
The present invention relates to the application field of computer networks, and in particular to a fault locating method and device.
Background
Computer networks have reached every corner of people's lives and work, and the computer has become an indispensable tool for modern people. For a network to serve people effectively, reliably, securely and economically, network management requires the management node to carry out the corresponding fault management promptly when the network fails, so that the network can be repaired quickly and continue to provide service. Fault management generally comprises four steps: fault detection, fault diagnosis, fault repair and fault recording, of which fault diagnosis is the most critical. If network fault diagnosis can locate the fault source quickly and accurately, fault repair can be carried out quickly, which reduces the losses caused by network faults, ensures the reliability and availability of the network, and to some extent prevents faults from occurring.
A network is composed of devices and subsystems, and the different devices and subsystems are interrelated and tightly coupled. A fault in one device can affect many devices or subsystems connected to it and can even paralyse the network; this phenomenon is called fault propagation. Fault propagation causes a large number of fault events to be triggered at the same time, forming a fault event storm, which makes fault diagnosis very difficult. Another cause of fault event storms is that, to cope with increasingly complex network conditions and continually new security challenges, enterprises and organizations have successively deployed anti-virus systems, firewalls, intrusion detection systems, vulnerability scanning systems, UTM and so on; when one device fails, the whole set of security systems is triggered, producing a large number of security events. Therefore, in a complex network environment a single device fault easily causes a fault event storm, and it is hard for the network administrator to find the fault source quickly among the many fault symptoms.
Data mining is the process of extracting, from large amounts of incomplete, noisy, fuzzy and random data, the information and knowledge that is implicit in the data, not known to people in advance, and potentially useful. In a complex network environment, when a device fault is accompanied by a fault event storm, data mining can be introduced into alarm correlation: using rule-based correlation analysis, multiple alarms can be grouped into fewer alarms and a large number of redundant alarms filtered out, which helps the network administrator locate the fault.
However, most traditional alarm association rule mining systems apply only simple preprocessing to the raw alarm data and then mine it directly with a mining algorithm to obtain the association relationships between alarms. Although this method can mine effective alarm association rules, for massive alarm data the timeliness and efficiency of such a system are not high. In addition, if the raw alarm data is obtained only passively from the existing security systems, its validity and completeness are hard to guarantee.
Summary of the invention
The invention provides a fault locating method and device, which solve the problem that existing alarm association rule mining systems have poor timeliness and low efficiency.
A fault locating method comprises:
Constructing a network element topology constraint model;
Detecting the running status of each network element device in the managed network to find fault events;
Collecting the fault events;
Using the network element topology constraint model to perform time-layer correlation and space-layer correlation on the collected fault events and determine the fault location.
Preferably, in an unauthorized network environment, constructing the network element topology constraint model comprises:
Taking the management-centre network element node of the managed network as the probe origin, and sending purpose-designed probe packets from the probe origin to the destination nodes of the managed network;
Collecting the feedback packets that each destination node returns for the probe packets and parsing them to obtain the probe feedback data of each destination node, the probe feedback data comprising an array composed of the probe target address and the hop information of the probe path;
Traversing and deduplicating the paths in the probe feedback data to obtain the network element topology constraint model.
Preferably, in an authorized network environment, constructing the network element topology constraint model comprises:
Taking an IP address from the IP address range of the managed network and using SNMP to obtain the ipForwarding value of that IP address;
When the ipForwarding value is 1, determining that the network element corresponding to that IP address is a router;
Using SNMP to query the IP address table of the router, obtaining all IP addresses and the corresponding subnet masks in the table, and determining all subnet addresses to which the router is connected;
Obtaining the variable ifType from the interface table to determine the network type of each subnet;
Querying the routing table of the router to obtain the next-hop IP addresses of routers that are not directly connected, and using ICMP to find all active IP nodes in the subnets.
Preferably, detecting the running status of each network element device in the managed network to find fault events comprises:
Using the error detection and reporting mechanism of the ICMP protocol to detect server-down faults of each network element in the managed network;
Using the SNMP and/or SSH protocols to detect performance faults of each network element in the managed network;
After a fault is found, reporting the fault event with the SYSLOG protocol.
Preferably, collecting the fault events comprises:
Collecting the fault events reported with the SYSLOG protocol;
Collecting general log information of the managed network: the status, logs and network packets of network security devices, network devices, host server devices, operating systems, databases and middleware;
Normalizing the collected fault events, according to the fault events and the general log information, into unified fault events;
Putting the normalized fault events into the fault event cache.
Preferably, normalizing the collected fault events into unified fault events according to the fault events and the general log information is specifically:
According to the general log information, normalizing the collected fault events into the following categories:
Server down fault, server performance fault, link interruption fault, service interruption fault, threshold alarm fault, general device fault.
Preferably, the fault event comprises the following information:
Module name, source IP address, source port, destination IP address, destination port, protocol type, attack type, message and specific action.
Preferably, using the network element topology constraint model to perform time-layer correlation and space-layer correlation on the collected fault events and determine the fault location comprises:
Time-layer correlation: deduplicating the fault events according to alarm severity, alarm time and event type, removing non-fault information, and aggregating fault events that occur concurrently;
Obtaining the latest network element topology association model in memory and converting it into an association rule script file;
Storing all rules in the association rule script file in the rule cache;
Obtaining the latest fault events from the fault event cache, performing multi-event correlation, and keeping all fault events that satisfy a rule in the cache;
When the fault events stored in the cache match a rule in the association rule script file, moving all fault events that match the rule out of the cache and generating an alarm for those fault events.
Preferably, after the step of using the network element topology constraint model to perform time-layer correlation and space-layer correlation on the collected fault events and determine the fault location, the method further comprises:
Displaying the fault alarm information visually on a tree-structured network topology.
The invention also provides a fault locating device, comprising:
A topology constraint model construction layer, used to construct the network element topology constraint model;
A network state measurement layer, used to detect the running status of each network element device in the managed network to find fault events;
A fault event acquisition layer, used to collect the fault events;
An event correlation analysis layer, used to perform time-layer correlation and space-layer correlation on the collected fault events with the network element topology constraint model and determine the fault location.
Preferably, the fault locating device further comprises:
A fault location presentation layer, used to display the fault alarm information visually on a tree-structured network topology.
The invention provides a fault locating method and device that construct a network element topology constraint model, detect the running status of each network element device in the managed network to find fault events, collect the fault events, and use the network element topology constraint model to perform time-layer correlation and space-layer correlation on the collected fault events to determine the fault location. Because the network topology model is applied while the alarm data is mined, association rules between elements that have no topological connection are filtered out, which improves the efficiency and correctness of mining and solves the problem that existing alarm association rule mining systems have poor timeliness and low efficiency.
Description of drawings
Fig. 1 is a flow chart of the fault locating method provided by Embodiment 1 of the invention;
Fig. 2 is a structural diagram of the fault locating device provided by Embodiment 2 of the invention;
Fig. 3 is a schematic diagram of the topology-constrained association rule mining algorithm in Embodiment 3 of the invention.
Embodiments
Most traditional alarm association rule mining systems apply only simple preprocessing to the raw alarm data and then mine it directly with a mining algorithm to obtain the association relationships between alarms. Although this method can mine effective alarm association rules, for massive alarm data the timeliness and efficiency of such a system are not high. In addition, if the raw alarm data is obtained only passively from the existing security systems, its validity and completeness are hard to guarantee.
A more efficient and accurate network fault locating method is therefore needed to meet the demands of fault location in complex network environments.
To solve the above problem, embodiments of the invention provide a fault locating method. The embodiments are described in detail below with reference to the drawings. It should be noted that, where they do not conflict, the embodiments in this application and the features in the embodiments may be combined with one another in any way.
Embodiment 1 of the invention is described first, with reference to the drawings.
The embodiment provides a fault locating method. Its purpose is to combine a topology-constrained association rule mining algorithm, automatic topology discovery under authorized and unauthorized network conditions, heterogeneous massive log collection, alarm visualization based on tree topology, a workflow driven by the blackboard model, modern communications and other advanced techniques to solve the problem of quickly diagnosing and locating network faults in very large and highly complex network environments. The networks handled by the fault locating method of this embodiment can contain up to 5000 network elements, and the network element types can include network security devices, network devices, host server devices, operating systems, databases, middleware and so on.
The flow for completing fault analysis with the fault locating method provided by the embodiment is shown in Fig. 1 and comprises:
Step 101: construct the network element topology constraint model;
The embodiment is based on an in-depth study of how network faults propagate and combines the features of several network protocols. It constructs the network element topology constraint model with automatic topology discovery for complex network environments, performs rapid fault diagnosis of large networks and forms fault events with asynchronous probing, obtains fault events from every source in the whole network with heterogeneous massive log collection, performs correlation analysis on the fault events with the topology-constrained association rule algorithm to reach the final fault location conclusion, and presents the result visually on a tree-shaped network topology. This series of processes and techniques is tied into an organic whole by the blackboard model framework, which acts as the driver.
The embodiment studied the propagation characteristics of network faults. A fault propagates through a network along two main kinds of path: horizontal propagation and vertical propagation. Horizontal propagation means that a fault propagates between devices that are physically or logically connected. Vertical propagation means that a fault propagates inside one device along the protocol stack from the lower layers to the higher layers. According to the fault propagation path, the fault locating method of this embodiment divides fault diagnosis into two parts, horizontal diagnosis and vertical diagnosis, which improves the efficiency and accuracy of fault diagnosis. The times at which a series of faults occur are a clue to how the faults propagated, and combining them with the network topology gives a fuller understanding of the propagation.
The topology constraint model construction layer builds the network element topology association model of the network. Across different network environments it combines protocols and methods such as SNMP, CDP, ICMP and TRACEROUTE to explore the topological connections of the network intelligently. The topology association model is a tree-shaped logical network topology with the management centre as its starting point. The topology model construction engine runs in its own thread, periodically performs topology discovery on the managed network, and writes the model data into the network element association model cache. The topology constraint model construction layer can also convert an existing asset topology into the network element association model.
The network element topology constraint model built in this step starts from the management centre and treats all subnets as one tree structure. The tree network structure uses a tree table as the data structure that represents the tree. The whole tree is represented as a node table; each element of the node table contains a table that records the positions of all child nodes of that node, called the child table. The length of the node table is the number of nodes in the tree, and the node table is generally stored sequentially in a one-dimensional array. The length of a child table depends on the degree of the node and therefore varies, so a child table is generally represented as a singly linked list; the nodes in a child table are linked in their left-to-right order in the tree. Each entry of the node table therefore stores, besides the information of the element itself, the head pointer of its child table.
To adapt to complex network environments, this step uses different technical schemes in unauthorized and authorized network environments; both aim to construct the network element topology constraint model described above. They are described in turn below:
One: in an unauthorized network environment, an improved TRACEROUTE method is used to construct the network element topology constraint model. The specific practice is:
1) taking the management-centre network element node of the managed network as the probe origin, send ICMP echo packets with different IP time-to-live (TTL) values as probe packets from the probe origin to the destination nodes in the managed network;
2) collect the feedback packets returned by each destination node and parse them to obtain the probe feedback data of each destination node; the probe feedback data contains an array structure composed of the probe target address and the hop information of the probe path;
3) traverse and deduplicate the paths in the probe feedback data to obtain the network element topology constraint model.
Two: in an authorized network environment, this step combines the SNMP protocol and ICMP to construct the network element topology constraint model. The specific practice is:
1) take an IP address from the IP address range of the managed network (for example, the first address of the network segment) and use SNMP to obtain its ipForwarding value. If the value is 1, the device can forward IP packets and is a router. If a router has been found, go to step 2); if there is no router (that is, every IP address in the address range has been checked and none was judged to be a router, since the managed address range may contain no router), the algorithm ends.
2) use SNMP to query the IP address table (ipAddrTable) of this router and obtain all IP addresses (ipAdEntAddr) and the corresponding subnet masks (ipAdEntNetMask) in the table. Apply a bitwise AND to each ipAdEntAddr and its ipAdEntNetMask to determine all subnet addresses to which the router is connected. If a subnet is not within the managed range, the algorithm ends; otherwise, obtain the variable ifType from the interface table (ifTable) to determine the network type of the subnet.
After the subnet information has been obtained, query the routing table (ipRouteTable) of this router and obtain the next-hop IP addresses (ipRouteNextHop) of the routers that are not directly connected, that is, the entries whose route type (ipRouteType) has the value 4 (indirect). If there is no such router, the algorithm ends; otherwise, go to step 2). For all subnets determined by the above algorithm, loop and use ICMP to find all active IP nodes in the network (if the network contains several subnets, traverse all of them).
The two construction techniques above provide an effective and efficient way to discover the network element topology constraint model in complex network environments and lay the foundation for the subsequent fault location analysis.
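The SNMP walk described in steps 1) and 2), run against constructed tables so that it works offline; this is an added example, not code from the patent. `AGENTS`, `ALIVE`, `snmp_query` and `ping` are hypothetical stand-ins for live SNMP and ICMP traffic, ifType is not modelled, and a subnet outside the managed range is skipped rather than ending the run, which is a choice of this sketch.

```python
import ipaddress
from collections import deque

# Constructed sample data: one record per device, as SNMP would return it.
# ipRouteTable rows are (ipRouteNextHop, ipRouteType); 3 = direct, 4 = indirect.
AGENTS = [
    {"ipForwarding": 1,                                   # router A
     "ipAddrTable": [("192.168.1.1", "255.255.255.0"),
                     ("192.168.2.1", "255.255.255.0")],
     "ipRouteTable": [("192.168.1.1", 3), ("192.168.2.254", 4)]},
    {"ipForwarding": 1,                                   # router B
     "ipAddrTable": [("192.168.2.254", "255.255.255.0"),
                     ("192.168.3.1", "255.255.255.0"),
                     ("172.16.0.1", "255.255.0.0")],      # outside managed range
     "ipRouteTable": [("192.168.2.1", 4)]},               # points back at A
    {"ipForwarding": 2,                                   # ordinary host
     "ipAddrTable": [("192.168.1.20", "255.255.255.0")],
     "ipRouteTable": []},
]
ALIVE = {"192.168.1.1", "192.168.1.20", "192.168.2.1",
         "192.168.2.254", "192.168.3.1", "192.168.3.7"}

def snmp_query(addr):
    """Hypothetical SNMP stand-in: record of the device that owns addr, or None."""
    for rec in AGENTS:
        if any(a == addr for a, _ in rec["ipAddrTable"]):
            return rec
    return None

def ping(addr):
    """Hypothetical ICMP echo stand-in."""
    return addr in ALIVE

def connected_subnet(addr, mask):
    """ipAdEntAddr AND ipAdEntNetMask gives the subnet address."""
    net = int(ipaddress.ip_address(addr)) & int(ipaddress.ip_address(mask))
    return ipaddress.ip_network(f"{ipaddress.ip_address(net)}/{mask}")

def discover(managed_cidr):
    managed = ipaddress.ip_network(managed_cidr)
    # Step 1: scan the managed range for the first device with ipForwarding = 1.
    seed = None
    for host in managed.hosts():
        rec = snmp_query(str(host))
        if rec and rec["ipForwarding"] == 1:
            seed = str(host)
            break
    if seed is None:
        return {}                              # no router in the range
    # Step 2: follow indirect routes from router to router.
    subnets, seen, queue = {}, set(), deque([seed])
    while queue:
        addr = queue.popleft()
        rec = snmp_query(addr)
        if addr in seen or rec is None or rec["ipForwarding"] != 1:
            continue
        # A router answers on every interface: mark them all so it is walked once.
        seen.update(a for a, _ in rec["ipAddrTable"])
        for a, m in rec["ipAddrTable"]:
            net = connected_subnet(a, m)
            if net.subnet_of(managed):
                entry = subnets.setdefault(str(net), {"routers": [], "hosts": []})
                entry["routers"].append(a)
        queue.extend(hop for hop, rtype in rec["ipRouteTable"] if rtype == 4)
    # Final sweep: find the active IP nodes of every discovered subnet.
    for cidr, entry in subnets.items():
        entry["hosts"] = [str(h) for h in ipaddress.ip_network(cidr).hosts()
                          if ping(str(h))]
    return subnets

if __name__ == "__main__":
    for cidr, entry in discover("192.168.0.0/16").items():
        print(cidr, entry)
```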
Step 102: detect the running status of each network element device in the managed network to find fault events;
In this step, the network state measurement layer uses asynchronous network probing for diagnosis and uses the error detection and reporting mechanism of the ICMP protocol to check the connection status of the network. Diagnostic information about network device faults is obtained by sending and receiving ICMP messages asynchronously, and diagnostic information about network service faults is obtained by establishing a TCP connection to the specified service port. The diagnostic information is formed into fault events, which are passed to the fault event acquisition layer over the syslog protocol.
Probe conclusions are all expressed in the unified form of a fault event. The event format is as follows:
mod=%s sa=%s sport=%d da=%s dport=%d proto=%d type="%s" count=%d msg="%s" act="%s"
The meaning of each parameter in the fault event is shown in Table 1.
Table 1 (an image in the original publication, Figure BDA00002697399000091; not reproduced in this text)
This step is carried out by the network state measurement layer, which reports the fault events to the fault event acquisition layer. Specifically, the network state measurement layer puts each fault event directly into the fault event cache inside the system in the form of a Java object.
Step 103: collect the fault events;
In this step, fault event collection by the fault event acquisition layer comprises three steps: event reception, event normalization and event caching. Besides receiving the fault events reported by the network state measurement layer, the fault event acquisition layer can also receive the security logs that the various network element devices actively report over the syslog protocol.
An example of the security log format is as follows:
devid=0 date="2011/07/12 16:28:10" dname="Guard 8000" logtype=6 pri=5 mod=attack sa=189.16.100.9 sport=2582 da=189.16.100.180 dport=8888 proto=6 type="synflood" count=1 msg="protect syn connect" act="drop"
The fault event acquisition engine (the concrete implementation of the fault acquisition layer in the correlation framework) runs in its own thread. It receives the events from the network state measurement layer and the security logs reported by the various network element devices, extracts the device fault events, generates syslog data objects directly from the data messages, normalizes the security log content into fault event objects of a unified format, and finally puts these fault events into the fault event cache.
(Is what is extracted here the fault events reported by the network state measurement layer? That is, are the events reported by the network state measurement layer and the security logs reported by the network element devices processed separately? Why is a syslog data class generated? Answer: (1) What is extracted here is not the fault events reported by the network state measurement layer. The fault events in the final fault event cache in fact have two sources. One is the fault event objects that the network state measurement layer reports directly and internally, which the system obtains by actively measuring state. The other is the syslog messages that the network element devices in the network report themselves and the system receives passively, which are then converted into fault event objects by normalization. (2) The events reported by the network state measurement layer and the security logs reported by the network element devices are processed separately, but both finally go into the fault event cache. (3) For the security logs reported by network element devices, the data flow is roughly as follows: the data starts as a syslog protocol message and is converted into a syslog data object by message collection; because the syslog data formats of different devices are inconsistent, it is then normalized into the fault event class of the final unified format.) (What is the content of the "Lax entropy" in "according to the Lax entropy of the log normalization configuration file"? Answer: the normalization of logs is explained below; can this passage be simplified? Do not write "according to the Lax entropy of the log normalization configuration file"; simply write that the security log content is normalized.)
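A parser and normalizer for the key=value event format used in steps 102 and 103, as an added example that is not code from the patent. The first sample line is the security log quoted above; the other lines, the `FaultEvent` field names and the `CATEGORY_BY_TYPE` mapping onto the six categories are assumptions made for illustration, since the patent's Table 1 and normalization rules are not reproduced in the text.

```python
import ipaddress
import re
from dataclasses import dataclass

# key=value pairs; a value is either a double-quoted string or a bare token.
PAIR = re.compile(r'(\w+)=("[^"]*"|[^\s"]+)')

# Hypothetical mapping from the "type" field to the unified categories.
CATEGORY_BY_TYPE = {
    "host_down": "server down fault",
    "cpu_high": "server performance fault",
    "link_down": "link interruption fault",
    "port_closed": "service interruption fault",
    "threshold": "threshold alarm fault",
}
DEFAULT_CATEGORY = "general device fault"

@dataclass(frozen=True)
class FaultEvent:
    module: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int
    event_type: str
    count: int
    message: str
    action: str
    category: str

def parse_kv(line):
    """Split one log line into a dict; quoted values may contain spaces."""
    return {key: value.strip('"') for key, value in PAIR.findall(line)}

def _port(text):
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port

def normalize(line):
    """Return a FaultEvent, or None when the line is malformed.

    Syslog input is unauthenticated, so every field is validated before the
    event is allowed into the fault event cache.
    """
    kv = parse_kv(line)
    try:
        return FaultEvent(
            module=kv["mod"],
            src_ip=str(ipaddress.ip_address(kv["sa"])),
            src_port=_port(kv["sport"]),
            dst_ip=str(ipaddress.ip_address(kv["da"])),
            dst_port=_port(kv["dport"]),
            protocol=int(kv["proto"]),
            event_type=kv["type"],
            count=int(kv.get("count", "1")),
            message=kv["msg"],
            action=kv["act"],
            category=CATEGORY_BY_TYPE.get(kv["type"], DEFAULT_CATEGORY),
        )
    except (KeyError, ValueError):
        return None

# Sample quoted on the page.
PAGE_SAMPLE = ('devid=0 date="2011/07/12 16:28:10" dname="Guard 8000" logtype=6 '
               'pri=5 mod=attack sa=189.16.100.9 sport=2582 da=189.16.100.180 '
               'dport=8888 proto=6 type="synflood" count=1 '
               'msg="protect syn connect" act="drop"')
# Constructed samples: a probe result, a bad port, and a missing field.
PROBE_SAMPLE = ('mod=probe sa=10.0.0.1 sport=0 da=10.0.2.10 dport=0 proto=1 '
                'type="host_down" count=3 msg="no echo reply" act="report"')
BAD_PORT = PROBE_SAMPLE.replace("dport=0", "dport=99999")
MISSING_DA = 'mod=probe sa=10.0.0.1 sport=0 dport=0 proto=1 type="x" msg="m" act="a"'

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, PROBE_SAMPLE, BAD_PORT, MISSING_DA):
        print(normalize(sample))
```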
Step 104, utilize described network element topology restricted model, it is related related with space layer that the event of failure that collects is carried out time horizon, determines abort situation;
The propagation characteristic of event correlation analysis layer fault Network Based, employing is based on the association rules mining algorithm of topological constraints, obtain hierarchical relationship between the network element according to the topological correlation model of setting up, each equipment of each alarm event of occuring is carried out level coding, and (level coding is actually the level of routing forwarding, centered by fault location system, the location that arrives at a place needs the multilayer route to transmit arrival, encodes with the forwarding level from system centre.)。Annexation between the network element that is embodied by topological structure, determine the propagation path of fault, (constraints refers on the fault propagation path network element device existence reason annexation to obtain the constraints of association rule mining process, if higher level equipment breaks down, can cause the network of subordinate also to break down.)。In the Mining Association Rules process, two or more event of failure possibilities are connected to a set and will be limited by this condition.Employing reduces number of combinations to be detected based on the association rules mining algorithm of topological constraints before having realized connecting greatly again, improves the ageing and result's of fault location accuracy.
In this step, adopt time horizon related with based on the related double-deck event correlation strategy of the space layer of topological constraints.
In the part of time horizon association, remove the series of fortified passes connection for following information in the event of failure:
1, the alarm order of severity;
2, the time of alarm;
3, event type.
Can remove non-failure classes information by the time horizon association, concurrent event of same time of polymerization specifically refers to a large amount of events that send of same equipment short time are carried out polymerization simultaneously.Follow-up space layer association then is handle, and the event that distinct device sends in the certain hour interval is carried out association process.
The space-layer association based on topological constraints proceeds as follows:
1. Obtain the latest network element topology association model data from memory and convert the model into an association rule script file. The script file contains multiple association rules, such as space-based association rules. In general each network segment has its own set of association rules that follow the fault propagation path, and the script file contains the association rules of multiple network segments. Examples by category: diagnosis rules for host devices in the same network segment, fault rules for security devices in the same network segment, and network device alarms of critical level. There are also time-based association rules, such as repeated alarms from the same device within a given time period.
2. Map the association rule script file into memory. All rules are held in the rule cache; when a rule is added, deleted or changed, the rule cache is updated at the same time. When the rule cache is updated, the handling of that rule in the association analysis thread pool is updated as well. (The association analysis thread pool is the fault association analysis engine, which uses a thread pool for efficiency. When the association rule script changes, the rule cache used by the thread pool is updated immediately.)
3. Obtain the latest fault events from the fault event cache and perform multi-event association. The association analysis engine fetches events from the fault event cache for analysis on a timer with a period of 1 minute. All events that satisfy a rule are held in a cache. (For example, in time-based association, for the rule "repeated host alarms from the same device within a given time period", a host event that meets this condition is said to satisfy the rule. Such events are cached, and only when the given time period is reached, for example 2 minutes, is the rule said to be matched. Some rules, such as "host fault alarm of critical level", have no time-period constraint and no event-count constraint, so satisfying the rule is the same as matching it.) Each rule corresponds to one type of fault and can consist of several constraints; for "repeated host alarms from the same device within a given time period", the constraints are: same device, given time period, host-type event. Once a rule is matched, the matched rule is moved out of the rule cache and the cached events that satisfy it are merged into an alarm. To guarantee performance, the design limits the number of concurrent alarm actions (an alarm action is the handling of a fault alarm produced by association analysis, such as sending an e-mail or a text message) to at most 30, and allows at most 5000 alarm actions that have not yet run to wait in the queue; anything beyond this limit is discarded.
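The rule handling described in step 3, as an added Python sketch that is not code from the patent: it shows time-layer de-duplication, the difference between an event satisfying a rule and a rule being matched, and the 30/5000 limits on alarm actions. All class and function names, the 5-second burst window and the sample events are assumptions constructed for illustration; reading "reaching the time period" as "repeats span at least the period" is also an assumption.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class FaultEvent:
    device: str    # reporting network element
    kind: str      # normalized event type, e.g. "host" or "link"
    severity: str  # e.g. "warning" or "critical"
    ts: int        # alarm time in seconds

def time_layer(events, window=5):
    """Collapse a burst of identical events from one device into one event."""
    last_kept, kept = {}, []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.device, e.kind, e.severity)
        if key in last_kept and e.ts - last_kept[key] < window:
            continue                         # duplicate inside the burst window
        last_kept[key] = e.ts
        kept.append(e)
    return kept

class CriticalHostRule:
    """No period or count constraint: satisfying the rule is a match."""
    name = "critical host fault alarm"

    def feed(self, e):
        if e.kind == "host" and e.severity == "critical":
            return [e]
        return None

class RepeatedHostAlarmRule:
    """Constraints: same device, host-type event, given time period."""
    name = "repeated host alarm from the same device"

    def __init__(self, period=120):
        self.period = period
        self.held = defaultdict(list)        # device -> events satisfying the rule

    def feed(self, e):
        if e.kind != "host":
            return None                      # rule not satisfied
        bucket = self.held[e.device]
        bucket.append(e)                     # satisfied: hold the event
        if e.ts - bucket[0].ts >= self.period:
            return self.held.pop(e.device)   # period reached: rule matched
        return None

class AlarmDispatcher:
    """At most 30 alarm actions run at once, 5000 wait, the rest are dropped."""

    def __init__(self, max_running=30, max_pending=5000):
        self.max_running, self.max_pending = max_running, max_pending
        self.running, self.pending, self.dropped = [], deque(), 0

    def submit(self, alarm):
        if len(self.running) < self.max_running:
            self.running.append(alarm)
            return "running"
        if len(self.pending) < self.max_pending:
            self.pending.append(alarm)
            return "queued"
        self.dropped += 1
        return "dropped"

    def finish(self, alarm):
        self.running.remove(alarm)
        if self.pending:                     # promote the oldest waiting action
            self.running.append(self.pending.popleft())

def correlate(events, rules, dispatcher):
    """One analysis cycle over the events pulled from the fault event cache."""
    alarms = []
    for e in time_layer(events):
        for rule in rules:
            merged = rule.feed(e)
            if merged:                       # merge the held events into one alarm
                alarm = (rule.name, merged[0].device, len(merged))
                dispatcher.submit(alarm)
                alarms.append(alarm)
    return alarms

# Constructed sample: a burst and slow repeats from host-a, one critical event.
SAMPLE_EVENTS = [
    FaultEvent("host-a", "host", "warning", 0),
    FaultEvent("host-a", "host", "warning", 1),
    FaultEvent("host-a", "host", "warning", 2),
    FaultEvent("host-a", "host", "warning", 60),
    FaultEvent("fw-1", "link", "warning", 70),
    FaultEvent("host-a", "host", "warning", 120),
    FaultEvent("host-b", "host", "critical", 130),
]

if __name__ == "__main__":
    rules = [CriticalHostRule(), RepeatedHostAlarmRule(period=120)]
    for alarm in correlate(SAMPLE_EVENTS, rules, AlarmDispatcher()):
        print(alarm)
```

The bounded queue is the part to watch in operation: during an alarm storm the dropped counter is the only record that alarm actions were lost, so it should be exported as a metric.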
Step 105: display the fault alarm information visually on a tree-structured network topology.
In this embodiment of the invention, after a fault alarm is triggered, what the user sees is the fault alarm, but the fault also needs to be traceable. Specifically, fault alarms are presented as a fault tree: the related events and alarms are assembled into an alarm tree, so that the user can see clearly which alarms produced a fault, and the tree also reflects the reasoning process behind the alarm. In the display interface, every alarm generated by the fault location module can be traced back as a fault tree.
Embodiment two of the invention is described below with reference to the accompanying drawings.
This embodiment of the invention provides a fault locating device whose structure, as shown in Fig. 2, comprises:
a topological constraint model construction layer 201, configured to build the network element topology constraint model;
a network state measurement layer 202, configured to detect the running state of each network element device in the managed network in order to discover fault events;
a fault event collection layer 203, configured to collect fault events;
an event association analysis layer 204, configured to use the network element topology constraint model to perform time-layer association and space-layer association on the collected fault events and determine the fault location.
Preferably, the device further comprises:
a fault location presentation layer 205, configured to display the fault alarm information visually on a tree-structured network topology.
The engine that drives the system flow is a blackboard model framework. An in-memory database with a composite structure serves as the "blackboard", and several groups of engines are set up according to the business logic to update and analyse the cached data. Because there are several groups of engines and several data cache regions, the method does not use the "publish-subscribe push mode", which offers better real-time behaviour, but a "pull mode": each engine accesses the blackboard region at a fixed period according to its own business conditions. The in-memory data of the blackboard region comprises:
1. the network element association model cache (caches the association relationships between the network elements in the network);
2. the event engine cache pool (caches the raw syslog data passively received from network element devices);
3. the fault event cache (normalized security event objects related to device faults);
4. the asset topology cache (network element topology data discovered or configured by the network management system);
5. the fault alarm cache (accurate device fault alarm information produced by association analysis).
The event engine cache pool holds the syslog data sent by network element devices and collected by the fault event collection engine; these data enter the fault event cache only after they have been filtered and selected. The other source of data in the fault event cache is the fault events reported directly by the network state measurement layer.
The topological constraint model construction layer builds the topology association model of the network elements in the network. Across a variety of network environments it combines protocols and methods such as SNMP, CDP, ICMP and TRACEROUTE to explore the topological connections of the network intelligently. The topology association model is a tree-shaped logical network topology that starts from the management center. The topology model construction engine runs as an independent thread, periodically performs topology discovery on the managed network, and writes the model data into the network element association model cache. The layer can also convert an existing asset topology into the network element association model.
The network state measurement layer uses asynchronous network probing and diagnosis. It uses the error detection and reporting mechanism of the ICMP protocol to check the connectivity of the network. It sends and receives ICMP messages asynchronously to obtain diagnostic information about network device faults, and establishes a TCP connection to a specified service port to obtain diagnostic information about network service faults. The diagnostic information is turned into fault events and passed to the fault event collection layer over the syslog protocol.
The fault event collection layer performs three steps: event reception, event normalization and event caching. Besides the fault events reported by the network state measurement layer, it can also receive the security logs that all kinds of network element devices actively report over the syslog protocol. The fault event collection engine receives the security logs reported by the network state measurement layer and by the network element devices in an independent thread, extracts device fault events, builds a syslog data object directly from the data message, normalizes the log content according to the log normalization configuration file, produces fault event objects in a unified format, and finally puts these fault events into the cache pool.
Based on the propagation characteristics of network faults, the event association analysis layer uses an association rule mining algorithm based on topological constraints. It derives the hierarchy between network elements from the topology association model that has been built, and assigns a level code to each device on which an alarm event occurs. The connections between network elements expressed by the topology, that is, the propagation paths of faults, provide the constraints for the association rule mining process. During mining, whether two or more items may be joined into one set is limited by this constraint. Applying the topological constraint before the join step greatly reduces the number of combinations to be checked and improves the timeliness of fault location and the accuracy of its results.
Embodiment three of the invention is described below with reference to the accompanying drawings.
This embodiment of the invention provides a fault locating method in which the principle of the association rule mining algorithm based on topological constraints is shown in Fig. 3.
Based on the network element topology constraint model formed by the topological constraint model construction layer, the network element topology matching algorithm takes any network element sequence as input and queries the network topology database to determine whether the sequence is contained in a network element cluster. If it is, the algorithm returns true, which indicates that a topological relationship exists between the network elements in the sequence, that is, an alarm propagation path exists between them. If it is not, the algorithm returns false: the input sequence is not contained in any network element cluster, which indicates that no topological relationship, and hence no alarm propagation path, exists between the network elements in the sequence.
The association rule mining algorithm screens frequent patterns according to the returned result, and so filters out erroneous frequent patterns for which no alarm propagation condition exists. Because the FP-Growth algorithm mines over a tree structure and can generate frequent patterns only after the tree has been built, with FP-Growth the frequent patterns are mined first, each is then checked once against the network topology constraint, and the patterns that do not conform are deleted from the final frequent pattern set.
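The matching and filtering step described above, as an added Python sketch that is not code from the patent. It assumes that a network element cluster is the set of elements on one path from a leaf up to the management center in the tree topology, and it uses plain co-occurrence counting as a stand-in for FP-Growth; the topology, device names and alarm windows are constructed.

```python
from collections import Counter
from itertools import combinations

# Constructed tree topology (child -> parent), rooted at the management center.
PARENT = {
    "core-rt": "mgmt",
    "sw-a": "core-rt", "sw-b": "core-rt",
    "host-a1": "sw-a", "host-a2": "sw-a", "host-b1": "sw-b",
}

# Constructed alarm windows: devices that raised alarms in the same interval.
WINDOWS = [
    {"core-rt", "sw-a", "host-a1"},
    {"core-rt", "sw-a", "host-a1", "host-b1"},
    {"sw-a", "host-a1", "host-b1"},
    {"sw-b", "host-b1"},
    {"sw-a", "host-a1", "host-b1"},
]

def clusters(parent):
    """Assumed cluster definition: one cluster per leaf, holding every
    element on the path from that leaf to the root."""
    inner = set(parent.values())
    result = []
    for leaf in (n for n in parent if n not in inner):
        path, node = [], leaf
        while node is not None:
            path.append(node)
            node = parent.get(node)          # the root has no parent entry
        result.append(frozenset(path))
    return result

def topology_match(sequence, cluster_list):
    """True if one cluster contains the whole sequence, i.e. an alarm
    propagation path exists between its elements."""
    wanted = set(sequence)
    return any(wanted <= c for c in cluster_list)

def frequent_patterns(windows, min_support, max_len=3):
    """Stand-in for FP-Growth: count every co-occurring item set of
    size 2..max_len and keep those that reach min_support."""
    counts = Counter()
    for w in windows:
        items = sorted(w)
        for k in range(2, max_len + 1):
            counts.update(combinations(items, k))
    return {p: c for p, c in counts.items() if c >= min_support}

def mine_with_topology(windows, parent, min_support):
    """Mine first, then delete patterns that violate the topology constraint."""
    cl = clusters(parent)
    mined = frequent_patterns(windows, min_support)
    return {p: c for p, c in mined.items() if topology_match(p, cl)}

if __name__ == "__main__":
    print(frequent_patterns(WINDOWS, 3))
    print(mine_with_topology(WINDOWS, PARENT, 3))
```

On the constructed data, host-b1 co-occurs with sw-a and host-a1 three times purely by coincidence; the topology check deletes those patterns because host-b1 sits on a different branch.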
The embodiments of the invention provide a fault locating method and device: a network element topology constraint model is built; the running state of each network element device in the managed network is detected in order to discover fault events; fault events are collected; and the network element topology constraint model is used to perform time-layer association and space-layer association on the collected fault events and determine the fault location. The network topology model is used in the mining of alarm data to filter out association rules for which no topological connection exists, thereby improving the efficiency of mining and
According to the propagation characteristics of network faults, most network security faults are not determined by a single network security event but by the interaction of multiple network security alarms at different times and from different sources, so recording and simply analysing individual network security alarms cannot meet the needs of network security. The technical solution provided by the embodiments of the invention follows the propagation characteristics of network faults and, on the basis of traditional network alarm association mining, uses an association rule mining algorithm based on topological constraints to combine alarm association with the specific network topology, which greatly improves the efficiency of fault location and its adaptability to complex networks.
The embodiments of the invention also build a network constraint topology model and use it in the mining of alarm data to filter out association rules for which no topological connection exists, thereby improving the efficiency and correctness of mining.
The fault locating method and device provided by the embodiments of the invention address the main problems that often arise in fault location in complex network environments, such as real-time performance, stability and scalability. They classify in detail and locate accurately the various faults of the complex IT resources in a computer network, and can reflect the security situation of the computer network truthfully and accurately, for the computer network
With an open fault diagnosis strategy and the fast dynamic parsing mechanism based on log string matching that is configured in the event collection layer, the fault events of all kinds of security devices can be parsed quickly. Device faults can also be probed actively and non-intrusively, so that the various faults that occur during the operation of network security devices, network devices, host server devices, operating systems, databases and middleware are analysed, diagnosed and located.
In addition, a real-time graphical scheme is used to present the results of fault location analysis: fault alarm information is displayed visually on a tree-structured network topology, the spatial and timing information of network faults is shown in an intuitive visual form, and the event information related to a fault is shown in a paged table.
A person of ordinary skill in the art will understand that all or some of the steps of the above embodiments can be implemented as a computer program flow. The computer program can be stored in a computer-readable storage medium and is executed on a corresponding hardware platform (such as a system, equipment, apparatus or device); when executed, it performs one or a combination of the steps of the method embodiments.
Alternatively, all or some of the steps of the above embodiments can be implemented with integrated circuits: the steps can each be made into an individual integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module. The invention is therefore not restricted to any specific combination of hardware and software.
Each device, functional module or functional unit in the above embodiments can be implemented with general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network of multiple computing devices.
When a device, functional module or functional unit in the above embodiments is implemented as a software functional module and sold or used as an independent product, it can be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above can be a read-only memory, a magnetic disk, an optical disc or the like.
Any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the invention. The scope of protection of the invention shall therefore be determined by the scope of protection of the claims.

Claims (11)

1. A fault locating method, characterized in that it comprises:
building a network element topology constraint model;
detecting the running state of each network element device in the managed network to discover fault events;
collecting fault events;
using the network element topology constraint model to perform time-layer association and space-layer association on the collected fault events and determine the fault location.
2. The fault locating method according to claim 1, characterized in that, in an unauthorized network environment, building the network element topology constraint model comprises:
taking the management center network element node of the managed network as the probe origin, and sending designed probe packets from the probe origin to the destination nodes of the managed network;
collecting the feedback packets that each destination node returns for the probe packets and parsing the feedback packets to obtain the probe feedback data of each destination node, the probe feedback data comprising an array consisting of the probe target address and the hop-point information of the probe path;
traversing and de-duplicating the paths in the probe feedback data to obtain the network element topology constraint model.
3. The fault locating method according to claim 1, characterized in that, in an authorized network environment, building the network element topology constraint model comprises:
taking an IP address from the IP address range of the managed network and using SNMP to obtain the IPForwarding value for that IP address;
when the IPForwarding value is 1, determining that the network element corresponding to the IP address is a router;
using SNMP to query the IP address table of the router, obtaining all IP addresses and the corresponding subnet masks in the table, and determining all subnet addresses to which the router is connected;
obtaining the variable ifType from the interface table to determine the network type of the subnet;
querying the routing table of the router to obtain the next-hop IP addresses of routers that are not directly connected, and using ICMP to discover all active IP nodes in the subnet.
4. The fault locating method according to claim 1, characterized in that detecting the running state of each network element device in the managed network to discover fault events comprises:
using the error detection and reporting mechanism of the ICMP protocol to detect downtime faults of each network element in the managed network;
using the SNMP and/or SSH protocol to detect performance faults of each network element in the managed network;
after a fault is found, reporting the fault event over the SYSLOG protocol.
5. The fault locating method according to claim 1, characterized in that collecting fault events comprises:
collecting the fault events reported over the SYSLOG protocol;
collecting the general log information of the managed network, and the states, logs and network packets of network security devices, network devices, host server devices, operating systems, databases and middleware;
normalizing the collected fault events, according to the fault events and the general log information, into unified fault events;
putting the normalized fault events into the fault event cache.
6. The fault locating method according to claim 5, characterized in that normalizing the collected fault events, according to the fault events and the general log information, into unified fault events is specifically:
according to the general log information, normalizing the collected fault events into the following categories:
server downtime fault, server performance fault, link interruption fault, service interruption fault, threshold alarm fault, general device fault.
7. The fault locating method according to claim 5, characterized in that the fault event comprises the following information:
module name, source IP address, source port, destination IP address, destination port, protocol type, attack type, message and specific action.
8. The fault locating method according to claim 1, characterized in that using the network element topology constraint model to perform time-layer association and space-layer association on the collected fault events and determine the fault location comprises:
at the time association layer, de-duplicating and associating the fault events according to the alarm severity, the time of the alarm and the event type, removing non-fault information, and aggregating fault events that occur concurrently at the same time;
obtaining the latest network element topology association model from memory and converting it into an association rule script file;
storing all the rules in the association rule script file in the rule cache;
obtaining the latest fault events from the fault event cache, performing multi-event association, and holding all fault events that satisfy a rule in a cache;
when the fault events held in the cache match a rule in the association rule script file, moving all the fault events that match the rule out of the cache and generating an alarm for all those fault events.
9. The fault locating method according to claim 8, characterized in that, after the step of using the network element topology constraint model to perform time-layer association and space-layer association on the collected fault events and determine the fault location, the method further comprises:
displaying the fault alarm information visually on a tree-structured network topology.
10. A fault locating device, characterized in that it comprises:
a topological constraint model construction layer, configured to build the network element topology constraint model;
a network state measurement layer, configured to detect the running state of each network element device in the managed network in order to discover fault events;
a fault event collection layer, configured to collect fault events;
an event association analysis layer, configured to use the network element topology constraint model to perform time-layer association and space-layer association on the collected fault events and determine the fault location.
11. The fault locating device according to claim 10, characterized in that the device further comprises:
a fault location presentation layer, configured to display the fault alarm information visually on a tree-structured network topology.
CN201210594148.3A 2012-12-31 2012-12-31 Fault locating method and device Expired - Fee Related CN103001811B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210594148.3A CN103001811B (en) 2012-12-31 2012-12-31 Fault locating method and device

Publications (2)

Publication Number Publication Date
CN103001811A true CN103001811A (en) 2013-03-27
CN103001811B CN103001811B (en) 2016-01-06

Family

ID=47929970

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210594148.3A Expired - Fee Related CN103001811B (en) 2012-12-31 2012-12-31 Fault locating method and device

Country Status (1)

Country Link
CN (1) CN103001811B (en)

Cited By (58)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103441897A (en) * 2013-08-26 2013-12-11 深信服网络科技(深圳)有限公司 Method and device for locating failure node in virtual network
CN103580924A (en) * 2013-11-12 2014-02-12 武汉钢铁(集团)公司 Fault location method, device and system
CN103684879A (en) * 2013-12-30 2014-03-26 华为技术有限公司 Display processing method and device
CN103944758A (en) * 2014-04-14 2014-07-23 张薇 Interconnection and intercommunication state monitoring system
CN103973496A (en) * 2014-05-21 2014-08-06 华为技术有限公司 Fault diagnosis method and device
CN104125085A (en) * 2013-04-27 2014-10-29 中国移动通信集团黑龙江有限公司 EBS (Enterprise Service Bus) data management and control method and device
CN104219087A (en) * 2014-08-08 2014-12-17 蓝盾信息安全技术有限公司 Fault location method
CN105183619A (en) * 2015-09-29 2015-12-23 北京奇艺世纪科技有限公司 System fault early-warning method and system
CN105659528A (en) * 2013-12-20 2016-06-08 中兴通讯股份有限公司 Method and apparatus for realizing fault location
WO2016095529A1 (en) * 2014-12-19 2016-06-23 中兴通讯股份有限公司 Method and apparatus for querying end-to-end service performance
CN105743704A (en) * 2016-03-30 2016-07-06 广东凯通软件开发有限公司 Fault analysis method and device for communication link
CN105760402A (en) * 2014-12-16 2016-07-13 中兴通讯股份有限公司 End-to-end service performance query method and end-to-end service performance query device
CN105894213A (en) * 2016-04-27 2016-08-24 东北大学 Multi-agent grid fault diagnosis system and method based on blackboard model
CN106054858A (en) * 2016-05-27 2016-10-26 大连楼兰科技股份有限公司 Decision tree classification and fault code classification-based vehicle remote diagnosis and spare part retrieval method
CN106209456A (en) * 2016-07-13 2016-12-07 浪潮(北京)电子信息产业有限公司 A kind of kernel state lower network fault detection method and device
CN106209420A (en) * 2016-06-27 2016-12-07 瑞斯康达科技发展股份有限公司 A kind of method positioning data forwarding service fault and electronic equipment
WO2016206386A1 (en) * 2015-06-26 2016-12-29 中兴通讯股份有限公司 Fault correlation method and apparatus
CN106371986A (en) * 2016-09-08 2017-02-01 上海新炬网络技术有限公司 Log treatment operation and maintenance monitoring system
CN106506237A (en) * 2016-12-08 2017-03-15 广东电网有限责任公司电力科学研究院 A kind of Fault Locating Method of substation communication network and device
WO2017107014A1 (en) * 2015-12-21 2017-06-29 华为技术有限公司 Network sub-health diagnosis method and apparatus
CN106982148A (en) * 2016-01-19 2017-07-25 中国移动通信集团浙江有限公司 A kind of server is delayed the monitoring method of machine, apparatus and system
CN107171861A (en) * 2017-06-29 2017-09-15 联想(北京)有限公司 A kind of information processing method, electronic equipment and computer-readable storage medium
CN107332915A (en) * 2017-07-05 2017-11-07 北京辰安信息科技有限公司 A kind of information processing method and device
CN107358106A (en) * 2017-07-11 2017-11-17 北京奇虎科技有限公司 Leak detection method, Hole Detection device and server
CN107770797A (en) * 2016-08-17 2018-03-06 中国移动通信集团内蒙古有限公司 A kind of association analysis method and system of wireless network alarm management
CN108092824A (en) * 2018-01-15 2018-05-29 淮阴师范学院 A kind of control system diagnostic method based on complex dynamic network
CN108259241A (en) * 2018-01-11 2018-07-06 上海有云信息技术有限公司 A kind of abnormal localization method and device of cloud platform monitoring system
CN108259195A (en) * 2016-12-28 2018-07-06 阿里巴巴集团控股有限公司 The determining method and system of the coverage of anomalous event
CN108306748A (en) * 2017-01-12 2018-07-20 阿里巴巴集团控股有限公司 Network failure locating method, device and interactive device
CN108600049A (en) * 2018-04-16 2018-09-28 苏州云杉世纪网络科技有限公司 A kind of performance measurement method and device of data center network TCP connection
CN108964960A (en) * 2017-05-27 2018-12-07 阿里巴巴集团控股有限公司 A kind of processing method and processing device of alarm event
WO2018223672A1 (en) * 2017-06-07 2018-12-13 北京小度信息科技有限公司 Data processing method and device
CN109308248A (en) * 2018-08-27 2019-02-05 上海功致信息科技有限公司 Event relation analyzing method and system
CN109684181A (en) * 2018-11-20 2019-04-26 华为技术有限公司 Alarm root is because of analysis method, device, equipment and storage medium
CN110086682A (en) * 2019-05-22 2019-08-02 四川新网银行股份有限公司 Service link call relation view and failure root based on TCP are because of localization method
CN110191003A (en) * 2019-06-18 2019-08-30 北京达佳互联信息技术有限公司 Fault repairing method, device, computer equipment and storage medium
CN110278099A (en) * 2018-03-14 2019-09-24 比亚迪股份有限公司 Message test method, device and computer equipment
CN110336808A (en) * 2019-06-28 2019-10-15 南瑞集团有限公司 A kind of attack source tracing method and system towards electric power industry control network
CN110417580A (en) * 2019-06-29 2019-11-05 苏州浪潮智能科技有限公司 A kind of methods of exhibiting, equipment and the storage medium of IB network topology
CN110475161A (en) * 2019-08-28 2019-11-19 飞思达技术(北京)有限公司 A kind of the fault automatic location method and its system of IPTV service live streaming link
CN110855502A (en) * 2019-11-22 2020-02-28 叶晓斌 Fault cause determination method and system based on time-space analysis log
CN110855503A (en) * 2019-11-22 2020-02-28 叶晓斌 Fault cause determining method and system based on network protocol hierarchy dependency relationship
CN110932878A (en) * 2018-09-20 2020-03-27 中国移动通信有限公司研究院 Management method, equipment and system of distributed network
CN111343031A (en) * 2020-03-31 2020-06-26 新华三信息安全技术有限公司 Method and device for determining network fault
CN112468400A (en) * 2020-11-09 2021-03-09 青岛海信网络科技股份有限公司 Fault positioning method, device, equipment and medium
CN112671767A (en) * 2020-12-23 2021-04-16 广东能源集团科学技术研究院有限公司 Security event early warning method and device based on alarm data analysis
CN113162810A (en) * 2021-05-14 2021-07-23 中央军委后勤保障部信息中心 Event data processing method and device
CN113485859A (en) * 2021-06-23 2021-10-08 珠海格力电器股份有限公司 Fault positioning method and device, electronic equipment and computer readable storage medium
CN113839800A (en) * 2020-06-24 2021-12-24 中国联合网络通信集团有限公司 Abnormal network element prompting method and device, electronic equipment and storage medium
CN114006823A (en) * 2020-07-14 2022-02-01 瞻博网络公司 Method, system and storage medium for failure impact analysis of network events
CN114143171A (en) * 2021-11-30 2022-03-04 中国电信集团系统集成有限责任公司 Alarm root cause positioning method and system based on TR069 protocol
CN114389957A (en) * 2022-03-01 2022-04-22 四创电子股份有限公司 Patrol alarm method for special vehicle-mounted equipment
CN114629776A (en) * 2020-12-11 2022-06-14 中国联合网络通信集团有限公司 Fault analysis method and device based on graph model
CN114723082A (en) * 2022-04-19 2022-07-08 镇江西门子母线有限公司 Abnormity early warning method and system for intelligent low-voltage complete equipment
CN114765574A (en) * 2020-12-30 2022-07-19 中盈优创资讯科技有限公司 Network anomaly delimitation positioning method and device
CN115086154A (en) * 2021-03-11 2022-09-20 中国电信股份有限公司 Fault delimitation method and device, storage medium and electronic equipment
CN116401614A (en) * 2023-06-06 2023-07-07 苏州振州机电科技有限公司 Equipment fault identification method and system
WO2023241484A1 (en) * 2022-06-16 2023-12-21 中兴通讯股份有限公司 Method for processing abnormal event, and electronic device and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1756189A (en) * 2004-09-30 2006-04-05 北京航空航天大学 IP network topology discovering method based on SNMP
CN101217763A (en) * 2008-01-15 2008-07-09 中兴通讯股份有限公司 An expanding device and method from logic tree to physical tree in fault analysis
CN101873229A (en) * 2010-06-24 2010-10-27 东软集团股份有限公司 Network topology discover method and device based on SNMP (Simple Network Management Protocol)
CN102035667A (en) * 2009-09-27 2011-04-27 华为技术有限公司 Method, device and system for evaluating network reliability
CN102045192A (en) * 2009-10-20 2011-05-04 株式会社日立制作所 Apparatus and system for estimating network configuration
CN102439905A (en) * 2011-09-30 2012-05-02 华为技术有限公司 Method, device and system of finding network topology automatically
CN102571407A (en) * 2010-12-30 2012-07-11 中国移动通信集团河北有限公司 Alarm correlation analysis method and device

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1756189A (en) * 2004-09-30 2006-04-05 北京航空航天大学 IP network topology discovering method based on SNMP
CN101217763A (en) * 2008-01-15 2008-07-09 中兴通讯股份有限公司 An expanding device and method from logic tree to physical tree in fault analysis
CN102035667A (en) * 2009-09-27 2011-04-27 华为技术有限公司 Method, device and system for evaluating network reliability
CN102045192A (en) * 2009-10-20 2011-05-04 株式会社日立制作所 Apparatus and system for estimating network configuration
CN101873229A (en) * 2010-06-24 2010-10-27 东软集团股份有限公司 Network topology discover method and device based on SNMP (Simple Network Management Protocol)
CN102571407A (en) * 2010-12-30 2012-07-11 中国移动通信集团河北有限公司 Alarm correlation analysis method and device
CN102439905A (en) * 2011-09-30 2012-05-02 华为技术有限公司 Method, device and system of finding network topology automatically

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
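Cao Xiaomei et al.: "Analysis and Implementation of an Automatic Topology Discovery Algorithm Based on SNMP and ICMP", Journal of Henan University (Natural Science Edition), vol. 33, no. 1, 30 March 2003 (2003-03-30) *
Guo Xiaoyong et al.: "A Network Topology Discovery Algorithm Based on SNMP", Journal of Chongqing Technology and Business University (Natural Science Edition), vol. 28, no. 1, 20 February 2011 (2011-02-20) *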

Cited By (84)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104125085A (en) * 2013-04-27 2014-10-29 中国移动通信集团黑龙江有限公司 EBS (Enterprise Service Bus) data management and control method and device
CN104125085B (en) * 2013-04-27 2018-05-22 中国移动通信集团黑龙江有限公司 A kind of data management-control method and device based on ESB
CN103441897A (en) * 2013-08-26 2013-12-11 深信服网络科技(深圳)有限公司 Method and device for locating failure node in virtual network
CN103580924A (en) * 2013-11-12 2014-02-12 武汉钢铁(集团)公司 Fault location method, device and system
CN105659528B (en) * 2013-12-20 2019-10-08 中兴通讯股份有限公司 A kind of method and device for realizing fault location
CN105659528A (en) * 2013-12-20 2016-06-08 中兴通讯股份有限公司 Method and apparatus for realizing fault location
CN103684879B (en) * 2013-12-30 2017-03-08 华为技术有限公司 Show the method and apparatus for processing
CN103684879A (en) * 2013-12-30 2014-03-26 华为技术有限公司 Display processing method and device
CN103944758A (en) * 2014-04-14 2014-07-23 张薇 Interconnection and intercommunication state monitoring system
CN103973496B (en) * 2014-05-21 2017-10-17 华为技术有限公司 Method for diagnosing faults and device
CN103973496A (en) * 2014-05-21 2014-08-06 华为技术有限公司 Fault diagnosis method and device
CN104219087A (en) * 2014-08-08 2014-12-17 蓝盾信息安全技术有限公司 Fault location method
CN105760402A (en) * 2014-12-16 2016-07-13 中兴通讯股份有限公司 End-to-end service performance query method and end-to-end service performance query device
WO2016095529A1 (en) * 2014-12-19 2016-06-23 中兴通讯股份有限公司 Method and apparatus for querying end-to-end service performance
WO2016206386A1 (en) * 2015-06-26 2016-12-29 中兴通讯股份有限公司 Fault correlation method and apparatus
CN106330501A (en) * 2015-06-26 2017-01-11 中兴通讯股份有限公司 Fault correlation method and device
CN105183619B (en) * 2015-09-29 2018-03-27 北京奇艺世纪科技有限公司 A kind of system failure method for early warning and system
CN105183619A (en) * 2015-09-29 2015-12-23 北京奇艺世纪科技有限公司 System fault early-warning method and system
CN108141374A (en) * 2015-12-21 2018-06-08 华为技术有限公司 A kind of network inferior health diagnostic method and device
WO2017107014A1 (en) * 2015-12-21 2017-06-29 华为技术有限公司 Network sub-health diagnosis method and apparatus
CN106982148B (en) * 2016-01-19 2020-02-18 中国移动通信集团浙江有限公司 Server downtime monitoring method, device and system
CN106982148A (en) * 2016-01-19 2017-07-25 中国移动通信集团浙江有限公司 A kind of server is delayed the monitoring method of machine, apparatus and system
CN105743704A (en) * 2016-03-30 2016-07-06 广东凯通软件开发有限公司 Fault analysis method and device for communication link
CN105743704B (en) * 2016-03-30 2019-11-19 凯通科技股份有限公司 A kind of failure analysis methods and device of communication link
CN105894213B (en) * 2016-04-27 2019-10-11 东北大学 A kind of multiple agent electric network failure diagnosis system and method based on blackboard model
CN105894213A (en) * 2016-04-27 2016-08-24 东北大学 Multi-agent grid fault diagnosis system and method based on blackboard model
CN106054858A (en) * 2016-05-27 2016-10-26 大连楼兰科技股份有限公司 Decision tree classification and fault code classification-based vehicle remote diagnosis and spare part retrieval method
CN106054858B (en) * 2016-05-27 2019-09-27 大连楼兰科技股份有限公司 The method of the vehicle remote diagnosis and spare part retrieval classified based on decision tree classification and error code
CN106209420A (en) * 2016-06-27 2016-12-07 瑞斯康达科技发展股份有限公司 A kind of method positioning data forwarding service fault and electronic equipment
CN106209420B (en) * 2016-06-27 2019-03-26 瑞斯康达科技发展股份有限公司 A kind of method and electronic equipment of location data forwarding service failure
CN106209456A (en) * 2016-07-13 2016-12-07 浪潮(北京)电子信息产业有限公司 A kind of kernel state lower network fault detection method and device
CN106209456B (en) * 2016-07-13 2019-08-02 浪潮(北京)电子信息产业有限公司 A kind of kernel state lower network fault detection method and device
CN107770797A (en) * 2016-08-17 2018-03-06 中国移动通信集团内蒙古有限公司 A kind of association analysis method and system of wireless network alarm management
CN106371986A (en) * 2016-09-08 2017-02-01 上海新炬网络技术有限公司 Log treatment operation and maintenance monitoring system
CN106506237B (en) * 2016-12-08 2019-06-21 广东电网有限责任公司电力科学研究院 A kind of Fault Locating Method and device of substation communication network
CN106506237A (en) * 2016-12-08 2017-03-15 广东电网有限责任公司电力科学研究院 A kind of Fault Locating Method of substation communication network and device
CN108259195A (en) * 2016-12-28 2018-07-06 阿里巴巴集团控股有限公司 The determining method and system of the coverage of anomalous event
CN108259195B (en) * 2016-12-28 2021-07-09 阿里巴巴集团控股有限公司 Method and system for determining influence range of abnormal event
CN108306748A (en) * 2017-01-12 2018-07-20 阿里巴巴集团控股有限公司 Network failure locating method, device and interactive device
CN108964960B (en) * 2017-05-27 2021-10-19 阿里巴巴集团控股有限公司 Alarm event processing method and device
CN108964960A (en) * 2017-05-27 2018-12-07 阿里巴巴集团控股有限公司 A kind of processing method and processing device of alarm event
WO2018223672A1 (en) * 2017-06-07 2018-12-13 北京小度信息科技有限公司 Data processing method and device
CN107171861A (en) * 2017-06-29 2017-09-15 联想(北京)有限公司 A kind of information processing method, electronic equipment and computer-readable storage medium
CN107332915A (en) * 2017-07-05 2017-11-07 北京辰安信息科技有限公司 A kind of information processing method and device
CN107358106A (en) * 2017-07-11 2017-11-17 北京奇虎科技有限公司 Leak detection method, Hole Detection device and server
CN108259241A (en) * 2018-01-11 2018-07-06 上海有云信息技术有限公司 A kind of abnormal localization method and device of cloud platform monitoring system
CN108092824A (en) * 2018-01-15 2018-05-29 淮阴师范学院 A kind of control system diagnostic method based on complex dynamic network
CN110278099A (en) * 2018-03-14 2019-09-24 比亚迪股份有限公司 Message test method, device and computer equipment
CN108600049B (en) * 2018-04-16 2020-07-07 苏州云杉世纪网络科技有限公司 Method and device for measuring performance of TCP connection of data center network and storage medium
CN108600049A (en) * 2018-04-16 2018-09-28 苏州云杉世纪网络科技有限公司 A kind of performance measurement method and device of data center network TCP connection
CN109308248A (en) * 2018-08-27 2019-02-05 上海功致信息科技有限公司 Event relation analyzing method and system
CN110932878A (en) * 2018-09-20 2020-03-27 中国移动通信有限公司研究院 Management method, equipment and system of distributed network
CN109684181A (en) * 2018-11-20 2019-04-26 华为技术有限公司 Alarm root is because of analysis method, device, equipment and storage medium
CN110086682B (en) * 2019-05-22 2022-06-24 四川新网银行股份有限公司 Service link calling relation view and fault root cause positioning method based on TCP
CN110086682A (en) * 2019-05-22 2019-08-02 四川新网银行股份有限公司 Service link call relation view and failure root based on TCP are because of localization method
CN110191003A (en) * 2019-06-18 2019-08-30 北京达佳互联信息技术有限公司 Fault repairing method, device, computer equipment and storage medium
CN110336808A (en) * 2019-06-28 2019-10-15 南瑞集团有限公司 A kind of attack source tracing method and system towards electric power industry control network
CN110336808B (en) * 2019-06-28 2021-08-24 南瑞集团有限公司 Attack tracing method and system for power industrial control network
CN110417580A (en) * 2019-06-29 2019-11-05 苏州浪潮智能科技有限公司 A kind of methods of exhibiting, equipment and the storage medium of IB network topology
CN110475161B (en) * 2019-08-28 2021-03-09 飞思达技术(北京)有限公司 Automatic fault positioning method and system for IPTV service live link
CN110475161A (en) * 2019-08-28 2019-11-19 飞思达技术(北京)有限公司 A kind of the fault automatic location method and its system of IPTV service live streaming link
CN110855503A (en) * 2019-11-22 2020-02-28 叶晓斌 Fault cause determining method and system based on network protocol hierarchy dependency relationship
CN110855502A (en) * 2019-11-22 2020-02-28 叶晓斌 Fault cause determination method and system based on time-space analysis log
CN111343031B (en) * 2020-03-31 2022-02-22 新华三信息安全技术有限公司 Method and device for determining network fault
CN111343031A (en) * 2020-03-31 2020-06-26 新华三信息安全技术有限公司 Method and device for determining network fault
CN113839800B (en) * 2020-06-24 2023-12-12 中国联合网络通信集团有限公司 Abnormal network element prompting method and device, electronic equipment and storage medium
CN113839800A (en) * 2020-06-24 2021-12-24 中国联合网络通信集团有限公司 Abnormal network element prompting method and device, electronic equipment and storage medium
CN114006823A (en) * 2020-07-14 2022-02-01 瞻博网络公司 Method, system and storage medium for failure impact analysis of network events
CN112468400A (en) * 2020-11-09 2021-03-09 青岛海信网络科技股份有限公司 Fault positioning method, device, equipment and medium
CN114629776A (en) * 2020-12-11 2022-06-14 中国联合网络通信集团有限公司 Fault analysis method and device based on graph model
CN112671767A (en) * 2020-12-23 2021-04-16 广东能源集团科学技术研究院有限公司 Security event early warning method and device based on alarm data analysis
CN114765574A (en) * 2020-12-30 2022-07-19 中盈优创资讯科技有限公司 Network anomaly delimitation positioning method and device
CN114765574B (en) * 2020-12-30 2023-12-05 中盈优创资讯科技有限公司 Network anomaly delimitation positioning method and device
CN115086154A (en) * 2021-03-11 2022-09-20 中国电信股份有限公司 Fault delimitation method and device, storage medium and electronic equipment
CN113162810A (en) * 2021-05-14 2021-07-23 中央军委后勤保障部信息中心 Event data processing method and device
CN113485859A (en) * 2021-06-23 2021-10-08 珠海格力电器股份有限公司 Fault positioning method and device, electronic equipment and computer readable storage medium
CN114143171A (en) * 2021-11-30 2022-03-04 中国电信集团系统集成有限责任公司 Alarm root cause positioning method and system based on TR069 protocol
CN114143171B (en) * 2021-11-30 2022-11-29 中电信数智科技有限公司 Alarm root cause positioning method and system based on TR069 protocol
CN114389957A (en) * 2022-03-01 2022-04-22 四创电子股份有限公司 Patrol alarm method for special vehicle-mounted equipment
CN114723082A (en) * 2022-04-19 2022-07-08 镇江西门子母线有限公司 Abnormity early warning method and system for intelligent low-voltage complete equipment
CN114723082B (en) * 2022-04-19 2023-08-18 镇江西门子母线有限公司 Abnormality early warning method and system for intelligent low-voltage complete equipment
WO2023241484A1 (en) * 2022-06-16 2023-12-21 中兴通讯股份有限公司 Method for processing abnormal event, and electronic device and storage medium
CN116401614A (en) * 2023-06-06 2023-07-07 苏州振州机电科技有限公司 Equipment fault identification method and system
CN116401614B (en) * 2023-06-06 2023-08-18 苏州振州机电科技有限公司 Equipment fault identification method and system

Also Published As

Publication number Publication date
CN103001811B (en) 2016-01-06

Similar Documents

Publication Publication Date Title
CN103001811B (en) Fault locating method and device
CN103442008B (en) A kind of routing safety detecting system and detection method
Gregori et al. The impact of IXPs on the AS-level topology structure of the Internet
US7631222B2 (en) Method and apparatus for correlating events in a network
CN101313280B (en) Pool-based network diagnostic systems and methods
Siganos et al. Jellyfish: A conceptual model for the as internet topology
CN102984140B (en) Malicious software feature fusion analytical method and system based on shared behavior segments
CN107171819A (en) A kind of network fault diagnosis method and device
Rezgui et al. Detecting faulty and malicious vehicles using rule-based communications data mining
CN111030873A (en) Fault diagnosis method and device
Elejla et al. Labeled flow-based dataset of ICMPv6-based DDoS attacks
Qiu et al. Global Flow Table: A convincing mechanism for security operations in SDN
Lad et al. Visualizing internet routing changes
Novotny et al. On-demand discovery of software service dependencies in MANETs
Lad et al. An algorithmic approach to identifying link failures
CN113259364B (en) Network event correlation analysis method and device and computer equipment
CN102883359A (en) Method, device and system for measuring key nodes of wireless sensor network
CN117459365A (en) Fault cause determining method, device, equipment and storage medium
Aryan et al. A general formalism for defining and detecting openflow rule anomalies
Frankowski et al. Application of the Complex Event Processing system for anomaly detection and network monitoring
Hassine Describing and assessing availability requirements in the early stages of system development
Wang et al. A methodology for root-cause analysis in component based systems
Wang et al. Internet anomaly detection based on complex network path
Li et al. Research on the network security management based on data mining
kaur Kang et al. An implementation of hierarchical intrusion detection systems using snort and federated databases

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160106

Termination date: 20211231
