CN106254153B - Network anomaly monitoring method and device - Google Patents


Publication number
CN106254153B
Authority
CN
China
Prior art keywords
network
cluster
delay
abnormal
clustering
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610831494.7A
Other languages
Chinese (zh)
Other versions
CN106254153A (en)
Inventor
周瑞卿
张丹
王浩宇
梁赛婷
吴检
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Tencent Cloud Computing Beijing Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201610831494.7A
Publication of CN106254153A
Application granted
Publication of CN106254153B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/5003 Managing SLA; Interaction between SLA and QoS
    • H04L41/5009 Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0852 Delays

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a network anomaly monitoring method and device. The method comprises: acquiring a plurality of network data objects reported by a server in a service platform within a time period to be analyzed, where each network data object comprises the network delay of a client accessing the server and the generation time of that network delay; clustering the plurality of network data objects based on the density distribution of the generation times of the network delays to obtain a plurality of clusters; determining, from the plurality of clusters, an abnormal cluster with abnormal network delay according to the distribution of the network delays in the clusters; and performing network anomaly analysis based on the generation times of the network delays contained in the abnormal cluster and the network login information associated with the network data objects contained in the abnormal cluster. The scheme helps to discover and locate, in a timely manner, network access anomalies that occur while clients access the business service platform, thereby improving the network quality of the business service platform.

Description

Network anomaly monitoring method and device
Technical Field
The present application relates to the field of data processing technologies, and in particular to a method and an apparatus for monitoring network anomalies.
Background
With the development of network technology, a single service platform can serve users in different regions around the world. For example, a single game server system can provide game services to players in different countries and regions, so that players around the world can compete with one another.
However, network conditions differ greatly between countries and operators, so the network quality experienced by users in different regions varies widely. If one or more users in a certain region experience a network access anomaly, it is difficult to discover and locate it in time, which degrades the network quality of the service platform and in turn affects users' normal access to it. How to discover and locate, in a timely manner, network access anomalies that occur while users access the service platform is therefore a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The application provides a network anomaly monitoring method and device that discover and locate, in a timely manner, network anomalies occurring while a client accesses a business service platform, thereby improving the network quality of the business service platform.
In order to solve the above problem, in one aspect, the present application provides a network anomaly monitoring method, including:
acquiring a network data object set reported by a server in a service platform within a time period to be analyzed, wherein the network data object set comprises a plurality of network data objects, and each network data object comprises the network delay of a client accessing the server and the generation time of that network delay;
clustering the network data objects in the network data object set based on the density distribution of the generation times of the network delays to obtain a plurality of clusters, wherein each cluster comprises a plurality of network data objects;
determining, from the plurality of clusters, an abnormal cluster with abnormal network delay according to the distribution of the network delays in the plurality of clusters;
and performing network anomaly analysis based on the generation times of the network delays contained in the abnormal cluster and the network login information associated with the network data objects contained in the abnormal cluster.
On the other hand, an embodiment of the present application further provides a network anomaly monitoring apparatus, including:
a data obtaining unit, configured to obtain a network data object set reported by a server in a service platform within a time period to be analyzed, where the network data object set includes a plurality of network data objects, and each network data object includes the network delay of a client accessing the server and the generation time of that network delay;
a data clustering unit, configured to cluster the network data objects in the network data object set based on the density distribution of the generation times of the network delays to obtain a plurality of clusters, where each cluster includes a plurality of network data objects;
an abnormal cluster determining unit, configured to determine, from the plurality of clusters, an abnormal cluster with abnormal network delay according to the distribution of the network delays in the plurality of clusters;
and an anomaly analysis unit, configured to perform network anomaly analysis based on the generation times of the network delays contained in the abnormal cluster and the network login information associated with the network data objects contained in the abnormal cluster.
As can be seen from the above, when network anomalies need to be monitored, a network data object set reported by a server in a service platform within a time period to be analyzed can be acquired. The network data objects in the set are then clustered according to the distribution density of the generation times of the network delays they contain, and an abnormal cluster with abnormal network delay is determined based on the distribution of the network delays in the resulting clusters. Network anomaly analysis can then be performed based on the generation times of the network delays contained in the abnormal cluster and the network login information associated with each network data object in the abnormal cluster. In this way, network anomalies occurring within the time period to be analyzed, and the times at which they occurred, are detected promptly, and the cause of the anomaly can be analyzed in a targeted manner, which helps improve the reliability of the business service platform.
Drawings
To illustrate the technical solutions in the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present application; those skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a schematic diagram illustrating an embodiment of a network anomaly monitoring method according to the present application;
FIG. 2 is a schematic diagram of the distribution of the individual network delays over the time period to be analyzed;
FIG. 3 is a schematic diagram illustrating a component structure of an embodiment of a business service platform according to the present application;
FIG. 4 is a schematic flow chart of clustering using the DBSCAN algorithm;
FIG. 5 is a schematic diagram illustrating the interaction of the network anomaly monitoring method according to another embodiment of the present application;
FIG. 6 is a schematic flow interaction diagram illustrating a further embodiment of the network anomaly monitoring method according to the present application in an application scenario of a business service platform providing a global uniform game;
FIG. 7 is a schematic structural diagram illustrating an embodiment of a network anomaly monitoring apparatus according to the present application;
FIG. 8 is a diagram illustrating a hardware architecture of an embodiment of a terminal according to the present application.
Detailed Description
The service scenario described in the embodiments of the present invention is intended to illustrate the technical solutions of the embodiments more clearly and does not limit them. As those of ordinary skill in the art know, with the evolution of network architectures and the emergence of new service scenarios, the technical solutions provided in the embodiments are also applicable to similar technical problems.
The network anomaly monitoring method is suited to scenarios in which the network delay of clients accessing a service platform is monitored and analyzed. The method can be applied to a server, which may be a server set up separately in the service platform for data analysis or a server in the service platform that already provides services to clients.
By analyzing data such as the network delay of clients accessing the service platform, the method can promptly and accurately locate the times at which the service platform experienced abnormal network delay, together with the network login information of the clients that were accessing the platform at those times. The cause of the network anomaly at those times can then be analyzed based on the network login information, so that network anomalies are discovered in time and their causes analyzed in a targeted manner, which further improves the reliability of the service platform.
The business service platform of the application can take many forms. In one possible case, the service platform is a game service platform: the client obtains game data and runs the corresponding game service by accessing the game service platform. The network anomaly monitoring method of the present application can then analyze information such as the time points of abnormal network access and the affected players, and can detect abnormal network fluctuations promptly while the game service is running, which helps resolve network anomalies in time and improve the game experience.
The following detailed description is made with reference to the accompanying drawings.
Referring to FIG. 1, a flowchart of an embodiment of a network anomaly monitoring method according to the present application is shown. The method of this embodiment may be applied to a server or to other data analysis devices, and may include:
101. Acquire a network data object set reported by a server in a service platform within a time period to be analyzed.
The network data object set includes a plurality of network data objects. Each network data object comprises the network delay of a client accessing the server and the generation time of that network delay.
The network delay, also called network latency, is the time from when a client sends a data packet to a server until the client receives the response returned by the server for that packet.
A server in the service platform can obtain the network delay of a client accessing it. For example, the server may request that the client report its network delay, or the client may report the network delay to the server in real time or at preset intervals. The network delay of the client accessing the server can be determined in various ways. For example, the client may measure its access delay to the server with a Packet Internet Groper (PING) test; other methods of determining the network delay are also possible and are not limited here.
The generation time of the network delay may be the time at which the client reports the network delay, or the time at which the server receives the network delay reported by the client. For example, when reporting the network delay, the client may also send the reporting time to the server, so that the server can determine the generation time of the network delay. Alternatively, the client may report only the network delay, and the server may automatically record the time at which it receives the report and use that time as the generation time of the network delay.
It can be understood that the client, user account, IP address, operator and country to which the IP address belongs, and similar information behind each reported network data object need to be distinguishable, so that once a network delay belonging to a network anomaly has been located, the user account, IP address and other information that produced it can be determined. To this end, when the server receives a network delay reported by a client, it determines the network login information corresponding to that network delay and stores the network delay in association with the network login information. The network login information may include one or more of: the IP address of the client that reported the network delay, the user account, the operator to which the IP address belongs, the country to which the IP address belongs, and the like. For example, the client may carry the network login information when reporting the network delay. Alternatively, the client may carry its IP address and user account when reporting the network delay, and the server may derive information such as the operator and country from the IP address. The server may also obtain the client's network login information from the client's stored log records when it receives the reported network delay. Other ways of obtaining the network login information are possible and are not described here.
The time period to be analyzed and its length can be set according to the monitoring interval required. For example, monitoring may be performed every half hour; when data monitoring and analysis are required, the set of network data objects generated in the half hour before the current time is obtained.
102. Cluster the network data objects in the network data object set based on the density distribution of the generation times of the network delays to obtain a plurality of clusters.
Each cluster comprises a plurality of network data objects.
Each network data object actually includes two pieces of data: a network delay and the generation time of that network delay. When the network data objects are clustered, the generation time of the network delay is used as the clustering reference, so that the network data objects in the set are clustered based on the density distribution of the generation times contained in the different network data objects, yielding a plurality of clusters.
Through clustering, the network delays within each cluster share similar characteristics. For example, the network delays of network data objects belonging to the same cluster are relatively close, while the network delays of network data objects belonging to different clusters differ considerably.
It should be noted that the clustering process of the present application is executed repeatedly and iterated continuously.
There are various ways to cluster the network data objects based on the density distribution of the generation times of the network delays, which are not limited here.
Optionally, to improve the clustering effect, so that each cluster captures a time span within the time series in which the density of network delays is as high as possible, the present application can adopt an unsupervised clustering algorithm that tolerates noise points well. For example, clustering may be performed using the Density-Based Spatial Clustering of Applications with Noise (DBSCAN) algorithm.
When clustering with the DBSCAN algorithm, the generation times of the network delays of the network data objects are used as the object points to be clustered, and a time radius interval Eps (also called the scanning radius) and a density threshold MinPts (also called the minimum number of included points) required for clustering must be obtained. For example, the time radius interval may be -100 milliseconds to 100 milliseconds. The density threshold limits the number of object points; for example, it may be 10. The DBSCAN algorithm is then used to cluster the object points according to the currently set time radius interval and density threshold. Because the generation time represented by each object point belongs to one network data object, clustering the object points clusters the network data objects and yields a plurality of clusters.
The biggest advantage of the DBSCAN algorithm is that it places few requirements on the distribution of the original data set and is insensitive to noise, so its model adaptability and robustness are relatively strong. The DBSCAN algorithm divides regions of sufficient density into clusters, finds clusters of arbitrary shape in a spatial database with noise, and defines a cluster as the maximal set of density-connected points.
When the network data objects are clustered with the DBSCAN algorithm, clustering also has to be repeated and iterated continuously, and both the time radius interval and the density threshold may change during this process. When an adjustment of the time radius interval and the density threshold is detected, the previously set time radius interval is replaced with the adjusted one, the previously set density threshold is replaced with the adjusted one, and clustering is performed again based on the adjusted values.
103. Determine, from the plurality of clusters, an abnormal cluster with abnormal network delay according to the distribution of the network delays in the plurality of clusters.
An abnormal cluster is a cluster whose network delays have been determined to be abnormal; the name is used to distinguish it from the other clusters. One or more abnormal clusters may be determined.
It can be understood that the distribution interval of the network delays in an abnormal cluster differs considerably from that of the other clusters, and that when the network is abnormal, the network delay of clients accessing the server increases. In addition, in a real network environment the number of network delays within the normal delay range is far greater than the number of abnormal ones. The abnormal clusters can therefore be determined from the distribution of the network delays in each cluster.
There are various ways to determine the abnormal cluster. In one implementation, a preset proportion or preset proportion interval for the network delays that are normal is set; for example, the preset proportion interval may be seventy to eighty-five percent. The delay interval to which the network delays of each cluster belong, and the proportion of all network delays that fall in that interval, are determined first. At least one target cluster is then selected from the plurality of clusters such that the number of network delays in the selected target clusters, as a proportion of the total number of network delays, lies within the preset proportion interval, and the network delay values in the selected target clusters are smaller than those in the clusters that are not target clusters.
For example, assume that the preset proportion interval is seventy percent to eighty-five percent and that clustering produced four clusters, cluster 1 to cluster 4. The network delays in cluster 1 are essentially in the range 1ms-350ms, and the network delays in that range account for twenty percent of all the network delays contained in all the clusters (all the acquired network delays). The network delays in cluster 2 are in the range 370-500ms, and the network delays in that range account for sixty percent of all the acquired network delays. The network delays in cluster 3 are in the range 600-1200ms, and the network delays in that range account for fifteen percent of all the network delays. The network delays in cluster 4 are in the range 1100-3000ms, and the network delays in that range account for five percent of all the acquired network delays. Normal network delays make up the larger share, which should be seventy to eighty-five percent, and normal network delays are generally smaller than abnormal ones. It can therefore be determined that cluster 1 and cluster 2 are normal clusters: most of their network delays lie in the interval 1ms-500ms, and the network delays in that interval account for eighty percent. Cluster 3 and cluster 4 are accordingly identified as abnormal clusters.
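The selection in this example can be written as the short Python function below. It is an added illustration, not code from the patent; the delay values are constructed to match the four clusters' ranges and shares, and ranking clusters by median delay is an assumption.

```python
from statistics import median


def split_by_share(clusters, lo=0.70, hi=0.85):
    """Pick the lowest-delay clusters whose combined share of all delays
    falls inside [lo, hi]; the remaining clusters are treated as abnormal.

    clusters maps a cluster name to its list of delays in milliseconds.
    Returns (normal_names, abnormal_names), or None when no low-delay
    prefix lands inside the interval (the interval then needs adjusting).
    """
    total = sum(len(delays) for delays in clusters.values())
    # Assumption: clusters are ranked by median delay, lowest first.
    ranked = sorted(clusters, key=lambda name: median(clusters[name]))
    covered = 0
    for n, name in enumerate(ranked, start=1):
        covered += len(clusters[name])
        share = covered / total
        if lo <= share <= hi:
            return ranked[:n], ranked[n:]
        if share > hi:
            break  # adding more clusters can only overshoot further
    return None


# Constructed delays matching the ranges and shares in the example above.
EXAMPLE = {
    "cluster 1": [10 + 17 * i for i in range(20)],    # 20%, 10-333 ms
    "cluster 2": [370 + 2 * i for i in range(60)],    # 60%, 370-488 ms
    "cluster 3": [600 + 40 * i for i in range(15)],   # 15%, 600-1160 ms
    "cluster 4": [1100 + 450 * i for i in range(5)],  # 5%, 1100-2900 ms
}

if __name__ == "__main__":
    print(split_by_share(EXAMPLE))
```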
In another implementation, the abnormal cluster is determined as follows. A target interval for network delay in the normal state, set by a user, is obtained. For example, after the clusters have been determined, the distribution of the network delays in each cluster can be displayed, so that the user can estimate the target interval of normal network delay from that distribution and enter it. FIG. 2 shows the distribution of all network delays in a time period to be analyzed; the horizontal axis represents the time points within the time period, in seconds, and the vertical axis is the duration of the network delay. Based on how the network delays are distributed over the different delay intervals within the time period, the user can set the target interval in which normal network delays lie. For example, the target interval may be 1ms to 600 ms. Then, using the currently set target interval, the clusters whose set proportion exceeds a preset value are determined to be abnormal clusters, where the set proportion is the ratio of the number of network delays in the cluster that fall outside the target interval to the total number of network delays in the cluster. The preset value can be set as required and is generally greater than fifty percent; for example, it may be seventy percent.
For example, if a cluster contains 1000 network delays in total and the number of network delays in the cluster that are not in the target interval exceeds 700, the cluster can be determined to be an abnormal cluster.
104. Perform network anomaly analysis based on the generation times of the network delays contained in the abnormal cluster and the network login information associated with the network data objects contained in the abnormal cluster.
The network login information may include one or more of: the user account corresponding to the network delay, the IP address of the user account, the country to which the IP address belongs, the operator, and other information. In practice, the server may obtain the network login information associated with each network data object in the abnormal cluster after the abnormal cluster has been determined. Alternatively, the network login information corresponding to each network data object may be determined when the network data object reported by the server of the service platform is acquired, so that when step 104 is executed, the previously determined network login information for each network data object in the abnormal cluster can be queried directly. For the specific way of determining the network login information, refer to the description of step 101, which is not repeated here.
After the abnormal cluster is determined, the generation time of each network delay in the abnormal cluster can be regarded as a time at which the anomaly occurred. Each network delay in the cluster belongs to one network data object, and different network data objects are associated with different network login information, so the network anomaly can be analyzed along several different dimensions. For example, one or more of the operator or the process to which the IP address of the affected client belongs, and similar information, can be analyzed at the time the network anomaly occurred, in order to determine the cause of the network anomaly accurately or to analyze its pattern of occurrence.
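The following Python sketch is an added example, not code from the patent: it runs steps 101 to 104 on constructed reports, using a hand-written one-dimensional DBSCAN over generation times (Eps 100 ms, MinPts 10), the target-interval rule (1 ms to 600 ms, seventy percent) and a tally of login information for the abnormal cluster. The field names, the operator and country labels and all sample values are assumptions made for illustration.

```python
from bisect import bisect_left, bisect_right
from collections import Counter

NOISE = -1


def dbscan_1d(times_ms, eps_ms, min_pts):
    """Label each generation time with a cluster id, or NOISE."""
    order = sorted(range(len(times_ms)), key=lambda i: times_ms[i])
    ts = [times_ms[i] for i in order]
    labels = [None] * len(ts)  # indexed in sorted order

    def neighbours(k):
        # Sorted-order indices of points within eps of ts[k], itself included.
        return range(bisect_left(ts, ts[k] - eps_ms),
                     bisect_right(ts, ts[k] + eps_ms))

    cluster = 0
    for k in range(len(ts)):
        if labels[k] is not None:
            continue
        seeds = neighbours(k)
        if len(seeds) < min_pts:
            labels[k] = NOISE  # may still be claimed later as a border point
            continue
        labels[k] = cluster
        queue = list(seeds)
        while queue:
            j = queue.pop()
            if labels[j] == NOISE:
                labels[j] = cluster  # border point of this cluster
            if labels[j] is not None:
                continue
            labels[j] = cluster
            reach = neighbours(j)
            if len(reach) >= min_pts:  # j is a core point, keep expanding
                queue.extend(reach)
        cluster += 1

    result = [None] * len(ts)
    for pos, i in enumerate(order):
        result[i] = labels[pos]  # back to the caller's input order
    return result


def abnormal_clusters(objects, labels, target=(1, 600), ratio=0.70):
    """Flag clusters whose share of delays outside `target` exceeds `ratio`."""
    by_cluster = {}
    for obj, lab in zip(objects, labels):
        if lab != NOISE:
            by_cluster.setdefault(lab, []).append(obj)
    flagged = {}
    for lab, members in by_cluster.items():
        outside = sum(1 for o in members
                      if not target[0] <= o["delay_ms"] <= target[1])
        if outside / len(members) > ratio:
            flagged[lab] = members
    return flagged


def summarize(members):
    """Step 104: when the anomaly occurred and which login attributes dominate."""
    times = [o["t_ms"] for o in members]
    return {"start_ms": min(times), "end_ms": max(times),
            "operator": Counter(o["operator"] for o in members).most_common(1)[0],
            "country": Counter(o["country"] for o in members).most_common(1)[0]}


def sample_objects():
    """Constructed reports: two healthy bursts, one slow burst, two strays."""
    objs = []
    for i in range(30):  # healthy burst, 0-580 ms
        objs.append({"t_ms": 20 * i, "delay_ms": 80 + 10 * (i % 5),
                     "operator": "op-a", "country": "AA"})
    for i in range(20):  # slow burst, 5000-5285 ms
        objs.append({"t_ms": 5000 + 15 * i, "delay_ms": 900 + 50 * (i % 4),
                     "operator": "op-a" if i % 5 == 0 else "op-b",
                     "country": "BB"})
    for i in range(30):  # healthy burst, 10000-10580 ms
        objs.append({"t_ms": 10000 + 20 * i, "delay_ms": 90 + 10 * (i % 5),
                     "operator": "op-b", "country": "BB"})
    for t in (3000, 8000):  # isolated reports, left unclustered as noise
        objs.append({"t_ms": t, "delay_ms": 2000,
                     "operator": "op-c", "country": "CC"})
    return objs


def run_example(eps_ms=100, min_pts=10):
    objs = sample_objects()
    labels = dbscan_1d([o["t_ms"] for o in objs], eps_ms, min_pts)
    flagged = abnormal_clusters(objs, labels)
    return labels, {lab: summarize(m) for lab, m in flagged.items()}


if __name__ == "__main__":
    print(run_example()[1])
```

Points that DBSCAN labels as noise are left out of every cluster here, so a single stray slow report does not raise an abnormal cluster on its own.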
It can be seen that, in the embodiment of the present application, when a network anomaly needs to be monitored, a network data object set reported by a server in a service platform in a time period to be analyzed may be obtained, then a plurality of network data objects in the network data object set may be clustered according to a distribution density of a generation time of a network delay included in each network data object in the network data object set, and an abnormal cluster with an abnormal network delay may be determined based on a distribution of network delays in the clustered plurality of clusters, so that, based on the generation time of the network delay included in the abnormal cluster and login information associated with each network data object in the abnormal cluster, a network anomaly analysis may be performed, thereby monitoring the network anomaly occurring within the time period to be analyzed and the occurrence time of the network anomaly in time, and facilitating a targeted analysis of an anomaly cause, thereby being beneficial to improving the reliability of the business service platform.
Optionally, in this embodiment of the application, the network data object reported by the server in the service platform may be a part of the log data. For example, a server in the service platform may record or obtain log data generated during a process of maintaining a communication connection between the client and the server, so that the server that collects the log data may report the log data corresponding to each client to a database in the service platform, or report the log data to a preset server for data analysis, so as to store the log data in the server for data analysis or store the log data in the database.
Correspondingly, the server currently performing data analysis in the service platform can obtain a log set reported by the servers in the service platform in the time period to be analyzed, where the log set comprises a plurality of log data. The server currently performing data analysis may obtain, from the log data, the network data objects and the network login information associated with each network data object, and thus obtain a network data object set formed by a plurality of network data objects together with their associated network login information.
For example, refer to fig. 3, which shows a schematic structural diagram of a service platform to which a network anomaly monitoring method according to the present application is applied.
The business service platform 31 may include a plurality of business servers 311, a monitoring server 312, and a database 313.
The client 32 can access a service server in the service platform 31 to obtain the corresponding service.
The plurality of service servers may provide different types of services to the client, or may provide the same service, and the plurality of service servers may be deployed in one machine room, or may be deployed in different regions, respectively.
In this embodiment, the service server may further obtain a network delay, and the generation time corresponding to the network delay, in the process of the client accessing the service server, and store them in the database. One network delay together with its generation time may be used as one network data object to be analyzed in this embodiment.
Correspondingly, the monitoring server can monitor network anomalies based on the data stored in the database, such as the network delays and their generation times reported by different service servers at different times, and can locate and analyze network anomalies in time.
In practical application, the data acquired by the service server, such as the network delay and the generation time of the network delay, can also be transmitted directly to the monitoring server, and the monitoring server then stores the data reported by the service server in the database.
Of course, in this embodiment, the service platform is described as having a database, and in practical applications, the service platform may not have a database, and the service server in the service platform may store the network delay and the time when the network delay is generated in the monitoring server.
It should be noted that, in practical application, the monitoring server may also be an independent server, or may also be a certain service server, for example, a service server may be selected from the plurality of service servers at a certain moment to serve as the server, and the service server obtains, from the database, the network data object reported by the service server of the service platform in the time period to be analyzed, and analyzes the network data object.
It is to be understood that, for convenience of analysis, a server providing a business service to a client is referred to as a business server in the embodiment of the present application, and a server performing network anomaly monitoring is referred to as a monitoring server.
A network anomaly monitoring method according to the present application is introduced below based on the service platform of fig. 3. For convenience of description, clustering with the DBSCAN algorithm is taken as an example. The central idea of the DBSCAN algorithm is as follows: for each point P (excluding boundary points) in a class (a cluster in this application), the number of data points in its given EPS neighborhood (the aforementioned time radius interval) is not less than a preset minimum number MinPts (the aforementioned density threshold); that is, MinPts is the minimum number of points that the EPS neighborhood of a point (other than a boundary point) in the cluster must contain. Some definitions used by the DBSCAN algorithm are introduced below:
Definition 1, EPS neighborhood: the region within radius EPS of a given object is called the EPS neighborhood of the object;
Definition 2, core object (also called core point): if the number of sample points in the EPS neighborhood of a given object is greater than or equal to the given MinPts, the object is called a core object;
Definition 3, directly density-reachable: for a sample set D, if sample point q is within the EPS neighborhood of p, and p is a core object, then sample point q is directly density-reachable from sample point p.
Definition 4, density-reachable: for a sample set D, given a chain of sample points p1, p2, …, pn with p = p1 and q = pn, sample point q is density-reachable from sample point p provided that each sample point pi is directly density-reachable from pi-1.
Definition 5, density-connected: if there is a point o in the sample set D such that sample point p and sample point q are both density-reachable from o, then sample points p and q are density-connected.
The objective of DBSCAN is to find the maximum set of density-connected sample points.
The process of clustering the sample point set by using the DBSCAN algorithm is briefly described below, and referring to fig. 4, a schematic flow chart of clustering by using the DBSCAN algorithm is shown, where the clustering process may include:
401. Select one sample point from the sample point set as the object to be processed.
402. Judge whether the number of sample points in the EPS neighborhood of the sample point currently used as the object to be processed is greater than or equal to the given MinPts; if not, execute step 403; if so, execute step 404.
403. If the number of sample points in the EPS neighborhood of the sample point used as the object to be processed is smaller than the given MinPts, mark the sample point as noise and execute step 406.
It should be noted that, if the number of sample points in the EPS neighborhood of a sample point currently serving as an object to be processed is less than MinPts, it can only be stated that the sample point is not a core object, but the sample point may be located in the EPS neighborhood of a certain core object, and thus the sample point may still be classified into a cluster of the core object, so that the sample point is temporarily marked as a noise point. Of course, if the number of sample points in the EPS neighborhood of the sample point currently serving as the object to be processed is smaller than the given MinPts and the sample point is not in the EPS neighborhoods of other core objects, the sample point may be finally determined as noise.
404. If the number of sample points in the EPS neighborhood of the sample point used as the object to be processed is greater than or equal to the given MinPts, add the sample point and the sample points in its EPS neighborhood to the candidate set N, create a new cluster containing the sample points in the candidate set N, and execute step 405.
405. Select from the candidate set N a sample point that has not yet been taken as the object to be processed. If the number of sample points in the EPS neighborhood of that sample point is greater than or equal to the given MinPts, add the sample points in its EPS neighborhood that are not yet in the cluster to both the cluster and the candidate set N. Repeat step 405 until all the sample points in the candidate set N have been taken as the object to be processed, thereby completing the clustering of one cluster.
In short, if the number of sample points in the EPS neighborhood of a sample point is greater than or equal to MinPts, the sample point forms a cluster with the sample points in its EPS neighborhood and is marked as visited; then, recursively, all points in the cluster that are not yet marked as visited are processed in the same way, thereby expanding the cluster.
406. Select, from the sample points in the sample point set that have not been classified into any cluster or marked as noise, a sample point as the object to be processed, and return to step 402, until all sample points in the sample point set have been taken as the object to be processed, thereby obtaining a plurality of clusters.
Through the above steps 402 to 406, each sample point in the sample point set is classified either into a certain cluster or as noise, which completes the clustering process.
Of course, fig. 4 is only one implementation of clustering using the DBSCAN algorithm, and there may be other ways in the process of clustering using the DBSCAN algorithm, which is not limited herein.
The following introduces a network anomaly monitoring method according to an embodiment of the present application, based on the composition of the service platform in fig. 3 and taking clustering performed by using the DBSCAN algorithm as an example. Referring to fig. 5, which shows a schematic flow chart of another embodiment of the network anomaly monitoring method according to the present application, the method of the embodiment may include:
501. The service server obtains the log file corresponding to each client accessing the service server.
The log file may include a network delay reported by the client, the time when the network delay was generated, and the user account and IP address used by the client to log in to the service server.
Each service server can acquire the network delay related to the client, the generation time of the network delay, and information such as the user account and IP address corresponding to the client.
Of course, the log file may further include key node information of the network link during the running of the client. For example, if the service platform is a game service platform and the client is a game client, the key node information of the network link may include the states and return codes of login, battle, and component pulling.
502. The service server sends the log file corresponding to each client to the monitoring server.
503. The monitoring server determines the operator and the country to which the IP address belongs according to the IP address in the log file.
The monitoring server may analyze the IP address in each log file when acquiring each log file reported by the service server, so as to determine the country and the operator to which the IP address belongs. Thus, when the network delay in the log file is determined to belong to the abnormal network delay in the abnormal cluster, the information of the country to which the IP address associated with the network delay belongs and the information of the operator can be directly obtained.
504. The monitoring server stores the user account, the network delay, the generation time of the network delay, the IP address, the operator and the country information corresponding to each log file as one record in a database.
Optionally, before the monitoring server stores the data in the log file in the database, operations such as deduplication, redundancy elimination, and null elimination of the data may also be performed, which are not described herein again.
505. When a network anomaly needs to be monitored, the monitoring server extracts from the database a plurality of data records whose generation time falls within the time period to be analyzed.
Each data record comprises network time delay, generation time of the network time delay, an IP address, an operator and national information.
506. The monitoring server takes the network delay in each data record, together with the generation time of the network delay, as one network data object to be clustered, and obtains a plurality of network data objects corresponding to the plurality of data records.
Each data record corresponds to one network data object, and each network data object contains two types of data: the network delay and the generation time of the network delay. Each network data object is an object, or sample point, to be clustered by the DBSCAN algorithm.
507. The monitoring server obtains the currently set time radius interval EPS and the density threshold MinPts.
The EPS and MinPts may be preset, or may be input by the user in real time according to actual requirements.
The set radius interval is a range of time intervals rather than a fixed one.
Specifically, the process of setting the time radius interval EPS may be: normalize each item of data in the network data objects, calculate the Euclidean distances between different network data objects, and draw a k-distance curve from the calculated Euclidean distances, so that a suitable time radius interval can be selected according to the trend of the distance change. The k-distance is defined as follows: given a dataset P = {p(i); i = 0, 1, …, n}, for any point p(i), the distances between the point p(i) and all points in the subset S of the set D are calculated and sorted in descending order; assuming that the sorted distance set is D = {D(1), D(2), …, D(k-1), D(k), D(k+1), …, D(n)}, D(k) is called the k-distance. That is, the k-distance is the k-th closest distance between point p(i) and all other points. The k-distance is calculated for each point p(i) in the set to be clustered, finally giving the k-distance set of all points, E = {E(1), E(2), …, E(n)}.
It can be understood that, in the clustering process, the specific values of the two parameters EPS and MinPts may be adjusted dynamically according to the clustering needs; each clustering pass is therefore performed with the currently set values of EPS and MinPts as the reference.
508. The monitoring server clusters the plurality of network data objects with the DBSCAN algorithm, based on the density distribution of the generation times of the network delays in the plurality of network data objects and on the currently set EPS and MinPts, and obtains a plurality of clusters.
Each cluster contains a plurality of network data objects.
With the generation time of the network delay in the network data object as the reference, the process of clustering the network data objects can be understood as follows: taking the generation time of the network delay in a certain network data object as the reference, detect whether the number of generation times of network delays of other network data objects that fall within the EPS neighborhood of that generation time is greater than or equal to MinPts. If so, the network data object forms a cluster with the other network data objects in the EPS neighborhood of its generation time, and the network data object is marked as a visited sample point. All sample points in the cluster that are not yet marked as visited are then processed recursively in the same way, expanding the cluster.
509. The monitoring server determines the maximum value and the minimum value of the network delay contained in each cluster.
510. The monitoring server determines at least one cluster of interest from the plurality of clusters based on the difference between the maximum value and the minimum value of the network delay contained in each cluster.
After the maximum value and the minimum value of the network delay contained in a cluster are determined, the difference between them can be calculated. If the difference is larger than a preset value, the cluster can be determined to be a cluster of interest, so that the data records of the cluster of interest can be clustered further.
Of course, the cluster of interest may also be specified by the user, for example, after the monitoring server determines the maximum value and the minimum value of the network delay included in each cluster, the difference between the maximum value and the minimum value of the network delay in each cluster may be calculated, and then the difference corresponding to each cluster may be output, so that the user selects the cluster of interest according to the difference, and the monitoring server determines at least one cluster of interest selected by the user.
511. Obtain the currently adjusted EPS and MinPts.
In this step 511, in order to further cluster the network data objects included in the interested cluster, EPS and MinPts need to be adjusted, so as to finally classify the plurality of network data objects in the interested cluster into the sub-cluster corresponding to the interested cluster.
The process of setting the EPS may refer to the description of step 507.
512. For any cluster of interest, cluster the plurality of network data objects contained in the cluster of interest with the DBSCAN algorithm, based on the density distribution of the generation times of the network delays contained in the cluster of interest and on the adjusted EPS and MinPts, to obtain a plurality of clusters corresponding to the cluster of interest.
Of course, the process of clustering the plurality of network data objects included in the cluster of interest may be similar to the previous clustering process, and will not be described herein again.
513. According to the distribution of the network delay in the plurality of clusters corresponding to the cluster of interest, determine an abnormal cluster with abnormal network delay from among those clusters.
The process of determining an abnormal cluster from a plurality of clusters clustered by a plurality of network data objects included in the cluster of interest is similar to the process of determining an abnormal cluster in the embodiment of fig. 1, and is not repeated here.
Of course, step 513 in this embodiment is a preferred implementation manner, and in practical applications, after clustering a plurality of network data objects included in a cluster of interest, an abnormal cluster may be determined from all currently obtained clusters.
It should be noted that steps 509 to 513 are optional; directly determining an abnormal cluster from the plurality of clusters obtained after step 508 is also applicable to the present embodiment.
514. Determine the generation time, the operator and the country of the network delay corresponding to each of the network data objects contained in the abnormal cluster, and analyze the network anomaly based on the generation time, the operator and the country of the network delay.
In the embodiment of the application, after the abnormal cluster with the abnormal network delay is determined, the information such as the generation time, the user account, the operator, the country and the like corresponding to the network delay with the abnormal network delay can be obtained, so that the abnormal analysis can be performed based on the information.
It should be noted that, once the abnormal network delay, its generation time, and the corresponding information such as the user account, the operator and the country have been determined, the anomaly can be analyzed in various ways. For example, the times at which abnormal network delays occurred can be determined and examined for a pattern, so that corresponding measures can be taken to control the network anomaly. The operators corresponding to the user accounts with abnormal network delay can also be counted, to further analyze whether the abnormal network delay is caused by an abnormality on the operator side. Alternatively, the distribution of network delay anomalies over a certain time interval (e.g., every day, every week, every month) can be counted, and the return code states and logs reported by the service server, the client and other nodes at the time of the anomaly can then be used to locate the specific cause of the network anomaly.
In addition, after the abnormal cluster is determined, the operators, countries and so on corresponding to the network data objects contained in the abnormal cluster can be counted, so that the occurrence of network anomalies across different operators and countries can be observed globally.
Of course, other anomaly analysis methods are possible, which are not listed here.
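The flow of steps 505 to 514, as an added example in Python that is not code from the patent: records are clustered on the generation time of the delay with a plain DBSCAN, clusters with a large max-min delay spread are picked as clusters of interest, and a cluster is flagged abnormal when the share of its delays outside a target interval exceeds a set ratio. The record field names, the sample data and every parameter value (EPS of 30 s, MinPts of 3, target interval 0 to 100 ms, ratio 0.5, spread 100 ms) are assumptions constructed for illustration.

```python
from collections import Counter

NOISE = -1  # label for samples that end up in no cluster


def dbscan_by_time(times, eps, min_pts):
    """Cluster generation times (seconds) as in steps 401-406; one label per sample."""
    def neighbourhood(i):
        # EPS neighbourhood on the time axis; the sample itself is included.
        return [j for j, t in enumerate(times) if abs(t - times[i]) <= eps]

    labels = [None] * len(times)
    cluster_id = 0
    for i in range(len(times)):
        if labels[i] is not None:
            continue
        seeds = neighbourhood(i)
        if len(seeds) < min_pts:
            labels[i] = NOISE  # provisional: may still become a border point
            continue
        labels[i] = cluster_id
        candidates = [j for j in seeds if j != i]
        while candidates:
            j = candidates.pop()
            if labels[j] == NOISE:
                labels[j] = cluster_id  # border point of this cluster
                continue
            if labels[j] is not None:
                continue
            labels[j] = cluster_id
            reach = neighbourhood(j)
            if len(reach) >= min_pts:  # j is a core object: keep expanding
                candidates.extend(reach)
        cluster_id += 1
    return labels


def members(records, labels, cid):
    return [r for r, label in zip(records, labels) if label == cid]


def clusters_of_interest(records, labels, min_spread):
    """Steps 509-510: clusters whose max-min delay difference exceeds min_spread."""
    picked = []
    for cid in sorted(set(labels) - {NOISE}):
        delays = [r["delay_ms"] for r in members(records, labels, cid)]
        if max(delays) - min(delays) > min_spread:
            picked.append(cid)
    return picked


def abnormal_clusters(records, labels, target, max_ratio):
    """Clusters whose share of delays outside the target interval exceeds max_ratio."""
    low, high = target
    flagged = {}
    for cid in sorted(set(labels) - {NOISE}):
        delays = [r["delay_ms"] for r in members(records, labels, cid)]
        ratio = sum(1 for d in delays if not low <= d <= high) / len(delays)
        if ratio > max_ratio:
            flagged[cid] = ratio
    return flagged


def breakdown(records, labels, cid):
    """Step 514: when the anomaly occurred and how it spreads over operators/countries."""
    rows = members(records, labels, cid)
    return {
        "start": min(r["t"] for r in rows),
        "end": max(r["t"] for r in rows),
        "by_operator": Counter(r["operator"] for r in rows),
        "by_country": Counter(r["country"] for r in rows),
    }


def sample_records():
    """Constructed data: a normal burst, a high-delay burst, one isolated sample."""
    recs = []
    for i in range(10):
        recs.append({"t": 10 * i, "delay_ms": 40 + 10 * (i % 3),
                     "operator": "operator-B", "country": "Country-Y"})
    for i in range(10):
        recs.append({"t": 1000 + 10 * i,
                     "delay_ms": 350 + 15 * i if i < 8 else 80,
                     "operator": "operator-A" if i < 7 else "operator-B",
                     "country": "Country-X"})
    recs.append({"t": 5000, "delay_ms": 45,
                 "operator": "operator-B", "country": "Country-Y"})
    return recs


if __name__ == "__main__":
    records = sample_records()
    labels = dbscan_by_time([r["t"] for r in records], eps=30, min_pts=3)
    print("clusters of interest:", clusters_of_interest(records, labels, 100))
    for cid, ratio in abnormal_clusters(records, labels, (0, 100), 0.5).items():
        print("abnormal cluster", cid, "ratio", ratio, breakdown(records, labels, cid))
```

The re-clustering of steps 511 and 512 is the same `dbscan_by_time` call applied to the members of one cluster of interest with the adjusted EPS and MinPts.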
The network anomaly monitoring method in the embodiment of the application can be applied to various application scenarios. For ease of understanding, network anomaly monitoring of a service platform providing a global uniform game service is taken as an example. In such a platform, the service server can specifically be a game service server, which can be used to provide game services, or the data services required for game running, to the game clients of different game players. For example, the game service server may provide a game service for Player-to-Player competition (PVP, Player VS Player); it may also provide a game service in which a player battles with the environment (PVE, Player VS Environment); or it may provide a business service such as the data maintenance or data recording required while the game is running, for example, the game service server may be an internet data center or the like. Of course, different game service servers may provide different kinds of game services or data support.
The global uniform game can provide game service for game players in different countries and regions around the world, and the network delay of the game players directly influences the experience of the game, so that in order to analyze the delay condition of the global players in time, the network abnormity monitoring method of the embodiment of the application can collect the network delay data of the game players in the global uniform game, and can evaluate and analyze the network quality of global users by combining the network conditions of operators in different countries, the geographic distribution coordinates of the users, the bandwidth, the packet loss and other data, so as to locate the network abnormity and analyze the reason causing the network abnormity.
Referring to fig. 6, a schematic flow chart of a network anomaly monitoring method according to another embodiment of the present application is shown.
The method of the embodiment may include:
601. The game service server obtains the log file corresponding to each game client accessing the game service server.
The log file may include information such as a network delay reported by the game client, a time at which the network delay is generated, a player account used by the game client to log in the service server, an IP address corresponding to the player account, and a geographic location coordinate.
Of course, the log file may also include key node information of the network link between the game client and the game service server, such as the states and return codes of login, battle, and component pulling.
602. The game service server sends the log file corresponding to each game client to the monitoring server.
603. The monitoring server determines the operator and the country to which the IP address belongs according to the IP address in the log file.
604. The monitoring server stores the player account, the network delay, the generation time of the network delay, the IP address, the operator, and the country information corresponding to each log file as one record in the database.
Optionally, before the monitoring server stores the data in the log file in the database, operations such as deduplication, redundancy elimination, and null elimination of the data may also be performed, which are not described herein again.
605. When a network anomaly needs to be monitored, the monitoring server extracts from the database a plurality of data records whose generation time falls within the time period to be analyzed.
Each data record comprises a player account, network delay, generation time of the network delay, an IP address, an operator and country information.
606. The monitoring server takes the network delay in each data record, together with the generation time of the network delay, as one network data object to be clustered, and obtains a plurality of network data objects corresponding to the plurality of data records.
Each data record corresponds to a network data object, and each network data object contains two types of data: one is network delay and one is generation time of the network delay.
607. The monitoring server obtains the currently set time radius interval EPS and the density threshold MinPts.
The EPS and MinPts may be preset, or may be input by the user in real time according to actual requirements.
608. The monitoring server clusters the plurality of network data objects with the DBSCAN algorithm, based on the density distribution of the generation times of the network delays in the plurality of network data objects and on the currently set EPS and MinPts, to obtain a plurality of clusters.
Wherein each cluster contains a plurality of network data objects.
609. According to the distribution of the network delay in the plurality of clusters, determine an abnormal cluster with abnormal network delay from the plurality of clusters.
610. Determine the time of occurrence of the network anomaly, and the distribution across different operators and countries of the game players affected by it, based on the player accounts of the abnormal game players corresponding to the network data objects in the abnormal cluster, the generation time of the network delay, the IP addresses corresponding to the player accounts, and the operators and countries to which the IP addresses belong.
Optionally, after the abnormal cluster is determined, the generation time of a network delay in the abnormal cluster is also the time at which the abnormal network delay occurred. Based on the player account of an abnormal game player in the abnormal cluster and the time at which the abnormal network delay occurred, the logs about that player recorded by the player's game client and by the game service server that the client accessed can be obtained. The states and return codes of nodes in the network link recorded in those logs, such as login, battle and component pulling, can then be analyzed to find the possible cause of the stuttering experienced by the game player and of the abnormal network delay.
The following describes a network anomaly monitoring device provided in an embodiment of the present application.
Referring to fig. 7, which shows a schematic structural diagram of an embodiment of a network anomaly monitoring apparatus according to the present application, the apparatus of the present embodiment may be applied to a server, and the apparatus may include:
A data obtaining unit 701, configured to obtain a network data object set reported by a server in a service platform in a time period to be analyzed, where the network data object set includes a plurality of network data objects, and each network data object includes: the network delay of the client accessing the server and the generation time of the network delay;
A data clustering unit 702, configured to cluster the network data objects in the network data object set based on the density distribution of the generation times of the network delays, to obtain a plurality of clusters, where each cluster includes a plurality of network data objects;
An abnormal cluster determining unit 703, configured to determine an abnormal cluster with abnormal network delay from the multiple clusters according to the distribution of the network delay in the multiple clusters;
An anomaly analysis unit 704, configured to perform network anomaly analysis based on the generation time of the network delay included in the anomalous cluster and the network login information associated with the network data object included in the anomalous cluster.
Optionally, the data clustering unit includes:
The clustering parameter acquiring unit is used for acquiring a currently set time radius interval and a density threshold;
The clustering subunit is used for clustering the plurality of network data objects with the density-based spatial clustering of applications with noise (DBSCAN) algorithm, based on the density distribution of the generation times of the network delays corresponding to the plurality of network data objects, the currently set time radius interval and the density threshold, to obtain a plurality of clusters.
Optionally, the apparatus may further include:
The cluster analysis unit is used for respectively determining the maximum value and the minimum value of the network delay contained in each cluster after the data clustering unit obtains the plurality of clusters;
An interest cluster determining unit, configured to determine at least one cluster of interest from the plurality of clusters based on a difference between a maximum value and a minimum value of network delays included in the clusters;
The clustering parameter adjusting unit is used for acquiring the currently adjusted time radius interval and the density threshold;
A re-clustering unit, configured to, for any cluster of interest, cluster the plurality of network data objects included in the cluster of interest with the DBSCAN algorithm, based on the density distribution of the generation times of the network delays corresponding to the network data objects in the cluster of interest and on the currently adjusted time radius and density threshold, so as to obtain a plurality of clusters corresponding to the cluster of interest;
The abnormal cluster determining unit is specifically configured to determine an abnormal cluster with abnormal network delay from the multiple clusters corresponding to the cluster of interest according to the distribution of the network delay in the multiple clusters corresponding to the cluster of interest.
Optionally, the apparatus may further include:
A delay parameter obtaining unit, configured to obtain a target interval of the currently set network delay before the abnormal cluster determining unit determines the abnormal cluster with the abnormal network delay;
The abnormal cluster determining unit is specifically configured to determine an abnormal cluster with a set proportion exceeding a preset value when determining the abnormal cluster with abnormal network delay, wherein the set proportion is a ratio of the number of network delays in the clusters, which do not belong to the target interval, to the total number of network delays included in the clusters.
Optionally, the network login information includes one or more of the following:
IP address, user account, operator and country information.
The embodiment of the invention also provides a server, which may include the network anomaly monitoring device described above.
Fig. 8 is a block diagram illustrating a hardware configuration of a server. Referring to fig. 8, the server 800 may include: a processor 801, a communication interface 802, a memory 803, and a communication bus 804;
The processor 801, the communication interface 802 and the memory 803 complete mutual communication through a communication bus 804;
Optionally, the communication interface 802 may be an interface of a communication module, such as an interface of a GSM module;
A processor 801 for executing programs;
a memory 803 for storing programs;
The program may include program code including computer operating instructions.
The processor 801 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
The memory 803 may comprise high-speed RAM, and may also include non-volatile memory, such as at least one disk memory.
Specifically, the program may be used for:
Acquiring a network data object set reported by a server in a service platform in a time period to be analyzed, wherein the network data object set comprises a plurality of network data objects, and each network data object comprises: the network delay of the client accessing the server and the generation time of the network delay;
Clustering the network data objects in the network data object set based on the density distribution of the generation times of the network delay to obtain a plurality of clusters, wherein each cluster comprises a plurality of network data objects;
Determining an abnormal cluster with abnormal network delay from the plurality of clusters according to the distribution of the network delay in the plurality of clusters;
Analyzing the network anomaly based on the generation times of the network delays contained in the abnormal cluster and the network login information associated with the network data objects contained in the abnormal cluster.
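The program steps above, together with the re-clustering unit and the set-proportion criterion described earlier, can be sketched as follows. This is an added example, not code from the patent: the field names (`t`, `delay_ms`, `operator`, `country`), the spread limit used to pick clusters of interest, the use of a single time radius rather than an interval, and all sample values are assumptions constructed for illustration.

```python
from collections import Counter

def dbscan_by_time(objs, eps, min_pts):
    """DBSCAN on the delay generation time 't' only; noise objects are dropped."""
    n = len(objs)
    near = [[j for j in range(n) if abs(objs[i]["t"] - objs[j]["t"]) <= eps]
            for i in range(n)]
    label, clusters = [None] * n, []
    for i in range(n):
        if label[i] is not None or len(near[i]) < min_pts:
            continue                      # already assigned, or not a core object
        cid, stack = len(clusters), [i]
        while stack:
            j = stack.pop()
            if label[j] is not None:
                continue
            label[j] = cid
            if len(near[j]) >= min_pts:   # only core objects extend the cluster
                stack.extend(near[j])
        clusters.append([objs[k] for k in range(n) if label[k] == cid])
    return clusters

def delay_spread(cluster):
    """Difference between the maximum and minimum delay in a cluster."""
    delays = [o["delay_ms"] for o in cluster]
    return max(delays) - min(delays)

def out_of_target_ratio(cluster, target):
    """Share of delays in the cluster that fall outside the target interval."""
    lo, hi = target
    return sum(not lo <= o["delay_ms"] <= hi for o in cluster) / len(cluster)

def find_anomalies(objs, coarse, fine, spread_limit, target, preset_ratio):
    """coarse and fine are (time radius, density threshold) pairs."""
    reports = []
    for cluster in dbscan_by_time(objs, *coarse):
        if delay_spread(cluster) <= spread_limit:
            continue                      # not a cluster of interest
        for sub in dbscan_by_time(cluster, *fine):   # re-cluster with adjusted parameters
            ratio = out_of_target_ratio(sub, target)
            if ratio > preset_ratio:
                times = [o["t"] for o in sub]
                reports.append({
                    "start": min(times), "end": max(times),
                    "size": len(sub), "ratio": ratio,
                    # login information associated with the abnormal cluster
                    "operators": Counter(o["operator"] for o in sub),
                    "countries": Counter(o["country"] for o in sub),
                })
    return reports

def sample_objects():
    """Constructed data: steady ~40 ms traffic with a gap, plus a 400 ms burst."""
    base = [{"t": t, "delay_ms": 40 + t % 7, "operator": "ISP-A", "country": "CN"}
            for t in list(range(0, 300, 10)) + list(range(400, 600, 10))]
    burst = [{"t": t, "delay_ms": 400, "operator": "ISP-B", "country": "CN"}
             for t in range(200, 230)]
    return base + burst

if __name__ == "__main__":
    for report in find_anomalies(sample_objects(), coarse=(15, 3), fine=(2, 5),
                                 spread_limit=100, target=(0, 100), preset_ratio=0.5):
        print(report)
```

On the constructed sample, the coarse pass yields two clusters and only the one mixing normal traffic with the burst is re-clustered; the fine pass isolates the burst window, and the operator counts point to where the delay is concentrated.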
The embodiments in this description are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar the embodiments may be referred to one another. Because the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief; for the relevant points, refer to the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1. A network anomaly monitoring method, characterized by comprising the following steps:
Acquiring a network data object set reported by a server in a service platform in a time period to be analyzed, wherein the network data object set comprises a plurality of network data objects, and each network data object comprises: the network delay of the client accessing the server and the generation time of the network delay;
Acquiring a currently set time radius interval and a density threshold;
Based on the density distribution of the generation times of the network delays corresponding to the network data objects, and on the currently set time radius interval and density threshold, clustering the network data objects using the density-based spatial clustering of applications with noise (DBSCAN) algorithm to obtain a plurality of clusters, wherein each cluster comprises a plurality of network data objects;
Respectively determining the maximum value and the minimum value of the network time delay contained in each cluster;
determining at least one interested cluster from the plurality of clusters based on the difference between the maximum value and the minimum value of the network time delay contained in the clusters;
Acquiring a currently adjusted time radius interval and a density threshold; the time radius interval and the density threshold can be dynamically adjusted according to clustering requirements and serve as clustering references in the clustering process;
For any interested cluster, based on the density distribution of the generation moments of the network delays corresponding to the network data objects in the interested cluster, the currently adjusted time radius and the density threshold, clustering the network data objects contained in the interested cluster by adopting the DBSCAN algorithm to obtain a plurality of clusters corresponding to the interested cluster;
Determining an abnormal cluster with abnormal network delay from a plurality of clusters corresponding to the cluster of interest according to the distribution of the network delay in the plurality of clusters corresponding to the cluster of interest;
And analyzing the network anomaly based on the generation times of the network delays contained in the abnormal cluster and the network login information associated with the network data objects contained in the abnormal cluster.
2. The method according to claim 1, wherein before the determining the abnormal cluster with abnormal network delay, the method further comprises:
Acquiring a target interval of currently set network delay;
the determining of the abnormal cluster with abnormal network delay includes:
Determining as abnormal a cluster whose set proportion exceeds a preset value, wherein the set proportion is the ratio of the number of network delays in the cluster that do not belong to the target interval to the total number of network delays contained in the cluster.
3. The method for monitoring network anomaly according to claim 1, wherein the network login information includes one or more of the following:
IP address, user account, operator and country information.
4. The method for monitoring network anomaly according to claim 1 or 3, wherein the acquiring a set of network data objects reported by a server in a service platform in a time period to be analyzed comprises:
Acquiring a log set reported by a server in a service server platform in a time period to be analyzed, wherein the log set comprises a plurality of log data;
And acquiring the network data object and the network login information related to the network data object from the log data to obtain a network data object set formed by a plurality of network data objects and the network login information related to the network data object in the network data objects.
5. A network anomaly monitoring device, comprising:
a data obtaining unit, configured to obtain a network data object set reported by a server in a service platform in a time period to be analyzed, where the network data object set includes a plurality of network data objects, and each network data object includes: the network delay of the client accessing the server and the generation time of the network delay;
The data clustering unit is used for clustering the network data objects in the network data object set by taking the generation time of the network delay as a clustering reference based on the density distribution of the generation time of the network delay to obtain a plurality of clustering clusters, and each clustering cluster comprises a plurality of network data objects;
An abnormal cluster determining unit, configured to determine an abnormal cluster with abnormal network delay from the multiple clusters according to the distribution of the network delay in the multiple clusters;
The abnormal cluster analysis unit is used for analyzing network abnormality based on the generation time of the network time delay contained in the abnormal cluster and the network login information related to the network data object contained in the abnormal cluster;
The data clustering unit comprises:
The clustering parameter acquiring unit is used for acquiring a currently set time radius interval and a density threshold;
The clustering subunit is configured to cluster the plurality of network data objects using the density-based spatial clustering of applications with noise (DBSCAN) algorithm, based on the density distribution of the generation times of the network delays corresponding to the plurality of network data objects and on the currently set time radius interval and density threshold, so as to obtain a plurality of clusters;
The device further comprises:
The cluster analysis unit is used for respectively determining the maximum value and the minimum value of the network delay contained in each cluster after the data clustering unit obtains the plurality of clusters;
An interest cluster determining unit, configured to determine at least one cluster of interest from the plurality of clusters based on a difference between a maximum value and a minimum value of network delays included in the clusters;
The clustering parameter adjusting unit is used for acquiring the currently adjusted time radius interval and the density threshold; the time radius interval and the density threshold can be dynamically adjusted according to clustering requirements and serve as clustering references in the clustering process;
A re-clustering unit, configured to, for any interested cluster, cluster a plurality of network data objects included in the interested cluster by using the DBSCAN algorithm based on density distribution of a plurality of network delay generation times corresponding to a plurality of network data objects in the interested cluster, and a currently adjusted time radius and density threshold, so as to obtain a plurality of clusters corresponding to the interested cluster;
the abnormal cluster determining unit is specifically configured to determine an abnormal cluster with abnormal network delay from the multiple clusters corresponding to the cluster of interest according to the distribution of the network delay in the multiple clusters corresponding to the cluster of interest.
6. The network anomaly monitoring device according to claim 5, further comprising:
A delay parameter obtaining unit, configured to obtain a target interval of the currently set network delay before the abnormal cluster determining unit determines the abnormal cluster with the abnormal network delay;
The abnormal cluster determining unit is specifically configured, when determining the abnormal cluster with abnormal network delay, to determine as abnormal a cluster whose set proportion exceeds a preset value, wherein the set proportion is the ratio of the number of network delays in the cluster that do not belong to the target interval to the total number of network delays included in the cluster.
7. The network anomaly monitoring device according to claim 5, wherein said network login information comprises one or more of:
IP address, user account, operator and country information.
8. A storage medium having stored therein a software module which, when executed, implements the network anomaly monitoring method of any one of claims 1 to 4.
9. A server, comprising a processor and a memory;
The memory is used for storing programs;
The processor is configured to execute the program to implement the network anomaly monitoring method according to any one of claims 1 to 4.
CN201610831494.7A 2016-09-19 2016-09-19 Network anomaly monitoring method and device Active CN106254153B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610831494.7A CN106254153B (en) 2016-09-19 2016-09-19 Network anomaly monitoring method and device

Publications (2)

Publication Number Publication Date
CN106254153A CN106254153A (en) 2016-12-21
CN106254153B true CN106254153B (en) 2019-12-10

Family

ID=57599004

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610831494.7A Active CN106254153B (en) 2016-09-19 2016-09-19 Network anomaly monitoring method and device

Country Status (1)

Country Link
CN (1) CN106254153B (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108200471B (en) * 2018-01-08 2019-08-16 中国科学技术大学 A kind of construction method of standard data set that evaluating and testing encrypted video QoE
CN108322363B (en) * 2018-02-12 2020-11-13 腾讯科技(深圳)有限公司 Pushed data abnormity monitoring method and device, computer equipment and storage medium
CN108573029B (en) * 2018-03-20 2021-11-23 咪咕文化科技有限公司 Method, device and storage medium for acquiring network access relation data
CN109191226B (en) * 2018-06-29 2021-10-12 创新先进技术有限公司 Risk control method and device
CN109284380B (en) * 2018-09-25 2023-04-25 平安科技(深圳)有限公司 Illegal user identification method and device based on big data analysis and electronic equipment
CN109756762B (en) * 2019-01-29 2020-10-02 北京奇艺世纪科技有限公司 Method and device for determining terminal category
CN110034977B (en) * 2019-04-18 2021-11-09 浙江齐治科技股份有限公司 Equipment safety monitoring method and safety monitoring equipment
CN112153685B (en) * 2019-06-26 2022-02-25 大唐移动通信设备有限公司 RRC fault detection method and device
CN110233858A (en) * 2019-07-01 2019-09-13 四川长虹电器股份有限公司 The methods of risk assessment and system of smart machine based on cloud prestige library
CN111181798B (en) * 2019-08-28 2022-07-22 腾讯科技(深圳)有限公司 Network delay measuring method, device, electronic equipment and storage medium
CN110753039B (en) * 2019-09-29 2022-04-22 苏州浪潮智能科技有限公司 Method and device for remote login safety protection
CN112217691A (en) * 2020-02-19 2021-01-12 杜义平 Network diagnosis processing method and device based on cloud platform
CN111985569B (en) * 2020-08-21 2022-10-14 哈尔滨工业大学(威海) Anonymous node positioning method based on multi-source point clustering idea
CN112291302B (en) * 2020-09-28 2023-04-07 北京京东尚科信息技术有限公司 Internet of things equipment behavior data analysis method and processing system
CN112295216B (en) * 2020-10-10 2023-12-05 杭州电魂网络科技股份有限公司 Method, system, electronic device and storage medium for analyzing time delay disconnection of player
CN112491612B (en) * 2020-11-26 2021-11-19 掌阅科技股份有限公司 Method for reporting network abnormal data, terminal and computer storage medium
CN113011886B (en) * 2021-02-19 2023-07-14 腾讯科技(深圳)有限公司 Method and device for determining account type and electronic equipment
CN116502169B (en) * 2023-06-28 2023-08-22 深圳特力自动化工程有限公司 Centrifugal dehydrator working state detection method based on data detection

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103887886A (en) * 2014-04-14 2014-06-25 杭州昊美科技有限公司 Power network detection system and method based on sensor network
WO2016081516A2 (en) * 2014-11-18 2016-05-26 Vectra Networks, Inc. Method and system for detecting threats using passive cluster mapping

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102271091B (en) * 2011-09-06 2013-09-25 电子科技大学 Method for classifying network abnormal events
CN104731789A (en) * 2013-12-18 2015-06-24 北京慧眼智行科技有限公司 Cluster obtaining method and device
CN103731851A (en) * 2014-01-15 2014-04-16 中国移动通信集团陕西有限公司 Network performance evaluation method and device
CN105376260B (en) * 2015-12-18 2018-12-28 重庆邮电大学 A kind of exception flow of network monitoring system based on density peaks cluster
CN105873105B (en) * 2016-04-22 2018-07-03 中国科学技术大学 A kind of mobile radio communication abnormality detection and localization method based on network Quality of experience

Also Published As

Publication number Publication date
CN106254153A (en) 2016-12-21

Similar Documents

Publication Publication Date Title
CN106254153B (en) Network anomaly monitoring method and device
US8676965B2 (en) Tracking high-level network transactions
WO2018059402A1 (en) Method and apparatus for determining fault type
CN109309596B (en) Pressure testing method and device and server
CN108696399B (en) Business service test method and device
CN107967488B (en) Server classification method and classification system
US10248549B1 (en) Systems and methods for detection of untested code execution
CN108366012B (en) Social relationship establishing method and device and electronic equipment
US20190197071A1 (en) System and method for evaluating nodes of funnel model
CN111628900B (en) Fuzzy test method, device and computer readable medium based on network protocol
CN106776341A (en) The test errors localization method and device of client-side program
JP4627539B2 (en) Load test system, load test data creation method, and program thereof
CN112380131A (en) Module testing method and device and electronic equipment
CN110674507A (en) Method and system for detecting web application override
US11115455B2 (en) Technique for monitoring activity in a content delivery network utilizing geohashing indexes
CN113205134A (en) Network security situation prediction method and system
CN111787002B (en) Method and system for analyzing safety of service data network
CN112887333A (en) Abnormal equipment detection method and device, electronic equipment and readable storage medium
JP2019148894A (en) Rule generation device and rule generation program
CN105719072B (en) System and method for associating multi-segment component transactions
CN110891071A (en) Network traffic information acquisition method, device and related equipment
CN117290719B (en) Inspection management method and device based on data analysis and storage medium
CN107332681A (en) A kind of failure dimensional analysis method and the network equipment
CN116228045B (en) Product reliability weak link assessment method and device based on performance degradation
CN111885011A (en) Method and system for analyzing and mining safety of service data network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240102

Address after: 518000 Tencent Building, No. 1 High-tech Zone, Nanshan District, Shenzhen City, Guangdong Province, 35 Floors

Patentee after: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.

Patentee after: TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd.

Address before: 2, 518000, East 403 room, SEG science and Technology Park, Zhenxing Road, Shenzhen, Guangdong, Futian District

Patentee before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.