CN107196815B - Method and equipment for determining difference of flow analysis capacity - Google Patents
Method and equipment for determining difference of flow analysis capacity Download PDFInfo
- Publication number
- CN107196815B CN107196815B CN201610143797.XA CN201610143797A CN107196815B CN 107196815 B CN107196815 B CN 107196815B CN 201610143797 A CN201610143797 A CN 201610143797A CN 107196815 B CN107196815 B CN 107196815B
- Authority
- CN
- China
- Prior art keywords
- dpi
- equipment
- flow
- devices
- reported
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/11—Identifying congestion
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/04—Processing captured monitoring data, e.g. for logfile generation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/06—Generation of reports
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
- H04L43/0882—Utilisation of link capacity
Abstract
The application relates to the technical field of communication, and discloses a method and equipment for determining differences of flow analysis capabilities, in particular to a method for determining differences of flow analysis capabilities in a scene that a plurality of DPI devices work cooperatively, coordination equipment for analyzing the flow analysis capabilities of a plurality of DPI devices, and the coordination equipment is used for acquiring flow analysis information reported by different DPI devices, so that the differences of the flow analysis capabilities of the DPI devices are acquired, a correct flow analysis result is acquired, and the working capability of the whole system is improved when the DPI devices work cooperatively.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for determining a difference in traffic analysis capabilities.
Background
Under the large background of fine operation, a plurality of Deep Packet Inspection (DPI) devices with traffic recognition capability are often deployed in series on an operator network to support different applications upward.
These DPI devices have for various reasons a large difference in their own traffic analyzing capabilities. The various reasons mentioned above are exemplified as follows: different DPI devices come from different vendors, use different network access methods, use different traffic identification technologies, have different evolution directions, have different upgrade maintenance cycles, and so on.
Due to the difference in the flow analysis capability of each DPI device, when a plurality of DPI devices work cooperatively, different DPI device flow analysis results may be inconsistent, so that an acquirer (e.g., a worker) of the flow analysis results cannot accept or reject different flow analysis results, and thus cannot correctly obtain the flow application condition of the base layer network.
At present, the difficulty of coordinating the flow analysis capabilities of multiple DPI devices is great. The comparison is usually performed according to similar statistical objects in multiple business reports output by an upper-layer application system, and because the multiple business reports contain data sources from multiple DPI devices, the difference of flow analysis results of different DPI devices can be found.
However, this way of reversely deducing the difference of the traffic analysis capabilities of different DPI devices according to the traffic report has many disadvantages. Because the upper application system focuses on the application itself, the report is not specifically designed for the quality of the traffic analysis data of the DPI device, and therefore the coverage of the comparison method is very limited. In addition, the business report is often designed to achieve a certain business presentation, and may be obtained through various processing methods such as filtering, screening, aggregation, and algorithm, so the comparison accuracy of the comparison method is very limited.
In summary, in an environment where multiple DPI devices work cooperatively, when flow analysis results obtained due to different flow analysis capabilities of different DPI devices are inconsistent, differences in the flow analysis capabilities of different DPI devices cannot be accurately obtained, and thus a correct flow analysis result cannot be obtained, which affects the working capability of the entire system when the DPI devices work cooperatively.
Disclosure of Invention
The embodiment of the application provides a flow analysis coordination method and device, which are used for solving the problem that the difference of flow analysis capabilities of different DPI devices cannot be accurately known when a plurality of DPI devices work cooperatively.
The embodiment of the application provides the following specific technical scheme:
in a first aspect, a method for determining a difference in traffic analysis capability is provided, including: the coordination equipment for analyzing the flow analysis capability of the DPI equipment notifies the DPI equipment of the reported content of the flow analysis information; after notifying the reported content of the traffic analysis information, the coordinating device receives the traffic analysis information which is reported by the DPI devices and contains the reported content; the coordination equipment analyzes the received flow analysis information reported by the DIP equipment to obtain the difference of the flow analysis capability of each DPI equipment in the DPI equipment; and the coordination equipment outputs the obtained difference of the flow analysis capability of each DPI equipment in the plurality of DPI equipment. According to the scheme provided by the embodiment of the application, when the plurality of DPI devices work cooperatively, the coordinating device collects the flow analysis information obtained by detecting the flow of the DPI devices, the coordinating device can obtain the difference of the flow analysis capabilities of the DPI devices by analyzing the collected flow analysis information, and alarms or displays the analysis result under the condition that the difference of the flow analysis capabilities of different DPI devices is large, so that the application system can process the analysis result in time and pertinence. And the application system can also select correct flow analysis information through the analysis result, so that the working capacity of the whole system when the DPI equipment works cooperatively can be improved.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the reporting content of the traffic analysis information at least includes: starting time and ending time of flow detection; the unique identification ID and the application protocol description of the identified application protocol; and counting the uplink flow, the downlink flow and the user number.
With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the reported content of the traffic information may be expanded.
With reference to the first aspect and any one of the first to second possible implementation manners of the first aspect, in a third possible implementation manner of the first aspect, the method further includes: the coordination equipment respectively receives self-supported time calculation granularity reported by the DPI equipment; calculating granularity according to the received time supported by each DPI device, and determining a reporting period of the flow analysis information by combining a statistical time interval configured in advance by the coordination device; and the coordination equipment informs the plurality of DPI equipment of the reporting period of the flow analysis information.
With reference to the first or second possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, the analyzing, by the coordination device, the received traffic analysis information reported by the multiple DPI devices to obtain a difference between traffic analysis capabilities of the multiple DPI devices includes: the coordination device judges the similarity of statistical contents of each DPI device in the DPI devices in the same time period and compares the waveform change trend, wherein the statistical contents comprise the size of the uplink flow, the size of the downlink flow and the number of users, and the difference between the sizes of the uplink flow, the size of the downlink flow or the number of users counted by a first DPI device and a second DPI device in the DPI devices is judged to be larger than a set threshold value; and the coordination equipment judges the corresponding relation between the protocol libraries of the DPI equipment according to the application protocol ID and the application protocol description which can be identified in the same time period and reported by each DPI equipment in the DPI equipment, and judges that the first DPI equipment in the DPI equipment can not identify the application protocol description which can be identified by the second DPI equipment.
With reference to the first aspect and any one of the first to fourth possible implementation manners of the first aspect, in a fifth possible implementation manner of the first aspect, the outputting, by the coordination device, the obtained difference in the flow analysis capability of the plurality of DPI devices includes: the coordinating device outputs the obtained difference in the flow analysis capability of the plurality of DPI devices locally or to other devices.
In a second aspect, a method for determining traffic analysis capability is provided, including: the method comprises the steps that DPI equipment receives reported content of flow analysis information notified by coordination equipment, wherein the coordination equipment is used for analyzing flow analysis capacity of a plurality of DPI equipment including the DPI equipment; and the DPI equipment reports the flow analysis information containing the reported content to the coordination equipment. Therefore, the DPI equipment reports the flow identification capability of the DPI equipment to the coordination equipment, so that the coordination equipment can coordinate and manage a plurality of DPI equipment in a unified manner, and the difference of the flow analysis capabilities of the DPI equipment is known.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the reporting content of the traffic analysis information includes: starting time and ending time of flow detection; the unique identification ID and the application protocol description of the identified application protocol; and counting the uplink flow, the downlink flow and the user number.
With reference to the second aspect or the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the method further includes: the DPI equipment reports the self-supported time calculation granularity to the coordination equipment; the DPI equipment receives a reporting period of the flow analysis information notified by the coordination equipment; and the DPI equipment reports the flow analysis information to the coordination equipment periodically according to the reporting period.
In a third aspect, a coordination device is provided, where the coordination device has a function of coordinating device behaviors in any method design of the first aspect and any one of the first to fifth possible implementation manners of the first aspect. The functions can be realized by hardware, and the functions can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the above-described functions.
In a fourth aspect, a DPI device is provided, where the DPI device has a function of coordinating device behaviors in a method design implementing any one of the second aspect and the first to second possible implementations of the second aspect. The functions can be realized by hardware, and the functions can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the above-described functions.
In a fifth aspect, a coordinating device is provided, where the structure of the coordinating device includes a transceiver, a processor and a bus, and the processor is configured to invoke a set of programs so that the coordinating device performs the method according to the first aspect and any one of the first to fifth possible implementation manners of the first aspect.
In a sixth aspect, a DPI device is provided, the DPI device comprising a transceiver, a processor, and a bus, wherein the processor is configured to invoke a set of programs, so that the DPI device performs the method according to the second aspect and any one of the first to second possible implementations of the second aspect.
In a seventh aspect, there is provided a computer storage medium for storing computer software instructions for a coordinating device according to the above aspect, comprising a program designed for executing the above aspect.
In an eighth aspect, there is provided a computer storage medium storing computer software instructions for a DPI device according to the above aspects, comprising a program designed to perform the above aspects.
According to the scheme provided by the embodiment of the application, the flow analysis capabilities of the DPI devices are coordinately and uniformly analyzed through the coordination device, so that the difference of the flow analysis capabilities of the DPI devices can be accurately obtained, the correct flow analysis result can be obtained, and the working capability of the whole system during the cooperative work of the DPIs can be improved.
Drawings
FIG. 1 is a diagram of an application system architecture in an embodiment of the present application;
fig. 2 is a flowchart of a method for determining a difference in traffic analysis capability according to an embodiment of the present application;
fig. 3 is a schematic diagram illustrating a method for determining a difference in traffic analysis capability in an application scenario according to an embodiment of the present application;
FIG. 4 is a block diagram of a coordinating device according to an embodiment of the present disclosure;
figure 5 is one of the block diagrams of the DPI device in the embodiment of the present application;
FIG. 6 is a second block diagram of a coordinating device in an embodiment of the present application;
figure 7 is a second block diagram of a DPI device in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the accompanying drawings, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The DPI device in the embodiment of the present application refers to a network element including a module with DPI capability, and the DPI device tends to different DPI capabilities based on different application scenarios, for example, traffic monitoring, policy control, network analysis, marketing support, and the like.
The method and the device are suitable for a network scene where a plurality of DPI devices are deployed to work cooperatively.
For example, in an initial stage of the operator transforming to a refined operation, a plurality of DPI devices of different manufacturers may be introduced, and the traffic analysis capabilities of the DPI devices of the different manufacturers are different; for another example, an existing network of an operator has several DPI devices, each DPI device is built based on different application scenarios as described above, and the traffic analysis capabilities of the several DPI devices are also different.
In some application scenarios based on operator development, the traffic analysis capability of each DPI device needs to be analyzed to implement data fusion, and in order to ensure the fused data quality, quickly find the abnormal data quality, alarm, and timely process the abnormal data quality, in the embodiment of the present application, a method for determining the difference of the traffic analysis capability in a scenario where a plurality of DPI devices work cooperatively, and a coordinating device for analyzing the traffic analysis capability of a plurality of deep packet inspection DPI devices are provided, and the coordinating device is used to obtain the traffic analysis information reported by different DPI devices, so as to obtain the difference of the traffic analysis capability of each DPI device.
Fig. 1 is a diagram illustrating an architecture of an application system according to an embodiment of the present application. The operator deploys several DPI devices, denoted DPI-A, DPI-B, DPI-C, DPI-D, DPI-E, which identify the traffic of the base-layer network and support different applications upwards (e.g., application 1, application 2, application 3, application 4).
Preferred implementations of the embodiments of the present application will be described in detail below with reference to the accompanying drawings.
Referring to fig. 2, a method for determining a difference in flow analysis capability according to an embodiment of the present invention is described below.
Step 201: and the coordination equipment informs the plurality of DPI equipment of the reported content of the flow analysis information.
The flow analysis information refers to information obtained by analyzing and counting the identified network flow by the DPI equipment through identifying the network flow;
the reported content of the traffic analysis information at least comprises: starting time and ending time of flow detection; the unique identification ID and the application protocol description of the identified application protocol; and counting the uplink flow, the downlink flow and the user number.
Because the traffic analysis capabilities of the DPI devices are different, the content of the traffic analysis information that the DPI devices can report to the coordinator device is also different, and here, in order to have a horizontal analysis on the traffic analysis capabilities of different DPI devices, the report content of the traffic analysis information notified to each DPI device is available to each DPI device through the basic analysis capability.
Of course, in the embodiment of the present application, the coordinating device may expand the reported content of the traffic analysis information on the basis of the set basic content by knowing the content that can be reported by each DPI in advance.
Preferably, in this embodiment of the present application, the coordinating device further sends a reporting period of the traffic analysis information to the DPI devices. The reporting period is determined as follows.
Since different DPI devices support different time computation granularities, the coordinating device first needs to know the time computation granularity supported by each DPI device. Then:
1) and the DPI equipment reports the self-supported time calculation granularity to the coordination equipment.
The time calculation granularity that one of the DPI devices can support is such as one or more of 1 minute, 5 minutes, 10 minutes, 15 minutes, 1 hour, 1 day, etc.
2) And the coordination equipment respectively receives the self-supported time calculation granularity reported by the DPI equipment, and determines the reporting period of the flow analysis information according to the received self-supported time calculation granularity of each DPI equipment and the statistic time interval configured in advance by the coordination equipment.
3) And the coordination equipment informs the plurality of DPI equipment of the reporting period of the flow analysis information.
It should be noted that the reporting periods sent by the coordinating device to each DPI device may be the same or different.
The part 2) is a negotiation process of a reporting period, and the coordinating device itself may also be configured with a statistical time interval supported preferentially, for example, a statistical time interval supported preferentially for 1 hour. The coordinating device calculates the granularity according to the time supported by each DPI device, and negotiates a proper reporting period by combining the self-supported statistic time interval. For example, the DPI-A in FIG. 1 supports a time-calculated particle size of 1 minute, 1 hour; the time calculation granularity supported by the DPI-B is 5 minutes and 1 hour; the time calculation granularity supported by the DPI-C is 10 minutes and 1 hour; the time calculation granularity supported by the DPI-D is 15 minutes and 1 hour; the DPI-E supported time calculated particle size was 1 min, 15 min. The coordinating device finds that both the DPI-A, DPI-B, DPI-C and the DPI-D can support a time calculation granularity of 1 hour, and the coordinating device itself preferentially supports a statistical time interval of 1 hour, and only if the time calculation granularity supported by the DPI-E does not include 1 hour, the negotiating device sends a reporting period of 1 hour to both the DPI-A, DPI-B, DPI-C and the DPI-D, and sends a reporting period of 15 minutes to the DPI-E. And then, according to the starting time and the ending time in the reported flow analysis information of the DPI-E and the starting time and the ending time in the flow analysis information reported by the other four DPI devices, selecting the DPI-E to compare with the flow analysis information reported by the other four DPI devices in the same time period (the time length is 1 hour), wherein the flow analysis information reported by the DPI-E in the same time period is the common content of the flow analysis information reported four times continuously.
Step 202: after receiving the reported content of the traffic analysis information notified by the coordinating device, the DPI device reports the traffic analysis information containing the reported content to the coordinating device.
Step 203: and the coordination equipment receives the flow analysis information which is reported by the DPI equipment and contains the reported content, analyzes the received flow analysis information which is reported by the DIP equipment, and obtains the difference of the flow analysis capability of each DPI equipment in the DPI equipment.
It should be noted that, in the embodiment of the present application, because the report content is extensible, the coordination device may have different analysis manners for the traffic analysis information including the report content, and the analysis manner for the traffic analysis information reported by each DPI device is not specifically limited in the present application, and any analysis manner that can obtain the difference of the traffic analysis capability of each DPI device may be used.
In the embodiment of the present application, only some examples of the analysis manner are given, and by way of example, some differences in the flow analysis capability of the plurality of DPI devices may be obtained. For example, the following steps:
the coordination device judges the similarity of statistical contents of each DPI device in the DPI devices in the same time period and compares the waveform change trend, wherein the statistical contents comprise the size of the uplink flow, the size of the downlink flow and the number of users, and the difference between the sizes of the uplink flow, the size of the downlink flow or the number of users counted by a first DPI device and a second DPI device in the DPI devices is judged to be larger than a set threshold value;
and the coordination equipment judges the corresponding relation between the protocol libraries of the DPI equipment according to the application protocol ID and the application protocol description which can be identified in the same time period and reported by each DPI equipment in the DPI equipment, and judges that the first DPI equipment in the DPI equipment can not identify the application protocol description which can be identified by the second DPI equipment.
Preferably, in this embodiment of the present application, after obtaining the difference of the flow analysis capability of each DPI device in the plurality of DPI devices each time, the coordinating device locally stores the obtained result, so that the analysis results can be accumulated for a period of time. After the traffic analysis information reported by each of the DPI devices is received latest, in the analysis process, the reported traffic analysis information may be compared with the stored analysis result accumulated for a period of time, so as to obtain what change the traffic analysis capability of each DPI device has, for example, the number of users counted by the DPI-C in fig. 1 fluctuates greatly, and this situation may be recorded as an abnormal situation that can be alarmed. Therefore, the difference of the flow analysis capability of each DPI device can be compared transversely, and the difference of the flow analysis capability of the same DPI device in different periods can be compared longitudinally.
Step 204: and the coordination equipment outputs the obtained difference of the flow analysis capability of each DPI equipment in the plurality of DPI equipment.
Specifically, the coordinating device outputs the obtained difference in the flow analysis capabilities of the plurality of DPI devices locally or to other devices. The output mode can be in the form of a report or an alarm. The system maintenance personnel can also perform secondary analysis on the basis of the output result, and further obtain more detailed, more exact and richer results.
Based on the method introduced in fig. 2, a specific application scenario is taken as an example, and the method provided in the embodiment of the present application is further described in detail below.
As shown in fig. 3, an operator deploys a Service awareness quality (SEQ) network element and a Service Control Gateway (SCG) network element at the same time, where the SEQ network element and the SCG network element are system instances having a DPI function and both support the same application Business Intelligence (BI) system upward. The basic Network structure comprises a wireless Network (English), two core Network element examples: GRS service Support Node (SGSN), Gateway GPRS Support Node (GGSN), and Internet. The method comprises the following steps that (1) Gn interface data are collected by an SEQ network element and are used for network analysis; the SCG network element collects Gi interface data for strategy control. The SEQ network element and the SCG network element respectively identify the acquired data and count traffic analysis information, and both report the counted traffic analysis information to a BI system of a user. Meanwhile, in another dimension, the SEQ network element and the SCG network element receive the unified management of the coordinator device, and periodically report the counted traffic analysis information to the coordinator device according to the report content and the report period of the traffic analysis information sent by the coordinator device. On the coordination equipment side, the coordination equipment analyzes the received flow analysis information periodically sent by the SEQ network element and the SCG network element, obtains the difference of the flow analysis capabilities of the SEQ network element and the SCG network element, locally outputs the difference or outputs the difference to a BI (business intelligence) system of a user by a report form method, and sends an alarm to the BI system of the user or locally gives an alarm when the flow analysis capability of the SEQ network element or the SCG network element is found to be seriously wrong.
Based on the same inventive concept, referring to fig. 4, an embodiment of the present application provides a coordinating device 400, where the coordinating device 400 is configured to analyze traffic analysis capabilities of a plurality of DPI devices, and the coordinating device 400 includes: a notification unit 401, a receiving unit 402, an analysis unit 403, and an output unit 404. Wherein:
a notification unit 401, configured to notify the plurality of DPI devices of the reported content of the traffic analysis information;
a receiving unit 402, configured to receive traffic analysis information that includes the reported content and is reported by the DPI devices after the reporting content of the traffic analysis information is notified by the notifying unit 401;
an analyzing unit 403, configured to analyze the traffic analysis information reported by the DIP devices and received by the receiving unit 402, to obtain a difference between traffic analysis capabilities of each DPI device in the DPI devices;
an output unit 404, configured to output the difference in flow analysis capability of each DPI device in the plurality of DPI devices obtained by the analysis unit 403.
Optionally, the content reported by the traffic analysis information at least includes: starting time and ending time of flow detection; the unique identification ID and the application protocol description of the identified application protocol; and counting the uplink flow, the downlink flow and the user number.
Optionally, the receiving unit 402 is further configured to receive the self-supported time calculation granularity reported by the multiple DPI devices, respectively;
the coordinating device 400 further comprises:
a determining unit 405, configured to determine a reporting period of the traffic analysis information according to the time calculation granularity, which is received by the receiving unit 402 and supported by each DPI device, and by combining a statistical time interval preconfigured by the coordinating device;
the notifying unit 401 is further configured to notify the DPI devices of the reporting period of the traffic analysis information determined by the determining unit 405.
Optionally, the analysis unit 403 is configured to:
judging the similarity of the statistical content of each DPI device in the DPI devices in the same time period and comparing the waveform change trend, wherein the statistical content comprises the size of the uplink flow, the size of the downlink flow and the number of users, and judging that the difference between the sizes of the uplink flow, the downlink flow or the number of users respectively counted by a first DPI device and a second DPI device in the DPI devices is larger than a set threshold value; and
and judging the corresponding relation between the protocol libraries of the DPI devices according to the application protocol ID and the application protocol description which can be identified in the same time period and reported by each of the DPI devices, and judging that the first DPI device in the DPI devices cannot identify the application protocol description which can be identified by the second DPI device.
Optionally, the output unit 404 is configured to:
and outputting the obtained difference of the flow analysis capability of the plurality of DPI devices locally or to other devices.
Based on the same inventive concept, referring to fig. 5, an embodiment of the present application further provides a DPI device 500, including: a receiving unit 501 and a transmitting unit 502, wherein:
a receiving unit 501, configured to receive a report content of traffic analysis information notified by a coordinating device, where the coordinating device is configured to analyze traffic analysis capabilities of a plurality of DPI devices including the DPI device 500;
a sending unit 502, configured to report the traffic analysis information including the report content to the coordinating device.
Optionally, the content reported by the traffic analysis information includes: starting time and ending time of flow detection; the unique identification ID and the application protocol description of the identified application protocol; and counting the uplink flow, the downlink flow and the user number.
Optionally, the sending unit 502 is further configured to report, to the coordinating device, a time calculation granularity supported by the sending unit;
the receiving unit 501 is further configured to receive a reporting period of the traffic analysis information notified by the coordinating device after the sending unit 502 reports the time calculation granularity supported by itself to the coordinating device;
the sending unit 502 is further configured to report traffic analysis information to the coordinating device periodically according to the reporting period received by the receiving unit 501.
Based on the same inventive concept, referring to fig. 6, an embodiment of the present application further provides another coordination device 600, where the coordination device 600 is configured to analyze traffic analysis capabilities of a plurality of deep packet inspection DPI devices, the coordination device 600 includes a transceiver 601, a processor 602, and a bus 603, and both the transceiver 601 and the processor 602 are connected to the bus 603, where the processor 602 is configured to invoke a set of programs, so that the coordination device 600 executes the method shown in fig. 2.
Preferably, the coordinating device 600 further comprises a memory 604, wherein the memory 604 is used for storing the program called by the processor.
The processor 602 may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP.
The processor 602 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The aforementioned PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
The memory 604 may include a volatile memory (RAM), such as a random-access memory (RAM); the memory 604 may also include a non-volatile memory (english: non-volatile memory), such as a flash memory (english: flash memory), a hard disk (english: hard disk drive, abbreviated: HDD) or a solid-state drive (english: SSD); the memory 604 may also comprise a combination of the above types of memory.
Based on the same inventive concept, referring to fig. 7, an embodiment of the present application further provides another DPI device 700, which includes a transceiver 701, a processor 702, and a bus 703, where the transceiver 701 and the processor 702 are both connected to the bus 703, where the processor 702 is configured to call a set of programs, so that the DPI device 700 executes the method shown in fig. 2.
Preferably, DPI device 700 further comprises a memory 704, where memory 704 is used to store programs called by processor 702.
The processor 702 may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP.
The processor 702 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The aforementioned PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
The memory 704 may include a volatile memory (RAM), such as a random-access memory (RAM); the memory 704 may also include a non-volatile memory (english: non-volatile memory), such as a flash memory (english: flash memory), a hard disk (english: hard disk drive, abbreviated: HDD) or a solid-state drive (english: SSD); the memory 704 may also comprise a combination of the above types of memory.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to encompass such modifications and variations.
Claims (12)
1. A method for determining a difference in traffic analysis capabilities, comprising:
the coordination equipment for analyzing the flow analysis capability of the Deep Packet Inspection (DPI) equipment notifies the DPI equipment of the reported content of flow analysis information;
after notifying the reported content of the traffic analysis information, the coordinating device receives the traffic analysis information which is reported by the DPI devices and contains the reported content;
the coordination equipment analyzes the received flow analysis information reported by the DIP equipment to obtain the difference of the flow analysis capability of each DPI equipment in the DPI equipment;
and the coordination equipment outputs the obtained difference of the flow analysis capability of each DPI equipment in the plurality of DPI equipment.
2. The method of claim 1, wherein the reporting of the traffic analysis information at least comprises: starting time and ending time of flow detection; the unique identification ID and the application protocol description of the identified application protocol; and counting the uplink flow, the downlink flow and the user number.
3. The method of claim 1 or 2, further comprising:
the coordination equipment respectively receives self-supported time calculation granularity reported by the DPI equipment; and
calculating granularity according to the received time supported by each DPI device, and determining a reporting period of the flow analysis information by combining a statistical time interval configured in advance by the coordination device;
and the coordination equipment informs the plurality of DPI equipment of the reporting period of the flow analysis information.
4. The method of claim 2, wherein analyzing, by the coordinating device, the received traffic analysis information reported by the DPI devices to obtain a difference in traffic analysis capabilities of the DPI devices comprises:
the coordination device judges the similarity of statistical contents of each DPI device in the DPI devices in the same time period and compares the waveform change trend, wherein the statistical contents comprise the size of the uplink flow, the size of the downlink flow and the number of users, and the difference between the sizes of the uplink flow, the size of the downlink flow or the number of users counted by a first DPI device and a second DPI device in the DPI devices is judged to be larger than a set threshold value;
and the coordination equipment judges the corresponding relation between the protocol libraries of the DPI equipment according to the application protocol ID and the application protocol description which can be identified in the same time period and reported by each DPI equipment in the DPI equipment, and judges that the first DPI equipment in the DPI equipment can not identify the application protocol description which can be identified by the second DPI equipment.
5. The method of claim 1, 2, or 4, wherein the coordinating device outputs the obtained difference in the flow analysis capabilities of the number of DPI devices, comprising:
the coordinating device outputs the obtained difference in the flow analysis capability of the plurality of DPI devices locally or to other devices.
6. A coordination device, configured to analyze traffic analysis capabilities of a plurality of Deep Packet Inspection (DPI) devices, the coordination device comprising:
a notification unit, configured to notify the plurality of DPI devices of the reported content of the traffic analysis information;
a receiving unit, configured to receive, after the notifying unit notifies the reported content of the traffic analysis information, the traffic analysis information including the reported content, which is reported by the DPI devices;
the analysis unit is used for analyzing the traffic analysis information reported by the DIP equipment and received by the receiving unit to obtain the difference of traffic analysis capability of each DPI equipment in the DPI equipment;
and the output unit is used for outputting the difference of the flow analysis capability of each DPI equipment in the plurality of DPI equipment, which is obtained by the analysis unit.
7. The coordinating device of claim 6, wherein the reporting of the traffic analysis information comprises at least: starting time and ending time of flow detection; the unique identification ID and the application protocol description of the identified application protocol; and counting the uplink flow, the downlink flow and the user number.
8. The coordinating device of claim 6 or 7, wherein the receiving unit is further configured to receive the self-supported time computation granularities reported by the DPI devices respectively;
the coordinating device further comprises:
a determining unit, configured to calculate a granularity according to time supported by each DPI device received by the receiving unit, and determine a reporting period of the traffic analysis information in combination with a statistical time interval preconfigured by the coordinating device;
the notifying unit is further configured to notify the plurality of DPI devices of the reporting period of the traffic analysis information determined by the determining unit.
9. The coordinating device of claim 8, wherein the analysis unit is to:
judging the similarity of the statistical content of each DPI device in the DPI devices in the same time period and comparing the waveform change trend, wherein the statistical content comprises the size of the uplink flow, the size of the downlink flow and the number of users, and judging that the difference between the sizes of the uplink flow, the downlink flow or the number of users respectively counted by a first DPI device and a second DPI device in the DPI devices is larger than a set threshold value; and
and judging the corresponding relation between the protocol libraries of the DPI devices according to the application protocol ID and the application protocol description which can be identified in the same time period and reported by each of the DPI devices, and judging that the first DPI device in the DPI devices cannot identify the application protocol description which can be identified by the second DPI device.
10. The coordinating device of claim 6, 7 or 9, wherein the output unit is to:
and outputting the obtained difference of the flow analysis capability of the plurality of DPI devices locally or to other devices.
11. A coordinating device for analyzing traffic analysis capabilities of a plurality of deep packet inspection, DPI, devices, comprising a transceiver, a processor and a bus, each connected to the bus, wherein the processor is configured to invoke a set of programs to cause the coordinating device to perform the method according to any of claims 1-5.
12. The coordinating device of claim 11, further comprising a memory to store a program called by the processor.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610143797.XA CN107196815B (en) | 2016-03-14 | 2016-03-14 | Method and equipment for determining difference of flow analysis capacity |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610143797.XA CN107196815B (en) | 2016-03-14 | 2016-03-14 | Method and equipment for determining difference of flow analysis capacity |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107196815A CN107196815A (en) | 2017-09-22 |
| CN107196815B true CN107196815B (en) | 2020-06-16 |
Family
ID=59870618
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610143797.XA Active CN107196815B (en) | 2016-03-14 | 2016-03-14 | Method and equipment for determining difference of flow analysis capacity |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107196815B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111783804B (en) * | 2019-04-04 | 2023-11-24 | 中国移动通信集团上海有限公司 | Abnormal ticket determining method, device, equipment and storage medium |
| CN113572700A (en) * | 2020-04-29 | 2021-10-29 | 厦门网宿有限公司 | Flow detection method, system, device and computer readable storage medium |
| CN112039731B (en) * | 2020-11-05 | 2021-01-01 | 武汉绿色网络信息服务有限责任公司 | DPI (deep packet inspection) identification method and device, computer equipment and storage medium |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2008046326A1 (en) * | 2006-10-18 | 2008-04-24 | Huawei Technologies Co., Ltd. | A method and system for network service controlling |
| CN101286937A (en) * | 2008-05-16 | 2008-10-15 | 华为技术有限公司 | Network flow control method, device and system |
| CN101715182A (en) * | 2009-11-30 | 2010-05-26 | 中国移动通信集团浙江有限公司 | Method, system and device for controlling traffic |
| CN101882999A (en) * | 2009-05-08 | 2010-11-10 | 中兴通讯股份有限公司 | Management method and system of business identification network based on deep packet inspection equipment |
| CN103248528A (en) * | 2012-02-10 | 2013-08-14 | 上海戴德网络科技有限公司 | Network flow detecting method based on ant colony optimization and layered DPI (deep packet inspection) |
| CN103684803A (en) * | 2013-12-11 | 2014-03-26 | 中国联合网络通信集团有限公司 | Flow collecting device and system and method for directional flow accounting |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8284662B2 (en) * | 2007-03-06 | 2012-10-09 | Ericsson Ab | Flexible, cost-effective solution for peer-to-peer, gaming, and application traffic detection and treatment |
-
2016
- 2016-03-14 CN CN201610143797.XA patent/CN107196815B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2008046326A1 (en) * | 2006-10-18 | 2008-04-24 | Huawei Technologies Co., Ltd. | A method and system for network service controlling |
| CN101286937A (en) * | 2008-05-16 | 2008-10-15 | 华为技术有限公司 | Network flow control method, device and system |
| CN101882999A (en) * | 2009-05-08 | 2010-11-10 | 中兴通讯股份有限公司 | Management method and system of business identification network based on deep packet inspection equipment |
| CN101715182A (en) * | 2009-11-30 | 2010-05-26 | 中国移动通信集团浙江有限公司 | Method, system and device for controlling traffic |
| CN103248528A (en) * | 2012-02-10 | 2013-08-14 | 上海戴德网络科技有限公司 | Network flow detecting method based on ant colony optimization and layered DPI (deep packet inspection) |
| CN103684803A (en) * | 2013-12-11 | 2014-03-26 | 中国联合网络通信集团有限公司 | Flow collecting device and system and method for directional flow accounting |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107196815A (en) | 2017-09-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9900790B1 (en) | Prediction of performance indicators in cellular networks | |
| US9571334B2 (en) | Systems and methods for correlating alarms in a network | |
| US20170364819A1 (en) | Root cause analysis in a communication network via probabilistic network structure | |
| US20130207801A1 (en) | Approach for prioritizing network alerts | |
| US11604991B2 (en) | Multi-domain service assurance using real-time adaptive thresholds | |
| EP3314762B1 (en) | Adaptive filtering based network anomaly detection | |
| US9189738B2 (en) | Automatic event analysis | |
| CN109918279B (en) | Electronic device, method for identifying abnormal operation of user based on log data and storage medium | |
| CN107196815B (en) | Method and equipment for determining difference of flow analysis capacity | |
| CN109889512B (en) | Charging pile CAN message abnormity detection method and device | |
| US9936409B2 (en) | Analyzing and classifying signaling sets or calls | |
| JP2020512631A (en) | Automated decision making using stepwise machine learning | |
| CN115038088B (en) | Intelligent network security detection early warning system and method | |
| US20210359899A1 (en) | Managing Event Data in a Network | |
| US11054815B2 (en) | Apparatus for cost-effective conversion of unsupervised fault detection (FD) system to supervised FD system | |
| CN114697618A (en) | Building control method and system based on mobile terminal | |
| WO2019149143A1 (en) | Link bandwidth utilization rate acquisition method and device, and terminal | |
| CN109976986B (en) | Abnormal equipment detection method and device | |
| CN113204692A (en) | Method and device for monitoring execution progress of data processing task | |
| CN109462510B (en) | CDN node quality evaluation method and device | |
| CN107517474B (en) | Network analysis optimization method and device | |
| WO2016206241A1 (en) | Data analysis method and apparatus | |
| CN115905450A (en) | Unmanned aerial vehicle monitoring-based water quality abnormity tracing method and system | |
| US20140136699A1 (en) | Method and apparatus of establishing computer network monitoring criteria | |
| EP3706048A1 (en) | Anomaly prediction in an industrial system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |