CN115442139A - Multilayer network topology relation construction method and system for local area network - Google Patents


Publication number: CN115442139A
Authority: CN (China)
Prior art keywords: service, network, local area, area network, access
Legal status: Granted
Application number: CN202211073999.3A
Other languages: Chinese (zh)
Other versions: CN115442139B (en)
Inventors: 陆余良, 杨国正, 张永恒, 刘京菊, 卢灿举, 钟晓峰, 罗智昊
Current assignee: National University of Defense Technology
Original assignee: National University of Defense Technology
Events:
    • Application filed by National University of Defense Technology
    • Priority to CN202211073999.3A
    • Publication of CN115442139A
    • Application granted
    • Publication of CN115442139B
    • Current legal status: Active

Classifications

    • H04L 63/1425 Traffic logging, e.g. anomaly detection (under H04L 63/00 Network architectures or network communication protocols for network security › 63/14 for detecting or protecting against malicious traffic › 63/1408 by monitoring network traffic)
    • H04L 41/12 Discovery or management of network topologies (under H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks)
    • H04L 43/04 Processing captured monitoring data, e.g. for logfile generation (under H04L 43/00 Arrangements for monitoring or testing data switching networks)

Abstract

The invention discloses a multilayer network topological relation construction method and a multilayer network topological relation construction system for a local area network, wherein the method comprises the following steps: acquiring local area network data; aggregating LAN data to generate a LAN topology relation; the local area network topological relation comprises a first network and a second network; and combining the first network and the second network to generate a topological structure diagram of the three-layer network situation. The invention provides a method for comprehensively representing the running state of a local area network from three layers; the physical equipment layer topology is used for analyzing the interconnection and intercommunication condition, and the service application layer topology is used for monitoring the operation state of a service system; the user role layer topology is used for constructing the relationship between user accounts and providing an important support function for network security situation analysis and assistant decision making.

Description

Multilayer network topology relation construction method and system for local area network
Technical Field
The invention relates to the field of network security situation awareness, in particular to a method and a system for constructing a multilayer network topology relation facing a local area network.
Background
In the field of network security situation awareness, to better depict the operating state of a user's local area network, related products take the network topology as the background and generate the network security situation by gathering information acquired by devices such as firewalls, intrusion detection, traffic monitoring, honeynets and honeypots, and vulnerability scanners, together with the operation logs of terminals and servers, so as to support the security operation and maintenance of the network.
Current network topology information acquisition and analysis mainly targets the interconnection level of network equipment: configuration and routing information in routers and switches is obtained through authorization, and the internal topology of the whole protected network is described from it. From the perspective of analyzing intra-domain routing protocols, related research has achieved topology discovery based on the OSPF protocol [1-4] and on the IS-IS protocol [5].
Because of the hierarchical design of the network itself, and because different users form different association relationships within it, a topology based solely on the network device interconnection layer has significant limitations in representing the network security situation, mainly in that:
(1) The service association relationships formed between network application systems on the basis of data traffic cannot be represented. Service systems in a network differ greatly with the business of the organization that runs it; a campus network, for example, may include a student status management system, a course selection system, a smart classroom system, a security management system, and various sites and forums for organizing student activities. Besides being interconnected by routing and switching equipment at the network layer, these service systems and their client software establish logical connections determined by the nature of each service, and monitoring and analyzing the working state and association relationships of the service systems at the traffic layer provides important data for their secure operation and maintenance and for threat early warning.
(2) The interpersonal association relationships formed between network users through service access and communication cannot be represented. A person usually holds several virtual user roles while using the network; these roles appear as account numbers or identity IDs in the various service systems, mailboxes, forums and instant messaging tools, and the roles of different individuals become associated with each other through service access. Current situation generation lacks the acquisition and analysis of such information, which is a great disadvantage when analyzing abnormal user behavior and associated user accounts.
(3) Once abnormal network behavior is discovered, a device-layer-only network topology has insufficient capability for threat association analysis. A network attack event today may use several service systems as springboards and involve several associated user accounts together. For a discovered abnormal behavior, therefore, related-device analysis at the physical device layer is not enough: related service system analysis at the service layer and related account analysis at the user role layer are also needed. Only a multi-layer network topology relationship built for the whole network across these dimensions can provide important support for comprehensive analysis when an anomaly occurs.
At present, a review of the published literature finds little research on multilayer network topology construction methods for local area networks. The prior art mainly targets the network topology of the physical device layer [6]: it obtains the interconnection state of the network from the routing protocol by analyzing IP network layer messages, and constructs the local area network topology from it. That method is the closest to the discovery of the bottommost network topology in this patent, but it focuses only on the topology formed by the interconnection of physical devices, performs no aggregated analysis of service access relationships or user role information in the network, has a simple overall structure with a single kind of element, and depicts the network topology only at a low-dimensional, single-layer, flat stage.
Fig. 1 shows the most common current discovery scheme for the physical device layer network topology. Its technical realization is that terminal device information in the network is collected and clustered to obtain the subordination relationships among the data; routing information is then acquired from the routing devices and analyzed to obtain the connection relationships between devices; finally the network topology distribution is displayed visually using interactive dynamic web page development technology.
This implementation is widely accepted by developers and users, but it focuses only on the network topology of the physical device layer and cannot describe the whole situation in the local area network in a multi-dimensional, three-dimensional way. Its main shortcomings are: 1. the business association relationships between network application systems based on data flow cannot be represented; 2. the interpersonal association relationships formed between network users through service access and the like cannot be represented; 3. once abnormal network behavior is discovered, a device-layer-only network topology has insufficient threat association analysis capability. The resulting network topology is therefore flat and single-layered, and cannot effectively meet the needs of network security situation awareness.
References:
[1] Zhou Yang, Xu Qing, Luo Xiangyang, et al. Research on the concept of network space mapping and its technology system [J]. Computer Science, 2018, 45(5): 7.
[2] Li Nan. Network topology optimization detection and identification method research [D]. Electronic Science and Technology University, 2018.
[3] Huachao. Internet network topology discovery method research [D]. Wuhan University, 2017.
[4] Zhou Changjian, Xing Jinge, Liu Haibo. Network layer topology discovery algorithms with converged multiprotocols study [J]. Computer Science, 2017(S1): 5.
[5] Zhao Yifang, Zhang Dongmei. A network topology discovery algorithm that is resistant to route spoofing [J]. 2017(7).
[6] Once Min, Ui Huang Yu, Luo Yu, et al. Local area network topology auto discovery method: CN111865684A [P]. 2020.
Disclosure of Invention
The invention provides a multilayer network topology relationship construction method facing a local area network, which comprises the following steps:
acquiring local area network data;
aggregating LAN data to generate a LAN topology relation;
the local area network topological relation comprises a first network and a second network;
and combining the first network and the second network to generate a topological structure diagram of the three-layer network situation.
Further, the local area network data includes: local area network physical equipment data, local area network service system data and local area network user data;
the aggregating LAN data to generate a LAN topology relationship, including:
drawing a physical equipment layer network topology by using local area network physical equipment data;
drawing a service application layer network topology by using the data of the local area network service system;
drawing a user role layer network topology by using local area network user data;
aggregating a physical device layer network topology and a service application layer network topology to generate a first network;
and aggregating the service application layer network topology and the user role layer network topology to generate a second network.
Furthermore, a plurality of service systems are arranged in the local area network;
the service application layer network topology comprises a plurality of system-to-system relationships and a plurality of system-to-node relationship sets;
the local area network service system data comprises service system basic information and a system access log;
the drawing of the service application layer network topology by using the local area network service system data comprises the following steps:
generating and obtaining a service system node according to the basic information of the service system;
generating an access node according to the system access log;
judging the access relation between any two service systems to obtain a system access judgment result;
when the system access judgment result shows that the access relationship exists, connecting service system nodes corresponding to the two service systems to obtain the relationship between the systems;
and determining any service system and the corresponding access node, and connecting the corresponding service system node and the corresponding access node to obtain the relationship between the system and the node.
Further, determining the access relationship between any two service systems to obtain the system access determination result includes:
judging whether an access interface exists between the two service systems; if so, judging that the two service systems have an access relationship;
if no access interface exists, judging whether a function call exists between the two service systems; if so, judging that the two service systems have an access relationship;
if no function call exists, judging whether an access link exists between the interfaces of the two service systems; if so, judging that the two service systems have an access relationship.
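As an added illustration that is not code from the patent, the following Python sketch builds the service application layer topology just described from constructed basic information and a constructed access log. The field names `interfaces`, `calls` and `links`, the log line format and all names and addresses are assumptions standing in for the evidence the text checks.

```python
import re
from dataclasses import dataclass

# Constructed basic information for four service systems (not from the patent).
# "interfaces", "calls" and "links" are hypothetical field names holding the
# three kinds of evidence the text checks in order: an access interface, a
# function call, an access link from this system to another.
SYSTEM_INFO = {
    "course_selection": {"ip": "10.0.1.10", "interfaces": {"student_info"},
                         "calls": set(), "links": set()},
    "student_info":     {"ip": "10.0.1.11", "interfaces": set(),
                         "calls": set(), "links": set()},
    "campus_forum":     {"ip": "10.0.1.12", "interfaces": set(),
                         "calls": {"student_info"}, "links": {"course_selection"}},
    "smart_classroom":  {"ip": "10.0.1.13", "interfaces": set(),
                         "calls": set(), "links": set()},
}

# Constructed system access log: "<timestamp> <system> <client ip> <account> <request>".
ACCESS_LOG = """\
2022-09-01T08:00:01 course_selection 10.0.5.21 stu001 GET /select
2022-09-01T08:00:03 course_selection 10.0.5.22 stu002 GET /select
2022-09-01T08:01:10 campus_forum 10.0.5.21 stu001 POST /thread
2022-09-01T08:02:00 student_info 10.0.6.7 admin01 GET /records
2022-09-01T08:02:30 unknown_system 10.0.6.7 admin01 GET /
this line is malformed and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<system>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<account>\S+) (?P<req>.+)$"
)


@dataclass
class ServiceTopology:
    system_nodes: dict   # system name -> IP address
    access_nodes: dict   # (system, client ip) -> accounts seen on that node
    system_edges: dict   # (system a, system b) -> evidence for the relation
    node_edges: set      # (system, (system, client ip))


def access_relation(a, b, info):
    """System-to-system check in the order the text gives: access interface,
    then function call, then access link.  Returns (exists, evidence)."""
    for evidence, key in (("interface", "interfaces"), ("call", "calls"), ("link", "links")):
        if b in info[a][key]:
            return True, evidence
    return False, None


def parse_access_log(log_text):
    """Generate access nodes from the log: one node per (system, client ip)."""
    nodes = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue          # malformed line: skip rather than abort
        nodes.setdefault((m["system"], m["ip"]), set()).add(m["account"])
    return nodes


def build_service_topology(info, log_text):
    system_nodes = {name: rec["ip"] for name, rec in info.items()}
    access_nodes = parse_access_log(log_text)
    system_edges = {}
    for a in info:
        for b in info:
            if a != b:
                exists, evidence = access_relation(a, b, info)
                if exists:
                    system_edges[(a, b)] = evidence
    # Each access node is connected to the service system it accessed; a log
    # entry for a system that has no basic information yields no edge.
    node_edges = {(key[0], key) for key in access_nodes if key[0] in system_nodes}
    return ServiceTopology(system_nodes, access_nodes, system_edges, node_edges)
```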
Furthermore, a plurality of service account numbers are arranged in the service system;
the user role layer network topology comprises a plurality of first account relations and a plurality of second account relations;
the drawing of the user role layer network topology by using the local area network user data comprises the following steps:
judging the relevance of any plurality of business accounts in the same business system to obtain the same-system relevance judgment result;
when the same-system correlation judgment result is "correlated", connecting those business accounts to obtain a first account relationship;
judging the correlation of any two service accounts in different service systems to obtain the inter-system correlation judgment result;
and when the inter-system correlation judgment result is "correlated", connecting the two service accounts to obtain a second account relationship.
Furthermore, the service system has a plurality of service system attributes, and service system attributes are combined to form service attribute information;
judging the relevance of any plurality of business accounts in the same business system to obtain the same-system relevance judgment result includes:
selecting a plurality of service system attributes and combining them to form a service attribute information combination;
judging whether the service attribute information combination is a correct combination;
when the judgment result is that it is a correct combination:
presetting an intra-system association threshold L, and acquiring the number of service accounts corresponding to each item of service attribute information;
when the ratio of the number of service accounts corresponding to a certain item of service attribute information in the combination to the total number of service accounts is less than or equal to L, those service accounts are related, and the same-system correlation judgment result is "correlated";
judging whether the service attribute information combination is a correct combination includes:
judging whether the service attribute information in the combination contains a mutually exclusive attribute;
when none exists, judging whether the number of service accounts corresponding to each item of service attribute information is larger than 1;
when one exists, judging whether the total number of service accounts corresponding to all the service attribute information is the same as the number of service accounts in the service system;
if the result is the same, judging that the combination is a correct combination;
judging the correlation of any two service accounts in different service systems to obtain the inter-system correlation judgment result includes:
judging whether the two service systems have partially identical service system attributes;
when they do, presetting an association attribute, where the association attribute is part or all of the service system attributes that are identical in the two service systems;
finding, in each of the two service systems, the service account related to the association attribute;
presetting an association attribute threshold M and service system attribute weights, and assigning values to the service system attributes in advance;
and when the product of each attribute value in the association attribute and its attribute weight is greater than or equal to M, the two service accounts are related, and the inter-system correlation judgment result is "correlated".
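The two correlation checks above (same-system with threshold L, inter-system with weights and threshold M), as an added Python example that is not part of the patent. The account data and attribute names are constructed; the reading of a "mutually exclusive attribute" as one whose values partition the accounts, and of the weighted test as a weighted sum of match indicators compared with M, are assumptions.

```python
from itertools import combinations

# Constructed accounts (not from the patent): account -> attribute values.
# Account names, attribute names and values are hypothetical.
COURSE_ACCOUNTS = {
    "cs_stu001": {"class": "CS-1", "dorm": "B12", "student_id": "20220001", "phone": "13800000001"},
    "cs_stu002": {"class": "CS-1", "dorm": "B12", "student_id": "20220002", "phone": "13800000002"},
    "cs_stu003": {"class": "CS-2", "dorm": "B12", "student_id": "20220003", "phone": "13800000003"},
    "cs_stu004": {"class": "CS-2", "dorm": "C03", "student_id": "20220004", "phone": "13800000004"},
    "cs_stu005": {"class": "CS-2", "dorm": "C03", "student_id": "20220005", "phone": "13800000005"},
    "cs_stu006": {"class": "CS-3", "dorm": "C03", "student_id": "20220006", "phone": "13800000006"},
}
FORUM_ACCOUNTS = {
    "forum_alice": {"student_id": "20220001", "phone": "13800000001", "email": "a@example.edu"},
    "forum_bob":   {"student_id": "20220002", "phone": "13900000000", "email": "b@example.edu"},
    "forum_eve":   {"student_id": "20229999", "phone": "13800000003", "email": "e@example.edu"},
}


def group_by_attribute(accounts, attr):
    """Map each value of `attr` (one item of service attribute information)
    to the set of accounts carrying that value."""
    groups = {}
    for acct, attrs in accounts.items():
        if attr in attrs:
            groups.setdefault(attrs[attr], set()).add(acct)
    return groups


def is_correct_combination(accounts, attrs, exclusive):
    """Validity check on a chosen attribute combination.  `exclusive` names the
    mutually exclusive attributes (assumed meaning: every account holds exactly
    one value, so the per-value counts must add up to the system's account
    total).  For other attributes every value group must hold more than one
    account, otherwise the attribute can relate nothing."""
    for attr in attrs:
        sizes = [len(g) for g in group_by_attribute(accounts, attr).values()]
        if attr in exclusive:
            if sum(sizes) != len(accounts):
                return False
        elif not sizes or any(s <= 1 for s in sizes):
            return False
    return True


def same_system_relations(accounts, attrs, L, exclusive=frozenset()):
    """Account pairs related inside one system: the pair shares a value of some
    attribute in the combination, and that value's group is at most fraction L
    of all accounts (a small shared group is a meaningful tie, a huge one is not)."""
    if not is_correct_combination(accounts, attrs, exclusive):
        return set()
    total = len(accounts)
    related = set()
    for attr in attrs:
        for group in group_by_attribute(accounts, attr).values():
            if len(group) / total <= L:
                related.update(frozenset(p) for p in combinations(sorted(group), 2))
    return related


def shared_attributes(acc_a, acc_b):
    """Attributes present in both systems: the precondition for the cross check."""
    def names(accs):
        return set().union(*(set(v) for v in accs.values()))
    return names(acc_a) & names(acc_b)


def cross_system_relations(acc_a, acc_b, assoc_attrs, weights, M):
    """(account in A, account in B, score) triples judged related across systems.
    Assumed reading of the weighted test: each association attribute scores its
    weight when both accounts carry the same value and 0 otherwise, and the
    total must reach the threshold M."""
    related = []
    for a, attrs_a in acc_a.items():
        for b, attrs_b in acc_b.items():
            score = sum(weights[attr] for attr in assoc_attrs
                        if attr in attrs_a and attr in attrs_b and attrs_a[attr] == attrs_b[attr])
            if score >= M:
                related.append((a, b, score))
    return related
```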
Further, aggregating the physical device layer network topology and the service application layer network topology to generate the first network includes:
obtaining the IP address of each service system node and each access node of the service application layer;
when a service system node or an access node has the same IP address as a certain physical device in the physical device layer, connecting that service system node or access node with the physical device;
and after all service system nodes and access nodes have been connected with physical devices, obtaining the first network.
Further, aggregating the service application layer network topology and the user role layer network topology to generate the second network includes:
obtaining the IP address corresponding to each service account in a certain service system and the IP address corresponding to each access node of that service system;
connecting each service account in the user role layer with the access node in the service application layer that has the same IP address;
and after the service accounts in all service systems have been connected with access nodes, obtaining the second network.
Further, after aggregating the physical device layer network topology and the service application layer network topology to generate the first network, the method further includes:
judging whether two physical devices each host a service system and whether traffic beyond the normal range exists between the two physical devices;
and if so, updating the service application layer network topology according to the access relationship between the two corresponding service systems.
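An added Python illustration, not the patent's own code, of how the first and second networks are joined by IP matching and of the traffic trigger that re-checks a service pair. Every IP, MAC, account name and traffic figure is constructed, and the `has_relation` callback stands in for whatever access relation check the caller uses.

```python
# Constructed sample layers (not from the patent); every IP, MAC, account name
# and traffic figure here is hypothetical.
DEVICES = {                       # physical device layer: ip -> mac and basic info
    "10.0.1.10": {"mac": "aa:bb:cc:00:00:10", "info": "server (course selection)"},
    "10.0.1.11": {"mac": "aa:bb:cc:00:00:11", "info": "server (student info)"},
    "10.0.5.21": {"mac": "aa:bb:cc:00:05:21", "info": "lab pc"},
    "10.0.0.1":  {"mac": "aa:bb:cc:00:00:01", "info": "core router"},
}
SERVICE_NODES = {"course_selection": "10.0.1.10", "student_info": "10.0.1.11",
                 "campus_forum": "10.0.1.12"}        # forum host missing from device data
ACCESS_NODES = {("course_selection", "10.0.5.21"), ("course_selection", "10.0.5.99"),
                ("student_info", "10.0.5.21")}
ACCOUNTS = {                      # user role layer: (system, account) -> IP it was seen from
    ("course_selection", "stu001"): "10.0.5.21",
    ("student_info", "stu001"): "10.0.5.21",
    ("student_info", "admin01"): "10.0.6.7",
}
SERVICE_EDGES = {("course_selection", "student_info")}
TRAFFIC = {("10.0.1.10", "10.0.1.11"): 9_500_000,   # bytes observed between device pairs
           ("10.0.5.21", "10.0.1.10"): 120_000}
NORMAL_MAX = 5_000_000            # ceiling of the "normal range" for a device pair


def build_first_network(devices, service_nodes, access_nodes):
    """Inter-layer edges from service system nodes and access nodes to the
    physical device with the same IP.  Nodes with no physical counterpart are
    returned separately instead of being silently dropped."""
    edges, unmatched = set(), set()
    candidates = [(f"system:{name}", ip) for name, ip in service_nodes.items()]
    candidates += [(f"access:{system}@{ip}", ip) for system, ip in access_nodes]
    for label, ip in candidates:
        if ip in devices:
            edges.add((label, ip))
        else:
            unmatched.add((label, ip))
    return edges, unmatched


def build_second_network(accounts, access_nodes):
    """Edges from each service account to the access node of the same service
    system that carries the same IP address."""
    edges = set()
    for (system, account), ip in accounts.items():
        if (system, ip) in access_nodes:
            edges.add((f"{system}/{account}", f"access:{system}@{ip}"))
    return edges


def hosted_systems(service_nodes):
    """Reverse map: device ip -> service systems hosted on that device."""
    hosted = {}
    for name, ip in service_nodes.items():
        hosted.setdefault(ip, set()).add(name)
    return hosted


def suspicious_service_pairs(service_nodes, traffic, normal_max):
    """Re-check trigger from the text: two devices that each host a service
    system and exchange traffic beyond the normal range name the service pairs
    whose access relation must be re-examined."""
    hosted = hosted_systems(service_nodes)
    pairs = set()
    for (ip_a, ip_b), volume in traffic.items():
        if volume > normal_max and ip_a in hosted and ip_b in hosted:
            pairs.update((sa, sb) for sa in hosted[ip_a] for sb in hosted[ip_b])
    return pairs


def refresh_service_edges(service_edges, pairs, has_relation):
    """Update the service-layer topology for the flagged pairs using the access
    relation check has_relation(a, b) supplied by the caller (hypothetical)."""
    updated = set(service_edges)
    for a, b in pairs:
        if has_relation(a, b):
            updated.add((a, b))
        else:
            updated.discard((a, b))
    return updated
```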
The invention also provides a multilayer network topology relationship construction system facing the local area network, which comprises:
the acquisition module is used for acquiring local area network data;
the aggregation module is used for aggregating the local area network data to generate a local area network topological relation;
the local area network topological relation comprises a first network and a second network;
and the generating module is used for combining the first network and the second network to generate a topology structure diagram of a three-layer network situation.
The invention discloses a method and a system for constructing a multilayer network topology relationship facing a local area network. Taking the depiction of a typical campus network situation as an example, it provides a method for comprehensively representing the running state of the whole campus network from three layers: the physical device layer, the service application layer and the user role layer. The physical device layer topology analyzes the interconnection of network equipment across the campus and serves as the basic support for daily operation and maintenance; the service application layer topology monitors the operating state of the various service systems and the relationships between their service flows at the application layer, so that abnormal access can be found in time; the user role layer topology constructs the access and social communication relationships among the accounts of network users and gives early warning of possible abnormal behavior by related accounts. The method can thus provide important support for network security situation analysis and decision support.
Drawings
Fig. 1 is a flowchart illustrating a physical device layer network topology discovery scheme according to an embodiment of the present invention;
fig. 2 is a schematic flow chart illustrating a method for constructing a multilayer network topology relationship oriented to a local area network according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating a service application layer network topology using undirected connections in an embodiment of the invention;
fig. 4 is a schematic diagram illustrating a service application layer network topology mapped using a directed connection in an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," and the like in the description and claims of the present invention and in the above-described drawings are used for distinguishing between different objects and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, apparatus, product, or apparatus that comprises a list of steps or elements is not limited to those listed but may alternatively include other steps or elements not listed or inherent to such process, method, product, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the invention. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
Hereinafter, some terms in the present application are explained to facilitate understanding by those skilled in the art.
Local area network: refers broadly to a set of Ethernet networks interconnected through a small number of routers and switches; used herein primarily for campus networks, intranets and the like.
Multilayer network: a multi-layer network is composed of a plurality of single-layer networks and possible inter-layer interactions, each layer characterizing a different type and meaning of interaction between nodes or entities. The multilayer network contains different kinds of edges: intra-layer edges (connections between nodes within the same layer) and possibly inter-layer edges (connections between nodes in different layers, their replicas or other nodes).
Network topology: for computer networks, a network topology refers to a layout structure formed by interconnecting various network devices and terminal devices. Broadly speaking, the graph-like structure formed by different types of nodes and connection relationships can be broadly referred to.
Network situation: the current state and the variation trend of the whole network are formed by various network equipment operation states, network behaviors, user behaviors and other factors.
Network security situation awareness: refers to the activities of acquiring, understanding, displaying, and predicting network security elements.
Neo4j database: neo4j is a high-performance NOSQL graph database that stores structured data on the network rather than in tables. It is an embedded, disk-based Java persistence engine with full transactional properties, but it stores structured data on the network (called a graph mathematically) instead of in tables. Neo4j can also be viewed as a high performance graph engine with all the features of a full database.
The invention designs a multilayer network topological relation construction method facing a local area network, which can collect data based on a network protocol and flow detection, define and divide component hierarchies by relying on symbols, depict a three-layer mesh topological structure in the local area network, help network maintenance personnel to further comb a network architecture and refine network management granularity. The method mainly solves the problems that in the prior art, the network topology modeling result is single and flat in structure and sparse in elements. And a three-layer three-dimensional network situation topology model with multiple dimensions, wide semantics and dynamic interaction is provided. The details are described below.
In this embodiment, a method for constructing a multilayer network topology relationship oriented to a local area network includes acquiring local area network data; aggregating the local area network data to generate a local area network topological relation; the local area network topological relation comprises a first network and a second network; combining the first network and the second network to generate a topology structure diagram of a three-layer network situation, as shown in fig. 2:
101. and acquiring local area network physical equipment data, and drawing a physical equipment layer network topology by using the local area network physical equipment data.
In the embodiment of the invention, all data are obtained either by importing data or by collecting data. The method needs to acquire local area network data, which comprises local area network physical device data, local area network service system data and local area network user data. Aggregating the local area network data to generate the local area network topology relationship includes: drawing a physical device layer network topology from the local area network physical device data; drawing a service application layer network topology from the local area network service system data; and drawing a user role layer network topology from the local area network user data.
Acquisition in this application is performed through device information, network information, basic information of service systems, the system access logs (log files) of service systems, public files and the like; user names and similar data of personal accounts can be obtained from the logs, but no password information of personal accounts is needed. How the data is obtained is not limited in this application: for example, it may be obtained after obtaining local area network management rights, or an administrator may provide the corresponding files.
In the embodiment of the invention, the local area network physical equipment data comprises an IP address, an MAC address and basic equipment information (brand, version and the like);
in the embodiment of the invention, the local area network physical equipment data comprises routing information, such as a routing equipment routing list and related configuration information;
in the embodiment of the invention, the local area network physical equipment data also comprises the communication relation among different physical equipment;
Obtaining the local area network physical device data and drawing the physical device layer network topology includes:
acquiring the local area network physical device data and analyzing the physical device layer network data. Analyze the basic information of the physical devices in the local area network, which comprises the IP address, MAC address and basic device information (brand, version, etc.), and establish the information tuple [IP, MAC, Information()] of each physical device node; analyze the routing list and related configuration information of the routing devices, and extract the communication relationships and routing paths between different physical devices from the routing information to obtain link data. Draw the physical device layer network topology by combining the node information tuples with the link data.
It should be noted that, in the present application, the physical devices in the physical device layer are all network devices in the local area network, and include a router, a server, a computer, and the like.
Further, in this application, the local area network physical device data further includes data traffic and data packets between the local area network physical devices.
Other methods of drawing the physical device layer network topology may also be used, such as the scheme shown in fig. 1. In the present application, drawing the physical device layer network topology may also use prior art such as CN105763357A, CN109687989A and CN111865684A.
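Added example, not from the patent: building the [IP, MAC, Information()] node tuples and the link data of the physical device layer from a constructed device inventory and a simplified routing list. The two line formats are assumptions for illustration, not any vendor's routing table output, and every address in them is constructed.

```python
import ipaddress

# Constructed device inventory (not from the patent): "<ip> <mac> <brand> <version> <kind>".
INVENTORY = """\
10.0.0.1 aa:bb:cc:00:00:01 VendorA 1.2 core-router
10.0.0.2 aa:bb:cc:00:00:02 VendorA 1.2 edge-router
10.0.1.10 aa:bb:cc:00:00:10 VendorB 2.0 server
10.0.5.21 aa:bb:cc:00:05:21 VendorC 7.1 pc
"""

# Constructed routing lists, one route per line: "<router ip> <prefix> via <next hop|direct>".
# A simplified stand-in for a real routing table dump, not a vendor format.
ROUTES = """\
10.0.0.1 10.0.1.0/24 via direct
10.0.0.1 10.0.5.0/24 via 10.0.0.2
10.0.0.2 10.0.5.0/24 via direct
10.0.0.2 10.0.1.0/24 via 10.0.0.1
10.0.0.1 192.168.99.0/24 via 10.0.0.9
"""


def parse_inventory(text):
    """Build the node information tuple [IP, MAC, Information()] for each device."""
    nodes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                       # skip malformed lines
        ip, mac, brand, version, kind = parts
        nodes[ip] = (ip, mac.lower(), {"brand": brand, "version": version, "kind": kind})
    return nodes


def parse_routes(text):
    """Return (router ip, prefix, next hop) triples; next hop is None when the
    prefix is directly connected to the router."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "via":
            continue
        router, prefix, hop = parts[0], ipaddress.ip_network(parts[1]), parts[3]
        routes.append((router, prefix, None if hop == "direct" else hop))
    return routes


def extract_links(nodes, routes):
    """Derive link data from the routing information: a next-hop entry links the
    router to the next-hop device, and a directly connected prefix links the
    router to every known device inside that prefix.  Next hops absent from the
    inventory are reported separately so the topology gains no phantom devices."""
    links, unresolved = set(), set()
    for router, prefix, hop in routes:
        if hop is not None:
            if hop in nodes:
                links.add(frozenset((router, hop)))
            else:
                unresolved.add(hop)
            continue
        for ip in nodes:
            if ip != router and ipaddress.ip_address(ip) in prefix:
                links.add(frozenset((router, ip)))
    return links, unresolved


def build_physical_topology(inventory_text, routes_text):
    """Node tuples plus link data: the inputs for drawing the physical device layer."""
    nodes = parse_inventory(inventory_text)
    links, unresolved = extract_links(nodes, parse_routes(routes_text))
    return nodes, links, unresolved
```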
102. And acquiring local area network service system data, and drawing a service application layer network topology by using the local area network service system data.
In the embodiment of the invention, a plurality of service systems are arranged in the local area network, and the data of the local area network service systems comprise basic information of the service systems;
in the embodiment of the invention, the local area network service system data comprises a system access log, wherein the system access log is a log file used for recording the access of a service system;
in the embodiment of the invention, the basic information of the service system is analyzed to obtain the service system node, and the system access log is analyzed to obtain the access node.
Service system node: the aggregation of various service system function modules (part of service systems have sub-modules) is the abstract expression of the service system at a service application layer.
For example, the course selection system node is the service system node corresponding to the course selection service system. In the present application, sub-modules are handled as follows: when a service system has a sub-module (or calls another module) and that sub-module (or called module) can complete an independent service, the corresponding sub-module (or called module) is an independent service system node. If the service of a certain service system is completed entirely by sub-modules or by calling the modules or sub-modules of other service systems, that service system is not regarded as a service system node.
For example, the campus service platform may offer course selection, leave requests and the like; the corresponding course selection system, leave request system and so on are all regarded as separate service system nodes. If every function of the campus service platform is realized by sub-modules or called modules, the campus service platform itself is not regarded as a service system node. When the course selection system is accessed, the student information in the student information management system is read first; the information read at that moment cannot complete the course selection service on its own, so the student information management system called from the course selection system is not regarded as an independent service system node there. When the student information management system is used for student information management, it realizes an independent function and is then an independent service system node. The IP address corresponding to a service system node can be obtained from an administrator or by other means (such as scanning, the nslookup command, the ping command, etc.).
Access node: in the service application layer, the access node is the logical mapping of the user terminal entity device within the access relationship, i.e. the node from which a user accesses a service. In the system access log it is represented by an IP address (at a given time its ID is the IP), so an IP is one of the access nodes of the service system.
Illustratively, the user accesses with client software, i.e. via an access node. If the user can access the mailbox system through a browser and can also access the course selection system through the browser, the browser is the access node. Similarly, if a command line is used for access, the command line tool (such as cmd.) is the access node. These accessing nodes share a common feature: they are attached to an operating system, so in this application an accessing node may be understood as an operating system, and its corresponding label may be an IP address. The mailbox system and the course selection system are service system nodes. For different service system nodes, a certain access node may be the same, i.e. a certain user may access the mailbox system, the course selection system, etc. from the same IP address.
The application draws a service application layer network topology in the following way:
the service application layer network topology comprises a plurality of system-to-system relationships and a plurality of system-to-node relationships. Judging the access relation between any two service systems, and connecting service system nodes corresponding to the two service systems to obtain a system-to-system relation when the two service systems have the access relation; and judging every two service systems in the service application layer to finally obtain a plurality of system-to-system relationships.
And determining any service system and the corresponding access node, and connecting the corresponding service system node and the corresponding access node to obtain a system-node relationship. And connecting all service systems in the service application layer and corresponding access nodes thereof to finally obtain a plurality of system-node relationships.
The access relation between different service systems, i.e. the access relation between one service system node and another, is judged in the following two ways:
Method one: when an access interface or a function call exists between different service systems, they are considered to have an access relation.
the following are exemplary: taking campus network scene as an example, service system node A represents course selection system, service system node B is student information management system, and service system node C is scoring system.
When a student (from a certain access node) accesses the course selection system (an access interface exists between A and B), the course selection system first reads the student information (personal ID and basic personal information) in the student information management system, determines the course selection range of the current student and displays it; at this point A calls B.
After the related courses finish at the end of the term, the credits and completion status of the related courses in the scoring system are updated back to the student information management system; at this point B calls C.
Here, there is an access relation between A and B, but no access relation between B and A; similarly, there is an access relation between B and C, but no access relation between C and B.
Method two: the existence of an "access link" in the interface of one service system pointing to another is also considered an access relation.
The following are exemplary: similarly, taking a campus network scene as an example, a "library service system" homepage or a main interface has a "campus mailbox" link for feeding back related opinions, and such a hyperlink is also considered to have an access relationship, and at this time, an access relationship exists between the "library service system" and the "campus mailbox". And the campus mailbox is not linked with the library service system, so that the campus mailbox and the library service system have no access relation.
If a certain two-dimensional code exists on the homepage or main interface of system A and scanning it with WeChat jumps to system B, then A has an access relation with B, but neither A nor B has an access relation with WeChat.
It should be noted that there is an access interface between different service systems, or there is a function call between different service systems, or there is an "access link" between two service system interfaces, so long as one of the above conditions is satisfied, the access relationship can be determined. The three conditions are not judged in sequence.
The access relation between different service systems is obtained by analyzing the basic information of the corresponding service system. Because different service systems have specific corresponding relations at a physical layer (i.e. the service systems are necessarily arranged on a certain physical device), when two service systems have an access relation, a large amount of data exchange phenomenon exists between the physical devices corresponding to the two service systems, i.e. flow exists.
Therefore, the access relationship between different service systems can be judged through the flow on the physical layer:
the third method comprises the following steps: when two physical devices are respectively provided with service systems and flow exceeding a normal range exists between the two physical devices, an access relation exists between the two service systems.
If different service systems are set on two physical devices and there is no access relationship between the two service systems (i.e. they are unrelated), there is very little traffic between the two physical devices. In the following, wide-area-network service systems are used as an example, from which those skilled in the art can derive the case of service systems in the local area network: Alipay exchanges a large amount of traffic with the physical devices corresponding to Taobao (Taobao corresponds to multiple servers, which are analyzed as a whole), whereas the traffic between Alipay and the physical devices corresponding to WeChat is very small.
It is first determined whether several unrelated service systems exist in the network. If not, all the service systems are related. If so, count all the physical devices on which a service system is installed, count the traffic between every two of these physical devices, and calculate the average value Z of the traffic. When the traffic between two of the physical devices is much larger than the average, that traffic is considered outside the normal range.
An average threshold is preset; when the ratio of the traffic between two physical devices to the average value Z is greater than or equal to the average threshold, the traffic between the two physical devices is determined to be far greater than the average.
When the service application layer network topology is first drawn, only method one and method two are considered. After the physical device layer network topology and the service application layer network topology have been aggregated, the service application layer network topology is updated using method three.
Illustratively, basic information of a service system in the local area network is analyzed, wherein the basic information of the service system comprises a name, a function, a version, a service object, a manufacturer and the like. For example, the basic information of the service system C is as follows: (campus communication, 2.03, all users in the campus network and XX manufacturers), the basic information of the D service system is as follows: (course arrangement system, course arrangement, 1.04, instructor and teacher, and XX manufacturer). The service system basic information also includes its corresponding IP address. The business system basic information also comprises access relations among the business systems.
The present application connects the service system nodes corresponding to two service systems in one of two ways: undirected connection and directed connection.
When the connection is undirected, only whether a relation exists between the service systems is considered: if an access relation exists between service system A and service system B, A and B are connected, and the direction of the relation is not considered.
When the connection is directed, both the existence and the direction of the relation are considered: if a unidirectional access relation exists between service system A and service system B (e.g. A calls B), A and B are connected with a connector carrying a direction symbol (such as a line with an arrowhead). If a one-way access relation exists from the library service system to the campus mailbox, it is marked "library service system → campus mailbox"; if a two-way access relation exists between them, it is marked "library service system ↔ campus mailbox".
The present application determines a service system and its corresponding access nodes as follows: analyze the system access log, find the corresponding access nodes, and connect each access node to the corresponding service system node. For example, for service system A, if the service system access log contains the IPs a, b, c and d, then a, b, c and d are access nodes of A, and each of them is connected to A.
For example, assume that service systems A, B, C, D and E exist in the local area network (A, B, C, D and E are also their service system nodes; the same letter is used for a service system and its service system node, i.e. A is the service system whose service system node is A) and that the access nodes are a, b, c, d and e. Analysis of the service systems shows that A calls B, C and D (i.e. A has an access relation with B, C and D), B calls A, C calls D and E, and E calls A.
Analysis of the logs shows: the access nodes of A are a, b, c; of B, a, c; of C, a, b, c; of D, c, d; and of E, b, c, e.
During drawing, all service system nodes A, B, C, D, E and all access nodes a, b, c, d, e are marked. The access relations among A to E are drawn (i.e. if an access relation exists between two service systems, the corresponding service system nodes are connected to obtain a system-system relation: as A has access relations with B, C and D, A is connected with B, C and D respectively; as C calls D and E, C is connected with D and E respectively; and so on, until every two service system nodes with an access relation are connected). Since the access nodes of A are a, b, c, A is connected with a, b and c respectively, B is connected with a and c, and so on, until all service system nodes are connected with their corresponding access nodes. Undirected connection, directed connection, or both renderings may be used.
When undirected connection is used, duplicate entries must be removed: for example, A joined to B and B joined to A are duplicate content, and one of the two must be deleted; the final result is shown in fig. 3.
When directed connection is used, the direction is marked when the connection is made: for example, when A is connected to B and B is also connected to A, the line between the two is a bidirectional arrow; the final result is shown in fig. 4.
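As an added example (not code from the patent), the following Python builds the service application layer relations of the A to E walkthrough above: the system-system relations in undirected form (with the A-B / B-A duplicate removed) and in directed form (with a bidirectional mark), and the system-node relations extracted from per-system access logs. The call relations, the log lines and the client IP addresses standing in for access nodes a to e are constructed.

```python
"""Service application layer topology from call relations and access logs.
Added example, not code from the patent; the call relations, log lines and
client addresses are constructed to mirror the A..E walkthrough."""
import re

# Constructed result of methods one and two: which service system calls which.
CALLS = {"A": ["B", "C", "D"], "B": ["A"], "C": ["D", "E"], "E": ["A"]}

# Constructed system access logs, one list per service system.  The client IP is
# the access node; 10.0.1.20 .. 10.0.1.24 play the roles of a .. e.
ACCESS_LOGS = {
    "A": ["2022-09-01T08:00:01 10.0.1.20 GET /course/select 200",
          "2022-09-01T08:00:05 10.0.1.21 GET /course/select 200",
          "2022-09-01T08:00:09 10.0.1.22 GET /course/list 200"],
    "B": ["2022-09-01T08:01:00 10.0.1.20 GET /student/me 200",
          "2022-09-01T08:01:03 10.0.1.22 GET /student/me 200"],
    "C": ["2022-09-01T08:02:00 10.0.1.20 POST /score 200",
          "2022-09-01T08:02:01 10.0.1.21 POST /score 200",
          "2022-09-01T08:02:02 10.0.1.22 POST /score 200"],
    "D": ["2022-09-01T08:03:00 10.0.1.22 GET /library 200",
          "2022-09-01T08:03:04 10.0.1.23 GET /library 200"],
    "E": ["2022-09-01T08:04:00 10.0.1.21 GET /mail 200",
          "2022-09-01T08:04:01 10.0.1.22 GET /mail 200",
          "2022-09-01T08:04:02 10.0.1.24 GET /mail 200"],
}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def access_nodes(log_lines):
    """Access nodes of one service system: the distinct client IPs in its access log."""
    nodes = set()
    for line in log_lines:
        m = IP_RE.search(line)
        if m:
            nodes.add(m.group(1))
    return nodes

def system_node_relations(access_logs):
    """System-node relations: (service system node, access node) pairs."""
    return {(system, ip)
            for system, lines in access_logs.items()
            for ip in access_nodes(lines)}

def undirected_system_relations(calls):
    """System-system relations without direction; A-B and B-A collapse to one entry."""
    return {tuple(sorted((src, dst))) for src, dsts in calls.items() for dst in dsts}

def directed_system_relations(calls):
    """System-system relations with direction; calls in both directions become '<->'."""
    arrows = {}
    for src, dsts in calls.items():
        for dst in dsts:
            key = tuple(sorted((src, dst)))
            direction = "->" if (src, dst) == key else "<-"
            if arrows.get(key, direction) != direction:
                arrows[key] = "<->"          # the opposite direction was already seen
            else:
                arrows[key] = direction
    return {f"{a} {d} {b}" for (a, b), d in arrows.items()}
```

Keying each pair by its sorted node names is what performs the duplicate removal of the undirected drawing; the directed variant keeps the same key and only upgrades the arrow when the opposite direction is observed.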
The direction relation between the two service systems can also be judged through the physical layer.
1) Confirm by method three that an access relation exists between the two service systems.
2) Analyze the continuous data packets between the two and calculate the first-sending data ratio.
Analyzing the continuous data packets between the two. In one communication process, a plurality of data packets are continuously transmitted between the two to complete certain communication content, and the time interval between the transmission of the data packets by one party and the reply of the data packets by the other party is very close, namely the data packets are continuous data packets.
In a continuous packet exchange there is always a side that sends first; if A calls B, the physical device corresponding to A sends the request first and B responds, i.e. A is the party sending the data packet first. Counting all data packets, assume that the number of exchanges in which A sends first, $Y_A$, exceeds the number in which B sends first, $Y_B$. Then
first-sending data ratio $= Y_A / (Y_A + Y_B)$.
3) Preset a first packet-ratio threshold $Y_1$ and a second packet-ratio threshold $Y_2$.
When $1 \ge$ first-sending data ratio $\ge Y_1$, A and B have an access relation;
when $Y_1 >$ first-sending data ratio $\ge Y_2$, A and B have an access relation or A and B have a bidirectional access relation;
when $Y_2 >$ first-sending data ratio $\ge 0.5$, A and B have a bidirectional access relation.
The traffic intersection degree between different service systems can be laterally reflected by the directional conduction of the traffic between the service systems within a certain time period; meanwhile, the data information type contained in the flow can reflect the association type between the service systems.
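As an added example (not code from the patent), the following Python carries out method three and the direction judgement above on constructed data: it computes the average traffic Z between all pairs of service-hosting devices and applies the average threshold, then groups a packet trace between two hosts into continuous exchanges, counts $Y_A$ and $Y_B$ from the first sender of each exchange, and classifies the first-sending data ratio against $Y_1$ and $Y_2$. The host addresses, traffic volumes, timestamps and the gap that separates exchanges are all assumptions of the example.

```python
"""Method three (traffic far above the average Z) and the first-sending data
ratio (direction from continuous packets).  Added example, not code from the
patent; hosts, traffic volumes, timestamps and thresholds are constructed."""

# Constructed traffic (bytes) between every pair of physical devices that host a
# service system; keys are sorted (ip, ip) tuples.
TRAFFIC = {
    ("10.0.0.10", "10.0.0.11"): 900,   # hosts of service systems A and B
    ("10.0.0.10", "10.0.0.12"): 50,
    ("10.0.0.10", "10.0.0.13"): 40,
    ("10.0.0.11", "10.0.0.12"): 30,
    ("10.0.0.11", "10.0.0.13"): 600,
    ("10.0.0.12", "10.0.0.13"): 20,
}

# Constructed packet trace between host A (10.0.0.10) and host B (10.0.0.11):
# (timestamp in seconds, src, dst).  Gaps of about 5 s separate the exchanges.
PACKETS = [
    (0.0, "10.0.0.10", "10.0.0.11"), (0.1, "10.0.0.11", "10.0.0.10"), (0.2, "10.0.0.10", "10.0.0.11"),
    (5.0, "10.0.0.10", "10.0.0.11"), (5.1, "10.0.0.11", "10.0.0.10"),
    (10.0, "10.0.0.11", "10.0.0.10"), (10.1, "10.0.0.10", "10.0.0.11"),
    (15.0, "10.0.0.10", "10.0.0.11"), (15.2, "10.0.0.11", "10.0.0.10"),
    (20.0, "10.0.0.10", "10.0.0.11"), (20.1, "10.0.0.11", "10.0.0.10"),
    (25.0, "10.0.0.10", "10.0.0.11"), (25.1, "10.0.0.11", "10.0.0.10"),
]

def average_traffic(traffic):
    """Average value Z of the traffic over all device pairs."""
    return sum(traffic.values()) / len(traffic)

def traffic_access_relations(traffic, avg_threshold):
    """Pairs whose traffic / Z reaches the preset average threshold (method three)."""
    z = average_traffic(traffic)
    return {pair for pair, flow in traffic.items() if flow / z >= avg_threshold}

def count_first_senders(packets, a, b, max_gap=1.0):
    """Y_A and Y_B: how many continuous-packet exchanges each side opened.
    Packets closer together than max_gap seconds belong to the same exchange."""
    counts = {a: 0, b: 0}
    last_t = None
    for t, src, dst in sorted(packets):
        if {src, dst} != {a, b}:
            continue                        # traffic with other hosts is ignored
        if last_t is None or t - last_t > max_gap:
            counts[src] += 1                # first packet of a new exchange
        last_t = t
    return counts

def classify_direction(counts, y1, y2):
    """Apply the Y_1 / Y_2 thresholds to the first-sending data ratio."""
    (first, y_first), (second, y_second) = sorted(
        counts.items(), key=lambda kv: kv[1], reverse=True)
    total = y_first + y_second
    if total == 0:
        return None, 0.0
    ratio = y_first / total                 # >= 0.5 because `first` opened more exchanges
    if ratio >= y1:
        return f"{first} -> {second}", ratio
    if ratio >= y2:
        return f"{first} -> {second} or bidirectional", ratio
    return "bidirectional", ratio
```

The exchange boundary (`max_gap`) and the thresholds are operator settings, as the text says; when tuning them, the first check worth making is whether the ratio moves when `max_gap` is halved or doubled, since a ratio that is stable across gap sizes is much more trustworthy than one that is not.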
103. Acquiring local area network user data, and drawing a user role layer network topology using the local area network user data.
The method comprises the following steps of drawing a user role layer network topology:
a plurality of service account numbers are arranged in the service system;
the user role layer network topology comprises a plurality of first account relations and a plurality of second account relations;
connecting all service account numbers in the system by taking each service system (virtual in a user role layer) as a center;
judging the relationship among any plurality of business accounts in the same business system, and connecting the business accounts to obtain a first account relationship when the business accounts are related; judging the relationship among all the service accounts in the service system, connecting the service accounts, and finally obtaining a plurality of first account relationships;
and judging the relationship between any two service accounts in different service systems, and connecting the two service accounts to obtain a second account relationship when the two service accounts are related. And judging the relationship between two service accounts in any different service systems and connecting to finally obtain a plurality of second account relationships.
Basic Information of the User roles of a service system is acquired and analyzed to form the Information tuple [ID, User, Information()] of each user role; the login logs and service information of the user roles in the service system are obtained, and possible association relations among users are analyzed, including association relations among users within the same service system, possible same-origin relations among users in different service systems who log in from the same access point, and the like.
In the campus network, student A uses the course selection system and the library system, with ID 0001; the information tuple of this user role is [0001, A, course selection & library, etc.].
In the embodiment of the invention, the local area network user data comprises a service account number in a service system, and the service system comprises a service system attribute.
The service account is used to log in to a service system. One service system comprises a plurality of service accounts: for example, if 20 students are in the course selection system, the course selection system has a plurality of service accounts, namely those 20, all belonging to the network class. The service account is embodied as the ID in the service system access log. The service account is obtained through the service system access log or from the service system administrator; at the same time, the IP address corresponding to the service account can be obtained.
It should be noted that the name and similar fields are used only as examples in this application; in many service systems the name and the like cannot be obtained from the system access log, but that does not mean they are unavailable in all systems. The present application selects some service systems as examples, and those skilled in the art will understand that this can be extended by analogy: for example, a "name" may correspond to a "registration name" or "user", and an age may correspond to a "registration time", and so on.
The service system and its service involve a plurality of attributes, namely the service system attributes, which are obtained by an operator analyzing the service system; each service account corresponds to some or all of these attributes. Suppose the A service system contains the attributes $\{a_{11}, a_{12}, a_{13} \dots a_{1l}, a_{21}, a_{22}, a_{23} \dots a_{2m} \dots a_{i1}, a_{i2}, a_{i3} \dots a_{ip}, b_1, b_2, b_3 \dots b_n\}$, where i, l, m, n and p are positive integers.
A service account a (user a) under the A service system has the attributes $b_1, b_2, b_3 \dots b_j$, where $j \le n$; then any one of $b_1, b_2, b_3 \dots b_j$, or any combination of them, is service attribute information of user a.
The service system attributes behave differently in different service systems, such as in school news communications, "friends" is one of their service system attributes, such as in forums, "focus" is one of their service system attributes.
In the service system, the authority of the user also belongs to the attribute of the service system, such as an administrator, a common member and the like. The login IP is also one of the service system attributes.
For example, the course selection system includes the person's name, class, all course names, etc. Suppose service account a (i.e. user a) belongs to network class one and has selected advanced mathematics, English, computer network …, and user b belongs to network class two and has selected advanced mathematics, English, computer network …. The service system attributes corresponding to user a are "a, network class one, advanced mathematics, English, computer network …", and the service attribute information can be "network class one", or "advanced mathematics", or "network class one, advanced mathematics, English, computer network", and the like. The service system attributes corresponding to user b are "b, network class two, advanced mathematics, English, computer network …", and the service attribute information may be "network class two", or "advanced mathematics", or "network class two, advanced mathematics, English, computer network", and the like.
Suppose a service system contains the service system attributes $\{a_{11}, a_{12}, a_{13} \dots a_{1l}, a_{21}, a_{22}, a_{23} \dots a_{2m} \dots a_{i1}, a_{i2}, a_{i3} \dots a_{ip}, b_1, b_2, b_3 \dots b_n\}$, where i, l, m, n and p are positive integers.
Here $\{a_{11}, a_{12}, a_{13} \dots a_{1l}\}$, $\{a_{21}, a_{22}, a_{23} \dots a_{2m}\}$ … $\{a_{i1}, a_{i2}, a_{i3} \dots a_{ip}\}$ are several mutual-exclusion attribute groups: the attributes within a group are mutually exclusive, and the attributes of different groups are not. That is, if user X has attribute $a_{11}$, then user X does not have the attributes $a_{12}, a_{13} \dots a_{1l}$; but user X may have $a_{22} \dots a_{i3}$ and so on.
For example, {male, female} is a mutual-exclusion attribute group, and {network class one, network class two …}, {grade one, grade two, grade three …} and {20, 21, 22 … (here, age)} are different mutual-exclusion attribute groups. A user may have the attributes "male, network class one, grade three, 22". A user may not have attributes such as "male, female" (i.e. the user's gender being both male and female).
$\{b_1, b_2, b_3 \dots b_n\}$ are non-mutually-exclusive attributes, i.e. a user may have one or several of them at the same time.
For example, {advanced mathematics, English, computer network …} in the course selection are non-mutually-exclusive attributes: the user can select these courses at the same time.
From $a_{11}, a_{12}, a_{13} \dots a_{1l}, a_{21}, a_{22}, a_{23} \dots a_{2m} \dots a_{i1}, a_{i2}, a_{i3} \dots a_{ip}, b_1, b_2, b_3 \dots b_n$ in the A service system, several service system attributes are selected and combined to form the service attribute information $A_1$ of the A service system; likewise, some further service system attributes are selected and combined (differing from $A_1$; an identical selection would only affect efficiency and has no effect on the judgement of correlation) to form the service attribute information $A_2$ of the A service system; … finally the service attribute information combination $Y = [A_1, A_2, A_3 \dots A_k]$ of the A service system is formed, where $k \ge 1$, and $A_1, A_2, A_3 \dots A_k$ are each service attribute information of the A service system.
The specific service attribute information is determined by the operator. For any service system, the service attribute information in the service attribute information combination needs to satisfy the following conditions:
1) Each service attribute information does not contain the mutual exclusion attribute;
if the service attribute information contains the mutual exclusion attribute, the service attribute information cannot correspond to the service account.
2) The total number of the corresponding service accounts of all the service attribute information is the number of the service accounts in the service system;
When the service attribute information is set, a certain piece of service attribute information may have no service account corresponding to it (i.e. the number of corresponding service accounts is 0). This application does not consider the case in which every piece of service attribute information corresponds to 1 or 0 service accounts (when all of them correspond to 1 or 0, no correlation among service accounts can be judged, so the combination is meaningless). Therefore some service attribute information is bound to correspond to a plurality of service accounts. For example, the service attribute information "network class one" can correspond to a plurality of students, and under this service attribute information it can be judged whether those service accounts are related.
It should be noted that when no service attribute information contains a mutual-exclusion attribute; at least one piece of service attribute information corresponds to more than 1 service account; and the total number of service accounts corresponding to all the service attribute information equals the number of service accounts in the service system, with these three conditions met at the same time, the service attribute information combination is judged to be a correct combination. The three conditions are not judged in any particular sequence.
Different service attribute information may correspond to a plurality of same service accounts, for example, service attribute information "one class of network", "advanced mathematics", "one class of network, advanced mathematics, english, computer network" may all correspond to user a. Therefore, when the total number is calculated, the duplicate service account is calculated only once.
If a certain service system has q service accounts, q is a positive integer. If the a service attribute information corresponds to 5 service accounts, and the B service attribute information corresponds to 8 service accounts, where 3 service accounts are the same, the a service attribute information and the B service attribute information correspond to 8+5-3=10 service accounts in total. All the service attribute information corresponds to q service accounts.
All the service attribute information can correspond to all the service accounts. In the application, a certain piece of service attribute information may not have a service account number corresponding to the service attribute information, but any one service account may correspond to one to several pieces of service attribute information, that is, one to several pieces of service attribute information may be used for classification.
It should be noted that the sum of the attributes included in all the service attribute information is less than or equal to the number of all the service system attributes of the service system.
Because each service attribute information is composed of a plurality of service system attributes, the sum of the attributes contained in all the service attribute information is necessarily less than or equal to the number of all the service system attributes of the service system.
For all the service attribute information, when calculating the attribute sum of the service system a repeated attribute is counted only once, namely $A_1 \cup A_2 \cup A_3 \cup \dots \cup A_k \subseteq \{a_{11}, a_{12}, a_{13} \dots a_{1l}, a_{21}, a_{22}, a_{23} \dots a_{2m} \dots a_{i1}, a_{i2}, a_{i3} \dots a_{ip}, b_1, b_2, b_3 \dots b_n\} = A$.
For example, a certain service system has q service accounts in total, and its service attribute information combination is Y = [male, female], or Y = [{male, network class one, English, advanced mathematics}, {female, network class one, English, advanced mathematics}, {male, network class one, English, computer network}, {female, network class one, English, computer network}, {male, network class two, advanced mathematics}, {female, network class two, advanced mathematics} …].
When the service attribute information combination is Y = [male, female], {male} and {female} contain no mutual-exclusion attribute; the total number of service accounts corresponding to {male} and {female} is q; and the attribute sum is 2, which is less than or equal to the number of all attributes of the service system.
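As an added example (not code from the patent), the following Python checks a service attribute information combination Y against the three conditions stated above (no mutual-exclusion attribute inside one piece of information; at least one piece corresponding to more than one service account; the pieces together covering every service account, with a duplicate account counted once as in the 8 + 5 - 3 rule) and also reports the attribute-sum bound. The mutual-exclusion groups, the six service accounts and the candidate combinations are constructed.

```python
"""Checking a service attribute information combination Y against the three
conditions for a correct combination.  Added example, not code from the patent;
the attribute groups, the six service accounts and the candidate Y are constructed."""

# Constructed mutual-exclusion attribute groups and non-mutually-exclusive attributes.
EXCLUSIVE_GROUPS = [frozenset({"male", "female"}),
                    frozenset({"network class one", "network class two"})]
NON_EXCLUSIVE = frozenset({"English", "advanced mathematics", "computer network"})
ALL_ATTRIBUTES = frozenset().union(*EXCLUSIVE_GROUPS, NON_EXCLUSIVE)

# Constructed service accounts (q = 6) with their service system attributes.
ACCOUNTS = {
    "a": {"male", "network class one", "English", "advanced mathematics"},
    "b": {"female", "network class one", "English", "advanced mathematics"},
    "c": {"male", "network class one", "English", "computer network"},
    "d": {"female", "network class two", "advanced mathematics", "computer network"},
    "e": {"male", "network class two", "advanced mathematics"},
    "f": {"female", "network class two", "English"},
}

# Constructed candidate combinations.
Y_GOOD = [{"male"}, {"female"}]
Y_SINGLETONS = [                 # every piece matches exactly one account: useless for correlation
    {"male", "network class one", "advanced mathematics"}, {"female", "network class one"},
    {"male", "computer network"}, {"female", "computer network"},
    {"male", "network class two"}, {"female", "English", "network class two"},
]

def matching_accounts(info, accounts):
    """Service accounts carrying every attribute of one piece of service attribute information."""
    return {acct for acct, attrs in accounts.items() if set(info) <= attrs}

def contains_exclusive(info, exclusive_groups):
    """True if the information holds two attributes from the same mutual-exclusion group."""
    return any(len(set(info) & group) > 1 for group in exclusive_groups)

def check_combination(combination, accounts, exclusive_groups, all_attributes):
    """Evaluate the three conditions (and the attribute-sum bound) for a combination Y."""
    matches = [matching_accounts(info, accounts) for info in combination]
    covered = set().union(*matches)          # a duplicate account is counted only once
    result = {
        "no_exclusive_attribute": not any(contains_exclusive(i, exclusive_groups) for i in combination),
        "some_info_covers_several": any(len(m) > 1 for m in matches),
        "covers_all_accounts": covered == set(accounts),
        "covered_count": len(covered),
        "attribute_sum_ok": len(set().union(*combination)) <= len(all_attributes),
    }
    result["valid"] = (result["no_exclusive_attribute"]
                       and result["some_info_covers_several"]
                       and result["covers_all_accounts"])
    return result
```

`covered_count` is the total after duplicate removal: for two pieces matching 5 and 8 accounts with 3 in common it is 10, which is the number the text compares with q.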
Suppose a certain service system comprises q service accounts, that certain service attribute information in the combination corresponds to a plurality of service accounts, and that the number of such service attribute information is w. An internal association threshold L is preset; L is determined by the operator according to the number of accounts of the service system, the specific requirements of the data analysis and the like. For example, when analyzing the students who selected course A, the more students selected course A, the larger the value of L, and vice versa.
When the condition of the formula (present on the original page only as image BDA0003830695350000201) holds, the service accounts are regarded as related.
For example, in a school, if the number of students is greater than the number of teachers, then the value of L is greater when analyzing students.
In a certain service system, suppose the service attribute information is [student, teacher]. When "student" is used as the association attribute, all students are related if the internal association threshold L is ignored, and all students being related is of little practical significance. When the internal association threshold L is considered, the result is that they are not related. Whether two accounts are related therefore cannot be judged by "student".
If {male, network class one, English, advanced mathematics} is used as the association attribute, it actually denotes the students of one class. After the internal association threshold L is considered (the value of L is smaller in this case), the result obtained is still "related", which accords with the actual situation.
When two service systems have partially identical service system attributes, some of the service accounts in the two service systems may be related.
Suppose the C service system contains the attributes $\{e_1, e_2, e_3, \dots, e_j, c_1, c_2, c_3, \dots, c_q\}$ and the D service system contains the attributes $\{e_1, e_2, e_3, \dots, e_j, d_1, d_2, d_3, \dots, d_r\}$, where j, q and r are positive integers. Here $e_1, e_2, e_3, \dots, e_j$ are the service system attributes common to both systems, while $c_1, c_2, c_3, \dots, c_q$ and $d_1, d_2, d_3, \dots, d_r$ are the attributes that differ between the two. Each attribute is assigned a value in advance. Illustratively, the assignment depends on the kind of attribute: the "male" and "female" attributes both belong to gender and are assigned the same value, whereas "male" and "network" are attributes of different kinds and are assigned different values. It is assumed here that service system attribute $e_1$ has the value $e_1$, ..., and that service system attributes $e_g$ and $e_{g+1}$ have the values $e_g$ and $e_{g+1}$ respectively.
An association attribute and an association attribute threshold M are preset. The association attribute consists of some or all of the attributes $\{e_1, e_2, e_3, \dots, e_j\}$ shared by the two service systems and is written $\{e_g, e_{g+1}, \dots\}$, with g a positive integer, so $\{e_g, e_{g+1}, \dots\} \subseteq \{e_1, e_2, e_3, \dots, e_j\}$. M is set according to the correlation and accuracy requirements: if two accounts in the two service systems count as related merely by both being men over 20 years old, M is set lower; if they count as related only by being 20-year-old men with the same surname in the same class, M is set higher.
If a certain service account corresponds to several service system attributes and these attributes include the association attribute, that service account is related to the association attribute. Through the association attribute, the related service accounts can be found in a service system. For example, if a service account c in the C service system corresponds to the attributes $\{e_1, e_2, e_3, \dots, e_s, c_1, c_2, c_3, \dots, c_t\}$, where s ≤ j and t ≤ q, and $\{e_1, e_2, e_3, \dots, e_s, c_1, c_2, c_3, \dots, c_t\}$ includes $\{e_g, e_{g+1}, \dots\}$, i.e. $\{e_g, e_{g+1}, \dots\} \subseteq \{e_1, e_2, e_3, \dots, e_s, c_1, c_2, c_3, \dots, c_t\}$, then the association attribute is related to service account c.
Similarly, a service account d in the D service system related to the association attribute can be found, corresponding to the attributes $\{e_1, e_2, e_3, \dots, e_s, d_1, d_2, d_3, \dots, d_u\}$, where s ≤ j and u ≤ r, with $\{e_g, e_{g+1}, \dots\} \subseteq \{e_1, e_2, e_3, \dots, e_s, d_1, d_2, d_3, \dots, d_u\}$.
It should be noted that the attributes corresponding to service account c and to service account d both include the association attribute $\{e_g, e_{g+1}, \dots\}$. The service system attributes that service account c and service account d have in common may also include other attributes; for example, the attributes of both c and d contain the same service system attributes $\{e_1, e_2, e_3, \dots, e_s\}$, in which case $\{e_g, e_{g+1}, \dots\} \subseteq \{e_1, e_2, e_3, \dots, e_s\}$.
Suppose the C service system contains $\{e_1, e_2, e_3, \dots, e_j, c_1, c_2, c_3, \dots, c_q\}$, where the weights of the attributes are $e_1', e_2', e_3', \dots, e_j', c_1', c_2', c_3', \dots, c_q'$ respectively.
The D service system contains $\{e_1, e_2, e_3, \dots, e_j, d_1, d_2, d_3, \dots, d_r\}$, where the weights of the attributes are $e_1', e_2', e_3', \dots, e_j', d_1', d_2', d_3', \dots, d_r'$ respectively.
The weights $e_1', e_2', e_3', \dots, e_j', c_1', c_2', c_3', \dots, c_q'$ and $e_1', e_2', e_3', \dots, e_j', d_1', d_2', d_3', \dots, d_r'$ are preset by the operator, for example according to the importance of the attribute, or according to the percentage of all service accounts that have the attribute.
When $e_g \cdot e_g' + e_{g+1} \cdot e_{g+1}' + \dots \ge M$, the two accounts are judged to be related; otherwise they are judged to be unrelated.
For example, in a college many students select the Advanced Mathematics course, while few students select a certain specialised course. In the course selection system and the score system, therefore, the weight corresponding to the Advanced Mathematics course is small and the weight corresponding to that specialised course is large.
When "Advanced Mathematics" is used as the association attribute and the weight is not considered, most service accounts of the course selection system and most service accounts of the score system have selected the course, so a corresponding relationship appears between them. But most of these students may not actually know each other, and selecting the "Advanced Mathematics" course does not mean they do, so without considering the weight the true interpersonal relationships cannot be obtained. After the weight is considered, the obtained result is "unrelated": the relationship between two accounts cannot be judged through Advanced Mathematics.
When a specialised course is used as the association attribute, fewer students take the course, and they may in fact be students of the same class or the same major. After the weight is considered, the obtained result is still "related", which matches the actual situation.
For example, to determine which accounts were registered by the same student, the judgment is made using service system attributes.
1) Several key attributes are determined, such as name, gender and class.
2) The value of M is preset according to actual requirements.
Since the accuracy requirement of this judgment is extremely high, a higher value is preset for the association attribute threshold M.
3) The key attributes are used for judgment, individually or in combination.
The "name" attribute is more important: fewer accounts share the same name, so its weight is larger. The importance of attributes such as "gender", "class" and "age" is ordinary. When the judgment is made using "gender", "class", "age" and the like, individually or in combination, the final result is "unrelated", and no determination can be made.
When the judgment is made using "name", the result is "related".
4) A further, more accurate judgment is made.
Taking the phenomenon of duplicate names into account, M is set to a higher value and "name" is used in combination with other attributes; it can then be judged whether two accounts are related, and the related accounts are the accounts registered by the same student.
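As an added example (not code from the patent), the cross-system account judgment described above in Python: attribute values are preset by attribute kind, weights are derived from the share of accounts carrying each attribute, and two accounts are related when the weighted sum over the association attribute reaches M. The rule weight = 1 - share and the two constructed course-selection and score systems are assumptions.

```python
from dataclasses import dataclass, field

# Attribute names are "kind:value" strings; the preset attribute value depends only
# on the kind, as the text describes (male and female both get the gender value).
# These values are constructed for the example.
KIND_VALUE = {"gender": 1.0, "course": 2.0, "name": 3.0}


def attribute_value(attr: str) -> float:
    """Preset value e_g of an attribute, chosen by its kind (assumption)."""
    return KIND_VALUE[attr.split(":", 1)[0]]


@dataclass
class ServiceSystem:
    """A service system: account id -> set of service system attributes it carries."""
    name: str
    accounts: dict = field(default_factory=dict)

    def attribute_share(self, attr: str) -> float:
        """Fraction of all service accounts in this system that have `attr`."""
        if not self.accounts:
            return 0.0
        return sum(attr in attrs for attrs in self.accounts.values()) / len(self.accounts)


def rarity_weights(system: ServiceSystem) -> dict:
    """Weights e_g' derived from the share of accounts having each attribute.
    Rule (assumption): weight = 1 - share, so a course nearly everyone takes weighs
    about 0 and a rarely taken course weighs close to 1, as in the college example."""
    attrs = set().union(*system.accounts.values())
    return {a: 1.0 - system.attribute_share(a) for a in attrs}


def association_score(attrs_c, attrs_d, association, weights) -> float:
    """e_g*e_g' + e_{g+1}*e_{g+1}' + ... over association attributes both accounts carry."""
    return sum(attribute_value(a) * weights.get(a, 0.0)
               for a in association if a in attrs_c and a in attrs_d)


def related_account_pairs(sys_c, sys_d, association, weights, M):
    """Second account relation: cross-system pairs (c, d) whose association score >= M.
    Only accounts whose attributes include the whole association attribute set qualify."""
    pairs = []
    for c, attrs_c in sys_c.accounts.items():
        if not association <= attrs_c:
            continue
        for d, attrs_d in sys_d.accounts.items():
            if not association <= attrs_d:
                continue
            if association_score(attrs_c, attrs_d, association, weights) >= M:
                pairs.append((c, d))
    return pairs


def sample_systems():
    """Constructed course-selection (C) and score (D) systems; 'Wang Er' is a duplicate name."""
    C = ServiceSystem("course_selection", {
        "c1": {"gender:male", "course:adv_math", "course:net_sec", "name:Zhang San"},
        "c2": {"gender:female", "course:adv_math", "name:Li Si"},
        "c3": {"gender:male", "course:adv_math", "name:Wang Er"},
        "c4": {"gender:male", "course:adv_math", "course:net_sec", "name:Zhao Liu"},
        "c5": {"gender:female", "course:adv_math", "name:Wang Er"},
    })
    D = ServiceSystem("scores", {
        "d1": {"gender:male", "course:adv_math", "course:net_sec", "name:Zhang San"},
        "d2": {"gender:female", "course:adv_math", "name:Li Si"},
        "d3": {"gender:male", "course:adv_math", "name:Wang Er"},
        "d4": {"gender:female", "course:adv_math", "name:Wang Er"},
    })
    return C, D


if __name__ == "__main__":
    C, D = sample_systems()
    w = rarity_weights(C)  # the operator may instead preset these by hand
    # adv_math (everyone takes it) relates nobody; net_sec relates classmates; a bare
    # name links duplicate names, which name + gender with a higher M resolves.
    for assoc, M in [({"course:adv_math"}, 1.0), ({"course:net_sec"}, 1.0),
                     ({"name:Wang Er"}, 1.0), ({"name:Wang Er", "gender:male"}, 2.0)]:
        print(sorted(assoc), "M =", M, "->", related_account_pairs(C, D, assoc, w, M))
```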
When drawing a user role layer network topology, firstly obtaining all service systems in a network, and connecting related service accounts in the same service system for each service system, namely a first account relation; for all different service systems, the related service accounts in the different service systems are connected, namely, the second account relationship.
It should be noted that, during actual drawing, a node carrying the virtual information of each service system may also be established in the user role layer (for convenience of subsequent aggregation and viewing). Taking each service system as a centre, all service accounts in that service system are connected to its virtual information node.
It should be noted that 101, 102, and 103 do not represent a sequential order, and 101, 102, and 103 may be performed simultaneously or in any order.
104. And aggregating the network topology of the physical equipment layer and the network topology of the service application layer to generate a first network.
The local area network service system data comprises service system deployment conditions, namely IP addresses of each service system node and each access node of the service application layer.
The present application uses the following aggregation:
when a certain service system node or access node has the same IP address as a certain physical device in the physical device layer, the service system node or access node is connected with that physical device. Once all service system nodes and access nodes have been connected with the physical devices, the first network is generated.
Further, the method also comprises updating the service application layer network topology.
The updating method is as follows:
analyzing data flow in a physical equipment layer; when two physical devices are respectively provided with service systems and the traffic exceeding a normal range exists between the service systems, an access relation exists between the two service systems;
and if the access relationship exists between the two service systems, updating the service application layer network topology according to the access relationship.
The update works as follows: if the two service systems are already connected in the original topology graph, nothing changes; if the two service systems are not connected in the original topology graph, the service system nodes corresponding to the two service systems are connected. The traffic between all physical devices on which service systems are deployed is checked in turn until the update is complete.
105. Aggregating the service application layer network topology and the drawn user role layer network topology to generate a second network;
The user role layer can be drawn using only the service accounts, and the method aggregates as follows:
the IP address corresponding to a service account in a certain service system is obtained, and the IP address corresponding to each access node in that service system is obtained;
the service account in the user role layer is connected with the access node in the service application layer that has the same IP address;
once the connection of the service accounts in all service systems with the access nodes is complete, the second network is generated.
It should be noted that, the service system virtual information of the user role layer may also be connected to the service system node in the corresponding service application layer.
Note that 104 and 105 do not represent a sequential order, and 104 and 105 may be performed simultaneously or in any order.
106. And combining the first network and the second network to generate a topological structure diagram of the three-layer network situation.
The first network and the second network both comprise a service application layer network topology, and are combined by using the same parts of the first network and the second network.
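An added Python example, not the patent's own code, of steps 104 to 106 above together with the traffic-based update: nodes are (kind, name) tuples, and the constructed devices, deployments, access logs, account login IPs and traffic volumes are assumptions.

```python
from dataclasses import dataclass, field

# Node kinds; a node is a (kind, name) tuple so the three layers share one namespace.
PHYS, SYS, ACCESS, ACCOUNT = "device", "system", "access", "account"


def edge(a, b):
    """Undirected link between two nodes."""
    return frozenset((a, b))


@dataclass
class Network:
    ips: dict = field(default_factory=dict)    # node -> IP address
    owner: dict = field(default_factory=dict)  # access node -> service system it belongs to
    edges: set = field(default_factory=set)


def application_layer(deployments, access_logs):
    """Service application layer (the output of step 103, rebuilt here from its inputs):
    one system node per deployed system (IP = host it runs on), one access node per
    client IP in that system's access log, and the system-to-node relations."""
    net = Network()
    for system, host_ip in deployments.items():
        net.ips[(SYS, system)] = host_ip
        for client_ip in access_logs.get(system, ()):
            access = (ACCESS, f"{system}@{client_ip}")
            net.ips[access] = client_ip
            net.owner[access] = system
            net.edges.add(edge((SYS, system), access))
    return net


def update_application_topology(app, deployments, traffic, normal_max):
    """Traffic-based update: when two devices each host a service system and the traffic
    between them exceeds the normal range, the two system nodes are connected; pairs
    already connected are left unchanged. Returns the links that were added."""
    systems_on = {}
    for system, host_ip in deployments.items():
        systems_on.setdefault(host_ip, []).append(system)
    added = []
    for (ip_a, ip_b), volume in traffic.items():
        if volume <= normal_max:
            continue
        for sa in systems_on.get(ip_a, []):
            for sb in systems_on.get(ip_b, []):
                link = edge((SYS, sa), (SYS, sb))
                if sa != sb and link not in app.edges:
                    app.edges.add(link)
                    added.append(link)
    return added


def first_network(devices, app):
    """Step 104: every system node or access node whose IP equals a physical device's
    IP is linked to that device; the application-layer links are kept."""
    device_by_ip = {ip: (PHYS, name) for name, ip in devices.items()}
    edges = set(app.edges)
    for node, ip in app.ips.items():
        if ip in device_by_ip:
            edges.add(edge(node, device_by_ip[ip]))
    return edges


def second_network(app, accounts):
    """Step 105: a service account is linked to the access node of the same service
    system that has the same IP address; accounts: {system: {account: login IP}}."""
    edges = set(app.edges)
    for system, accts in accounts.items():
        for acct, ip in accts.items():
            for node, node_ip in app.ips.items():
                if node[0] == ACCESS and app.owner[node] == system and node_ip == ip:
                    edges.add(edge((ACCOUNT, f"{system}:{acct}"), node))
    return edges


def three_layer_topology(first, second):
    """Step 106: both networks contain the service application layer, so the union of
    their link sets joins them on those shared nodes."""
    return first | second


def sample_lan():
    """Constructed inputs (assumption): two servers, two client PCs, two service systems."""
    return dict(
        devices={"srv-a": "10.0.0.10", "srv-b": "10.0.0.11",
                 "pc-1": "10.0.1.5", "pc-2": "10.0.1.6"},
        deployments={"course_selection": "10.0.0.10", "scores": "10.0.0.11"},
        access_logs={"course_selection": ["10.0.1.5"], "scores": ["10.0.1.5", "10.0.1.6"]},
        accounts={"course_selection": {"c1": "10.0.1.5"},
                  "scores": {"d1": "10.0.1.5", "d3": "10.0.1.6"}},
        traffic={("10.0.0.10", "10.0.0.11"): 5_000_000},  # bytes, above the normal range
    )


def build_topology(lan, normal_max=1_000_000):
    """Run steps 104-106 (with the traffic-based update) and return the combined link set."""
    app = application_layer(lan["deployments"], lan["access_logs"])
    update_application_topology(app, lan["deployments"], lan["traffic"], normal_max)
    first = first_network(lan["devices"], app)
    second = second_network(app, lan["accounts"])
    return three_layer_topology(first, second)


if __name__ == "__main__":
    for link in sorted(build_topology(sample_lan()), key=sorted):
        print(" -- ".join(f"{kind}:{name}" for kind, name in sorted(link)))
```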
Furthermore, by setting different service attribute information according to actual needs, different topology structure diagrams of the three-layer network situation can be generated. When the relationships among people are studied, the focus is on attributes such as "friends" and "class"; when learning objectives are studied, the focus is on attributes such as the different courses. Different points of interest yield different topology structure diagrams of the three-layer network situation.
For example, user Zhang San uses the same account name in different service systems, so the relationship between those accounts is easy to find. User Li Si uses different account names in different service systems, but by setting service attribute information such as belonging to the same class and having selected the same course, combined with the use of the same access node, the different account names in different service systems can be found with high probability. Users Wang Er and Li Si use the same access node, but when different service attribute information is set the two are analysed to be unrelated, and it can then be judged that different users log in using the same device.
When friends, class and the like are used as the service attribute information, the social relationships among the user accounts can be obtained. Combining several kinds of service attribute information in the analysis may give different results; for example, a certain account may be unrelated to several other accounts, but when the analysis is performed with the "friend" attribute a different result may be obtained.
The node information and the link information of the topology structure diagram of the three-layer network situation can also be stored and visualized.
The node information and link information of the three-layer network are stored in a Neo4j database, and a network element (node/link) information query interface is provided; based on the B/S architecture, interactive visualisation of the three-layer campus network is implemented using the R language together with an interactive web page development framework.
Besides storing the network elements in the graph database Neo4j, a conventional relational database (e.g. Oracle, DB2, MySQL, Microsoft SQL Server) can also be used as the storage scheme, given an appropriate storage schema.
Besides the R-language-based display scheme for network topology visualisation, the network visualisation controls provided by JavaScript can also be used as a supporting scheme.
The invention also discloses a multilayer network topology relationship construction system facing the local area network, which comprises:
an acquisition module, used for acquiring local area network data, where the local area network data comprises local area network physical equipment data, local area network service system data and local area network user data;
the physical equipment layer drawing module is used for drawing a physical equipment layer network topology by utilizing the local area network physical equipment data;
the service application layer drawing module is used for drawing a service application layer network topology by utilizing the data of the local area network service system;
the user role layer network topology drawing module is used for drawing a user role layer network topology by utilizing the local area network user data;
the first network aggregation module is used for aggregating the network topology of the physical equipment layer and the network topology of the service application layer to generate a first network;
the second network aggregation module is used for aggregating the service application layer network topology and the user role layer network topology to generate a second network;
and the generating module is used for combining the first network and the second network to generate a topological structure diagram of the three-layer network situation.
The application also discloses a multilayer network topology relationship construction device facing the local area network, which comprises a memory storing executable program codes and a processor coupled with the memory; the device can be applied to a construction system, such as a local server or a cloud server for a multilayer network topology relationship construction system facing a local area network, and the embodiment of the invention is not limited.
The processor calls the executable program code stored in the memory for executing the steps of the method for constructing the multilayer network topology relationship oriented to the local area network described in the application.
The application also discloses a computer readable storage medium storing a computer program for electronic data exchange, wherein the computer program enables a computer to execute the steps of the method for constructing the multilayer network topology relationship facing the local area network described in the application.
The present application also discloses a computer program product comprising a non-transitory computer readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute the steps in the local area network-oriented multilayer network topology relationship building method described in the present application.
The above-described embodiments of the apparatus are merely illustrative, and the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above detailed description of the embodiments, those skilled in the art will clearly understand that the embodiments may be implemented by software plus a necessary general hardware platform, and may also be implemented by hardware. Based on such understanding, the above technical solutions may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, wherein the storage medium includes a Read-Only Memory (ROM), a Random Access Memory (RAM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), a One-time Programmable Read-Only Memory (OTPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a compact disc-Read-Only Memory (CD-ROM) or other memories, a magnetic tape, or any other media capable of storing data.
The invention discloses a method and a system for constructing a multilayer network topological relation facing a local area network, which take the situation of depicting a typical campus network as an example, and provide a method for comprehensively representing the running state of the whole campus network from three layers of a physical device layer, a service application layer and a user role layer. The physical equipment layer network topology is used for analyzing the interconnection and intercommunication conditions of network equipment in the whole campus to serve as a basic support for daily operation and maintenance, and the service application layer topology is used for monitoring the running states of various service systems at an application layer and finding out abnormal access conditions in time; the user role layer topology is used for constructing access relations and social communication relations among the account numbers of the network users, early warning possible abnormal behaviors of the related account numbers, and the method can provide important support for network security situation analysis and assistant decision-making.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A multilayer network topology relationship construction method facing to a local area network is characterized by comprising the following steps:
acquiring local area network data;
aggregating LAN data to generate a LAN topology relation;
the local area network topological relation comprises a first network and a second network;
and combining the first network and the second network to generate a topological structure diagram of the three-layer network situation.
2. The method for constructing multilayer network topology relationship facing local area network according to claim 1,
the local area network data comprises: local area network physical equipment data, local area network service system data and local area network user data;
the aggregating LAN data to generate a LAN topology relationship, including:
drawing a physical equipment layer network topology by using local area network physical equipment data;
drawing a service application layer network topology by using the data of the local area network service system;
drawing a user role layer network topology by using local area network user data;
aggregating a physical device layer network topology and a service application layer network topology to generate a first network;
and aggregating the service application layer network topology and the user role layer network topology to generate a second network.
3. The method for constructing multilayer network topology relationship facing local area network according to claim 2,
a plurality of service systems are arranged in the local area network;
the service application layer network topology comprises a plurality of system-to-system relations and a plurality of system-to-node relation sets;
the local area network service system data comprises service system basic information and a system access log;
the drawing of the service application layer network topology by using the local area network service system data comprises the following steps:
obtaining a service system node according to the basic information of the service system;
obtaining an access node according to the system access log;
judging the access relation between any two service systems to obtain a system access judgment result;
when the system access judgment result indicates that the access relationship exists, connecting service system nodes corresponding to the two service systems to obtain the relationship between the systems;
and determining any service system and the corresponding access node, and connecting the corresponding service system node and the corresponding access node to obtain the relationship between the system and the node.
4. The method for constructing multilayer network topology relationship facing local area network according to claim 3,
judging the access relation between any two service systems to obtain a system access judgment result, wherein the method comprises the following steps:
judging whether an access interface exists between the two service systems, and if so, judging that the two service systems have an access relation;
if no access interface exists, judging whether a function call exists between the two service systems, and if so, judging that the two service systems have an access relation;
if no function call exists, judging whether an access link exists between the interfaces of the two service systems, and if so, judging that the two service systems have an access relation.
5. The method for constructing multilayer network topology relationship facing local area network according to claim 4,
a plurality of service account numbers are arranged in the service system;
the user role layer network topology comprises a plurality of first account relations and a plurality of second account relations;
the drawing of the user role layer network topology by using the local area network user data comprises the following steps:
judging the correlation of any plurality of business accounts in the same business system to obtain a judgment result of the correlation of the same system;
when the same-system correlation judgment result is "related", connecting the service accounts to obtain a first account relationship;
judging the correlation of any two service accounts in different service systems to obtain a correlation judgment result of different systems;
and when the inter-system correlation judgment result is correlation, connecting the two service accounts to obtain a second account relationship.
6. The method for constructing multilayer network topology relationship facing local area network according to claim 5,
the service system comprises a plurality of service system attributes, and a plurality of service system attributes are combined to form service attribute information;
the method for judging the correlation of any plurality of business accounts in the same business system to obtain the judgment result of the correlation of the same system comprises the following steps:
selecting a plurality of service system attributes to be respectively combined to form a service attribute information combination;
judging whether the service attribute information combination is a correct combination;
when the judgment result is correct combination;
presetting an inner association threshold L, and acquiring the number of service accounts corresponding to all service attribute information;
when the ratio of the number of the service accounts corresponding to certain service attribute information in the service attribute information combination to the total number of the service accounts is less than or equal to L, the service accounts are related, and the system correlation judgment result is related;
the judging whether the service attribute information combination is a correct combination comprises the following steps:
judging whether any of the service attribute information in the combination contains mutually exclusive attributes;
when the result is that none exists, judging whether the number of service accounts corresponding to a certain item of service attribute information is greater than 1;
if the result is yes, judging whether the total number of service accounts corresponding to all the service attribute information is the same as the number of service accounts in the service system;
when the numbers are the same, judging that the combination is a correct combination;
the method for judging the correlation of any two service accounts in different service systems to obtain the correlation judgment result of different systems comprises the following steps:
judging that two service systems have partially same service system attributes;
when the result is that such attributes exist, presetting an association attribute, the association attribute being some or all of the service system attributes that are the same in the two service systems;
respectively finding two service account numbers related to the correlation attribute in the two service systems;
presetting an associated attribute threshold value M, presetting a service system attribute weight, and assigning values to service system attributes in advance;
and when the product of each attribute value in the associated attribute and the attribute weight is more than or equal to M, the two business account numbers are related, and the inter-system correlation judgment result is related.
7. The method for constructing multilayer network topology relationship facing local area network according to claim 6,
aggregating a physical device layer network topology and a service application layer network topology to generate a first network, comprising:
obtaining IP addresses of each service system node and access node of a service application layer;
when the service system node or the access node is the same as the IP address of a certain physical device in the physical device layer;
connecting a service system node or an access node with the physical equipment;
and finishing the connection of all service system nodes or access nodes and the physical equipment to generate a first network.
8. The method for constructing multilayer network topology relationship facing local area network according to claim 7,
aggregating the service application layer network topology and the drawn user role layer network topology to generate a second network, comprising:
obtaining IP address corresponding to service account number in a certain service system, obtaining IP address corresponding to access node in the service system,
connecting the service account number in the user role layer with the access node in the service application layer with the same IP address,
and completing the connection of the service accounts in all the service systems and the access nodes to generate a second network.
9. The method for constructing multilayer network topology relationship facing local area network according to claim 8,
after aggregating a physical device layer network topology and a service application layer network topology and generating a first network, the method further includes:
when the two physical devices are respectively provided with a service system and the flow exceeding the normal range exists between the two physical devices;
and if so, updating the service application layer network topology according to the access relation between the two corresponding service systems.
10. A multilayer network topology relationship construction system facing local area network, the system comprising:
the acquisition module is used for acquiring local area network data;
the aggregation module is used for aggregating the local area network data to generate a local area network topological relation;
the local area network topological relation comprises a first network and a second network;
and the generating module is used for combining the first network and the second network to generate a topological structure diagram of the three-layer network situation.
CN202211073999.3A 2022-09-02 2022-09-02 Multi-layer network topology relation construction method and system for local area network Active CN115442139B (en)

Publications (2)

Publication Number Publication Date
CN115442139A true CN115442139A (en) 2022-12-06
CN115442139B CN115442139B (en) 2024-04-19
