CN115442139B - Multi-layer network topology relation construction method and system for local area network - Google Patents

Multi-layer network topology relation construction method and system for local area network

Info

Publication number: CN115442139B
Authority: CN (China)
Prior art keywords: service, network, local area, access, area network
Legal status: Active
Application number: CN202211073999.3A
Other languages: Chinese (zh)
Other versions: CN115442139A
Inventors: 陆余良, 杨国正, 张永恒, 刘京菊, 卢灿举, 钟晓峰, 罗智昊
Current assignee: National University of Defense Technology
Original assignee: National University of Defense Technology
Application filed by National University of Defense Technology; priority to CN202211073999.3A; publication of CN115442139A; application granted; publication of CN115442139B.

Classifications

    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/12 Discovery or management of network topologies
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/04 Processing captured monitoring data, e.g. for logfile generation

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
Abstract

The invention discloses a method and a system for constructing a multi-layer network topological relation for a local area network. The method comprises the following steps: acquiring local area network data; aggregating the local area network data to generate a local area network topological relation, wherein the local area network topological relation comprises a first network and a second network; and combining the first network and the second network to generate a topological structure diagram of the three-layer network situation. The invention provides a method for comprehensively representing the running state of a local area network from three layers: the physical equipment layer topology is used for analyzing interconnection and intercommunication conditions, the service application layer topology is used for monitoring the running state of the service systems, and the user role layer topology is used for constructing the relations between user accounts. Together these provide important support for network security situation analysis and auxiliary decision making.

Description

Multi-layer network topology relation construction method and system for local area network
Technical Field
The invention relates to the field of network security situation awareness, in particular to a method and a system for constructing a multi-layer network topological relation for a local area network.
Background
In the field of network security situation awareness, in order to better describe the running state of a user's local area network, related technical products generate the network security situation by converging, against the background of the network topology, the information acquired by equipment such as firewalls, intrusion detection, traffic monitoring, honeynets and honeypots, and vulnerability scanning, together with the running logs of terminals and servers, so as to support the security operation and maintenance management of the network.
Current network topology information acquisition and analysis mainly targets the interconnection level of network equipment: the topology inside the whole protected network is mapped out by acquiring, with authorization, the configuration information tables and routing information of routers and switches. From the perspective of analyzing intra-domain routing protocols, related research has achieved topology discovery based on the OSPF protocol [1-4] and on the IS-IS protocol [5].
Because of the layered design of networks and the different association relations formed by the various users in a network, a topology based purely on the interconnection layer of network equipment has large limitations in representing the network security situation, mainly as follows:
(1) The service association relationships formed by data traffic between network application systems cannot be characterized. The service systems in a network can differ greatly according to the business of the unit using it; for a campus network, for example, they may include a student management system, a course selection system, a smart classroom system, a security management system, and various sites and forums for organizing student activities. Besides the interconnection provided by routing and switching equipment at the network layer, these service systems and their client software establish logical connection relationships based on the characteristics of the service systems themselves, and the working states and association relationships of the service systems, obtained by monitoring and analyzing traffic, can provide important data support for the security operation and threat early warning of the service systems.
(2) The interpersonal association relationships formed by service access and communication interaction between network users cannot be characterized. A person often has multiple virtual user roles when using a network; these appear as various account numbers or identity IDs in the use of service systems, mailboxes, forums and instant messaging tools, and the virtual user roles of different individuals form association relationships with each other through service access. Current situation generation lacks the acquisition and analysis of such information, so the analysis of abnormal user behaviour and of its associated user accounts has great deficiencies.
(3) After abnormal network behaviour is found, a pure device-layer network topology has insufficient threat association analysis capability. A current network attack event may use several associated user accounts to take several service systems in turn as springboards. Therefore, for discovered abnormal network behaviour, not only is associated-equipment analysis needed at the physical equipment layer, but associated-service-system analysis is needed at the service layer and associated-account analysis at the user role layer. Only by building a multi-layer network topology across multiple dimensions for the entire network is it possible to provide significant support for the overall analysis when anomalies occur.
Currently, judging from the published literature, there is still little research on multi-layer network topology construction methods for local area networks. The prior art mainly targets physical equipment layer network topology [6], obtaining the interconnection state of the information network from the routing protocol by analyzing IP network layer messages, and constructing the local area network topology from that. This method is relatively close to the discovery method for the bottommost layer of the network topology in this patent, but it focuses only on the topology formed by the interconnection of physical equipment; it does not cover the service access relations in the network or aggregate and analyze user role information, its overall network structure is simple, its element types are few, and its description of the network topology remains at a low-dimensional, single-layer, flattened stage.
Fig. 1 shows the physical device layer network topology discovery scheme that is currently most popular. The technique collects the terminal equipment information in the network and clusters it to obtain the subordination relations between the data; it then acquires the routing information in the routing equipment and analyzes it to obtain the connection relations between the equipment, and finally displays the network topology distribution visually using interactive dynamic web page development techniques.
This implementation is widely accepted and approved by developers and users, but the scheme focuses only on the network topology structure of the physical equipment layer and cannot describe the overall situation inside the local area network in a multi-dimensional, three-dimensional way. Its main shortcomings are: 1. it cannot characterize the service association relationships formed between network application systems by data traffic; 2. it cannot represent the interpersonal association relationships formed between network users by service access and the like; 3. after abnormal network behaviour is found, the pure device-layer network topology has insufficient threat association analysis capability. As a result, the whole network topology structure is flattened and single, and cannot effectively meet the requirements of network security situation awareness.
Reference materials:
[1] Zhou Yang, Xu Qing, Luo Xiangyang, et al. Research on the concept of network space mapping and its technical system [J]. Computer Science, 2018, 45(5): 7.
[2] Li Nan. Research on network topology optimization detection and identification method [D]. University of Electronic Science and Technology, 2018.
[3] Hua Chao. Internet network topology discovery method research [D]. University of Wuhan, 2017.
[4] Zhou Changjian, Xing Jinge, Liu Haibo. Multi-protocol fusion network layer topology discovery algorithm research [J]. Computer Science, 2017 (S1): 5.
[5] Zhao Yifang, Zhang Dongmei. A network topology discovery algorithm against route spoofing [J]. 2017 (7).
[6] Min Rui, Huang, Luo Yu, et al. An automatic discovery method for LAN topology, CN111865684A [P]. 2020.
Disclosure of Invention
The invention provides a method for constructing a multi-layer network topological relation for a local area network, which comprises the following steps:
acquiring local area network data;
aggregating the local area network data to generate a local area network topological relation, wherein the local area network topological relation comprises a first network and a second network;
and combining the first network and the second network to generate a topological structure diagram of the three-layer network situation.
Further, the local area network data includes local area network physical equipment data, local area network service system data and local area network user data;
and aggregating the local area network data to generate a local area network topological relation comprises the following steps:
drawing a physical equipment layer network topology from the local area network physical equipment data;
drawing a service application layer network topology from the local area network service system data;
drawing a user role layer network topology from the local area network user data;
aggregating the physical equipment layer network topology and the service application layer network topology to generate the first network;
and aggregating the service application layer network topology and the user role layer network topology to generate the second network.
Further, a plurality of service systems are arranged in the local area network;
the service application layer network topology comprises a plurality of system-to-system relationships and a plurality of system-to-node relationship sets;
the local area network service system data comprises service system basic information and system access logs;
and drawing the service application layer network topology from the local area network service system data comprises the following steps:
generating service system nodes from the basic information of the service systems;
generating access nodes from the system access logs;
judging the access relation between any two service systems to obtain a system access judgment result;
when the system access judgment result is that an access relation exists, connecting the service system nodes corresponding to the two service systems to obtain a system-to-system relationship;
and for any service system and its corresponding access nodes, connecting the corresponding service system node and the corresponding access node to obtain a system-to-node relationship.
Further, judging the access relation between any two service systems to obtain a system access judgment result comprises:
judging whether an access interface exists between the two service systems; if an access interface exists, the two service systems have an access relationship;
otherwise, judging whether a function call exists between the two service systems; if a function call exists, the two service systems have an access relationship;
otherwise, judging whether an access link exists between the interfaces of the two service systems; if an access link exists, the two service systems have an access relationship.
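The service application layer construction described above, as an added example that is not part of the patent or its implementation: service system nodes are generated from constructed basic information, access nodes from constructed access-log lines, and system-to-system relations from the three-step access-relation test (access interface, then function call, then access link). The dictionary fields `interfaces`, `calls` and `links`, the log line format and all addresses are assumptions made for this example; the patent fixes no data format.

```python
"""Service application layer topology (added example, not the patent's code)."""
import re
from typing import Dict, Optional, Set, Tuple

# Constructed basic information: system name -> IP and the recorded evidence of
# access to other systems (assumed field names).
SERVICE_SYSTEMS: Dict[str, dict] = {
    "course_selection": {"ip": "10.1.0.10", "interfaces": {"student_info"},
                         "calls": set(), "links": set()},
    "student_info":     {"ip": "10.1.0.11", "interfaces": set(),
                         "calls": set(), "links": set()},
    "leave_request":    {"ip": "10.1.0.12", "interfaces": set(),
                         "calls": {"student_info"}, "links": set()},
    "forum":            {"ip": "10.1.0.13", "interfaces": set(),
                         "calls": set(), "links": {"course_selection"}},
}

# Constructed system access log: "<client ip> <system> <method> <path>".
ACCESS_LOG = """\
10.2.3.4 course_selection GET /select?course=101
10.2.3.4 student_info GET /me
10.2.7.9 forum POST /post
10.2.7.9 unknown_system GET /
garbage line that does not parse
10.2.3.4 course_selection GET /select?course=202
"""

LOG_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)$")


def access_relation(a: str, b: str, systems=SERVICE_SYSTEMS) -> Optional[str]:
    """Kind of access relation from system a to system b, or None.

    The order of the checks follows the patent: access interface first,
    function call second, access link last."""
    evidence = systems[a]
    if b in evidence["interfaces"]:
        return "interface"
    if b in evidence["calls"]:
        return "function_call"
    if b in evidence["links"]:
        return "access_link"
    return None


def build_service_layer(systems=SERVICE_SYSTEMS, log: str = ACCESS_LOG):
    """Return (service_nodes, access_nodes, system_edges, node_edges).

    service_nodes: system name -> IP (one node per service system)
    access_nodes:  sorted client IPs seen in the access log
    system_edges:  (from, to) -> relation kind (system-to-system relations)
    node_edges:    sorted (system, client ip) pairs (system-to-node relations)"""
    service_nodes = {name: meta["ip"] for name, meta in systems.items()}
    access_nodes: Set[str] = set()
    node_edges: Set[Tuple[str, str]] = set()
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # malformed line: skip it, do not abort the build
        client_ip, system, _method, _path = m.groups()
        if system not in systems:
            continue            # access to a system we have no node for
        access_nodes.add(client_ip)
        node_edges.add((system, client_ip))
    system_edges: Dict[Tuple[str, str], str] = {}
    for a in sorted(systems):
        for b in sorted(systems):
            if a != b:
                kind = access_relation(a, b, systems)
                if kind:
                    system_edges[(a, b)] = kind
    return service_nodes, sorted(access_nodes), system_edges, sorted(node_edges)


if __name__ == "__main__":
    nodes, access, sys_edges, node_edges = build_service_layer()
    print("service system nodes:", nodes)
    print("access nodes:", access)
    print("system-to-system relations:", sys_edges)
    print("system-to-node relations:", node_edges)
```

The system-to-system edges are directed (the relation runs from the system that holds the interface, call or link to the one it reaches), which is the form the patent's figure 4 uses; dropping the direction gives the undirected form of figure 3.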
Further, a plurality of service accounts are arranged in each service system;
the user role layer network topology comprises a plurality of first account relationships and a plurality of second account relationships;
and drawing the user role layer network topology from the local area network user data comprises:
judging the correlation of any plurality of service accounts within the same service system to obtain a same-system correlation judgment result;
when the same-system correlation judgment result is "correlated", connecting the service accounts to obtain a first account relationship;
judging the correlation of any two service accounts in different service systems to obtain a cross-system correlation judgment result;
and when the cross-system correlation judgment result is "correlated", connecting the two service accounts to obtain a second account relationship.
Further, a service system has a plurality of service system attributes, and a plurality of service system attributes combine to form service attribute information;
judging the correlation of any plurality of service accounts within the same service system to obtain a same-system correlation judgment result comprises the following steps:
selecting a plurality of service system attributes and combining them to form a service attribute information combination;
judging whether the service attribute information combination is a correct combination;
when the judgment result is that it is a correct combination, presetting an internal association threshold L and obtaining the number of service accounts corresponding to each item of service attribute information;
when the ratio of the number of service accounts corresponding to an item of service attribute information in the combination to the total number of service accounts is less than or equal to L, those service accounts are correlated, and the same-system correlation judgment result is "correlated";
judging whether the service attribute information combination is a correct combination comprises the following steps:
judging whether the service attribute information in the combination contains mutually exclusive attributes;
when it does not, judging whether the number of service accounts corresponding to each item of service attribute information is greater than 1;
when it is, judging whether the total number of service accounts corresponding to all the service attribute information equals the number of service accounts in the service system;
when they are equal, the combination is judged to be a correct combination;
judging the correlation of any two service accounts in different service systems to obtain a cross-system correlation judgment result comprises the following steps:
judging whether the two service systems have the same service system attributes;
when they do, presetting associated attributes, the associated attributes being some or all of the service system attributes shared by the two service systems;
finding, in each of the two service systems, a service account related to the associated attributes;
presetting an associated attribute threshold M, presetting a weight for each service system attribute, and assigning a value to each service system attribute in advance;
and when the sum over the associated attributes of each attribute value multiplied by its attribute weight is greater than or equal to M, the two service accounts are correlated, and the cross-system correlation judgment result is "correlated".
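The two account-correlation tests above (same-system correlation through an attribute combination and threshold L; cross-system correlation through weighted associated attributes and threshold M), as an added example that is not part of the patent. Two details the patent leaves open are assumptions here: mutually exclusive attribute values are looked up in a small constructed table, and an associated attribute is assigned the value 1 when the two accounts' values are equal and 0 otherwise before weighting. All accounts and attributes are constructed.

```python
"""User role layer account correlation (added example, not the patent's code)."""
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

AttrInfo = Tuple[str, str]             # (attribute name, attribute value)
Accounts = Dict[str, Dict[str, str]]   # account -> its attributes

# Constructed accounts of the course selection system.
COURSE_ACCOUNTS: Accounts = {
    "cs_u1": {"student_id": "20210001", "class": "SE-1", "dorm": "A"},
    "cs_u2": {"student_id": "20210002", "class": "SE-1", "dorm": "A"},
    "cs_u3": {"student_id": "20210003", "class": "SE-1", "dorm": "B"},
    "cs_u4": {"student_id": "20210004", "class": "SE-2", "dorm": "B"},
    "cs_u5": {"student_id": "20210005", "class": "SE-2", "dorm": "B"},
    "cs_u6": {"student_id": "20210006", "class": "SE-2", "dorm": "C"},
    "cs_u7": {"student_id": "20210007", "class": "SE-3", "dorm": "C"},
    "cs_u8": {"student_id": "20210008", "class": "SE-3", "dorm": "C"},
}
# Constructed accounts of the forum, which shares student_id and class.
FORUM_ACCOUNTS: Accounts = {
    "f_alice": {"student_id": "20210001", "class": "SE-1", "nick": "alice"},
    "f_bob":   {"student_id": "20210009", "class": "SE-1", "nick": "bob"},
}
# Assumed table of mutually exclusive attribute values (no account holds both).
EXCLUSIVE_PAIRS = {frozenset({("class", "SE-1"), ("role", "teacher")})}


def accounts_with(accounts: Accounts, info: AttrInfo) -> Set[str]:
    """Accounts whose attribute carries the given value."""
    attr, value = info
    return {a for a, attrs in accounts.items() if attrs.get(attr) == value}


def is_correct_combination(accounts: Accounts, combination: List[AttrInfo]) -> bool:
    """The patent's three checks: no mutually exclusive items, more than one
    account per item, and the items together cover every account in the system."""
    for x, y in combinations(combination, 2):
        if frozenset({x, y}) in EXCLUSIVE_PAIRS:
            return False
    counts = [len(accounts_with(accounts, info)) for info in combination]
    if any(c <= 1 for c in counts):
        return False
    return sum(counts) == len(accounts)


def same_system_relations(accounts: Accounts, combination: List[AttrInfo],
                          L: float) -> Set[Tuple[str, str]]:
    """First account relationships: accounts sharing an item whose share of
    all accounts is at most L are connected pairwise."""
    if not is_correct_combination(accounts, combination):
        return set()
    total = len(accounts)
    edges: Set[Tuple[str, str]] = set()
    for info in combination:
        group = accounts_with(accounts, info)
        if len(group) / total <= L:
            edges.update(combinations(sorted(group), 2))
    return edges


def shared_attributes(acc_a: Accounts, acc_b: Accounts) -> Set[str]:
    """Attributes that every account of both systems carries."""
    attrs_a = set.intersection(*(set(v) for v in acc_a.values()))
    attrs_b = set.intersection(*(set(v) for v in acc_b.values()))
    return attrs_a & attrs_b


def cross_system_relations(acc_a: Accounts, acc_b: Accounts,
                           associated: Iterable[str], weights: Dict[str, float],
                           M: float) -> Set[Tuple[str, str]]:
    """Second account relationships: an account of A and an account of B are
    connected when the weighted sum of their matching associated attributes
    (1 per match, an assumed scoring) is at least M."""
    associated = list(associated)
    if not set(associated) <= shared_attributes(acc_a, acc_b):
        return set()                 # associated attributes must be shared ones
    edges: Set[Tuple[str, str]] = set()
    for a, attrs_a in acc_a.items():
        for b, attrs_b in acc_b.items():
            score = sum(weights[attr] for attr in associated
                        if attrs_a[attr] == attrs_b[attr])
            if score >= M:
                edges.add((a, b))
    return edges


if __name__ == "__main__":
    dorms = [("dorm", "A"), ("dorm", "B"), ("dorm", "C")]
    print("first account relationships:", same_system_relations(COURSE_ACCOUNTS, dorms, 0.3))
    print("second account relationships:", cross_system_relations(
        COURSE_ACCOUNTS, FORUM_ACCOUNTS, ["student_id", "class"],
        {"student_id": 0.8, "class": 0.2}, 0.8))
```

With the threshold L = 0.3, only the two accounts sharing dorm A (a quarter of the accounts) are connected; the larger dorms B and C exceed the threshold. In the cross-system test the student identifier carries most of the weight, so a shared class alone does not reach M.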
Further, aggregating the physical equipment layer network topology and the service application layer network topology to generate the first network comprises:
obtaining the IP address of each service system node and each access node of the service application layer;
when the IP address of a service system node or access node is the same as the IP address of a physical device in the physical equipment layer, connecting that service system node or access node with that physical device;
and after all service system nodes and access nodes have been connected with their physical devices, the first network is generated.
Further, aggregating the service application layer network topology and the drawn user role layer network topology to generate the second network comprises:
obtaining the IP address corresponding to each service account in a service system, and obtaining the IP address corresponding to each access node of that service system;
connecting each service account in the user role layer with the access node in the service application layer that has the same IP address;
and after the service accounts and access nodes of all service systems have been connected, the second network is generated.
Further, after aggregating the physical equipment layer network topology and the service application layer network topology to generate the first network, the method further comprises:
when two physical devices each host a service system and the traffic between the two physical devices exceeds the normal range, there is an access relation between the two corresponding service systems, and the service application layer network topology is updated according to that access relation.
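The two inter-layer aggregations and the traffic-based update described above, as an added example that is not part of the patent: `first_network` joins service system nodes and access nodes to the physical device with the same IP address, `second_network` joins a service account to the access node of its own service system with the same IP address, and `update_service_edges` derives the extra system-to-system relation the patent infers when traffic between two service-hosting devices exceeds the normal range. The "normal range" is modelled as a single byte limit per window, and all devices, addresses, accounts and traffic figures are constructed for the example.

```python
"""Layer aggregation by IP address (added example, not the patent's code)."""
from typing import Dict, Set, Tuple

# Physical equipment layer: device name -> IP (constructed).
DEVICES: Dict[str, str] = {
    "srv-1": "10.1.0.10", "srv-2": "10.1.0.11", "srv-3": "10.1.0.13",
    "pc-7": "10.2.3.4", "rtr-1": "10.0.0.1",
}
# Service application layer: service system nodes, the (system, access node)
# pairs from the access logs, and the existing system-to-system relations.
SERVICE_NODES: Dict[str, str] = {
    "course_selection": "10.1.0.10", "student_info": "10.1.0.11", "forum": "10.1.0.13",
}
ACCESS_EDGES: Set[Tuple[str, str]] = {
    ("course_selection", "10.2.3.4"), ("student_info", "10.2.3.4"), ("forum", "10.9.9.9"),
}
SERVICE_EDGES: Set[Tuple[str, str]] = {("course_selection", "student_info")}
# User role layer: service account -> (service system, IP it was used from).
ACCOUNT_IPS: Dict[str, Tuple[str, str]] = {
    "cs_u1": ("course_selection", "10.2.3.4"),
    "cs_u9": ("course_selection", "10.9.9.9"),   # this IP never accessed course_selection
    "si_x": ("student_info", "10.2.3.4"),
}
# Bytes observed between device pairs in one window, and the assumed normal limit.
TRAFFIC: Dict[Tuple[str, str], int] = {
    ("srv-1", "srv-2"): 20_000, ("srv-1", "srv-3"): 3_000_000, ("pc-7", "srv-1"): 50_000,
}
NORMAL_MAX_BYTES = 1_000_000


def device_by_ip(devices: Dict[str, str]) -> Dict[str, str]:
    """Reverse lookup: IP -> device name."""
    return {ip: name for name, ip in devices.items()}


def first_network(devices, service_nodes, access_edges) -> Set[Tuple[str, str]]:
    """Inter-layer edges between the service application layer and the physical
    equipment layer; nodes whose IP matches no device stay unconnected."""
    by_ip = device_by_ip(devices)
    edges: Set[Tuple[str, str]] = set()
    for node, ip in service_nodes.items():
        if ip in by_ip:
            edges.add((node, by_ip[ip]))
    for _system, ip in access_edges:          # access nodes are identified by IP
        if ip in by_ip:
            edges.add((ip, by_ip[ip]))
    return edges


def second_network(account_ips, access_edges) -> Set[Tuple[str, str]]:
    """Inter-layer edges between the user role layer and the service application
    layer; an account links only to an access node of its own service system."""
    return {(account, ip) for account, (system, ip) in account_ips.items()
            if (system, ip) in access_edges}


def update_service_edges(devices, service_nodes, service_edges, traffic,
                         limit: int = NORMAL_MAX_BYTES) -> Set[Tuple[str, str]]:
    """System-to-system relations newly implied by traffic above the limit
    between two devices that each host a service system."""
    by_ip = device_by_ip(devices)
    system_on: Dict[str, str] = {}            # device name -> hosted service system
    for system, ip in service_nodes.items():
        if ip in by_ip:
            system_on[by_ip[ip]] = system
    added: Set[Tuple[str, str]] = set()
    for (d1, d2), nbytes in traffic.items():
        if nbytes > limit and d1 in system_on and d2 in system_on:
            edge = (system_on[d1], system_on[d2])
            if edge not in service_edges and edge[::-1] not in service_edges:
                added.add(edge)
    return added


if __name__ == "__main__":
    print("first network:", first_network(DEVICES, SERVICE_NODES, ACCESS_EDGES))
    print("second network:", second_network(ACCOUNT_IPS, ACCESS_EDGES))
    print("service edges to add:", update_service_edges(DEVICES, SERVICE_NODES, SERVICE_EDGES, TRAFFIC))
```

The access node 10.9.9.9 has no device record, so it is left without a physical-layer edge rather than invented; likewise account cs_u9 gets no edge because its IP is not an access node of its own system. Only the srv-1 to srv-3 traffic crosses the limit, so one relation (course_selection to forum) is added to the service application layer.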
The invention also provides a system for constructing a multi-layer network topological relation for a local area network, which comprises:
an acquisition module for acquiring local area network data;
an aggregation module for aggregating the local area network data and generating a local area network topological relation, wherein the local area network topological relation comprises a first network and a second network;
and a generating module for combining the first network and the second network to generate a topological structure diagram of the three-layer network situation.
The invention discloses a method and system for constructing a multi-layer network topological relation for a local area network. Taking a typical campus network situation as an example, it provides a method for comprehensively representing the running state of the whole campus network from three layers: the physical equipment layer, the service application layer and the user role layer. The physical equipment layer network topology is used to analyze the interconnection and intercommunication of the network equipment across the whole campus, as a basic support for daily operation and maintenance; the service application layer topology is used to monitor the operating state and service flow relations of the various service systems at the application layer and to find abnormal access in time; and the user role layer topology is used to construct the access relations and social communication relations between network user accounts and to give early warning of abnormal behaviour that may exist in related accounts. The method can thus provide important support for network security situation analysis and auxiliary decision making.
Drawings
FIG. 1 is a flow chart of a physical device layer network topology discovery scheme in an embodiment of the invention;
FIG. 2 is a schematic flow diagram of a method for constructing a multi-layer network topology relationship for a local area network in an embodiment of the invention;
FIG. 3 is a schematic diagram of a service application layer network topology drawn using undirected connections in an embodiment of the invention;
FIG. 4 is a schematic diagram of a service application layer network topology drawn using directed connections in an embodiment of the invention.
Detailed Description
In order to make the present invention better understood by those skilled in the art, the following description will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms first, second and the like in the description and in the claims and in the above-described figures are used for distinguishing between different objects and not necessarily for describing a sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, apparatus, article, or device that comprises a list of steps or elements is not limited to the list of steps or elements but may, in the alternative, include other steps or elements not expressly listed or inherent to such process, method, article, or device.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the invention. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
In the following, some terms used in the present application are explained for easy understanding by those skilled in the art.
Local area network: generally refers to an Ethernet network interconnected by a few routers and switches within a certain range, mainly a campus network, an enterprise intranet, and the like.
Multilayer network: a multi-layer network is made up of multiple single-layer networks and possibly inter-layer interactions, each layer characterizing a different type and meaning of interaction between nodes or entities. A multi-layer network comprises edges of different kinds: intra-layer edges (connections between nodes within the same layer) and possibly inter-layer edges (connections between nodes in different layers, whether copies of the same node or other nodes).
Network topology: for computer networks, network topology refers to the layout structure formed by interconnecting the various network devices and terminal devices. In a broad sense, it may refer to any graph-like structure formed by different types of nodes and connections.
Network situation: the current state and trend of change of the whole network, formed by factors such as the running state of network equipment, network behaviour and user behaviour.
Network security situation awareness: the activity of acquiring, understanding, displaying and predicting network security elements.
Neo4j database: Neo4j is a high-performance NoSQL graph database that stores structured data as a graph rather than in tables. It is an embedded, disk-based Java persistence engine with full transactional properties; the data it stores is structured as a network (mathematically, a graph) rather than as tables. Neo4j can also be regarded as a high-performance graph engine with all the features of a mature database.
The application designs a method for constructing a multi-layer network topological relation for a local area network, which can collect data based on network protocols and traffic detection, divide component levels by symbol definitions, describe the three-layer mesh topology inside the local area network, and help network maintenance personnel to further understand the network architecture and refine the granularity of network management. The application mainly solves the problems of the prior art that the network topology modelling result is single and flattened and its elements are sparse, and provides a three-layer, three-dimensional network situation topology model that is multi-dimensional, broadly semantic and dynamically interactive. Each part is described in detail below.
In this embodiment, the method for constructing a multi-layer network topology relationship for a local area network comprises: obtaining local area network data; aggregating the local area network data to generate a local area network topological relation, wherein the local area network topological relation comprises a first network and a second network; and combining the first network and the second network to generate a topology structure diagram of the three-layer network situation, as shown in fig. 2:
101. acquiring the physical equipment data of the local area network, and drawing the physical equipment layer network topology from the physical equipment data.
In the embodiment of the application, all acquired data is obtained either by importing data or by collecting it. The application needs to acquire local area network data, which comprises local area network physical equipment data, local area network service system data and local area network user data. Aggregating the local area network data to generate a local area network topological relation comprises the following steps: drawing a physical equipment layer network topology from the local area network physical equipment data; drawing a service application layer network topology from the local area network service system data; and drawing the user role layer network topology from the local area network user data.
The application obtains the user names of personal accounts through logs and the like, but does not need the password information of the personal accounts. The application does not limit how the data is acquired; for example, the data may be obtained after management rights over the local area network have been granted, or an administrator may provide the corresponding files.
In the embodiment of the invention, the local area network physical equipment data comprises the IP address, MAC address and basic equipment information (namely brand, version and the like) of each device;
in the embodiment of the invention, the local area network physical equipment data comprises routing information, such as the routing tables of the routing equipment and related configuration information;
in the embodiment of the invention, the local area network physical equipment data also comprises the communication relations between different physical devices.
Obtaining the local area network physical equipment data and drawing the physical equipment layer network topology comprises the following steps:
acquiring the physical equipment data of the local area network and analyzing the network data of the physical equipment layer. The basic information of the physical equipment in the local area network, including the IP address, MAC address and basic information (namely brand, version and the like) of each device, is analyzed, and an information tuple [IP, MAC, Information()] is established for each physical device node; the routing tables and related configuration information of the routing equipment are analyzed, and the communication relations and routing paths between different physical devices are extracted from the routing information to obtain link data. The physical equipment layer network topology is then drawn by combining the information tuples of the nodes with the link data.
It should be noted that, in the present application, the physical devices in the physical device layer are all the network devices in the LAN, including routers, servers, computers and the like.
Further, in the present application, the LAN physical device data further includes the data traffic and data packets between LAN physical devices.
Other methods of mapping the physical device layer network topology may also be used, such as the scheme shown in fig. 1. In the present application, drawing the device layer network topology may also use existing technology, such as CN105763357A, CN109687989A or CN111865684A.
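The physical equipment layer step above (information tuple [IP, MAC, Information()] per device node, link data extracted from routing tables), as an added example that is not part of the patent. The routing table line format (`<router> <prefix> direct <interface>` or `<router> <prefix> via <next hop> <interface>`) and all device records are constructed for the example; output from real routing equipment would need its own parser. A router is linked to the next hop of each `via` route and to every known device inside a directly connected prefix.

```python
"""Physical equipment layer topology (added example, not the patent's code)."""
import ipaddress
from typing import Dict, NamedTuple, Set, Tuple


class DeviceNode(NamedTuple):
    """The patent's information tuple [IP, MAC, Information()] for one device."""
    ip: str
    mac: str
    information: str      # brand, version and other basic information


# Constructed device records: (name, ip, mac, information).
DEVICE_RECORDS = [
    ("rtr-1", "10.0.0.1", "00:11:22:00:00:01", "router, vendor X, os 16.9"),
    ("rtr-2", "10.0.0.2", "00:11:22:00:00:02", "router, vendor X, os 16.9"),
    ("srv-1", "10.1.0.10", "00:11:22:00:01:10", "server, linux 5.10"),
    ("srv-2", "10.1.0.11", "00:11:22:00:01:11", "server, linux 5.10"),
    ("pc-7",  "10.2.0.4",  "00:11:22:00:02:04", "workstation, windows 10"),
]

# Constructed routing tables of the two routers (assumed line format).
ROUTE_TABLE = """\
rtr-1 10.1.0.0/24 direct eth0
rtr-1 10.0.0.0/30 direct eth1
rtr-1 10.2.0.0/16 via 10.0.0.2 eth1
rtr-2 10.2.0.0/24 direct eth0
rtr-2 10.0.0.0/30 direct eth1
rtr-2 0.0.0.0/0 via 10.0.0.1 eth1
"""


def build_nodes(records=DEVICE_RECORDS) -> Dict[str, DeviceNode]:
    """Device name -> information tuple."""
    return {name: DeviceNode(ip, mac, info) for name, ip, mac, info in records}


def link_key(a: str, b: str) -> Tuple[str, str]:
    """Links are undirected; store each one in a canonical order."""
    return (a, b) if a < b else (b, a)


def extract_links(nodes: Dict[str, DeviceNode],
                  route_table: str = ROUTE_TABLE) -> Set[Tuple[str, str]]:
    """Link data derived from the routing tables.

    'via' routes link the router to the next hop (if it is a known device);
    'direct' routes link the router to every known device in the prefix."""
    by_ip = {node.ip: name for name, node in nodes.items()}
    links: Set[Tuple[str, str]] = set()
    for line in route_table.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in nodes:
            continue                      # malformed line or unknown router
        router, prefix, kind = parts[0], parts[1], parts[2]
        if kind == "via" and len(parts) >= 5:
            nexthop = by_ip.get(parts[3])
            if nexthop and nexthop != router:
                links.add(link_key(router, nexthop))
        elif kind == "direct":
            net = ipaddress.ip_network(prefix, strict=False)
            for name, node in nodes.items():
                if name != router and ipaddress.ip_address(node.ip) in net:
                    links.add(link_key(router, name))
    return links


def build_physical_layer(records=DEVICE_RECORDS, route_table: str = ROUTE_TABLE):
    """Nodes (information tuples) plus link data: the physical layer topology."""
    nodes = build_nodes(records)
    return nodes, extract_links(nodes, route_table)


if __name__ == "__main__":
    nodes, links = build_physical_layer()
    for name, node in nodes.items():
        print(name, list(node))
    print("links:", sorted(links))
```

The router-to-router link appears three times in the constructed tables (a directly connected /30 on each side and a `via` route on each side); the canonical ordering in `link_key` collapses them into one link, which is what the drawn topology needs.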
102. Acquire the LAN service system data and use it to draw the service application layer network topology.
In this embodiment, several service systems are deployed in the LAN, and the LAN service system data includes the basic information of those service systems;
the LAN service system data also includes the system access logs, i.e. the log files that record accesses to each service system;
the basic information of a service system is analyzed to obtain its service system node, and the system access log is analyzed to obtain the access nodes.
Service system node: the aggregate of a service system's function modules (some service systems have sub-modules); it is the abstract representation of the service system at the service application layer.
For example, the course selection system is the service system node corresponding to the course selection service system. This application also handles sub-modules: when a service system has a sub-module (or calls another module) and that sub-module (or called module) can complete a service on its own, the sub-module (or called module) is an independent service system node. If every service of a service system is completed by its sub-modules or by calling modules or sub-modules of other service systems, that service system itself is not regarded as a service system node.
The campus service platform offers course selection, leave requests and so on, and the corresponding course selection system and leave request system are regarded as separate service system nodes. If the campus service platform consists entirely of sub-modules, or all of its functions are realized through called modules, the platform itself is not regarded as a service system node. When the course selection system is accessed, it first reads student information from the student information management system; since reading that information cannot complete the course selection service on its own, the student information management system as called by the course selection system is not regarded as an independent service system node. When the student information management system is used for student information management, it realizes an independent function and is an independent service system node. The IP address corresponding to a service system node can be obtained from the administrator or by other means (e.g. scanning, the nslookup command, the ping command).
Access node: an access node in the service application layer is the logical mapping of a user's terminal device in the access relationship, i.e. the node from which the user accesses the service. In the system access log it is represented by an IP address (which ID was accessed at which time), so an IP address is one of the access nodes of the service system.
Illustratively, when a user accesses a system with client software, the client software is the access node. If the user accesses the mailbox system and the course selection system through a browser, the browser is the access node. Likewise, command-line tools such as cmd.exe or a shell are the access node when access is performed from the command line. These access nodes have in common that they run on an operating system, so in this application an access node can be understood as an operating system, and its label can be an IP address. The mailbox system and the course selection system are service system nodes. The same access node may appear for different service system nodes, i.e. one user may access the mailbox system, the course selection system and so on from the same IP address.
This application draws the service application layer network topology as follows:
The service application layer network topology consists of a number of system-to-system relations and a number of system-to-node relations. For any two service systems, determine whether an access relation exists between them; if it does, connect the two corresponding service system nodes to obtain a system-to-system relation. Every pair of service systems in the service application layer is judged in this way, yielding all system-to-system relations.
For any service system, determine its access nodes and connect the service system node with each of them to obtain a system-to-node relation. Connecting all service systems in the service application layer with their access nodes yields all system-to-node relations.
The access relation between different service systems is judged by determining the access relation between their service system nodes, and it comes in the following forms:
Mode one: the existence of an access interface or of a function call between two service systems is regarded as an access relation:
Example: in a campus network, service system node A is the course selection system, service system node B is the student information management system and service system node C is the score system.
When a student accesses the course selection system (from some access node), the course selection system first reads the student's information (personal ID and basic information) from the student information management system, determines the student's course selection range and displays it; an access interface exists between A and B, and at this point A calls B.
After the term ends, the student's scores and completion status in the score system are written back to the student information management system; at this point B calls C.
Hence there is an access relation from A to B but not from B to A; similarly, there is an access relation from B to C but not from C to B.
Mode two: the existence of an "access link" between the interfaces of two service systems is also regarded as an access relation.
Example: in a campus network, the homepage or main interface of the "library service system" carries a "campus mailbox" link for feedback. This hyperlink is regarded as an access relation, so the library service system has an access relation to the campus mailbox. The campus mailbox carries no link to the library service system, so the campus mailbox has no access relation to the library service system.
If the homepage or main interface of system A carries a QR code which, when scanned with WeChat, jumps to system B, then the access relation is between system A and system B, not between system A (or B) and WeChat.
Note: if there is an access interface between two service systems, or a function call between them, or an "access link" between their interfaces, any one of these conditions is sufficient to judge that an access relation exists. The three conditions are checked in no particular order.
The access relation between service systems is obtained by analyzing their basic information. Because each service system has a definite correspondence at the physical layer (every service system is deployed on some physical device), when two service systems have an access relation there is a large amount of data exchange, i.e. traffic, between the physical devices that host them.
Therefore, the application can also judge the access relation between service systems from the traffic at the physical layer:
Mode three: when two physical devices each host a service system and the traffic between them exceeds the normal range, an access relation exists between the two service systems.
If the two physical devices host different service systems that have no access relation (i.e. the two are unrelated), there is very little traffic between them. The following uses wide area network services as an illustration, from which one skilled in the art can derive the LAN case: the physical devices of the payroll system (when it spans several servers, they are treated as a whole) exchange a large amount of traffic with each other, while the traffic between the payroll system's devices and the physical devices of WeChat is very small.
First determine whether there are service systems in the network that are unrelated to each other. If not, all service systems are related. If there are, count all physical devices that host a service system, count the traffic between every pair of them, and compute the average Z of that traffic. When the traffic between two of the physical devices is far greater than the average, it is regarded as exceeding the normal range.
An average threshold is preset; when the ratio of the traffic between two physical devices to the average Z is greater than or equal to the average threshold, the traffic between them is considered far greater than the average.
When drawing the service application layer network topology, only modes one and two are considered. After the physical device layer topology and the service application layer topology have been aggregated, the service application layer topology is updated using mode three.
Illustratively, the basic information of the service systems in the LAN is analyzed; it includes name, function, version, service objects, manufacturer and so on. For example, the basic information of one service system is (campus communication, 2.03, all users in the campus network, XX manufacturer), and that of service system D is (course arrangement system, course arrangement, 1.04, educational staff and teachers, XX manufacturer). The basic information also includes the corresponding IP address and the access relations with other service systems.
Connecting the service system nodes of two service systems may be undirected or directed.
An undirected connection only records that a relation exists: if there is an access relation between service system A and service system B, A and B are connected, without regard to the direction of the relation;
A directed connection records both the existence and the direction of the relation: if A and B have a one-way access relation (e.g. A calls B), they are connected with a directional connector (e.g. a line with an arrow). If the library service system has a one-way access relation to the campus mailbox, it is recorded as library service system → campus mailbox; if the relation is two-way, it is recorded as library service system ↔ campus mailbox.
The service systems and their access nodes are determined as follows: analyze the system access log, find the corresponding access nodes, and connect each to the corresponding service system node. If the service system node is A and its access log contains the IP addresses a, b, c and d, then a, b, c and d are access nodes of that service system and each is connected to A.
Illustratively, assume the LAN contains service systems A, B, C, D and E (the same letter denotes the service system and its service system node, i.e. service system A has service system node A) and the access nodes are a, b, c, d and e. Analysis of the service systems shows that A calls B, C and D (i.e. A has access relations with B, C and D), B calls A, C calls D and E, and E calls A.
Analysis of the logs shows that the access nodes of A are a, b and c; of B, a and c; of C, a, b and c; of D, c and d; and of E, b, c and e.
When drawing, first mark all service system nodes A to E and all access nodes a to e. Then draw the access relations among A to E (i.e. whenever two service systems have an access relation, connect their service system nodes to obtain a system-to-system relation: since A has access relations with B, C and D, A is connected with each of B, C and D; since C calls D and E, C is connected with each of D and E; and so on until every pair of service system nodes with an access relation is connected). Then, according to the access nodes, connect A to E with a to e (i.e. for each service system and its access nodes, connect the service system node with the access node to obtain a system-to-node relation). Both undirected and directed connections, and both renderings, can be used.
With undirected connections, duplicates must be removed: A connected to B and B connected to A are the same edge, so one copy is deleted. The result is shown in Fig. 3.
With directed connections, the direction is marked at connection time; when A connects to B and B also connects to A, the connection between A and B is drawn as a double-headed arrow. The result is shown in Fig. 4.
The direction of the relation between two service systems can also be judged at the physical layer:
1) Confirm, using mode three, that an access relation exists between the two service systems.
2) Analyze the consecutive data packets between the two and compute the first-sender ratio.
Consecutive data packets: in one communication, several packets are sent between the two parties in succession to complete some exchange; a packet sent by one party and the reply of the other are very close in time, and these form the consecutive packets.
In each run of consecutive packets one party necessarily sends first; if A calls B, the physical device hosting A sends the request and B responds, so A is the first sender. Count all packets, and suppose the number of runs in which A sent first, $Y_A$, is not less than the number in which B sent first, $Y_B$. Then
$$R = \frac{Y_A}{Y_A + Y_B}$$
3) Preset a first packet-ratio threshold $Y_1$ and a second packet-ratio threshold $Y_2$ (the ranges below imply $1 \ge Y_1 > Y_2 > 0.5$). Then:
1. when $R \ge Y_1$, there is a one-way access relation from A to B;
2. when $Y_1 > R \ge Y_2$, there is either a one-way access relation from A to B or a two-way access relation between A and B;
3. when $Y_2 > R \ge 0.5$, there is a two-way access relation between A and B.
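Mode three and the direction inference of steps 1) to 3), as an added Python example (not the patent's code). The traffic volumes and packet list are constructed; the rule that a new run of consecutive packets begins when the gap to the previous packet of the pair exceeds max_gap seconds, and the ordering 1 >= Y1 > Y2 > 0.5 of the thresholds, are assumptions inferred from the text's ranges.

```python
"""Mode three (traffic far above the pairwise average marks an access relation) and the
first-sender ratio used to infer direction from consecutive packets.

Added example; not the patent's code. Traffic volumes and packets are constructed; the
conversation boundary (a gap longer than max_gap seconds) and the ordering
1 >= Y1 > Y2 > 0.5 of the thresholds are assumptions inferred from the text's ranges.
"""
from statistics import mean

# Constructed bytes exchanged in one window between service-hosting devices (unordered pairs).
TRAFFIC = {
    frozenset(("srvA", "srvB")): 9_000_000,
    frozenset(("srvA", "srvC")): 80_000,
    frozenset(("srvB", "srvC")): 120_000,
}

# Constructed packets (time in seconds, source, destination). Four runs between srvA and srvB,
# three opened by srvA and one by srvB, plus unrelated srvA/srvC packets.
PACKETS = [
    (0.00, "srvA", "srvB"), (0.01, "srvB", "srvA"), (0.02, "srvA", "srvB"),
    (0.50, "srvA", "srvC"), (0.51, "srvC", "srvA"),
    (5.00, "srvA", "srvB"), (5.01, "srvB", "srvA"),
    (10.00, "srvB", "srvA"), (10.01, "srvA", "srvB"),
    (15.00, "srvA", "srvB"),
]


def abnormal_pairs(traffic, average_threshold):
    """Mode three: pairs whose traffic / average Z is at least the preset average threshold."""
    z = mean(traffic.values())
    return {pair for pair, volume in traffic.items() if volume / z >= average_threshold}, z


def first_sender_counts(packets, a, b, max_gap):
    """Count, per device, the runs of consecutive packets between a and b that it opened.
    A run starts when the gap to the previous packet of this pair exceeds max_gap."""
    pair = {a, b}
    counts = {a: 0, b: 0}
    previous = None
    for t, src, _dst in sorted(p for p in packets if {p[1], p[2]} == pair):
        if previous is None or t - previous > max_gap:
            counts[src] += 1
        previous = t
    return counts


def first_sender_ratio(counts):
    """Return (dominant sender, other, R) with R = Y_dominant / (Y_dominant + Y_other) >= 0.5."""
    dominant, other = sorted(counts, key=counts.get, reverse=True)
    total = counts[dominant] + counts[other]
    return dominant, other, (counts[dominant] / total) if total else 0.5


def classify_direction(ratio, y1, y2):
    """Apply the two preset packet-ratio thresholds to R."""
    if not (1.0 >= y1 > y2 > 0.5):
        raise ValueError("thresholds must satisfy 1 >= Y1 > Y2 > 0.5")
    if ratio >= y1:
        return "one-way"
    if ratio >= y2:
        return "one-way or two-way"
    return "two-way"


if __name__ == "__main__":
    flagged, z = abnormal_pairs(TRAFFIC, 2.0)
    print("average Z =", round(z), "flagged:", [sorted(p) for p in flagged])
    counts = first_sender_counts(PACKETS, "srvA", "srvB", max_gap=1.0)
    dominant, other, r = first_sender_ratio(counts)
    print(counts, f"{dominant} first-sender ratio R = {r:.2f}:", classify_direction(r, 0.7, 0.6))
```

Because R is defined with the dominant sender in the numerator it is never below 0.5, which is why the third range of step 3) ends at 0.5; a practitioner tuning Y1 and Y2 should also check that the packet capture window is long enough to contain several runs, since a single run gives R = 1 regardless of the real relationship.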
The direction of the traffic between service systems over a period of time indirectly reflects the degree of service interaction between them; the type of data carried in the traffic reflects the type of association between the service systems.
103. Acquire the LAN user data and use it to draw the user role layer network topology.
This application draws the user role layer network topology as follows:
several service accounts exist in each service system;
the user role layer network topology consists of a number of first account relations and a number of second account relations;
taking each service system (virtual at the user role layer) as a center, connect all service accounts of that system to it;
for any set of service accounts within the same service system, judge whether they are related and, if so, connect them to obtain a first account relation; judging and connecting all service accounts in every service system yields all first account relations;
for any two service accounts in different service systems, judge whether they are related and, if so, connect them to obtain a second account relation; judging and connecting the service accounts across all pairs of different service systems yields all second account relations.
The basic information of a user role in a service system is acquired and analyzed to form the user role's information tuple [ID, User, Information()]; the login logs and service information of the user roles are acquired and analyzed for possible associations among users, including associations among users within one service system, and possible correspondence between users of different service systems who log in from the same access node.
In a campus network, if student A uses the course selection system and the library system and has ID 0001, the information tuple of the user role is [0001, A, course selection & library, etc.].
In this embodiment, the LAN user data includes the service accounts in each service system, and each service system has service system attributes.
A service account is used to log in to a service system. A service system holds many service accounts; for example, there are 20 students in network class one, so the course selection system holds 20 service accounts belonging to network class one, among others. In the service system access log an account is represented by its ID. Service accounts are obtained from the service system access log or from the service system administrator; the IP address corresponding to each service account can be obtained at the same time.
Note that this application uses "name" and the like as examples; "name" and similar fields cannot be obtained from the access logs of many service systems, but this does not mean that no system provides them. The application illustrates with a subset of service systems, and one skilled in the art will understand that the analysis extends by analogy: for instance, the name may correspond to a registration name or user name, and the age to a registration time, and so on.
A service system and its services involve a number of attributes, the service system attributes, which are obtained by the operator analyzing the service system; each service account corresponds to some or all of these attributes. Let service system A have the attributes $\{a_{11}, a_{12}, a_{13}, \dots, a_{1l}, a_{21}, a_{22}, a_{23}, \dots, a_{2m}, \dots, a_{i1}, a_{i2}, a_{i3}, \dots, a_{ip}, b_1, b_2, b_3, \dots, b_n\}$, where $i, l, m, n, p$ are positive integers.
Service account a (user a) in service system A has the attributes $b_1, b_2, b_3, \dots, b_j$, where $j \le n$; any one, or any combination, of $b_1, \dots, b_j$ is service attribute information of user a.
Service system attributes differ between service systems: in a school news system, "friend" is one of its service system attributes; in a forum, "follow" is one.
A user's permissions in the service system, such as administrator or ordinary member, also belong to the service system attributes, as does the login IP.
For instance, the course selection system includes person names, class, all course names and so on. Service account a (user a) belongs to network class one and has selected higher mathematics, English, computer network, ...; user b belongs to network class two and has selected higher mathematics, English, computer network, .... The service system attributes of user a are "a, network class one, higher mathematics, English, computer network, ..." and the service attribute information may be "network class one", or "higher mathematics", or "network class one, higher mathematics, English, computer network", and so on. The service system attributes of user b are "b, network class two, higher mathematics, English, computer network, ..." and the service attribute information may be "network class two, higher mathematics", or "network class two, higher mathematics, English, computer network", and so on.
Let service system A have the service system attributes $\{a_{11}, a_{12}, a_{13}, \dots, a_{1l}, a_{21}, a_{22}, a_{23}, \dots, a_{2m}, \dots, a_{i1}, a_{i2}, a_{i3}, \dots, a_{ip}, b_1, b_2, b_3, \dots, b_n\}$, with $i, l, m, n, p$ positive integers.
$\{a_{11}, a_{12}, a_{13}, \dots, a_{1l}\}, \{a_{21}, a_{22}, a_{23}, \dots, a_{2m}\}, \dots, \{a_{i1}, a_{i2}, a_{i3}, \dots, a_{ip}\}$ are mutually exclusive attribute groups: attributes within a group are mutually exclusive, attributes in different groups are not. That is, if user X has attribute $a_{11}$, X does not have $a_{12}, a_{13}, \dots, a_{1l}$; but X may have attributes such as $a_{22}, \dots, a_{i3}$.
For example, {male, female} is a mutually exclusive group; {network class one, network class two, ...}, {first year, second year, third year, ...} and {20, 21, 22, ... (age)} are further mutually exclusive groups. A user may have the attributes "male, network class one, third year, 22", but cannot have both "male" and "female" (i.e. be of both genders).
$\{b_1, b_2, b_3, \dots, b_n\}$ are non-mutually-exclusive attributes: a user may have one or several of them at the same time.
For example, the courses {higher mathematics, English, computer network, ...} in the course selection system are non-mutually-exclusive attributes, since a user can select several of them at once.
From $\{a_{11}, \dots, a_{ip}, b_1, \dots, b_n\}$ of service system A, select several service system attributes and combine them into service attribute information $A_1$ of system A; continue selecting further combinations (different from $A_1$: an identical one only costs efficiency and does not affect the relatedness judgement) to form service attribute information $A_2$, $A_3$ and so on, finally forming the service attribute information combination $Y = [A_1, A_2, A_3, \dots, A_k]$ of system A, with $k \ge 1$; each of $A_1, A_2, A_3, \dots, A_k$ is one piece of service attribute information of system A.
The specific service attribute information is chosen by the operator. For any service system, the service attribute information in the combination must satisfy the following conditions:
1) No piece of service attribute information contains mutually exclusive attributes;
if a piece of service attribute information contained mutually exclusive attributes, no service account could correspond to it.
2) The total number of service accounts corresponding to all pieces of service attribute information equals the number of service accounts in the service system;
When the service attribute information is set, a given piece may have no corresponding service account (i.e. 0 accounts). This application does not consider combinations in which every piece corresponds to 1 or 0 accounts (then no relatedness can be judged for any account, so the combination is meaningless). Hence some piece of service attribute information must correspond to several service accounts; for example "network class one" corresponds to several students, and under that piece one can judge whether those accounts are related.
Note: a service attribute information combination is judged correct if all three conditions hold simultaneously: no piece contains mutually exclusive attributes; at least one piece corresponds to more than one service account; and the total number of service accounts corresponding to all pieces equals the number of accounts in the service system. The three conditions are checked in no particular order.
Different pieces of service attribute information may correspond to the same service accounts; e.g. "network class one", "higher mathematics" and "network class one, higher mathematics, English, computer network" may all correspond to user a. A service account is therefore counted only once in the total.
Let a service system have q service accounts, q a positive integer. If piece a corresponds to 5 accounts and piece b to 8 accounts, 3 of which are shared, then a and b together correspond to 8 + 5 - 3 = 10 accounts. All pieces together must correspond to all q accounts.
All the service attribute information together covers all service accounts: a given piece may correspond to no account, but every service account corresponds to at least one piece, i.e. it can be classified by one or several pieces of service attribute information.
Note that the total number of attributes contained in all the service attribute information is at most the number of service system attributes.
Since each piece of service attribute information is composed of several service system attributes, the attributes contained in all pieces together can be no more than the service system attributes of the service system.
When counting, a repeated attribute is counted once, i.e. $A_1 \cup A_2 \cup A_3 \cup \dots \cup A_k \subseteq \{a_{11}, a_{12}, a_{13}, \dots, a_{1l}, a_{21}, a_{22}, a_{23}, \dots, a_{2m}, \dots, a_{i1}, a_{i2}, a_{i3}, \dots, a_{ip}, b_1, b_2, b_3, \dots, b_n\} = A$.
For example, for a service system with q service accounts, the combination may be Y = [{male}, {female}], or Y = [{male, network class one, English, higher mathematics}, {female, network class one, English, higher mathematics}, {male, network class one, English, computer network}, {female, network class one, English, computer network}, {male, network class two, higher mathematics}, {female, network class two, higher mathematics}, ...].
When Y = [{male}, {female}]: neither {male} nor {female} contains mutually exclusive attributes; the total number of accounts corresponding to {male} and {female} is q; and the number of attributes used, 2, is no more than the number of attributes of the service system.
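The three conditions on a service attribute information combination (plus the bound that its attributes are a subset of the system's), checked in code as an added example that is not the patent's own; the attribute groups and accounts are constructed, and account coverage is computed as a set union so that an account matched by several pieces is counted once, as the 8 + 5 - 3 example requires.

```python
"""Checking a service attribute information combination Y = [A_1, ..., A_k] against the
text's conditions: no piece contains mutually exclusive attributes, every service account
is covered (each account counted once), at least one piece corresponds to more than one
account, and the attributes used are a subset of the system's attributes.

Added example; not the patent's code. The attribute groups and accounts are constructed.
"""

# Constructed service system attributes of a course selection system.
EXCLUSIVE_GROUPS = [{"male", "female"}, {"net-class-1", "net-class-2"}]
NON_EXCLUSIVE = {"higher-math", "english", "computer-network"}
ALL_ATTRIBUTES = set().union(*EXCLUSIVE_GROUPS) | NON_EXCLUSIVE

# Constructed service accounts and the attributes each one holds.
ACCOUNTS = {
    "u1": {"male", "net-class-1", "higher-math", "english"},
    "u2": {"female", "net-class-1", "higher-math", "computer-network"},
    "u3": {"male", "net-class-2", "higher-math"},
    "u4": {"female", "net-class-2", "english"},
}


def contains_exclusive_pair(info, groups):
    """True if one piece of service attribute information holds two attributes of one group."""
    return any(len(info & group) > 1 for group in groups)


def matching_accounts(info, accounts):
    """Service accounts that hold every attribute of the piece."""
    return {acct for acct, attrs in accounts.items() if info <= attrs}


def validate_combination(combo, groups, accounts, all_attributes):
    """Return (is_correct, problems) for a candidate combination."""
    problems = []
    for info in combo:
        if contains_exclusive_pair(info, groups):
            problems.append(f"mutually exclusive attributes in {sorted(info)}")
    used = set().union(*combo) if combo else set()
    if not used <= all_attributes:
        problems.append(f"unknown attributes {sorted(used - all_attributes)}")
    matches = [matching_accounts(info, accounts) for info in combo]
    covered = set().union(*matches) if matches else set()  # each account counted once
    if covered != set(accounts):
        problems.append(f"uncovered accounts {sorted(set(accounts) - covered)}")
    if not any(len(m) > 1 for m in matches):
        problems.append("no piece corresponds to more than one account")
    return not problems, problems


if __name__ == "__main__":
    for combo in ([{"male"}, {"female"}],
                  [{"male", "female"}],
                  [{"net-class-1"}],
                  [{"net-class-1"}, {"net-class-2", "english"}, {"male", "higher-math"}]):
        print(combo, validate_combination(combo, EXCLUSIVE_GROUPS, ACCOUNTS, ALL_ATTRIBUTES))
```

[{male}, {female}] passes; [{male, female}] fails all three conditions at once because no account can hold both attributes; [{network class one}] fails only coverage, since the class-two accounts match no piece.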
For a service system with q service accounts, some piece of service attribute information in the combination corresponds to several service accounts; let their number be w. An internal association threshold L is preset by the operator according to the number of accounts in the system, the specific analysis requirements and so on. For instance, when analyzing the students who selected course A, L is larger when more students selected course A, and smaller otherwise.
When (when)When these service accounts are considered to be related.
For example, in a school the number of students is greater than the number of teachers, so L is larger when analyzing students.
Suppose the service attribute information of a service system is [student, teacher]. Taking "student" as the association attribute, all students would be associated if the internal association threshold L were ignored, which has little practical meaning. Taking L into account, the result is "unrelated": relatedness cannot be judged from the attribute "student" alone.
Taking {male, network class one, English, higher mathematics} as the association relation corresponds in practice to the students of one class. After the threshold L (smaller here) is applied, the result is still "related", which matches reality.
When the two service systems have the same service system attribute, the service accounts corresponding to the two service systems may be related.
Let service system C have the attribute set $\{e_1, e_2, e_3, \dots, e_j, c_1, c_2, c_3, \dots, c_q\}$ and service system D the attribute set $\{e_1, e_2, e_3, \dots, e_j, d_1, d_2, d_3, \dots, d_r\}$, where j, q and r are positive integers. Here $e_1, e_2, e_3, \dots, e_j$ are the service system attributes common to both systems, while $c_1, c_2, c_3, \dots, c_q$ and $d_1, d_2, d_3, \dots, d_r$ are the attributes specific to C and to D respectively. Every attribute is assigned a value in advance, and the assignment depends on the property the attribute belongs to: "male" and "female" both belong to the property "gender", so they receive the same value; "male" and "network" belong to different properties, so they receive different values. In what follows the value assigned to attribute $e_1$ is also written $e_1$, and so on, so that the values of attributes $e_g$ and $e_{g+1}$ are $e_g$ and $e_{g+1}$ respectively.
An associated attribute set and an associated attribute threshold M are preset. The associated attributes are some or all of the service system attributes common to the two systems, $\{e_g, e_{g+1}, \dots\} \subseteq \{e_1, e_2, e_3, \dots, e_j\}$, where g is a positive integer. M is chosen according to the strength of correlation and the accuracy required. If it is enough for two accounts in the two service systems to both belong to men over 20 years old to count as related, M is set low; if the two accounts must belong to men aged 20, in the same class, with the same surname before they count as related, M is set high.
If a service account carries several service system attributes and these include the associated attributes, the associated attributes are said to be associated with that account. Through the associated attributes the related service account can then be located in each system. Suppose service account c in system C carries the attributes $\{e_1, e_2, e_3, \dots, e_s, c_1, c_2, c_3, \dots, c_t\}$, with $s \le j$ and $t \le q$. If this set contains the associated attributes, that is $\{e_g, e_{g+1}, \dots\} \subseteq \{e_1, e_2, e_3, \dots, e_s, c_1, c_2, c_3, \dots, c_t\}$, then the associated attributes are associated with service account c.
Similarly, the service account t in system D that is associated with the associated attributes can be found; it carries the attributes $\{e_1, e_2, e_3, \dots, e_s, d_1, d_2, d_3, \dots, d_u\}$, with $s \le j$, $u \le r$ and $\{e_g, e_{g+1}, \dots\} \subseteq \{e_1, e_2, e_3, \dots, e_s, d_1, d_2, d_3, \dots, d_u\}$.
Note that the attribute sets of service account c and service account t both contain the associated attributes $\{e_g, e_{g+1}, \dots\}$. The two accounts may also share common attributes beyond the associated ones; for example, both may carry the common service system attributes $\{e_1, e_2, e_3, \dots, e_s\}$, where $\{e_g, e_{g+1}, \dots\} \subseteq \{e_1, e_2, e_3, \dots, e_s\}$.
Let service system C contain the attributes $\{e_1, e_2, e_3, \dots, e_j, c_1, c_2, c_3, \dots, c_q\}$ with the corresponding attribute weights $e_1', e_2', e_3', \dots, e_j', c_1', c_2', c_3', \dots, c_q'$.
Let service system D contain the attributes $\{e_1, e_2, e_3, \dots, e_j, d_1, d_2, d_3, \dots, d_r\}$ with the corresponding attribute weights $e_1', e_2', e_3', \dots, e_j', d_1', d_2', d_3', \dots, d_r'$.
The weights $e_1', \dots, e_j', c_1', \dots, c_q'$ and $e_1', \dots, e_j', d_1', \dots, d_r'$ are preset by the operator, for example according to the importance of each attribute, or according to the percentage of all service accounts that carry the attribute.
When $e_g e_g' + e_{g+1} e_{g+1}' + \cdots \ge M$, the two accounts are judged to be related; otherwise they are judged to be unrelated.
For example, in a high school most students take the Advanced Mathematics course and only a few take a particular specialised course, so in both the course-selection system and the grade system the weight of the Advanced Mathematics attribute is small and the weight of the specialised course is large.
If Advanced Mathematics is used as the associated attribute and the weights are ignored, most accounts in the course-selection system and most accounts in the grade system carry it, so a correspondence is found between almost all of them. Most of those students may not actually know each other, or know each other only because they attend the same Advanced Mathematics lectures, so without the weights no genuine personal relationship can be obtained. Once the weight is taken into account the result is "unrelated": the Advanced Mathematics attribute alone cannot establish a relationship between two accounts.
When a particular specialised course is used as the associated attribute, few students take it, so in practice they are likely to be in the same class or the same major. With the weight taken into account the result is still "related", which matches the real situation.
As an illustration, suppose we want to determine which accounts were registered by the same student, using the service system attributes.
1) Determine several key attributes, such as name, gender and class.
2) Preset the value of M according to the actual requirement.
Because the accuracy required of this judgment is very high, a high value is preset for the associated attribute threshold M.
3) Judge using the key attributes individually, or after combining them.
The "name" attribute is important: few accounts share the same name, so its weight is large. Attributes such as "gender", "class" and "age" are of ordinary importance. Judging with "gender", "class", "age" and the like, individually or in combination, gives "unrelated", and no determination can be made.
Judging with "name" gives "related".
4) Refine the judgment further.
To allow for duplicate names, M is set to a higher value and "name" is combined with several other attributes to judge whether two accounts are related; related accounts are then taken to have been registered by the same student.
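The cross-system judgment described above (the weighted sum of the associated attributes against the threshold M, and the Advanced Mathematics / specialised course / name illustration) carried out in code. This is an added example, not code from the patent: the sample accounts, the per-property value assignment, the rarity-based weight rule and the M values are constructed assumptions, and it goes slightly beyond the text by scoring every account pair across the two systems instead of one pair at a time.

```python
"""Cross-system account correlation by weighted associated attributes.

Added example, not code from the patent. Assumptions: the value e_g of an
attribute is a per-property code (all "gender" attributes share one code),
the weight e_g' of an attribute is derived from how rare it is across all
accounts, and the threshold M is chosen by the operator.
"""
from collections import Counter
from typing import Dict, List, Tuple

Attrs = Dict[str, str]            # attribute name -> attribute value
Token = Tuple[str, str]           # one concrete attribute, e.g. ("gender", "male")

# Constructed sample data: the course-selection system C and the grade
# system D, with account names that differ between the two systems.
COURSE_SYSTEM: Dict[str, Attrs] = {
    "cs_001": {"name": "Zhang San", "gender": "male", "class": "2-1", "course": "Advanced Mathematics"},
    "cs_002": {"name": "Li Si", "gender": "male", "class": "2-1", "course": "Advanced Mathematics"},
    "cs_003": {"name": "Wang Wu", "gender": "female", "class": "2-2", "course": "Advanced Mathematics"},
    "cs_004": {"name": "Zhao Liu", "gender": "male", "class": "2-3", "course": "Cryptography"},
}
GRADE_SYSTEM: Dict[str, Attrs] = {
    "gr_a": {"name": "Zhang San", "gender": "male", "class": "2-1", "course": "Advanced Mathematics"},
    "gr_b": {"name": "Li Si", "gender": "male", "class": "2-1", "course": "Advanced Mathematics"},
    "gr_c": {"name": "Zhao Liu", "gender": "male", "class": "2-3", "course": "Cryptography"},
    "gr_d": {"name": "Sun Qi", "gender": "female", "class": "2-2", "course": "Advanced Mathematics"},
}

# Assumed per-property value assignment (e_g in the text): attributes of the
# same property get the same value, attributes of different properties differ.
PROPERTY_VALUE = {"name": 3.0, "class": 2.0, "course": 2.0, "gender": 1.0}


def token_weights(*systems: Dict[str, Attrs]) -> Dict[Token, float]:
    """Weight e_g' for every concrete attribute seen in the given systems.

    Assumed rule: weight = 1 - (share of accounts carrying the attribute),
    so an attribute almost everyone has (Advanced Mathematics) weighs little
    and a rare one (a specific name, a specialised course) weighs a lot.
    """
    counts: Counter = Counter()
    total = 0
    for system in systems:
        for attrs in system.values():
            total += 1
            counts.update(attrs.items())
    return {token: 1.0 - n / total for token, n in counts.items()}


def association_score(a: Attrs, b: Attrs, associated: List[str],
                      weights: Dict[Token, float]) -> float:
    """e_g*e_g' + e_{g+1}*e_{g+1}' + ... over the associated attributes.

    An associated attribute contributes only when both accounts carry it
    with the same value; a mismatch or a missing attribute contributes 0.
    """
    score = 0.0
    for name in associated:
        if name in a and name in b and a[name] == b[name]:
            score += PROPERTY_VALUE[name] * weights[(name, a[name])]
    return score


def related_accounts(system_c: Dict[str, Attrs], system_d: Dict[str, Attrs],
                     associated: List[str], m: float) -> List[Tuple[str, str]]:
    """All (account in C, account in D) pairs whose score reaches M."""
    weights = token_weights(system_c, system_d)
    pairs = []
    for c_id, c_attrs in system_c.items():
        for d_id, d_attrs in system_d.items():
            if association_score(c_attrs, d_attrs, associated, weights) >= m:
                pairs.append((c_id, d_id))
    return pairs


if __name__ == "__main__":
    # Advanced Mathematics alone is shared by most accounts and never reaches M;
    # only the rare Cryptography course links a pair.
    print(related_accounts(COURSE_SYSTEM, GRADE_SYSTEM, ["course"], 1.0))
    # Gender and class alone give several candidates per account: no decision.
    print(related_accounts(COURSE_SYSTEM, GRADE_SYSTEM, ["gender", "class"], 1.0))
    # Name combined with class and gender under a high M: one match per student.
    print(related_accounts(COURSE_SYSTEM, GRADE_SYSTEM, ["name", "class", "gender"], 3.0))
```

With the constructed data, the Advanced Mathematics attribute carries weight 0.25 and the Cryptography attribute 0.75; the first call therefore returns only the Cryptography pair, the second returns six candidate pairs (two per account in class 2-1, so no decision), and the third returns exactly one grade-system account for each of three course-selection accounts.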
When drawing the user role layer topology, all service systems in the network are obtained first. Within each service system, related service accounts are connected to each other (the first account relationship), and related service accounts in different service systems are connected to each other (the second account relationship).
Note that during actual drawing a node carrying the virtual information of each service system may also be created in the user role layer (for convenience in later aggregation and viewing). Each service system then serves as a centre, and all service accounts in that system are connected to the system's virtual-information node.
Steps 101, 102 and 103 do not imply a sequential order; they may be performed simultaneously or in any order.
104. Aggregate the physical device layer topology and the service application layer topology to generate the first network.
The local area network service system data include the deployment conditions of the service systems, that is, the IP addresses of each service system node and each access node of the service application layer.
The application aggregates in the following way:
the IP addresses of each service system node and each access node of the service application layer are obtained; when a service system node or an access node has the same IP address as a physical device in the physical device layer, that node is connected to the physical device. Once all service system nodes and access nodes have been connected to their physical devices, the first network has been generated.
Further, the application also updates the service application layer topology.
The update proceeds as follows:
the data traffic in the physical device layer is analysed; when two physical devices each host a service system and the traffic between them exceeds the normal range, an access relationship exists between the two service systems;
if an access relationship exists between the two service systems, the service application layer topology is updated according to it.
The update rule is: if the two service systems are already connected in the original topology, nothing changes; if they are not connected, the service system nodes corresponding to the two systems are connected. The traffic between every pair of physical devices hosting service systems is checked in turn until the update is complete.
105. Aggregate the service application layer topology and the drawn user role layer topology to generate the second network;
The user role layer may be drawn using the service accounts alone, and the application aggregates in the following way:
obtain the IP address associated with a service account in a given service system, and obtain the IP address of the corresponding access node in that service system;
connect the service account in the user role layer with the access node in the service application layer that has the same IP address;
once the service accounts in all service systems have been connected to their access nodes, the second network has been generated.
Note that the service system virtual-information node of the user role layer may also be connected to the corresponding service system node in the service application layer.
Note that steps 104 and 105 do not imply a sequential order; they may be performed simultaneously or in any order.
106. Combine the first network and the second network to generate the topological structure diagram of the three-layer network situation.
The first network and the second network both contain the service application layer topology, and they are combined by merging on this common part.
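Steps 104 to 106 above, including the traffic-based update of the service application layer, carried out end to end in code. This is an added example and not the patent's own implementation: the device, system, access-log, account and flow data are constructed, the access-node naming (one node per client IP) and the edge representation are my choices, and the "normal range" is taken to be a fixed byte threshold.

```python
"""Aggregating the physical, service-application and user-role layers.

Added example, not code from the patent. The node naming, the edge
representation, the sample devices, systems, log entries, accounts and
flow volumes, and the "normal range" traffic limit are all constructed
assumptions.
"""
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str]

# --- constructed sample data -------------------------------------------
# Physical device layer: device name -> IP address, plus physical links.
PHYSICAL_DEVICES: Dict[str, str] = {
    "srv-course": "10.0.1.10", "srv-grade": "10.0.1.11",
    "pc-lab-07": "10.0.5.7", "pc-lab-08": "10.0.5.8",
}
PHYSICAL_LINKS: List[Edge] = [("srv-course", "pc-lab-07"), ("srv-grade", "pc-lab-08")]

# Service application layer: service system node -> IP it is deployed on,
# and (system, client IP) rows taken from the system access logs.
SERVICE_SYSTEMS: Dict[str, str] = {"CourseSelection": "10.0.1.10", "GradeSystem": "10.0.1.11"}
ACCESS_LOG: List[Tuple[str, str]] = [
    ("CourseSelection", "10.0.5.7"), ("GradeSystem", "10.0.5.7"), ("GradeSystem", "10.0.5.8"),
]
KNOWN_SYSTEM_LINKS: List[Edge] = []   # no interface / call / link known in advance

# User role layer: (system, account) -> IP the account was used from.
ACCOUNT_IPS: Dict[Tuple[str, str], str] = {
    ("CourseSelection", "cs_001"): "10.0.5.7",
    ("GradeSystem", "gr_a"): "10.0.5.7",
    ("GradeSystem", "gr_d"): "10.0.5.8",
}

# Physical-layer traffic between device pairs (bytes) and the assumed
# upper bound of the "normal range".
FLOWS: Dict[Edge, int] = {("srv-course", "srv-grade"): 5_000_000}
NORMAL_TRAFFIC_BYTES = 1_000_000


def access_nodes(log: List[Tuple[str, str]]) -> Tuple[Set[Edge], Dict[str, str]]:
    """Derive access nodes from the access log: one node per client IP
    ("access:<ip>"). Returns the system-to-node edges and the node -> IP map."""
    edges: Set[Edge] = set()
    ips: Dict[str, str] = {}
    for system, ip in log:
        node = f"access:{ip}"
        ips[node] = ip
        edges.add((system, node))
    return edges, ips


def first_network(devices: Dict[str, str], physical_links: List[Edge],
                  systems: Dict[str, str], access_ips: Dict[str, str]) -> Set[Edge]:
    """Step 104: connect each service/access node to the device with the same IP."""
    by_ip = {ip: dev for dev, ip in devices.items()}
    edges: Set[Edge] = set(physical_links)
    for node, ip in list(systems.items()) + list(access_ips.items()):
        if ip in by_ip:
            edges.add((node, by_ip[ip]))
    return edges


def update_by_traffic(service_edges: Set[Edge], systems: Dict[str, str],
                      devices: Dict[str, str], flows: Dict[Edge, int],
                      limit: int) -> Set[Edge]:
    """Traffic above the normal range between two devices that each host a
    service system implies an access relation between those systems."""
    by_ip = {ip: dev for dev, ip in devices.items()}
    dev_system = {by_ip[ip]: system for system, ip in systems.items() if ip in by_ip}
    edges = set(service_edges)
    for (dev_a, dev_b), volume in flows.items():
        if volume > limit and dev_a in dev_system and dev_b in dev_system:
            pair = (dev_system[dev_a], dev_system[dev_b])
            if pair not in edges and pair[::-1] not in edges:   # unchanged if already linked
                edges.add(pair)
    return edges


def second_network(account_ips: Dict[Tuple[str, str], str], access_ips: Dict[str, str],
                   system_access: Set[Edge]) -> Set[Edge]:
    """Step 105: connect an account to the access node of its own system
    that carries the same IP."""
    edges: Set[Edge] = set()
    for (system, account), ip in account_ips.items():
        for node, node_ip in access_ips.items():
            if node_ip == ip and (system, node) in system_access:
                edges.add((f"{system}/{account}", node))
    return edges


def three_layer_topology() -> Set[Edge]:
    """Step 106: merge the first and second network on their common part,
    the service application layer."""
    system_access, access_ips = access_nodes(ACCESS_LOG)
    service_layer = update_by_traffic(set(KNOWN_SYSTEM_LINKS) | system_access,
                                      SERVICE_SYSTEMS, PHYSICAL_DEVICES,
                                      FLOWS, NORMAL_TRAFFIC_BYTES)
    first = first_network(PHYSICAL_DEVICES, PHYSICAL_LINKS, SERVICE_SYSTEMS, access_ips) | service_layer
    second = second_network(ACCOUNT_IPS, access_ips, system_access) | service_layer
    return first | second


if __name__ == "__main__":
    for edge in sorted(three_layer_topology()):
        print(" -- ".join(edge))
```

The merged graph has 13 edges: the two physical links, the three system-to-access-node edges from the log, the CourseSelection to GradeSystem edge added because the flow between their hosts exceeds the limit, the four node-to-device edges of the first network and the three account-to-access-node edges of the second. Because the account side of step 105 is restricted to access nodes already attached to the account's own system, an account is never connected to an access node of a system it does not belong to even when the IP coincides.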
Further, according to actual needs, different service attribute information may be set and topology diagrams of different three-layer network situations generated. A study of the relationships between researchers would focus on attributes such as "friend" and "class"; a study of learning objectives would focus on attributes such as the different courses. Different concerns produce topologies of different three-layer network situations.
By way of example, a user who uses the same account name in different service systems is easy to link across them. The user Li Si uses different account names in different service systems, but when service attribute information such as the same class or the same course is set and combined with the fact that the accounts use the same access node, the different accounts in the different systems are more likely to be found. The users Wang Er and Li Si use the same access node, but when different service attribute information is set the analysis shows them to be unrelated, so it can be concluded that different users logged in from the same device.
When friend, class and similar attributes are used as the service attribute information, the social relationships between user accounts can be obtained. Combining several kinds of service attribute information may change the result: an account that appears unrelated to a number of other accounts may turn out to be related to them once friend information is added to the analysis.
The node information and link information of the three-layer situation topology diagram can be stored and visualised.
The node and link information of the three-layer network is stored in a Neo4j database with a query interface for network elements (nodes/links); on a B/S architecture, the interactive visualisation of the campus three-layer network is implemented in the R language together with an interactive web page development framework.
Besides the graph database Neo4j, conventional relational databases (e.g. Oracle, DB2, MySQL, Microsoft SQL Server) can also be used as the network element store, given a suitable storage schema.
Besides R as the display scheme for the network topology visualisation, JavaScript network visualisation controls can also be used as the supporting scheme.
The invention also discloses a multi-layer network topology relation construction system for a local area network, which comprises:
The acquisition module is used for acquiring local area network data, wherein the local area network data comprises local area network physical equipment data, local area network service system data and local area network user data;
the physical equipment layer drawing module is used for drawing the physical equipment layer network topology by utilizing the local area network physical equipment data;
The business application layer drawing module is used for drawing a business application layer network topology by utilizing the data of the local area network business system;
The user role layer drawing module is used for drawing a user role layer network topology by using the local area network user data;
The first network aggregation module is used for aggregating the physical equipment layer network topology and the business application layer network topology to generate a first network;
The second network aggregation module is used for aggregating the service application layer network topology and the user role layer network topology to generate a second network;
And the generating module is used for combining the first network and the second network to generate a topological structure diagram of the three-layer network situation.
The application also discloses a multi-layer network topology relation construction device for a local area network, comprising a memory storing executable program code and a processor coupled to the memory. The device may be applied to a construction system, for example a local server or a cloud server running the multi-layer network topology relation construction system for a local area network; the embodiment of the application does not limit this.
The processor invokes the executable program code stored in the memory to perform the steps of the multi-layer network topology relation construction method for a local area network described in the present application.
The application also discloses a computer-readable storage medium storing a computer program for electronic data exchange, wherein the computer program causes a computer to execute the steps in the multi-layer network topology relation construction method facing the local area network.
The application also discloses a computer program product comprising a non-transitory computer readable storage medium storing a computer program, and the computer program is operable to cause a computer to perform the steps of the method for constructing a multi-layer network topology relation towards a local area network described in the application.
The apparatus embodiments described above are merely illustrative, in which the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above detailed description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus the necessary general hardware platform, or of course by means of hardware. Based on such understanding, the foregoing technical solutions may be embodied essentially or in part in the form of a software product that may be stored in a computer-readable storage medium including read-only memory (ROM), random-access memory (RAM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), one-time programmable read-only memory (OTPROM), electrically erasable rewritable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disc memory, magnetic disk memory, tape memory, or any other medium that is readable by a computer and can be used to carry or store data.
The invention provides a multi-layer network topology relation construction method and system for a local area network. Taking a typical campus network situation as the example, it represents the running state of the whole campus network comprehensively from three layers: the physical device layer, the service application layer and the user role layer. The physical device layer topology is used to analyse the interconnection of the network devices across the campus and serves as the basic support for daily operation and maintenance; the service application layer topology is used to monitor the operating state of the various service systems at the application level and to detect abnormal access in time; the user role layer topology is used to construct the access relationships and social relationships between network user accounts and to give early warning of abnormal behaviour that may exist in related accounts. The method can provide important support for network security situation analysis and decision support.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (6)

1. A method for constructing a multi-layer network topology for a local area network, the method comprising:
Acquiring local area network data;
aggregating local area network data to generate a local area network topological relation;
the local area network topological relation comprises a first network and a second network;
Combining the first network and the second network to generate a topological structure diagram of a three-layer network situation;
a plurality of service systems are arranged in the local area network;
a plurality of service accounts are arranged in the service system;
The service system comprises a plurality of service system attributes, and a plurality of service system attributes are combined to form service attribute information;
Judging the correlation of any plurality of service accounts in the same service system to obtain a system correlation judgment result, comprising the following steps:
Selecting a plurality of service system attributes to be respectively combined to form a service attribute information combination;
judging whether the service attribute information combination is a correct combination or not;
When the judging result is correct combination;
presetting an internal association threshold L, and acquiring the number of service accounts corresponding to all service attribute information;
When the ratio of the number of service accounts corresponding to certain service attribute information in the service attribute information combination to the number of total service accounts is less than or equal to L, the service accounts are related, and the system correlation judgment result is related;
Judging that the service attribute information combination is a correct combination comprises the following steps:
judging whether any of the service attribute information in the combination contains mutually exclusive attributes;
when none does, judging whether the number of service accounts corresponding to some service attribute information is greater than 1;
when such information exists, judging whether the total number of service accounts corresponding to all the service attribute information is the same as the number of service accounts in the service system;
when they are the same, judging the combination to be a correct combination;
Judging the correlation of any two service accounts in different service systems to obtain a different-system correlation judgment result, comprising the following steps:
judging whether the two service systems have the same service system attributes;
when such attributes exist, presetting associated attributes, the associated attributes being part or all of the service system attributes shared by the two service systems;
Respectively finding two service account numbers related to the associated attribute in the two service systems;
Presetting an associated attribute threshold M, presetting a service system attribute weight, and assigning a service system attribute in advance;
When the product sum of each attribute value in the associated attribute and the attribute weight is greater than or equal to M, the two service accounts are related, and the different system correlation judgment result is related;
aggregating the physical device layer network topology and the service application layer network topology to generate a first network, comprising:
Obtaining IP addresses of each service system node and access node of a service application layer;
When the service system node or the access node is the same as the IP address of a certain physical device in the physical device layer;
connecting a service system node or an access node with the physical device;
Completing connection of all service system nodes or access nodes with physical equipment to generate a first network;
Aggregating the business application layer network topology and the drawn user role layer network topology to generate a second network, comprising:
obtaining the IP address corresponding to the service account number in a certain service system, obtaining the corresponding IP address of the access node in the service system,
Connecting the service account number in the user role layer with the access node in the service application layer with the same IP address,
Completing connection of service accounts in all service systems and access nodes, and generating a second network;
After aggregating the physical device layer network topology and the service application layer network topology to generate the first network, the method further includes:
When two physical devices are respectively provided with a service system and traffic exceeding a normal range exists between the two physical devices;
Then there is access relation between the two corresponding service systems, and the service application layer network topology is updated according to the access relation.
2. The method for constructing a multi-layer network topology for a local area network of claim 1, wherein,
The local area network data comprises: local area network physical equipment data, local area network service system data and local area network user data;
the aggregation of local area network data to generate a local area network topological relation comprises the following steps:
drawing a physical equipment layer network topology by using local area network physical equipment data;
drawing a service application layer network topology by using local area network service system data;
Drawing a user role layer network topology by using local area network user data;
Aggregating the physical equipment layer network topology and the business application layer network topology to generate a first network;
And aggregating the service application layer network topology and the user role layer network topology to generate a second network.
3. The method for constructing a multi-layer network topology for a local area network of claim 2, wherein,
The service application layer network topology comprises a plurality of system-to-system relationships and a plurality of system-to-node relationship sets;
the local area network service system data comprises service system basic information and a system access log;
The drawing of the service application layer network topology by using the local area network service system data comprises the following steps:
obtaining service system nodes according to the basic information of the service system;
According to the system access log, an access node is obtained;
Judging the access relation between any two business systems to obtain a system access judgment result;
When the system access judgment result is that an access relation exists, connecting service system nodes corresponding to two service systems to obtain a system-to-system relation;
And determining any service system and a corresponding access node, and connecting the corresponding service system node and the corresponding access node to obtain the relation between the system and the node.
4. The method for constructing a multi-layer network topology for a local area network as recited in claim 3, wherein,
Judging the access relation between any two business systems to obtain a system access judgment result, wherein the method comprises the following steps:
judging whether an access interface exists between the two service systems; if so, the two service systems have an access relationship;
judging whether a function call exists between the two service systems; if so, the two service systems have an access relationship;
judging whether an access link exists between the interfaces of the two service systems; if so, the two service systems have an access relationship.
5. The method for constructing a multi-layer network topology for a local area network of claim 4, wherein,
The user role layer network topology comprises a plurality of first account relationships and a plurality of second account relationships;
the drawing of the user role layer network topology using the local area network user data includes:
judging the correlation of any plurality of service accounts in the same service system to obtain a system correlation judgment result;
when the system correlation judgment result is "related", connecting the service accounts to obtain a first account relationship;
judging the correlation of any two service accounts in different service systems to obtain a different-system correlation judgment result;
and when the different-system correlation judgment result is "related", connecting the two service accounts to obtain a second account relationship.
6. A multi-layer network topology construction system for a local area network, the system comprising:
the acquisition module is used for acquiring local area network data;
the aggregation module is used for aggregating local area network data and generating a local area network topological relation;
the local area network topological relation comprises a first network and a second network;
the generation module is used for combining the first network and the second network to generate a topological structure diagram of a three-layer network situation;
a plurality of service systems are arranged in the local area network;
a plurality of service accounts are arranged in the service system;
The service system comprises a plurality of service system attributes, and a plurality of service system attributes are combined to form service attribute information;
Judging the correlation of any plurality of service accounts in the same service system to obtain a system correlation judgment result, comprising the following steps:
Selecting a plurality of service system attributes to be respectively combined to form a service attribute information combination;
judging whether the service attribute information combination is a correct combination or not;
When the judging result is correct combination;
presetting an internal association threshold L, and acquiring the number of service accounts corresponding to all service attribute information;
When the ratio of the number of service accounts corresponding to certain service attribute information in the service attribute information combination to the number of total service accounts is less than or equal to L, the service accounts are related, and the system correlation judgment result is related;
Judging that the service attribute information combination is a correct combination comprises the following steps:
judging whether any of the service attribute information in the combination contains mutually exclusive attributes;
when none does, judging whether the number of service accounts corresponding to some service attribute information is greater than 1;
when such information exists, judging whether the total number of service accounts corresponding to all the service attribute information is the same as the number of service accounts in the service system;
when they are the same, judging the combination to be a correct combination;
Judging the correlation of any two service accounts in different service systems to obtain a different-system correlation judgment result, comprising the following steps:
judging whether the two service systems have the same service system attributes;
when such attributes exist, presetting associated attributes, the associated attributes being part or all of the service system attributes shared by the two service systems;
Respectively finding two service account numbers related to the associated attribute in the two service systems;
Presetting an associated attribute threshold M, presetting a service system attribute weight, and assigning a service system attribute in advance;
When the product sum of each attribute value in the associated attribute and the attribute weight is greater than or equal to M, the two service accounts are related, and the different system correlation judgment result is related;
aggregating the physical device layer network topology and the service application layer network topology to generate a first network, comprising:
Obtaining IP addresses of each service system node and access node of a service application layer;
When the service system node or the access node is the same as the IP address of a certain physical device in the physical device layer;
connecting a service system node or an access node with the physical device;
Completing connection of all service system nodes or access nodes with physical equipment to generate a first network;
Aggregating the business application layer network topology and the drawn user role layer network topology to generate a second network, comprising:
obtaining the IP address corresponding to the service account number in a certain service system, obtaining the corresponding IP address of the access node in the service system,
Connecting the service account number in the user role layer with the access node in the service application layer with the same IP address,
Completing connection of service accounts in all service systems and access nodes, and generating a second network;
after aggregating the physical device layer network topology and the business application layer network topology, generating a first network,
When two physical devices are respectively provided with a service system and traffic exceeding a normal range exists between the two physical devices;
Then there is access relation between the two corresponding service systems, and the service application layer network topology is updated according to the access relation.
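The same-system judgment recited in claims 1 and 6 (the "correct combination" check followed by the internal association threshold L), as an added example rather than code from the patent. The sample accounts are constructed, and the reading of the claim wording is mine: a piece of service attribute information is a conjunction of attributes, a combination is a list of such pieces, and the combination is correct when no piece contradicts itself, at least one piece matches more than one account, and the pieces together account for every service account of the system.

```python
"""Intra-system account correlation with the internal association threshold L.

Added example, not code from the patent. Interpretation of the claims
(my reading): a piece of service attribute information is a conjunction of
(attribute, value) tokens; a combination is a list of such pieces; the
combination is "correct" when no piece holds two values of one attribute,
some piece matches more than one account, and the match counts sum to the
number of accounts in the system. Accounts sharing a piece held by at most
a fraction L of all accounts are then related.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

Token = Tuple[str, str]          # (attribute name, attribute value)
Info = FrozenSet[Token]          # one piece of service attribute information

# Constructed sample data: six accounts of one course-selection system.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "cs_001": {"gender": "male", "course": "Advanced Mathematics"},
    "cs_002": {"gender": "male", "course": "Advanced Mathematics"},
    "cs_003": {"gender": "female", "course": "Advanced Mathematics"},
    "cs_004": {"gender": "female", "course": "Advanced Mathematics"},
    "cs_005": {"gender": "male", "course": "Cryptography"},
    "cs_006": {"gender": "female", "course": "Cryptography"},
}

# Three candidate combinations: one correct, one self-contradicting
# (a piece demanding both genders), one that does not cover all accounts.
BY_COURSE: List[Info] = [frozenset({("course", "Advanced Mathematics")}),
                         frozenset({("course", "Cryptography")})]
SELF_CONTRADICTING: List[Info] = [frozenset({("gender", "male"), ("gender", "female")})]
INCOMPLETE: List[Info] = [frozenset({("course", "Advanced Mathematics")})]


def matching_accounts(info: Info, accounts: Dict[str, Dict[str, str]]) -> List[str]:
    """Accounts that carry every attribute of the given piece of information."""
    return sorted(acc for acc, attrs in accounts.items()
                  if all(attrs.get(name) == value for name, value in info))


def has_mutually_exclusive(info: Info) -> bool:
    """Two different values of one attribute (male and female) cannot both hold."""
    names = [name for name, _ in info]
    return len(names) != len(set(names))


def is_correct_combination(combo: List[Info], accounts: Dict[str, Dict[str, str]]) -> bool:
    """The three checks of the claim, in the order the claim states them."""
    if any(has_mutually_exclusive(info) for info in combo):
        return False
    counts = [len(matching_accounts(info, accounts)) for info in combo]
    if not any(count > 1 for count in counts):
        return False
    return sum(counts) == len(accounts)


def related_pairs(combo: List[Info], accounts: Dict[str, Dict[str, str]],
                  threshold_l: float) -> List[Tuple[str, str]]:
    """Pairs of accounts sharing a piece of information whose share of all
    accounts is <= L; an incorrect combination yields no relationships."""
    if not is_correct_combination(combo, accounts):
        return []
    total = len(accounts)
    pairs: List[Tuple[str, str]] = []
    for info in combo:
        members = matching_accounts(info, accounts)
        if len(members) / total <= threshold_l:
            pairs.extend(combinations(members, 2))
    return pairs


if __name__ == "__main__":
    # Only the rare Cryptography course (2 of 6 accounts) falls under L = 0.34.
    print(related_pairs(BY_COURSE, ACCOUNTS, 0.34))
    print(is_correct_combination(SELF_CONTRADICTING, ACCOUNTS), is_correct_combination(INCOMPLETE, ACCOUNTS))
```

Raising L to 0.7 also admits the Advanced Mathematics group (4 of 6 accounts), which links every pair of students in that course; this is the same trade-off the description makes for the cross-system threshold M, where a widely shared attribute produces many correspondences of little value.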
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211073999.3A CN115442139B (en) 2022-09-02 2022-09-02 Multi-layer network topology relation construction method and system for local area network
Publications (2)

Publication Number Publication Date
CN115442139A (en) 2022-12-06
CN115442139B (en) 2024-04-19

Family

ID=84246615



Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116074322B (en) * 2023-04-06 2023-06-02 中国人民解放军国防科技大学 High-throughput task scheduling method, system and medium based on intelligent message segmentation




Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant