CN115883320A - Network equipment abnormity analysis method and device, electronic equipment and readable storage medium
- Publication number
- CN115883320A, CN202111134740.0A
- Authority
- CN
- China
- Prior art keywords
- network
- entity
- knowledge graph
- detected
- abnormal
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Abstract
The application provides a network equipment abnormality analysis method and device, electronic equipment and a readable storage medium. The method comprises the steps of obtaining a configuration file of the network equipment to be detected; constructing a knowledge graph corresponding to the network equipment to be detected according to the configuration file of the network equipment to be detected; responding to the comparison instruction, and comparing the knowledge graph corresponding to the network equipment to be detected with the standard knowledge graph to obtain an abnormal network entity and an abnormal event entity in the configuration file of the network equipment to be detected; the standard knowledge graph is constructed by configuration files of a plurality of network devices, and the network device to be detected and the plurality of network devices are in the same network; the knowledge graph and the standard knowledge graph are both composed of a network entity and an event entity, and the event entity is connected with the network entity; the types of network entities include at least network devices, interfaces, protocols, and services. The method can discover the potential fault risk of the network equipment in advance so as to improve the operation safety of the network equipment.
Description
Technical Field
The present disclosure relates to network device failure analysis technologies, and in particular, to a method and an apparatus for analyzing network device anomalies, an electronic device, and a readable storage medium.
Background
A network device is a physical entity, such as a computer, hub, switch, bridge, router, gateway, etc., connected to a network. The operation state of the network device determines whether stable network service can be provided for the client, and therefore, the operation and maintenance of the network device are very important.
In existing operation and maintenance of network equipment, the cause of a failure is generally analyzed and resolved only after the network equipment has failed, so latent fault risks in the network equipment cannot be discovered and eliminated in advance. If such a latent fault is triggered while the network device is operating, the resulting sudden failure cannot be resolved in time and may cause unpredictable damage to the stability of the network device and the network service.
Therefore, how to discover and eliminate the potential failure risk of the network device in advance to improve the operation security of the network device is still a problem to be solved urgently.
Disclosure of Invention
The application provides a method and a device for analyzing network equipment abnormity, electronic equipment and a readable storage medium, which are used for discovering and eliminating potential fault risks of the network equipment in advance so as to improve the operation safety of the network equipment.
In one aspect, the present application provides a method for analyzing an anomaly of a network device, including:
acquiring a configuration file of the network equipment to be detected;
constructing a knowledge graph corresponding to the network equipment to be detected according to the configuration file of the network equipment to be detected;
receiving a comparison instruction;
responding to the comparison instruction, and comparing the knowledge graph corresponding to the network equipment to be detected with the standard knowledge graph to obtain an abnormal network entity and an abnormal event entity in the configuration file of the network equipment to be detected; the abnormal network entity is a network entity which generates an abnormal event, and the abnormal event entity is used for indicating the abnormal event generated by the abnormal network entity; the standard knowledge graph is constructed by configuration files of a plurality of network devices, and the network device to be detected and the plurality of network devices are in the same network;
the knowledge graph and the standard knowledge graph are both composed of a network entity and an event entity, and the event entity is connected with the network entity; the types of network entities include at least network devices, interfaces, protocols, and services.
Optionally, before comparing the knowledge graph corresponding to the network device to be detected with the standard knowledge graph, the method further includes:
acquiring configuration files of the plurality of network devices;
extracting a network entity and an event entity of each network device from the configuration files of the plurality of network devices, and extracting a common network entity and a common event entity from the configuration files of the plurality of network devices;
filling a center frame in a standard knowledge graph frame with a common network entity and a common event entity in a configuration file of any one network device to obtain a center knowledge graph, and filling an edge frame in the standard knowledge graph frame with a non-common network entity and a non-common event entity in the configuration file of each network device to obtain an edge knowledge graph; the central knowledge graph and all the edge knowledge graphs form the standard knowledge graph, and the standard knowledge graph framework is established by the connection relation of the network entity and the event entity.
Optionally, the populating an edge frame in the standard knowledge-graph frame with the non-common network entities and the non-common event entities in the configuration file of each network device to obtain an edge knowledge-graph includes:
and filling the non-common network entities and the non-common event entities in the configuration files of the network equipment belonging to the same equipment type in the plurality of network equipment into an edge frame of one area to obtain an edge knowledge graph corresponding to each type of network equipment.
Optionally, after obtaining the edge knowledge graph corresponding to each type of network device, the method further includes:
identifying an edge knowledge graph corresponding to each type of network equipment according to the equipment type;
the step of responding to the comparison instruction, comparing the knowledge graph corresponding to the network device to be detected with the standard knowledge graph, and obtaining the abnormal network entity and the abnormal event entity in the configuration file of the network device to be detected comprises:
responding to the comparison instruction, and determining an edge knowledge graph to which the knowledge graph corresponding to the network equipment to be detected belongs according to the equipment type of the network equipment to be detected and the equipment type identification of the edge knowledge graph; the edge knowledge graph and the central knowledge graph which the knowledge graph corresponding to the network equipment to be detected belongs to form a standard knowledge graph to be compared;
and comparing the knowledge graph corresponding to the network equipment to be detected with the standard knowledge graph to be compared to obtain an abnormal network entity and an abnormal event entity in the configuration file of the network equipment to be detected.
Optionally, after comparing the knowledge graph corresponding to the network device to be detected with the standard knowledge graph to obtain the abnormal network entity and the abnormal event entity in the configuration file of the network device to be detected, the method further includes:
acquiring a key abnormal network entity in the abnormal network entities and a key abnormal event entity in the abnormal event entities based on the connection relationship of the standard knowledge graph;
the key abnormal network entity is a network entity which is connected with the most abnormal event entities in the abnormal network entities;
the key abnormal event entity is an abnormal event which is connected with the most abnormal network entities in the abnormal event entities.
Optionally, the constructing a knowledge graph corresponding to the network device to be detected according to the configuration file of the network device to be detected includes:
and extracting a network entity and an event entity from the configuration file of the network equipment to be detected, and filling the extracted network entity and event entity into a knowledge graph frame to be detected to obtain a knowledge graph corresponding to the network equipment to be detected.
In another aspect, the present application provides a network device abnormality analysis apparatus, including:
the acquisition module is used for acquiring a configuration file of the network equipment to be detected;
the construction module is used for constructing a knowledge graph corresponding to the network equipment to be detected according to the configuration file of the network equipment to be detected;
the receiving module is used for receiving a comparison instruction;
the processing module is used for responding to the comparison instruction, comparing the knowledge graph corresponding to the network equipment to be detected with the standard knowledge graph to obtain an abnormal network entity and an abnormal event entity in the configuration file of the network equipment to be detected; the abnormal network entity is a network entity which generates an abnormal event, and the abnormal event entity is used for indicating the abnormal event generated by the abnormal network entity; the standard knowledge graph is constructed by configuration files of a plurality of network devices, and the network device to be detected and the plurality of network devices are in the same network;
the knowledge graph and the standard knowledge graph are both composed of a network entity and an event entity, and the event entity is connected with the network entity; the types of network entities include at least network devices, interfaces, protocols, and services.
In another aspect, the present application provides an electronic device comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer execution instructions;
the processor executes computer-executable instructions stored by the memory to implement the network device anomaly analysis method of the first aspect.
In another aspect, the present application provides a computer-readable storage medium, in which computer-executable instructions are stored, and when the instructions are executed, the instructions cause a computer to execute the network device abnormality analysis method according to the first aspect.
In another aspect, the present application provides a computer program product comprising a computer program, which when executed by a processor implements the network device anomaly analysis method according to the first aspect.
In the network equipment abnormity analysis method provided by the application, a relatively correct standard knowledge graph is constructed from the configuration files of a plurality of network devices that are in the same network as the network device to be detected. The knowledge graph constructed from the configuration file of the network device to be detected is then compared with the standard knowledge graph to obtain the abnormal network entities and abnormal event entities in that configuration file. These abnormal network entities and abnormal event entities are the latent faults of the network device, and the latent faults can be eliminated once they are corrected in the configuration file.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a schematic view of an application scenario of the network device anomaly analysis method provided in the present application.
Fig. 2 is a schematic flowchart of a method for analyzing an anomaly of a network device according to an embodiment of the present application.
Fig. 3 is a schematic diagram of an anomaly analysis method for a network device according to an embodiment of the present application.
Fig. 4 is a schematic flowchart of a method for analyzing an anomaly of a network device according to a second embodiment of the present application.
Fig. 5 is a schematic diagram of an abnormality analysis apparatus for network devices according to a third embodiment of the present application.
Fig. 6 is a schematic view of an electronic device according to a fourth embodiment of the present application.
Specific embodiments of the present disclosure have been shown by way of example in the drawings and will be described in more detail below. These drawings and written description are not intended to limit the scope of the disclosed concepts in any way, but rather to illustrate the concepts of the disclosure to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the disclosure, as detailed in the appended claims.
A network device is a physical entity, such as a computer, hub, switch, bridge, router, gateway, etc., connected to a network. The operation state of the network device determines whether stable network service can be provided for the client, and therefore, the operation and maintenance of the network device are very important.
In existing operation and maintenance of network equipment, the cause of a failure is generally analyzed and resolved only after the network equipment has failed, so latent fault risks in the network equipment cannot be discovered and eliminated in advance. If such a latent fault is triggered while the network device is operating, the resulting sudden failure cannot be resolved in time and may cause unpredictable damage to the stability of the network device and the network service.
Therefore, how to discover and eliminate the potential failure risk of the network device in advance to improve the operation security of the network device is still a problem to be solved.
Based on the above, the application provides a method and a device for analyzing the abnormality of a network device, an electronic device and a readable storage medium. A relatively correct standard knowledge graph is constructed from the configuration files of a plurality of network devices that are in the same network as the network device to be detected. The knowledge graph constructed from the configuration file of the network device to be detected is then compared with the standard knowledge graph to obtain the abnormal network entities and abnormal event entities in that configuration file. These abnormal network entities and abnormal event entities are the latent faults of the network device, and the latent faults can be eliminated once they are corrected in the configuration file.
The network equipment abnormity analysis method is applied to computer equipment such as a computer or a dedicated laboratory server. Fig. 1 is an application schematic diagram of the network device anomaly analysis method provided by the present application. The computer device receives configuration files sent by multiple network devices in the same network, extracts multiple network entities and multiple event entities from those configuration files, and constructs a standard knowledge graph that serves as a reference based on the extracted network entities and event entities. After receiving the configuration file sent by the network device to be detected, the computer device builds the knowledge graph corresponding to the network device to be detected from that configuration file. It then compares the knowledge graph corresponding to the network device to be detected with the standard knowledge graph to obtain the abnormal points in the knowledge graph corresponding to the network device to be detected, where the abnormal points comprise abnormal network entities and abnormal event entities.
Referring to fig. 2, an embodiment of the present application provides a method for analyzing an anomaly of a network device, including:
S210, acquiring a configuration file of the network equipment to be detected.
The configuration file of the network device stores almost all parameters and configurations required during the operation of the device to guide the network device to operate according to a given logic. The accuracy, reasonableness and completeness of the configuration file all determine whether the network device can always operate normally.
S220, constructing a knowledge graph corresponding to the network equipment to be detected according to the configuration file of the network equipment to be detected.
After the configuration file of the network equipment to be detected is obtained, the network entity and the event entity in the configuration file of the network equipment to be detected are extracted, and the knowledge graph of the configuration file of the network equipment to be detected is constructed based on the extracted network entity and event entity. The network entities, such as network devices, interfaces, protocols, services, etc., involved in the configuration file have associations, which are event entities. The network entities in the configuration files are used as nodes, the event entities in the configuration files are used as edges to construct the knowledge graph of the configuration files, and the constructed knowledge graph can effectively describe the logic relation between different network entities in the configuration files.
Specifically, a configuration file of the network device to be detected is obtained, a network entity and an event entity are extracted from the configuration file of the network device to be detected, and the extracted network entity and event entity are filled into a knowledge graph frame to be detected, so that a knowledge graph corresponding to the network device to be detected is obtained. The knowledge graph frame to be detected is summarized by the tester from the configuration rules the tester has mastered.
S230, receiving a comparison instruction.
The comparison instruction is triggered and generated on the computer equipment by a user, and after the construction of the knowledge graph corresponding to the network equipment to be detected is completed, the user can trigger and generate the comparison instruction on the computer equipment.
S240, responding to the comparison instruction, comparing the knowledge graph corresponding to the network equipment to be detected with the standard knowledge graph to obtain an abnormal network entity and an abnormal event entity in the configuration file of the network equipment to be detected; the abnormal network entity is a network entity which generates an abnormal event, and the abnormal event entity is used for indicating the abnormal event generated by the abnormal network entity; the standard knowledge graph is constructed by configuration files of a plurality of network devices, and the network device to be detected and the plurality of network devices are in the same network; the knowledge graph and the standard knowledge graph are both composed of a network entity and an event entity, and the event entity is connected with the network entity; the types of network entities include at least network devices, interfaces, protocols, and services.
When the standard knowledge graph is constructed, a tester can manually summarize the standard knowledge graph framework from the configuration rules the tester has mastered. When the standard knowledge graph framework is established, the interconnection relations between the network entities and the event entities in the framework are established from experience summarized during daily maintenance, and the framework is then filled with the network entities and event entities from the configuration files of the plurality of network devices.
Specifically, the computer device extracts the network entity and the event entity of each network device from the configuration files of the plurality of network devices, and then extracts, from the network entities and event entities of each network device, the common network entity and the common event entity of those configuration files. A central frame in the standard knowledge graph frame is filled with the common network entity and the common event entity in the configuration file of any one network device to obtain a central knowledge graph, and an edge frame in the standard knowledge graph frame is filled with the non-common network entity and the non-common event entity in the configuration file of each network device to obtain an edge knowledge graph. The central knowledge graph and the edge knowledge graph form the standard knowledge graph.
The common network entity and the common event entity are a network entity and an event entity that are present in the configuration file of each of the plurality of network devices. The non-common network entity and the non-common event entity are network entities and event entities that are unique to each network device.
Fig. 3 is a schematic diagram illustrating the construction of the standard knowledge graph and the comparison between the knowledge graph of the network device to be detected and the standard knowledge graph. In fig. 3, the tester configures the standard knowledge graph framework according to existing knowledge, and then fills the standard knowledge graph framework with the network entities and the event entities extracted from the multiple network devices to obtain the standard knowledge graph. When the configuration file of the network device to be detected is analyzed for abnormality, the computer device may start a comparison task to compare the knowledge graph corresponding to the network device to be detected with the standard knowledge graph to find an abnormal network entity and an abnormal event entity. The abnormal network entity and the abnormal event entity are output as the result of analyzing the network device to be detected for latent-fault configuration.
Further, the configuration file of the network device may change in real time, and the computer device may receive the configuration file sent by different network devices in real time, so that the knowledge graph and the standard knowledge graph corresponding to the network device to be detected may also change along with the change of the configuration file of the network device. The computer equipment can also be set to compare the knowledge graph when the knowledge graph changes, so that the real-time analysis of the abnormity of the configuration file of the network equipment is realized.
In summary, in the network device abnormality analysis method provided in this embodiment, a relatively correct standard knowledge graph is constructed from the configuration files of a plurality of network devices that are in the same network as the network device to be detected. The knowledge graph constructed from the configuration file of the network device to be detected is then compared with the standard knowledge graph to obtain the abnormal network entities and abnormal event entities in that configuration file. These abnormal network entities and abnormal event entities are the latent faults of the network device, and the latent faults can be eliminated once they are corrected in the configuration file.
Referring to fig. 4, a second embodiment of the present application further provides a method for analyzing an anomaly of a network device, which further describes the method for constructing a knowledge graph, comparing the knowledge graphs, and determining an abnormal network entity and an abnormal event entity in the first embodiment. The method comprises the following steps:
S410, obtaining configuration files of the plurality of network devices.
S420, extracting the network entity and the event entity of each network device from the configuration files of the multiple network devices, and extracting the common network entity and the common event entity from the network entity and the event entity of each network device.
For steps S410 to S420, refer to the description of constructing the standard knowledge graph in the first embodiment.
S430, filling a center frame in the standard knowledge graph frame with a common network entity and a common event entity in a configuration file of any network device to obtain a center knowledge graph, and filling a non-common network entity and a non-common event entity in the configuration file of the network device belonging to the same device type in the plurality of network devices to an edge frame of an area to obtain an edge knowledge graph corresponding to each type of network device.
The standard knowledge graph constructed at this time is composed of the edge knowledge graph and the center knowledge graph corresponding to all the classes of network devices in the plurality of network devices.
The network device types include gateway network devices, switch network devices, and router network devices.
S440, identifying the edge knowledge graph corresponding to each type of network equipment according to the equipment type.
That is, the edge knowledge graph of each region has one device type identification. For example, the standard knowledge graph includes edge knowledge graphs of an area a, an area B, an area C, and an area D, which represent a first type of network device, a second type of network device, a third type of network device, and a fourth type of network device, respectively.
S450, in response to the comparison instruction, determining an edge knowledge graph to which the knowledge graph corresponding to the network equipment to be detected belongs according to the equipment type of the network equipment to be detected and the equipment type identifier of the edge knowledge graph; the edge knowledge graph and the central knowledge graph which the knowledge graph corresponding to the network equipment to be detected belongs to form a standard knowledge graph to be compared.
That is, the network entities and the event entities in the standard knowledge graph to be compared include the common network entity and the common event entity in the configuration files of the multiple network devices, and further include the non-common network entity and the non-common event entity in the configuration files of all the network devices of the same type as the network device to be detected.
S460, comparing the knowledge graph corresponding to the network equipment to be detected with the standard knowledge graph to be compared to obtain an abnormal network entity and an abnormal event entity in the configuration file of the network equipment to be detected.
The workload of the computer equipment can be reduced by only comparing the knowledge graph corresponding to the network equipment to be detected with the standard knowledge graph to be compared, so that the speed of the computer equipment for carrying out the abnormal analysis on the configuration file of the network equipment to be detected is increased.
S470, acquiring a key abnormal network entity in the abnormal network entities and a key abnormal event entity in the abnormal event entities based on the connection relation of the standard knowledge graph; the key abnormal network entity is a network entity which is connected with the most abnormal event entities in the abnormal network entities; the key abnormal event entity is an abnormal event which is connected with the most abnormal network entities in the abnormal event entities.
The tester can modify only the key abnormal network entity and the key abnormal event entity, thereby reducing the number of steps needed to correct the abnormal network entities and the abnormal event entities.
This embodiment further describes how the standard knowledge graph is constructed, how the knowledge graphs are compared, and how the abnormal network entity and the abnormal event entity are determined. The standard knowledge graph is constructed by network device type, which reduces the workload of the knowledge graph comparison and so increases the running speed of the computer device. After the abnormal network entity and the abnormal event entity are determined, the key abnormal network entity and the key abnormal event entity can be further determined, so that a tester can modify just those, which reduces the tester's modification workload.
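The S410 to S470 flow described above, as an added example that is not part of the patent. The stanza-style config syntax, the modelling of the graph as (network entity, event entity) pairs, and the rule that an anomaly is either a pair absent from the reference or a common pair missing from the device are assumptions, since the patent does not specify them; all sample configs are constructed.

```python
from collections import Counter

# Constructed sample configs (assumed syntax): an unindented line names a
# network entity, each indented line under it is an event entity attached to it.
COMMON = "service ntp\n server 10.0.0.1\nprotocol snmp\n version 3\n"
BASELINE = {
    "sw1": ("switch", COMMON + "interface uplink\n mode trunk\n"),
    "sw2": ("switch", COMMON + "interface uplink\n mode trunk\n"
                               "protocol stp\n mode rapid\n"),
    "r1": ("router", COMMON + "protocol ospf\n area 0\n"),
    "r2": ("router", COMMON + "protocol ospf\n area 0\n"
                              "interface wan\n acl inbound-filter\n"),
}
UNDER_TEST = ("switch",
              "service ntp\n server 10.0.0.1\n authentication none\n"
              "protocol snmp\n version 2c\n authentication none\n access any\n"
              "interface uplink\n mode trunk\n")


def build_graph(config_text):
    """S220: return the set of (network_entity, event_entity) pairs."""
    graph, entity = set(), None
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue                      # skip blank lines and comments
        if not line[0].isspace():
            entity = line.strip()         # new stanza: a network entity
        elif entity is not None:
            graph.add((entity, line.strip()))
    return graph


def build_standard(baseline):
    """S410-S440: central graph = pairs present in every device's config;
    one edge graph per device type = remaining pairs of that type."""
    graphs = [(dtype, build_graph(text)) for dtype, text in baseline.values()]
    center = set.intersection(*(g for _, g in graphs))
    edges = {}
    for dtype, g in graphs:
        edges.setdefault(dtype, set()).update(g - center)
    return center, edges


def compare(device_type, config_text, center, edges):
    """S450-S460: compare only against the central graph plus the edge
    graph whose type identifier matches the device under test."""
    graph = build_graph(config_text)
    reference = center | edges.get(device_type, set())
    unexpected = graph - reference        # present on device, not in reference
    missing = center - graph              # common to all peers, absent here
    return unexpected, missing


def key_anomalies(pairs):
    """S470: the network entity tied to the most abnormal events, and the
    event tied to the most abnormal network entities."""
    if not pairs:
        return None, None
    by_entity = Counter(entity for entity, _ in pairs)
    by_event = Counter(event for _, event in pairs)
    # sorted() makes tie-breaking deterministic
    return (max(sorted(by_entity), key=by_entity.get),
            max(sorted(by_event), key=by_event.get))


if __name__ == "__main__":
    center, edges = build_standard(BASELINE)
    unexpected, missing = compare(*UNDER_TEST, center, edges)
    for entity, event in sorted(unexpected):
        print(f"unexpected: {entity} -> {event}")
    for entity, event in sorted(missing):
        print(f"missing:    {entity} -> {event}")
    print("key anomalies:", key_anomalies(unexpected | missing))
```

Because the edge graph is the union of everything peers of the same type carry, a setting that only one peer uses is still accepted as normal; the quality of the result depends on the baseline devices themselves being correctly configured.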
Referring to fig. 5, a third embodiment of the present application further provides a network device abnormality analysis apparatus 10, including:
the obtaining module 11 is configured to obtain a configuration file of the network device to be detected.
The constructing module 12 is configured to construct a knowledge graph corresponding to the network device to be detected according to the configuration file of the network device to be detected.
The receiving module 13 is configured to receive a comparison instruction.
The processing module 14 is configured to compare the knowledge graph and the standard knowledge graph corresponding to the network device to be detected in response to the comparison instruction, so as to obtain an abnormal network entity and an abnormal event entity in the configuration file of the network device to be detected; the abnormal network entity is a network entity which generates an abnormal event, and the abnormal event entity is used for indicating the abnormal event generated by the abnormal network entity; the standard knowledge graph is constructed by configuration files of a plurality of network devices, and the network device to be detected and the plurality of network devices are in the same network. The knowledge graph and the standard knowledge graph are both composed of a network entity and an event entity, and the event entity is connected with the network entity; the types of network entities include at least network devices, interfaces, protocols, and services.
The obtaining module 11 is configured to obtain configuration files of the plurality of network devices, to extract the network entity and the event entity of each network device from the configuration files of the plurality of network devices, and to extract the common network entity and the common event entity from the network entity and the event entity of each network device.
The construction module 12 is configured to fill a central frame in a standard knowledge graph frame with a common network entity and a common event entity in a configuration file of any one network device to obtain a central knowledge graph, and to fill an edge frame in the standard knowledge graph frame with a non-common network entity and a non-common event entity in a configuration file of each network device to obtain an edge knowledge graph; the central knowledge graph and all the edge knowledge graphs form the standard knowledge graph, and the standard knowledge graph frame is established by the connection relation of the network entity and the event entity.
The building module 12 is specifically configured to fill the non-common network entities and the non-common event entities in the configuration files of the network devices belonging to the same device type in the plurality of network devices into an edge frame of one area, so as to obtain an edge knowledge graph corresponding to each type of network device.
The processing module 14 is further configured to identify an edge knowledge graph corresponding to each type of network device according to the device type; responding to the comparison instruction, and determining an edge knowledge graph to which the knowledge graph corresponding to the network equipment to be detected belongs according to the equipment type of the network equipment to be detected and the equipment type identification of the edge knowledge graph; the edge knowledge graph and the central knowledge graph which the knowledge graph corresponding to the network equipment to be detected belongs to form a standard knowledge graph to be compared; and comparing the knowledge graph corresponding to the network equipment to be detected with the standard knowledge graph to be compared to obtain an abnormal network entity and an abnormal event entity in the configuration file of the network equipment to be detected.
The processing module 14 is further configured to obtain a key abnormal network entity in the abnormal network entities and a key abnormal event entity in the abnormal event entities based on the connection relationship of the standard knowledge graph; the key abnormal network entity is a network entity which is connected with the most abnormal event entities in the abnormal network entities; the key abnormal event entity is an abnormal event which is connected with the most abnormal network entities in the abnormal event entities.
The construction module 12 is specifically configured to extract a network entity and an event entity from the configuration file of the network device to be detected, and fill the extracted network entity and event entity in a knowledge graph frame to be detected, so as to obtain a knowledge graph corresponding to the network device to be detected.
Referring to fig. 6, a fourth embodiment of the present application further provides an electronic device 20, including: a processor 21, and a memory 22 communicatively coupled to the processor 21, the memory 22 storing computer-executable instructions; the processor 21 executes the computer-executable instructions stored in the memory 22 to implement the network device anomaly analysis method described in the first embodiment and the second embodiment.
The present application further provides a computer-readable storage medium in which computer-executable instructions are stored; when executed, the instructions cause a processor to implement the network device anomaly analysis method provided by any one of the above embodiments.
The computer-readable storage medium may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read Only Memory (EPROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a magnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM). It may also be any of various electronic devices, such as mobile phones, computers, tablet devices, and personal digital assistants, that include one or any combination of the above-mentioned memories.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of another like element in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application or portions thereof that contribute to the prior art may be embodied in the form of a software product, where the computer software product is stored in a storage medium (such as a ROM/RAM, a magnetic disk, and an optical disk), and includes several instructions for enabling a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method described in the embodiments of the present application.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present application, and not intended to limit the scope of the present application, and all modifications of equivalent structures and equivalent processes, which are made by the contents of the specification and the drawings of the present application, or which are directly or indirectly applied to other related technical fields, are included in the scope of the present application.
Claims (10)
1. A method for analyzing network equipment abnormity is characterized by comprising the following steps:
acquiring a configuration file of the network equipment to be detected;
constructing a knowledge graph corresponding to the network equipment to be detected according to the configuration file of the network equipment to be detected;
receiving a comparison instruction;
responding to the comparison instruction, and comparing the knowledge graph corresponding to the network equipment to be detected with the standard knowledge graph to obtain an abnormal network entity and an abnormal event entity in the configuration file of the network equipment to be detected; the abnormal network entity is a network entity which generates an abnormal event, and the abnormal event entity is used for indicating the abnormal event generated by the abnormal network entity; the standard knowledge graph is constructed by configuration files of a plurality of network devices, and the network device to be detected and the plurality of network devices are in the same network;
the knowledge graph and the standard knowledge graph are both composed of a network entity and an event entity, and the event entity is connected with the network entity; the types of network entities include at least network devices, interfaces, protocols, and traffic.
2. The method according to claim 1, wherein before comparing the knowledge-graph corresponding to the network device to be detected with the standard knowledge-graph, the method further comprises:
acquiring configuration files of the plurality of network devices;
extracting a network entity and an event entity of each network device from the configuration files of the plurality of network devices, and extracting a common network entity and a common event entity from the configuration files of the plurality of network devices;
filling a center frame in a standard knowledge graph frame with a common network entity and a common event entity in a configuration file of any one network device to obtain a center knowledge graph, and filling an edge frame in the standard knowledge graph frame with a non-common network entity and a non-common event entity in the configuration file of each network device to obtain an edge knowledge graph; the central knowledge-graph and all the edge knowledge-graphs form the standard knowledge-graph, and the standard knowledge-graph framework is established by the connection relation of the network entity and the event entity.
3. The method of claim 2, wherein populating an edge frame in the standard knowledge graph frame with non-common network entities and non-common event entities in a configuration file of each network device to obtain an edge knowledge graph comprises:
and filling the non-common network entities and the non-common event entities in the configuration files of the network equipment belonging to the same equipment type in the plurality of network equipment into an edge frame of one area to obtain an edge knowledge graph corresponding to each type of network equipment.
4. The method according to claim 3, wherein after obtaining the edge knowledge graph corresponding to each type of network device, the method further comprises:
identifying an edge knowledge graph corresponding to each type of network equipment according to the equipment type;
the step of responding to the comparison instruction, comparing the knowledge graph corresponding to the network device to be detected with the standard knowledge graph to obtain the abnormal network entity and the abnormal event entity in the configuration file of the network device to be detected comprises:
responding to the comparison instruction, and determining an edge knowledge graph to which the knowledge graph corresponding to the network equipment to be detected belongs according to the equipment type of the network equipment to be detected and the equipment type identification of the edge knowledge graph; the edge knowledge graph and the central knowledge graph which the knowledge graph corresponding to the network equipment to be detected belongs to form a standard knowledge graph to be compared;
and comparing the knowledge graph corresponding to the network equipment to be detected with the standard knowledge graph to be compared to obtain an abnormal network entity and an abnormal event entity in the configuration file of the network equipment to be detected.
5. The method according to any one of claims 1 to 4, wherein after comparing the knowledge graph and the standard knowledge graph corresponding to the network device to be detected to obtain the abnormal network entity and the abnormal event entity in the configuration file of the network device to be detected, the method further comprises:
acquiring a key abnormal network entity in the abnormal network entities and a key abnormal event entity in the abnormal event entities based on the connection relation of the standard knowledge graph;
the key abnormal network entity is a network entity which is connected with the most abnormal event entities in the abnormal network entities;
the key abnormal event entity is an abnormal event which is connected with the most abnormal network entities in the abnormal event entities.
6. The method according to any one of claims 1 to 4, wherein the constructing the knowledge graph corresponding to the network device to be detected according to the configuration file of the network device to be detected includes:
and extracting a network entity and an event entity from the configuration file of the network equipment to be detected, and filling the extracted network entity and event entity into a knowledge graph frame to be detected to obtain a knowledge graph corresponding to the network equipment to be detected.
7. An apparatus for analyzing an abnormality of a network device, comprising:
the acquisition module is used for acquiring a configuration file of the network equipment to be detected;
the construction module is used for constructing a knowledge graph corresponding to the network equipment to be detected according to the configuration file of the network equipment to be detected;
the receiving module is used for receiving a comparison instruction;
the processing module is used for responding to the comparison instruction, comparing the knowledge graph corresponding to the network equipment to be detected with the standard knowledge graph to obtain an abnormal network entity and an abnormal event entity in the configuration file of the network equipment to be detected; the abnormal network entity is a network entity which generates an abnormal event, and the abnormal event entity is used for indicating the abnormal event generated by the abnormal network entity; the standard knowledge graph is constructed by configuration files of a plurality of network devices, and the network device to be detected and the plurality of network devices are in the same network;
the knowledge graph and the standard knowledge graph are both composed of a network entity and an event entity, and the event entity is connected with the network entity; the types of network entities include at least network devices, interfaces, protocols, and traffic.
8. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer execution instructions;
the processor executes the computer-executable instructions stored by the memory to implement the network device anomaly analysis method of any one of claims 1-6.
9. A computer-readable storage medium having computer-executable instructions stored therein, which when executed, cause a computer to perform the network device anomaly analysis method of any one of claims 1-6.
10. A computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements the network device anomaly analysis method of any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111134740.0A CN115883320B (en) | 2021-09-27 | 2021-09-27 | Network equipment abnormality analysis method and device, electronic equipment and readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115883320A true CN115883320A (en) | 2023-03-31 |
CN115883320B CN115883320B (en) | 2024-10-01 |
Family
ID=85762868
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111134740.0A Active CN115883320B (en) | 2021-09-27 | 2021-09-27 | Network equipment abnormality analysis method and device, electronic equipment and readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115883320B (en) |
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090055684A1 (en) * | 2007-08-23 | 2009-02-26 | Jamjoom Hani T | Method and apparatus for efficient problem resolution via incrementally constructed causality model based on history data |
US20120005533A1 (en) * | 2010-07-02 | 2012-01-05 | Oracle International Corporation | Methods And Apparatus For Cross-Host Diagnosis Of Complex Multi-Host Systems In A Time Series With Probablistic Inference |
CN109992440A (en) * | 2019-04-02 | 2019-07-09 | 北京睿至大数据有限公司 | A kind of IT root accident analysis recognition methods of knowledge based map and machine learning |
CN112491636A (en) * | 2019-09-11 | 2021-03-12 | 华为技术有限公司 | Data processing method and device and computer storage medium |
CN112787841A (en) * | 2019-11-11 | 2021-05-11 | 华为技术有限公司 | Fault root cause positioning method and device and computer storage medium |
CN112887119A (en) * | 2019-11-30 | 2021-06-01 | 华为技术有限公司 | Fault root cause determination method and device and computer storage medium |
US20210168021A1 (en) * | 2019-11-30 | 2021-06-03 | Huawei Technologies Co., Ltd. | Fault Root Cause Determining Method and Apparatus, and Computer Storage Medium |
CN111682960A (en) * | 2020-05-14 | 2020-09-18 | 深圳市有方科技股份有限公司 | Fault diagnosis method and device for Internet of things network and equipment |
Non-Patent Citations (4)
Title |
---|
BINGFENG CUI: ""Electric Device Abnormal Detection Based on IoT and Knowledge Graph"", 《IEEE》, 31 May 2019 (2019-05-31) * |
JUAN QIU: ""A Causality Mining and Knowledge Graph Based Method of Root Cause Diagnosis for Performance Anomaly in Cloud Applications"", 《MDPI》, 22 March 2020 (2020-03-22) * |
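TIAN Lixia: "A Survey of Knowledge Graph Research", Software (软件), no. 04, 15 April 2020 (2020-04-15) * |
ZHAO Qian: "Construction and Application of a Fault Knowledge Graph for Numerical Control Equipment", Aeronautical Manufacturing Technology (航空制造技术), no. 03, 1 February 2020 (2020-02-01) * |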
Also Published As
Publication number | Publication date |
---|---|
CN115883320B (en) | 2024-10-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||