CN116170322B - Network topology discovery method combining active and passive detection - Google Patents

Info

Publication number
CN116170322B
Authority
CN
China
Prior art keywords
detection
nodes
network
node
active
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310423579.1A
Other languages
Chinese (zh)
Other versions
CN116170322A (en)
Inventor
刘东海
徐育毅
刘玉环
庞辉富
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Youyun Software Co ltd
Beijing Guangtong Youyun Technology Co ltd
Original Assignee
Hangzhou Youyun Software Co ltd
Beijing Guangtong Youyun Technology Co ltd

Classifications

    • H04L 41/12 Discovery or management of network topologies (under H04L 41/00, arrangements for maintenance, administration or management of data switching networks, e.g. packet switching networks)
    • H04L 43/0876 Network utilisation, e.g. volume of load or congestion level (under H04L 43/08, monitoring or testing based on specific metrics)
    • H04L 43/12 Network monitoring probes (under H04L 43/00, arrangements for monitoring or testing data switching networks)
    • Y02D 30/00 Reducing energy consumption in communication networks

Abstract

The invention discloses a network topology discovery method combining active and passive detection, comprising the following steps. Passive detection: monitoring nodes are set in the network to generate a detection node candidate set U1. Node screening: on the basis of passive detection, the IP addresses not yet detected are further screened to obtain a detection node candidate set U2. Active detection: the two detection node candidate sets are actively probed to obtain a link set, the link set is processed for anonymous routers, and the result is represented by an adjacency matrix. The beneficial effects of the invention are as follows: the target address set to be detected is preprocessed based on the number of occurrences of each source IP and the average packet length, thereby obtaining a relatively reasonable target address set; and the node set on which Traceroute is performed for each small-range subnet is determined by combining passive detection and active detection in a forward merging manner, so that the number of target nodes for Traceroute detection is greatly reduced and the efficiency of active detection is improved.

Description

Network topology discovery method combining active and passive detection
Technical Field
The invention relates to the field of intelligent IT operation and maintenance, in particular to a network topology discovery method combining active and passive detection.
Background
Network topology discovery techniques are classified into active and passive techniques according to whether a large amount of data needs to be injected into the network. Active topology discovery sends a large number of probe packets to the target network; these packets are often carefully designed for different detection purposes. Passive topology discovery deploys monitoring nodes in the target network, monitors and records network packets, and infers the topology from the related information in those packets. Since it has less impact on the network, it is suited to networks that restrict large-scale probing.
Passive topology measurement methods fall into two types. The first is passive measurement based on a specific protocol, for example a passive measurement method based on SNMP. Topology inference algorithms based on a specific protocol require the network devices to support that protocol, such as OSPF, so this approach cannot infer the topology of a network that does not support OSPF. The second is passive measurement based on time to live (TTL). TTL-based topology inference algorithms still require a small number of active probes, such as Traceroute, and therefore cannot infer networks in which active probing is prohibited. In a real environment there may be networks with higher security levels in which no network device supports a specific network protocol or responds to ICMP messages; existing passive-measurement topology inference algorithms cannot infer the topology in such an environment. Taking the measurement load and the topology integrity of the network under test into consideration, the invention provides a network topology discovery method that fuses active and passive measurement.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a network topology discovery method combining active and passive detection that takes both the load on and the topology integrity of the network under test into consideration.
The invention achieves this aim through the following technical scheme: a network topology discovery method combining active and passive probing, the method comprising the steps of:
(1) Passive detection: setting a monitoring node in the target network, monitoring and recording network packets, and generating a detection node candidate set U1;
(2) Node screening: on the basis of passive detection, further screening all IP addresses not yet detected to obtain a detection node candidate set U2;
(3) Active detection: actively probing the two detection node candidate sets to obtain a link set, performing anonymous-router processing on the link set, and representing it with an adjacency matrix to obtain the complete network topology.
Further, in step (1), the specific method is as follows:
(1.1) analyzing the monitored network packets, extracting the source IP, destination IP, source port and destination port four-tuple of each TCP/IP message, and storing the formatted four-tuple together with the packet length value in a database;
(1.2) judging whether the source port in the TCP/IP four-tuple is a specific port; if so, adding the source IP of the packet directly to the detection node candidate set U1; if not, counting the total length Len_i of the packets sent by IP address i within a period of time and their number Count_i, as well as the number Count_sum and the total length Len_sum of all monitored packets;
(1.3) calculating the average length Avg_i of the packets sent by IP address i within that period and the average length Avg_sum of all monitored packets;
(1.4) sorting the source IPs by number of occurrences and adding the top 50 percent of the sorted list to the detection node candidate set U1; comparing Avg_i with Avg_sum, and if Avg_i is greater than Avg_sum, also adding the node corresponding to that IP address to U1.
Further, in step (2), the specific method is as follows:
(2.1) rapidly and actively detecting the set P1 of all active devices in the network under test using a fast scanning tool, where the network under test is the local area network in which the nodes of the detection node candidate set U1 are located;
(2.2) taking the first j bits as the network number and selecting from the set P1 all nodes whose first j bits are the same, where j is the CIDR prefix length of the subnet in which the nodes are located;
(2.3) judging whether the front-end nodes of these nodes are the same router;
(2.4) if they are the same router, selecting one of the nodes at random to add to the detection node candidate set U2 and removing these nodes from P1; if the front-end nodes of some of the nodes are the same router while the front-end nodes of the other nodes are not, arbitrarily selecting one node from the set whose front-end nodes are the same router to add to U2, and removing the other nodes of that set from P1;
(2.5) subtracting 1 from j; if j is still greater than N, where N is the CIDR prefix length of the local area network, returning to the first step and continuing; the node set finally obtained in the detection node candidate set U2 is the set of node objects to be actively detected after screening.
Further, in step (3), the specific method is as follows:
(3.1) performing Traceroute detection on the detection node candidate sets U1 and U2 to obtain a Traceroute link set;
(3.2) identifying anonymous routers in the Traceroute link set, merging nodes belonging to the same anonymous router, deleting redundant virtual edges, and correcting the overall network topology map;
(3.3) representing the data of the Traceroute link set after anonymous-router identification with an adjacency matrix to obtain the complete network topology.
The beneficial effects of the invention are as follows:
1. To ensure that relatively complete topology information is acquired while improving detection efficiency, the invention preprocesses the target address set to be detected based on the number of occurrences of each source IP and the average packet length, thereby obtaining a relatively reasonable target address set.
2. The method adopts both passive and active detection. Passive detection uses two strategies, setting monitoring nodes inside the network and setting monitoring nodes at the network egress, to acquire traffic information: the information from the former is correlated and used to generate the passive network topology directly, while the information from the latter is extracted to establish the detection node candidate set that serves as the object of active detection. Subnets are distinguished by IP prefix, and the node set on which Traceroute is performed for each small-range subnet is determined in a forward merging manner, so that the number of target nodes for Traceroute detection is greatly reduced and the efficiency of active detection is improved.
Drawings
FIG. 1 is a schematic flow chart of the present invention.
Detailed Description
The invention will be described in detail below with reference to the attached drawings.
Active network topology detection acquires relatively complete topology information by probing a large number of target addresses, ideally every address in the network, but that is not feasible. To ensure that relatively complete topology information is acquired while improving detection efficiency, the invention preprocesses the target address set to be detected based on the number of occurrences of each source IP and the average packet length, thereby obtaining a relatively reasonable target address set.
The invention provides a network topology discovery method combining active and passive detection, divided into passive detection and active detection. Passive detection uses two strategies, setting monitoring nodes inside the network and setting monitoring nodes at the network egress, to acquire traffic information: the information from the former is used to generate the passive network topology directly after relevant processing, while the information from the latter is extracted to establish the detection node candidate set that serves as the object of active detection. Subnets are distinguished by IP prefix, and the node set on which Traceroute is performed for each small-range subnet is determined in a forward merging manner, so that the number of target nodes for Traceroute detection is greatly reduced and the efficiency of active detection is improved.
As shown in fig. 1, the present invention provides a network topology discovery method combining active and passive probing, which includes the following steps:
(1) Passive detection: setting a monitoring node in the target network, monitoring and recording network packets, and providing a detection node candidate set U1 for active detection;
the specific method comprises the following steps:
(1.1) analyzing the monitored packets with the Ethereal tool, extracting the source IP, destination IP, source port and destination port four-tuple of each TCP/IP message, and storing the formatted four-tuple together with the packet length value in a database;
(1.2) judging whether the source port in the TCP/IP four-tuple is a specific port; if so, adding the source IP of the packet directly to the detection node candidate set U1; if not, counting the total length Len_i of the packets sent by IP address i within a period of time and their number Count_i, as well as the number Count_sum and the total length Len_sum of all monitored packets;
(1.3) calculating the average length Avg_i of the packets sent by IP address i within that period and the average length Avg_sum of all monitored packets;
(1.4) sorting the source IPs by number of occurrences and adding the top 50 percent of the sorted list to the detection node candidate set U1; comparing Avg_i with Avg_sum, and if Avg_i is greater than Avg_sum, also adding the node corresponding to that IP address to U1.
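The candidate-set construction of steps (1.2) to (1.4), written out as an added example over a constructed packet capture; this is not code from the patent. The set of "specific ports", the rounding of the 50 percent cut-off, and counting every monitored packet in Len_sum/Count_sum are assumptions the page does not settle.

```python
import math
from collections import defaultdict
from typing import NamedTuple

# Constructed sample record: the TCP/IP four-tuple plus packet length, as the
# passive monitoring step would store it in the database. Not real traffic.
class Packet(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    length: int

# The page does not list which source ports count as "specific ports"; this
# set is an assumption standing in for well-known infrastructure services.
SPECIFIC_PORTS = frozenset({22, 53, 80, 161, 443})

def traffic_stats(packets):
    """Steps 1.2 and 1.3: per-source Len_i / Count_i for sources that did not
    match a specific port, plus the overall Avg_sum over all monitored packets
    (counting every packet in the totals is an assumption)."""
    len_i = defaultdict(int)
    count_i = defaultdict(int)
    len_sum = count_sum = 0
    port_hits = set()          # sources that go straight into U1
    for p in packets:
        len_sum += p.length
        count_sum += 1
        if p.src_port in SPECIFIC_PORTS:
            port_hits.add(p.src_ip)
        else:
            len_i[p.src_ip] += p.length
            count_i[p.src_ip] += 1
    avg_sum = len_sum / count_sum if count_sum else 0.0
    return port_hits, dict(len_i), dict(count_i), avg_sum

def build_u1(packets, top_fraction=0.5):
    """Step 1.4: return the detection node candidate set U1."""
    port_hits, len_i, count_i, avg_sum = traffic_stats(packets)
    u1 = set(port_hits)
    # Rank the remaining sources by occurrence count (ties broken by address so
    # the result is reproducible) and keep the top 50 percent; rounding up on
    # an odd count is an assumption.
    ranked = sorted(count_i, key=lambda ip: (-count_i[ip], ip))
    keep = math.ceil(len(ranked) * top_fraction)
    u1.update(ranked[:keep])
    # A source whose average packet length Avg_i exceeds Avg_sum also joins U1,
    # even if it sent too few packets to make the top half.
    for ip, n in count_i.items():
        if len_i[ip] / n > avg_sum:
            u1.add(ip)
    return u1

def sample_packets():
    """Constructed capture: one service responder (port 443), one chatty host,
    one host sending few but large packets, and two low-volume hosts."""
    return [
        Packet("10.0.1.5", "10.0.1.50", 443, 51000, 1200),
        Packet("10.0.1.10", "10.0.1.50", 40001, 8080, 100),
        Packet("10.0.1.10", "10.0.1.51", 40002, 8080, 100),
        Packet("10.0.1.10", "10.0.1.52", 40003, 8080, 100),
        Packet("10.0.1.11", "10.0.1.50", 40010, 9000, 1400),
        Packet("10.0.1.11", "10.0.1.50", 40011, 9000, 1400),
        Packet("10.0.1.12", "10.0.1.50", 40020, 9000, 60),
        Packet("10.0.1.13", "10.0.1.50", 40030, 9000, 200),
    ]

if __name__ == "__main__":
    # Avg_sum is 4560 / 8 = 570; 10.0.1.11 enters U1 on average length alone.
    print(sorted(build_u1(sample_packets())))
```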
(2) Node screening: on the basis of passive detection, further screening all IP addresses not yet detected to obtain a detection node candidate set U2;
the specific method comprises the following steps:
(2.1) rapidly and actively detecting the set P1 of all active devices in the network under test using a fast scanning tool such as Nmap or Masscan, where the network under test is the local area network in which the nodes of the detection node candidate set U1 are located;
(2.2) taking the first j bits as the network number and selecting from the set P1 all nodes whose first j bits are the same, where j is the CIDR prefix length of the subnet in which the nodes are located;
(2.3) judging whether the front-end nodes of these nodes are the same router;
(2.4) if they are the same router, selecting one of the nodes at random to add to the detection node candidate set U2 and removing these nodes from P1; if the front-end nodes of some of the nodes are the same router while the front-end nodes of the other nodes are not, arbitrarily selecting one node from the set whose front-end nodes are the same router to add to U2, and removing the other nodes of that set from P1;
(2.5) subtracting 1 from j; if j is still greater than N, where N is the CIDR prefix length of the local area network, returning to the first step and continuing; the node set finally obtained in the detection node candidate set U2 is the set of node objects to be actively detected after screening.
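The prefix-based forward merging of steps (2.2) to (2.5), as an added example that is not the patent's own code. It assumes the scan of step (2.1) has already produced P1 and that the front-end router of each host is known from a constructed lookup table (the page does not say how that judgement is made); the "return to the first step" is taken to mean regrouping with the shorter prefix rather than rescanning, a deterministic smallest-address pick stands in for the page's random choice, and hosts still in P1 when j reaches N are kept as their own representatives so no live host is silently dropped.

```python
import ipaddress
from collections import defaultdict

def prefix_of(host, j):
    """Network obtained by keeping the first j bits of host as the network number."""
    return ipaddress.ip_interface(f"{host}/{j}").network

def screen_nodes(p1, first_hop, j_start, n_lan):
    """Steps 2.2 to 2.5.
    p1:        live hosts found by the fast scan (step 2.1), as strings
    first_hop: host -> front-end router (assumed lookup; the page does not
               specify how the front-end node is determined)
    j_start:   CIDR prefix length j of the subnets the hosts sit in
    n_lan:     CIDR prefix length N of the whole local area network
    Returns the detection node candidate set U2."""
    remaining = {ipaddress.ip_address(h) for h in p1}
    u2 = set()
    j = j_start
    while j > n_lan and remaining:
        # (2.2) group the hosts still in P1 by their first j bits
        groups = defaultdict(set)
        for h in remaining:
            groups[prefix_of(h, j)].add(h)
        for group in groups.values():
            # (2.3) split each prefix group by front-end router; a host with no
            # known router is treated as being behind its own router
            by_router = defaultdict(set)
            for h in group:
                by_router[first_hop.get(str(h), f"unknown:{h}")].add(h)
            # (2.4) every sub-group that shares a router collapses to one
            # representative; singletons stay in P1 for the coarser prefix
            for same_router in by_router.values():
                if len(same_router) >= 2:
                    u2.add(min(same_router))   # stand-in for random choice
                    remaining -= same_router
        j -= 1                                 # (2.5)
    u2 |= remaining                            # assumption: keep leftovers
    return {str(h) for h in u2}

# Constructed LAN 10.0.0.0/24 (N = 24) with /27 subnets (j = 27); the router
# addresses are made up for the example.
FIRST_HOP = {
    "10.0.0.5": "10.0.0.1", "10.0.0.6": "10.0.0.1", "10.0.0.7": "10.0.0.1",
    "10.0.0.70": "10.0.0.65", "10.0.0.71": "10.0.0.65",
    "10.0.0.130": "10.0.0.129", "10.0.0.170": "10.0.0.129",   # merge at /26
    "10.0.0.200": "10.0.0.193", "10.0.0.201": "10.0.0.193",
    "10.0.0.210": "10.0.0.209",                               # never merges
}
P1 = list(FIRST_HOP)

if __name__ == "__main__":
    u2 = screen_nodes(P1, FIRST_HOP, j_start=27, n_lan=24)
    print(f"{len(P1)} live hosts -> {len(u2)} Traceroute targets:", sorted(u2))
```

10.0.0.130 and 10.0.0.170 sit in different /27 groups, so they only collapse when j drops to 26; that is the forward merging the page describes.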
(3) Active detection: actively probing the two detection node candidate sets to obtain a link set, performing anonymous-router processing on the link set, and representing it with an adjacency matrix to obtain the complete network topology.
The specific method comprises the following steps:
(3.1) performing Traceroute detection on the detection node candidate sets U1 and U2 to obtain a Traceroute link set; this is a well-known method and is not described in detail here;
(3.2) identifying anonymous routers in the Traceroute link set, merging nodes belonging to the same anonymous router, deleting redundant virtual edges, and correcting the overall network topology map; anonymous routers are identified with a method based on network tomography, which is a known method and is not described in detail here;
(3.3) representing the data of the Traceroute link set after anonymous-router identification with an adjacency matrix to obtain the complete network topology.
The mechanism of the invention:
In the invention, the network is first monitored, the node candidate set is then screened, and finally active detection is performed to obtain the link set. When this method is used for topology discovery it imposes no heavy traffic burden on the network under test, and when the network devices do not support a specific network protocol and do not respond to ICMP messages the completeness of the discovered topology is higher; in particular, when topology discovery is performed on a large-scale network under test the impact on the network is lower, so the method performs better.
In the invention, the target address set to be detected is preprocessed by judging whether the port is a special port and based on the number of occurrences of each source IP and the average packet length, so that a relatively reasonable target address set is obtained. Selecting the candidate set by combining node monitoring with node traffic analysis improves the completeness of the final generated network topology.
In the invention, subnets are distinguished by IP prefix, and the node set on which Traceroute is performed for each small-range subnet is determined in a forward merging manner, so that the number of target nodes for Traceroute detection is greatly reduced and the efficiency of active detection is improved.
It should be understood that equivalents and modifications of the technical scheme and the inventive concept of the present invention fall within the scope of the appended claims.

Claims (3)

1. A network topology discovery method combining active and passive detection, characterized in that the method comprises the following steps:
(1) Passive detection: setting a monitoring node in the target network, monitoring and recording network packets, and generating a detection node candidate set U1;
(2) Node screening: on the basis of passive detection, further screening all IP addresses not yet detected to obtain a detection node candidate set U2;
(3) Active detection: actively probing the two detection node candidate sets to obtain a link set, performing anonymous-router processing on the link set, and then representing it with an adjacency matrix to obtain the complete network topology;
in step (1), the specific method is as follows:
(1.1) analyzing the monitored network packets, extracting the source IP, destination IP, source port and destination port four-tuple of each TCP/IP message, and storing the formatted four-tuple together with the packet length value in a database;
(1.2) judging whether the source port in the TCP/IP four-tuple is a specific port; if so, adding the source IP of the packet directly to the detection node candidate set U1; if not, counting the total length Len_i of the packets sent by IP address i within a period of time and their number Count_i, as well as the number Count_sum and the total length Len_sum of all monitored packets;
(1.3) calculating the average length Avg_i of the packets sent by IP address i within that period and the average length Avg_sum of all monitored packets;
(1.4) sorting the source IPs by number of occurrences and adding the top 50 percent of the sorted list to the detection node candidate set U1; comparing Avg_i with Avg_sum, and if Avg_i is greater than Avg_sum, also adding the node corresponding to that IP address to U1.
2. The network topology discovery method combining active and passive probing of claim 1, characterized in that in step (2) the specific method is as follows:
(2.1) rapidly and actively detecting the set P1 of all active devices in the network under test using a fast scanning tool, where the network under test is the local area network in which the nodes of the detection node candidate set U1 are located;
(2.2) taking the first j bits as the network number and selecting from the set P1 all nodes whose first j bits are the same, where j is the CIDR prefix length of the subnet in which the nodes are located;
(2.3) judging whether the front-end nodes of these nodes are the same router;
(2.4) if they are the same router, selecting one of the nodes at random to add to the detection node candidate set U2 and removing these nodes from P1; if the front-end nodes of some of the nodes are the same router while the front-end nodes of the other nodes are not, arbitrarily selecting one node from the set whose front-end nodes are the same router to add to U2, and removing the other nodes of that set from P1;
(2.5) subtracting 1 from j; if j is still greater than N, where N is the CIDR prefix length of the local area network, returning to the first step and continuing; the node set finally obtained in the detection node candidate set U2 is the set of node objects to be actively detected after screening.
3. The network topology discovery method combining active and passive probing of claim 2, characterized in that in step (3) the specific method is as follows:
(3.1) performing Traceroute detection on the detection node candidate sets U1 and U2 to obtain a Traceroute link set;
(3.2) identifying anonymous routers in the Traceroute link set, merging nodes belonging to the same anonymous router, deleting redundant virtual edges, and correcting the overall network topology map;
(3.3) representing the data of the Traceroute link set after anonymous-router identification with an adjacency matrix to obtain the complete network topology.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310423579.1A CN116170322B (en) 2023-04-20 2023-04-20 Network topology discovery method combining active and passive detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310423579.1A CN116170322B (en) 2023-04-20 2023-04-20 Network topology discovery method combining active and passive detection

Publications (2)

Publication Number Publication Date
CN116170322A CN116170322A (en) 2023-05-26
CN116170322B true CN116170322B (en) 2023-07-18

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104202211A (en) * 2014-08-25 2014-12-10 电子科技大学 Autonomous system level network topology identification method combining active and passive measurement
CN109088756A (en) * 2018-08-01 2018-12-25 南京邮电大学 A kind of network topology complementing method based on network equipment identification
CN109617728A (en) * 2018-12-14 2019-04-12 中国电子科技网络信息安全有限公司 A kind of distributed IP grade network topology probe method based on multi-protocols
CN112583657A (en) * 2020-11-13 2021-03-30 东北大学 Distributed routing level network topology detection method based on embedded equipment
CN112671553A (en) * 2020-11-26 2021-04-16 中国电子科技网络信息安全有限公司 Industrial control network topological graph generation method based on active and passive detection

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Research on key technologies of network topology discovery based on network traffic analysis; 袁志伟; China Master's Theses Full-text Database, Information Science and Technology (2020, No. 02); full text *
Research on key technologies of network topology based on network traffic analysis; 邬俊阳; Computer Programming Skills & Maintenance (2020, No. 09); full text *

Also Published As

Publication number Publication date
CN116170322A (en) 2023-05-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant