CN116170322B - Network topology discovery method combining active and passive detection - Google Patents
- Publication number: CN116170322B (application CN202310423579.1A)
- Authority: CN (China)
- Prior art keywords: detection, nodes, network, node, active
- Legal status: Active (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- H04L41/12: Discovery or management of network topologies (under H04L41/00, Arrangements for maintenance, administration or management of data switching networks)
- H04L43/0876: Network utilisation, e.g. volume of load or congestion level (under H04L43/08, Monitoring or testing based on specific metrics)
- H04L43/12: Network monitoring probes (under H04L43/00, Arrangements for monitoring or testing data switching networks)
- Y02D30/00: Reducing energy consumption in communication networks
Abstract
The invention discloses a network topology discovery method combining active and passive detection, which comprises the following steps: passive detection: deploying monitoring nodes in the network and generating a detection node candidate set U1; node screening: on the basis of the passive detection, further screening the IPs not yet detected to obtain a detection node candidate set U2; active detection: actively probing the two detection node candidate sets to obtain a link set, performing anonymous router processing on the link set, and representing the result as an adjacency matrix. The beneficial effects of the invention are as follows: the set of target addresses to be probed is preprocessed based on the number of occurrences of each source IP and the average packet length, yielding a reasonably sized target address set; and the set of nodes on which Traceroute is run for each small subnet is determined by passive and active detection in a forward merging manner, which greatly reduces the number of Traceroute targets and improves the efficiency of active detection.
Description
Technical Field
The invention relates to the field of intelligent IT operation and maintenance, in particular to a network topology discovery method combining active and passive detection.
Background
Network topology discovery techniques are classified into active and passive techniques according to whether a large amount of data needs to be injected into the network. The main principle of active topology discovery is to send a large number of probe packets into the target network; these packets are often carefully crafted for different probing purposes. The principle of passive topology discovery is to deploy monitoring nodes in the target network, capture and record packets, and infer the topology from the information they carry. Passive discovery has little impact on the network and is therefore suitable for networks that restrict large-scale probing.
Passive topology measurement methods fall into two types. The first is based on a specific protocol, for example passive measurement based on SNMP. Protocol-based inference algorithms require the network devices to support the given protocol, such as OSPF, and cannot infer the topology of a network that does not support it. The second is based on time to live (TTL). TTL-based inference algorithms still require a small number of active probes, such as Traceroute, and therefore cannot infer networks in which active probing is prohibited. In practice there may be networks with a higher security level in which no device supports the required protocol and none responds to ICMP messages; existing passive inference algorithms cannot recover the topology of such an environment. To address how active and passive measurement can be fused, the invention provides a network topology discovery method combining active and passive detection that takes into account both the measurement load and the topology completeness of the network under test.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a network topology discovery method combining active and passive detection, which mainly takes the load and the topology integrity of a network to be tested into consideration.
The invention aims at being completed by the following technical scheme: a network topology discovery method combining active and passive probing, the method comprising the steps of:
(1) Passive detection: setting a monitoring node in a target network, monitoring and recording network data packets, and generating a detection node candidate set U1;
(2) Node screening: on the basis of passive detection, further screening all undetected IP to obtain a detection node candidate set U2;
(3) Active detection: actively probing the two detection node candidate sets to obtain a link set, performing anonymous router processing on the link set, and representing the result as an adjacency matrix to obtain the complete network topology.
Further, in step (1), the specific method is as follows:
(1.1) analyzing the monitored network packets, extracting the four-tuple (source IP, destination IP, source port, destination port) of each TCP/IP message, formatting it, and storing it together with the packet length in a database;
(1.2) judging whether the source port in the TCP/IP four-tuple is a specific port; if so, adding the source IP of the packet directly to the detection node candidate set U1; if not, counting the total length $\mathrm{Len}_i$ of the packets sent by IP address i within a period of time and their number $\mathrm{Count}_i$, as well as the number $\mathrm{Count}_{sum}$ and total length $\mathrm{Len}_{sum}$ of all monitored packets;
(1.3) calculating the average length $\mathrm{Avg}_i$ of the packets sent by IP address i in that period and the average length $\mathrm{Avg}_{sum}$ of all monitored packets:
$\mathrm{Avg}_i = \mathrm{Len}_i / \mathrm{Count}_i, \qquad \mathrm{Avg}_{sum} = \mathrm{Len}_{sum} / \mathrm{Count}_{sum}$
(1.4) ranking the source IPs by number of occurrences and adding the top 50% of them to the detection node candidate set U1; comparing $\mathrm{Avg}_i$ with $\mathrm{Avg}_{sum}$, and if $\mathrm{Avg}_i$ is greater than $\mathrm{Avg}_{sum}$, adding the node with that IP address to the detection node candidate set U1.
Further, in step (2), the specific method is as follows:
(2.1) using a fast scanning tool to actively discover the set P1 of all live devices in the network under test, where the network under test is the local area network in which the nodes of the detection node candidate set U1 are located;
(2.2) taking the first j bits of the address as the network number and selecting from P1 all nodes whose first j bits are the same, where j is the CIDR prefix length of the subnet in which the nodes are located;
(2.3) judging whether these nodes share the same upstream (front-end) router;
(2.4) if they all share the same router, selecting one of them at random to add to the detection node candidate set U2 and removing the nodes from P1; if only some of the nodes share the same upstream router and the others do not, selecting one node at random from the set of nodes that share the router, adding it to the detection node candidate set U2, and removing the other nodes of that set from P1;
(2.5) decreasing j by 1; if j is still greater than N, where N is the CIDR prefix length of the local area network, returning to step (2.2) and continuing; the node set finally obtained in the detection node candidate set U2 is the set of nodes to be actively probed after screening.
Further, in step (3), the specific method is as follows:
(3.1) performing Traceroute probing of the detection node candidate sets U1 and U2 to obtain a Traceroute link set;
(3.2) identifying anonymous routers in the Traceroute link set, merging nodes that belong to the same anonymous router, deleting the redundant virtual edges, and correcting the overall network topology map;
(3.3) representing the link set obtained after anonymous router identification as an adjacency matrix to obtain the complete network topology.
The beneficial effects of the invention are as follows:
1. In order to acquire relatively complete topology information while improving probing efficiency, the invention preprocesses the set of target addresses to be probed based on the number of occurrences of each source IP and the average packet length, yielding a reasonably sized target address set.
2. The method combines passive and active detection. Passive detection uses two strategies, deploying monitoring nodes inside the network and deploying monitoring nodes at the network egress, to collect traffic information: information from the former is correlated and used to generate the passive network topology directly, while information from the latter is extracted to build the detection node candidate set that serves as the object of active detection. Subnets are distinguished by IP prefix, and the set of nodes on which Traceroute is run for each small subnet is determined by forward merging, which greatly reduces the number of Traceroute targets and improves the efficiency of active detection.
Drawings
FIG. 1 is a schematic flow chart of the present invention.
Detailed Description
The invention will be described in detail below with reference to the attached drawings.
Active network topology detection obtains relatively complete topology information by probing a large number of target addresses, ideally every address in the network, but that is not feasible. In order to acquire relatively complete topology information while improving probing efficiency, the invention preprocesses the set of target addresses to be probed based on the number of occurrences of each source IP and the average packet length, yielding a reasonably sized target address set.
The invention provides a network topology discovery method combining active and passive detection. It is divided into passive detection and active detection. Passive detection uses two strategies, deploying monitoring nodes inside the network and deploying monitoring nodes at the network egress, to collect traffic information: information from the former is processed and used to generate the passive network topology directly, while information from the latter is extracted to build the detection node candidate set that serves as the object of active detection. Subnets are distinguished by IP prefix, and the set of nodes on which Traceroute is run for each small subnet is determined by forward merging, which greatly reduces the number of Traceroute targets and improves the efficiency of active detection.
As shown in fig. 1, the present invention provides a network topology discovery method combining active and passive probing, which includes the following steps:
(1) Passive detection: setting a monitoring node in a target network, monitoring and recording network data packets, and providing a detection node candidate set U1 for active detection;
the specific method comprises the following steps:
(1.1) analyzing the monitored data messages with the Ethereal tool, extracting the four-tuple (source IP, destination IP, source port, destination port) of each TCP/IP message, formatting it, and storing it together with the packet length in a database;
(1.2) judging whether the source port in the TCP/IP four-tuple is a specific port; if so, adding the source IP of the packet directly to the detection node candidate set U1; if not, counting the total length $\mathrm{Len}_i$ of the packets sent by IP address i within a period of time and their number $\mathrm{Count}_i$, as well as the number $\mathrm{Count}_{sum}$ and total length $\mathrm{Len}_{sum}$ of all monitored packets;
(1.3) calculating the average length $\mathrm{Avg}_i$ of the packets sent by IP address i in that period and the average length $\mathrm{Avg}_{sum}$ of all monitored packets:
$\mathrm{Avg}_i = \mathrm{Len}_i / \mathrm{Count}_i, \qquad \mathrm{Avg}_{sum} = \mathrm{Len}_{sum} / \mathrm{Count}_{sum}$
(1.4) ranking the source IPs by number of occurrences and adding the top 50% of them to the detection node candidate set U1; comparing $\mathrm{Avg}_i$ with $\mathrm{Avg}_{sum}$, and if $\mathrm{Avg}_i$ is greater than $\mathrm{Avg}_{sum}$, adding the node with that IP address to the detection node candidate set U1.
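The passive candidate selection of steps (1.1) to (1.4), worked through in Python over a small constructed packet sample. This is an added example and not code from the patent: the four-tuples are made up, and the set of "specific" source ports is an assumption, since the patent does not list those ports.

```python
from collections import defaultdict

# Constructed sample of monitored packets, one tuple per packet:
# (source IP, destination IP, source port, destination port, packet length).
# This is not captured traffic; the values were made up for the example.
PACKETS = [
    ("10.0.1.10", "10.0.2.20", 443, 51000, 1400),
    ("10.0.1.10", "10.0.2.21", 443, 51001, 1400),
    ("10.0.1.11", "10.0.2.20", 50123, 443, 80),
    ("10.0.1.11", "10.0.2.20", 50123, 443, 80),
    ("10.0.1.11", "10.0.2.20", 50123, 443, 80),
    ("10.0.1.12", "10.0.2.22", 40000, 8080, 1200),
    ("10.0.1.13", "10.0.2.22", 40001, 8080, 60),
    ("10.0.1.14", "10.0.2.23", 22, 40002, 90),
]

# Step (1.2) tests whether the source port is a "specific port". The patent
# does not list those ports, so this set is an assumption for the example.
SPECIFIC_PORTS = {22, 80, 443}
TOP_FRACTION = 0.5  # step (1.4): top 50% of source IPs by occurrence count


def build_candidate_set(packets, specific_ports=SPECIFIC_PORTS,
                        top_fraction=TOP_FRACTION):
    """Return the detection node candidate set U1 for one monitoring period."""
    u1 = set()
    len_i = defaultdict(int)    # Len_i: total bytes sent by source IP i
    count_i = defaultdict(int)  # Count_i: packets sent by source IP i
    for src, _dst, sport, _dport, length in packets:
        if sport in specific_ports:
            u1.add(src)         # step (1.2): service port, add the source directly
            continue
        len_i[src] += length    # step (1.2): accumulate Len_i and Count_i
        count_i[src] += 1
    if not count_i:
        return u1               # nothing left to rank or average
    len_sum = sum(len_i.values())      # Len_sum over all counted packets
    count_sum = sum(count_i.values())  # Count_sum over all counted packets
    avg_sum = len_sum / count_sum      # step (1.3): Avg_sum
    # Step (1.4), first rule: rank source IPs by occurrence count and keep
    # the top 50%; the sort is stable, so ties keep their first-seen order.
    ranked = sorted(count_i, key=lambda ip: count_i[ip], reverse=True)
    u1.update(ranked[:max(1, int(len(ranked) * top_fraction))])
    # Step (1.4), second rule: a source whose average packet length Avg_i
    # exceeds Avg_sum is added even if it ranked in the lower half.
    for ip in count_i:
        if len_i[ip] / count_i[ip] > avg_sum:
            u1.add(ip)
    return u1
```

With the sample above, 10.0.1.10 and 10.0.1.14 enter U1 through the port rule, 10.0.1.11 through the occurrence ranking, and 10.0.1.12 through the average-length rule (1200 bytes against an Avg_sum of 300); 10.0.1.13, which is both rare and small, is left out.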
(2) Node screening: on the basis of passive detection, further screening all undetected IP to obtain a detection node candidate set U2;
the specific method comprises the following steps:
(2.1) using a fast scanning tool such as Nmap or Masscan to actively discover the set P1 of all live devices in the network under test, where the network under test is the local area network in which the nodes of the detection node candidate set U1 are located;
(2.2) taking the first j bits of the address as the network number and selecting from P1 all nodes whose first j bits are the same, where j is the CIDR prefix length of the subnet in which the nodes are located;
(2.3) judging whether these nodes share the same upstream (front-end) router;
(2.4) if they all share the same router, selecting one of them at random to add to the detection node candidate set U2 and removing the nodes from P1; if only some of the nodes share the same upstream router and the others do not, selecting one node at random from the set of nodes that share the router, adding it to U2, and removing the other nodes of that set from P1;
(2.5) decreasing j by 1; if j is still greater than N, where N is the CIDR prefix length of the local area network, returning to step (2.2) and continuing; the node set finally obtained in the detection node candidate set U2 is the set of nodes to be actively probed after screening.
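The prefix-based screening of steps (2.2) to (2.5) as an added Python example, not the patent's code. The live-host set P1 and the host-to-upstream-router mapping are constructed inputs: the patent takes P1 from a scanner and does not say how the upstream router of each host is established, so that mapping is an assumption. The representative of a merged group is chosen deterministically (lowest address) instead of at random so the result is reproducible, and the second case of step (2.4) is generalised to handle several same-router clusters inside one prefix group.

```python
import ipaddress

# Constructed inventory for a LAN 10.0.0.0/16 (N = 16) whose hosts sit in /24
# subnets (j starts at 24). P1 stands in for the live-host set that step (2.1)
# would obtain from a scanner such as Nmap or Masscan; no scan is run here.
P1 = {"10.0.1.1", "10.0.1.2", "10.0.2.1", "10.0.2.2", "10.0.2.3",
      "10.0.3.1", "10.0.3.2"}

# Upstream (front-end) router of every host, needed by step (2.3). The patent
# does not say how this is learned, so the mapping is an assumed input.
FRONT_ROUTER = {
    "10.0.1.1": "R1", "10.0.1.2": "R1",                     # whole /24 behind R1
    "10.0.2.1": "R2", "10.0.2.2": "R2", "10.0.2.3": "R3",   # /24 split across R2, R3
    "10.0.3.1": "R3", "10.0.3.2": "R4",                     # /24 split across R3, R4
}


def prefix_key(ip, j):
    """Network number formed by the first j bits of ip (step 2.2)."""
    return ipaddress.ip_network(f"{ip}/{j}", strict=False)


def screen_nodes(p1, front_router, subnet_cidr, lan_cidr):
    """Steps (2.2)-(2.5): forward-merge hosts that share a prefix and an
    upstream router. Returns (U2, hosts still in P1 when j reaches N)."""
    p1 = set(p1)
    u2 = set()
    j = subnet_cidr
    while j > lan_cidr:                        # step (2.5): stop once j == N
        groups = {}
        for ip in p1:                          # step (2.2): group by first j bits
            groups.setdefault(prefix_key(ip, j), []).append(ip)
        for members in groups.values():
            by_router = {}
            for ip in members:                 # step (2.3): who sits behind which router
                by_router.setdefault(front_router[ip], []).append(ip)
            if len(by_router) == 1:
                # Step (2.4), first case: all behind one router. One representative
                # (lowest address, a deterministic stand-in for "random") goes to
                # U2 and the whole group leaves P1.
                u2.add(min(members, key=ipaddress.ip_address))
                p1.difference_update(members)
            else:
                # Step (2.4), second case: only hosts that share a router are
                # merged; the representative stays in P1 so it can still be merged
                # with neighbours at the next, shorter prefix.
                for cluster in by_router.values():
                    if len(cluster) > 1:
                        keep = min(cluster, key=ipaddress.ip_address)
                        u2.add(keep)
                        p1.difference_update(set(cluster) - {keep})
        j -= 1
    return u2, p1
```

Run on the sample, the /24 behind R1 collapses to 10.0.1.1 at j = 24, the two R2 hosts collapse to 10.0.2.1 at the same step, and the two R3 hosts in different /24s are merged to 10.0.2.3 only once j reaches 23 and they fall into the same /23, which is the forward merging the patent describes. The function also returns the hosts still in P1 when j reaches N (here 10.0.3.2, alone behind R4): the patent does not say what happens to hosts that were never merged, so the caller decides whether to probe them as well.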
(3) Active detection: actively probing the two detection node candidate sets to obtain a link set, performing anonymous router processing on the link set, and representing the result as an adjacency matrix to obtain the complete network topology.
The specific method comprises the following steps:
(3.1) performing Traceroute probing of the detection node candidate sets U1 and U2 to obtain a Traceroute link set; Traceroute is a well-known method and is not described in detail here;
(3.2) identifying anonymous routers in the Traceroute link set, merging nodes that belong to the same anonymous router, deleting the redundant virtual edges, and correcting the overall network topology map; anonymous routers are identified with a method based on network tomography, which is a known method and is not described in detail here;
(3.3) representing the link set obtained after anonymous router identification as an adjacency matrix to obtain the complete network topology.
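Steps (3.1) to (3.3) as an added Python example, not the patent's code. The Traceroute paths are constructed, with "*" marking a hop that did not answer. Because the tomography-based anonymous router identification of step (3.2) is not described on the page, the example substitutes a simple heuristic (anonymous hops with the same predecessor and successor sets are treated as one router); that heuristic and the placeholder names anonN are assumptions made for the example.

```python
import itertools

# Constructed Traceroute results (the output of step 3.1): the hop list from
# the probing node to each target in U1 and U2. "*" is a hop that did not
# answer, i.e. an anonymous router. These paths are made up for the example.
TRACES = {
    "10.0.1.1": ["10.0.0.1", "*", "10.0.9.1", "10.0.1.1"],
    "10.0.2.1": ["10.0.0.1", "*", "10.0.9.1", "10.0.2.1"],
    "10.0.3.2": ["10.0.0.1", "10.0.0.2", "10.0.3.2"],
}

ANON = "anon"  # prefix of the placeholder ids given to anonymous hops (assumed naming)


def link_set(traces):
    """Turn each path into consecutive (hop, next hop) links. Every '*' first
    gets its own placeholder id, so two paths through one silent router
    initially produce two distinct anonymous nodes and duplicate virtual edges."""
    links, ids = set(), itertools.count(1)
    for path in traces.values():
        hops = [h if h != "*" else f"{ANON}{next(ids)}" for h in path]
        links.update(zip(hops, hops[1:]))
    return links


def merge_anonymous(links):
    """Step (3.2) with a simple heuristic instead of the patent's tomography
    method (assumption): anonymous nodes with identical predecessor and
    successor sets are treated as one router. Rewriting the links through the
    merged ids and keeping them in a set drops the redundant virtual edges."""
    preds, succs = {}, {}
    for a, b in links:
        if b.startswith(ANON):
            preds.setdefault(b, set()).add(a)
        if a.startswith(ANON):
            succs.setdefault(a, set()).add(b)
    canon, by_signature = {}, {}
    for node in sorted(set(preds) | set(succs)):
        sig = (frozenset(preds.get(node, ())), frozenset(succs.get(node, ())))
        canon[node] = by_signature.setdefault(sig, node)
    return {(canon.get(a, a), canon.get(b, b)) for a, b in links}


def adjacency_matrix(links):
    """Step (3.3): symmetric 0/1 matrix over the sorted node list."""
    nodes = sorted({n for link in links for n in link})
    index = {n: i for i, n in enumerate(nodes)}
    matrix = [[0] * len(nodes) for _ in nodes]
    for a, b in links:
        matrix[index[a]][index[b]] = 1
        matrix[index[b]][index[a]] = 1
    return nodes, matrix


if __name__ == "__main__":
    nodes, matrix = adjacency_matrix(merge_anonymous(link_set(TRACES)))
    for name, row in zip(nodes, matrix):
        print(f"{name:>10} {row}")
```

The two silent hops between 10.0.0.1 and 10.0.9.1 start out as anon1 and anon2 (eight raw links); after merging they are one node and the duplicated virtual edges collapse to six links over seven nodes. The resulting matrix is symmetric because the topology is treated as undirected; a directed matrix would keep only the probe-to-target orientation.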
The mechanism of the invention:
In the invention, the network is first monitored, the node candidate set is then screened, and finally active probing is performed to obtain the link set. Topology discovery with this method places no heavy traffic burden on the network under test, and when the network devices support no specific network protocol and do not respond to ICMP messages, the completeness of the detected topology is higher; in particular, when topology discovery is carried out on a large-scale network, the impact on the network is lower and the method performs better.
In the invention, the set of target addresses to be probed is preprocessed by judging whether the port is a specific port and based on the number of occurrences of each source IP and the average packet length, so that a reasonably sized target address set is obtained. Selecting the candidate set by combining node monitoring with node traffic analysis improves the completeness of the finally generated network topology.
In the invention, subnets are distinguished by IP prefix, and the set of nodes on which Traceroute is run for each small subnet is determined by forward merging, which greatly reduces the number of Traceroute targets and improves the efficiency of active detection.
It should be understood that equivalents and modifications to the technical scheme and the inventive concept of the present invention fall within the scope of the claims appended hereto.
Claims (3)
1. A network topology discovery method combining active and passive detection, characterized in that the method comprises the following steps:
(1) Passive detection: deploying a monitoring node in the target network, monitoring and recording network packets, and generating a detection node candidate set U1;
(2) Node screening: on the basis of the passive detection, further screening all IPs not yet detected to obtain a detection node candidate set U2;
(3) Active detection: actively probing the two detection node candidate sets to obtain a link set, performing anonymous router processing on the link set, and then representing the result as an adjacency matrix to obtain the complete network topology;
in step (1), the specific method is as follows:
(1.1) analyzing the monitored network packets, extracting the four-tuple (source IP, destination IP, source port, destination port) of each TCP/IP message, formatting it, and storing it together with the packet length in a database;
(1.2) judging whether the source port in the TCP/IP four-tuple is a specific port; if so, adding the source IP of the packet directly to the detection node candidate set U1; if not, counting the total length $\mathrm{Len}_i$ of the packets sent by IP address i within a period of time and their number $\mathrm{Count}_i$, as well as the number $\mathrm{Count}_{sum}$ and total length $\mathrm{Len}_{sum}$ of all monitored packets;
(1.3) calculating the average length $\mathrm{Avg}_i$ of the packets sent by IP address i in that period and the average length $\mathrm{Avg}_{sum}$ of all monitored packets, $\mathrm{Avg}_i = \mathrm{Len}_i / \mathrm{Count}_i$ and $\mathrm{Avg}_{sum} = \mathrm{Len}_{sum} / \mathrm{Count}_{sum}$;
(1.4) ranking the source IPs by number of occurrences and adding the top 50% of them to the detection node candidate set U1; comparing $\mathrm{Avg}_i$ with $\mathrm{Avg}_{sum}$, and if $\mathrm{Avg}_i$ is greater than $\mathrm{Avg}_{sum}$, adding the node with that IP address to the detection node candidate set U1.
2. The network topology discovery method combining active and passive detection of claim 1, characterized in that in step (2) the specific method is as follows:
(2.1) using a fast scanning tool to actively discover the set P1 of all live devices in the network under test, where the network under test is the local area network in which the nodes of the detection node candidate set U1 are located;
(2.2) taking the first j bits of the address as the network number and selecting from P1 all nodes whose first j bits are the same, where j is the CIDR prefix length of the subnet in which the nodes are located;
(2.3) judging whether these nodes share the same upstream (front-end) router;
(2.4) if they all share the same router, selecting one of them at random to add to the detection node candidate set U2 and removing the nodes from P1; if only some of the nodes share the same upstream router and the others do not, selecting one node at random from the set of nodes that share the router, adding it to the detection node candidate set U2, and removing the other nodes of that set from P1;
(2.5) decreasing j by 1; if j is still greater than N, where N is the CIDR prefix length of the local area network, returning to step (2.2) and continuing; the node set finally obtained in the detection node candidate set U2 is the set of nodes to be actively probed after screening.
3. The network topology discovery method combining active and passive detection of claim 2, characterized in that in step (3) the specific method is as follows:
(3.1) performing Traceroute probing of the detection node candidate sets U1 and U2 to obtain a Traceroute link set;
(3.2) identifying anonymous routers in the Traceroute link set, merging nodes that belong to the same anonymous router, deleting the redundant virtual edges, and correcting the overall network topology map;
(3.3) representing the link set obtained after anonymous router identification as an adjacency matrix to obtain the complete network topology.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310423579.1A CN116170322B (en) | 2023-04-20 | 2023-04-20 | Network topology discovery method combining active and passive detection |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116170322A CN116170322A (en) | 2023-05-26 |
CN116170322B true CN116170322B (en) | 2023-07-18 |
Family
ID=86422150
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104202211A | 2014-08-25 | 2014-12-10 | University of Electronic Science and Technology of China | Autonomous system level network topology identification method combining active and passive measurement |
CN109088756A | 2018-08-01 | 2018-12-25 | Nanjing University of Posts and Telecommunications | Network topology completion method based on network equipment identification |
CN109617728A | 2018-12-14 | 2019-04-12 | China Electronics Technology Cyber Security Co., Ltd. | Distributed IP-level network topology probing method based on multiple protocols |
CN112583657A | 2020-11-13 | 2021-03-30 | Northeastern University | Distributed router-level network topology detection method based on embedded devices |
CN112671553A | 2020-11-26 | 2021-04-16 | China Electronics Technology Cyber Security Co., Ltd. | Industrial control network topology graph generation method based on active and passive detection |
Non-Patent Citations (2)
Title |
---|
Research on key technologies of network topology discovery based on network traffic analysis; Yuan Zhiwei; China Master's Theses Full-text Database, Information Science and Technology (2020, No. 02); full text |
Research on key technologies of network topology based on network traffic analysis; Wu Junyang; Computer Programming Skills & Maintenance (2020, No. 09); full text |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |