CN116996391B - Network topology visualization method based on host network connection - Google Patents

Network topology visualization method based on host network connection

Info

Publication number: CN116996391B
Authority: CN (China)
Prior art keywords: network connection, arrow, host, service group, network
Legal status: Active
Application number: CN202311247707.8A
Other languages: Chinese (zh)
Other versions: CN116996391A
Inventors: 邵聪, 程度, 张焱, 袁齐, 李金善, 陈彦旭
Original and current assignee: Chengdu Qingteng Network Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/12 Discovery or management of network topologies
    • H04L 41/22 Arrangements for maintenance, administration or management of data switching networks comprising specially adapted graphical user interfaces [GUI]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Human Computer Interaction (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a network topology visualization method based on host network connection, which comprises the following steps: s1: collecting network connection data of a Linux operating system by using Linux audit, or collecting network connection data of a Windows operating system by using Windows audit and ETW; s2: setting a white list policy, marking a first label on network connections that conform to the policy and a second label on network connections that do not meet the policy requirements, and performing label matching on the network connection data acquired in step S1; s3: storing the label-matched network connection data in a database after five-tuple aggregation; s4: requesting to acquire the network connection data from the database; s5: displaying the network connection data acquired from the database by using a visualization library to obtain a network connection topology visualization scheme. The network connection relations are displayed in a multi-dimensional visual form, so the method has the characteristics of strong intuitiveness, strong abnormality detection capability, simple decision support and convenient user interaction.

Description

Network topology visualization method based on host network connection
Technical Field
The application belongs to the technical field of computers, and particularly relates to a network topology visualization method based on host network connection.
Background
With the increasing importance that countries and large enterprises attach to network security, network connection relations need to be sorted out and managed uniformly. Traditionally, network connections are viewed as a list, which is not intuitive and is complicated to understand, so network connection visualization has gradually become a new research trend; however, most current network connection visualizations offer only a single-dimension view, have no policy matching, and require a large amount of manual work to analyze the network connection relations. They therefore have the following disadvantages:
1. Intuitiveness is poor: network connection displays often only list the connected hosts and lack a multidimensional display of information such as the connection initiator, the receiver and the process.
2. Abnormality detection capability is weak: abnormalities have to be checked step by step, and it is not possible to determine intuitively which host in a service group the abnormal connection goes to.
3. User interaction is inconvenient: there is no way to explore and analyze the network connections in depth by manipulating the visual elements.
Disclosure of Invention
In order to solve the problems in the background art, the application provides a network topology visualization method based on host network connection, which aims to solve the problems of poor intuitiveness, weak abnormality detection capability and inconvenient user interaction in the prior art.
In order to achieve the above purpose, the present application provides the following technical solutions:
a network topology visualization method based on host network connection, comprising the steps of:
s1: collecting network connection data of a Linux operating system by using Linux audit, or collecting network connection data of a Windows operating system by using Windows audit and ETW;
s2: setting a white list policy, wherein the white list policy is configured with the related identifiers of the visitor and the interviewee, the port, the protocol and the process; a network connection conforming to the white list policy is marked with a first label, a network connection not conforming to the white list policy is marked with a second label, and label matching is carried out on the network connection data acquired in S1;
s3: the network connection data after label matching is stored in a database after five-tuple aggregation;
s4: requesting to acquire network connection data from the database, wherein the network connection data comprises service group information, host information and network connection relation information;
s5: displaying the network connection data acquired from the database by using the visualization library to obtain a network connection topology visualization scheme.
Preferably, the network connection topology visualization scheme in S5 is an overview, where the overview includes a network connection relationship between service groups, each service group includes a service group name and the number of hosts in the service group, and the first label and the second label are respectively expressed as a solid line with an arrow and a dashed line with an arrow, and the direction of the arrow is a network connection direction.
Preferably, the network connection topology visualization scheme in S5 is a global view, where the global view includes a network connection relationship between hosts, each host includes an ip of the host, a name of a service group to which the host belongs, and an access connection relationship between the host and an internal and external network, and the first label and the second label are respectively expressed as a solid line with an arrow and a dashed line with an arrow, and the direction of the arrow is a network connection direction.
Preferably, the network connection topology visualization scheme in S5 is a focus service group view, where the focus service group view includes a network connection relationship between a service group and a service group, the service group includes a name of the service, a host belonging to the service group, and a network connection relationship between hosts, and further includes a number of network connections with other service groups, and the first label and the second label are expressed as a solid line with an arrow and a dashed line with an arrow, respectively, and an arrow direction is a network connection direction.
Preferably, the network connection topology visualization scheme in S5 is an associated service group view, where the associated service group view includes host information for accessing or being accessed by a host in a service group, names of the service groups, and host information for generating network connection, and the first tag and the second tag are respectively expressed as a solid line with an arrow and a dashed line with an arrow, and a direction of the arrow is a network connection direction.
Preferably, G6.js is used for the visualization library.
Compared with the prior art, the application has the beneficial effects that:
1. The application has strong intuitiveness: network connections are displayed intuitively in the form of graphics, animation and the like through visualization technology, so that complex network structures and data relationships are easier to understand and read. This helps users quickly capture the patterns, trends and abnormal conditions of network connections; network access is represented by labels that clearly indicate where an access was initiated and which host was accessed, and information such as ports and processes can be added to distinguish normal from abnormal access.
2. The application distinguishes abnormal network access connections by the connection style, so that the user can spot an abnormal network access connection at a glance and deal with the problem.
4. Decision support is simple: the visualized network connection relations give a better understanding of the data, trends and correlations of network connections, so that more accurate and better-founded decisions such as network planning, resource allocation and fault detection can be made.
5. User interaction is simple and convenient: the visualization provides an interactive user interface, and the user can explore and analyze the network connections in depth by manipulating the visual elements. This interactivity enables users to conduct personalized data exploration and queries according to their own needs.
Drawings
FIG. 1 is a schematic flow chart of the method of the present application;
FIG. 2 is a schematic diagram of a five-tuple structure;
FIG. 3 is an overview view;
FIG. 4 is a global view;
FIG. 5 is a focal service group view;
FIG. 6 is an associated service group view.
Detailed Description
The present application will be further described in detail below with reference to the accompanying drawings and specific examples in order to facilitate understanding of the technical content of the present application by those skilled in the art. It should be understood that the specific examples described herein are intended to illustrate the application and are not intended to limit the application.
The terms used in the embodiments are explained as follows:
service group: groups divided on the basis of business, such as the personnel department, the research and development department, and the like;
the interviewee: in a single network connection relationship, the party being accessed;
the visitor: in a single network connection relationship, the party initiating the access;
strategy (policy): access rules configured according to the network connection relationships;
ETW: the full name of ETW is Event Tracing for Windows, an efficient event tracing technology in the Windows operating system;
host mode: suitable for scenarios in which all service ports must be strictly controlled. For all service ports of the host, access conforming to the policy is normal and all other access is abnormal;
service mode: suitable for scenarios in which only some key service ports are controlled. For service ports that have a policy, access conforming to the policy is normal and other access is abnormal; access to ports without a policy is left in an unprocessed state.
Example 1:
a network topology visualization method based on host network connection, as shown in fig. 1 and 2, comprises the following steps:
s1: collecting network connection data of a Linux operating system by using Linux audit (if the audit subsystem is already occupied, automatically switching to packet capture mode), or collecting network connection data of a Windows operating system by using Windows audit and ETW;
s2: setting a white list policy, wherein the white list policy is configured with the relevant identifiers of the visitor and the interviewee, the port, the protocol and the process; if the host has alarm mode enabled, a second label is marked on the network connections that do not meet the policy requirements according to the configured management mode (host mode or service mode), and label matching is carried out on the network connection data acquired in S1;
s3: the network connection data after label matching is stored in a database after five-tuple aggregation: if two network connection records have the same dst, src, dstPort, proto and pname, they are considered to be one connection; the access count is increased by 1, but only one network connection record is stored;
s4: requesting to acquire network connection data from the database, wherein the network connection data comprises service group information, host information and network connection relation information;
s5: displaying the network connection data acquired from the database by using the visualization library to obtain a network connection topology visualization scheme.
In this embodiment, network connections are displayed intuitively in the form of graphics, animation and the like through visualization technology, so that complex network structures and data relationships are easier to understand and read. This helps the user quickly capture the patterns, trends and abnormal conditions of network connections; network access is represented by labels, and information such as the port and process can be added to indicate which host is accessed from where, so that normal and abnormal access can be distinguished and the abnormality detection capability is strong. This interactivity enables users to conduct personalized data exploration and queries according to their own needs.
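The label matching of S2 under the host mode and service mode defined above, the five-tuple aggregation of S3, and the folding of the stored records into the service-group edges of the S5 overview, as an added Python example that is not code from the patent or its assignee; the record fields, the policy format with its "*" wildcard, the label values and the sample hosts are assumptions made for this example.

```python
"""Whitelist labelling (S2), five-tuple aggregation (S3) and overview edges (S5).
Added example, not code from the patent or its assignee; record fields, policy
format, label values and sample hosts are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LABEL_NORMAL = "first"     # conforms to the whitelist policy (solid arrow)
LABEL_ABNORMAL = "second"  # violates the whitelist policy (dashed arrow)
LABEL_NONE = None          # service mode only: port has no policy, left unprocessed

@dataclass(frozen=True)
class Policy:
    """One whitelist rule; "*" in src or pname matches anything (assumed wildcard)."""
    src: str        # visitor: the host initiating the access
    dst: str        # interviewee: the host being accessed
    dst_port: int
    proto: str
    pname: str      # process serving the port on the interviewee

@dataclass
class Conn:
    """A connection record as the audit/ETW collector would emit it (assumed shape)."""
    src: str
    dst: str
    dst_port: int
    proto: str
    pname: str
    label: Optional[str] = LABEL_NONE
    count: int = 1

def label_connection(c: Conn, policies: List[Policy], mode: str) -> Optional[str]:
    """S2: host mode treats every non-whitelisted access as abnormal; service mode
    only judges ports that have a policy and leaves the rest unprocessed."""
    same_port = [p for p in policies
                 if p.dst == c.dst and p.dst_port == c.dst_port and p.proto == c.proto]
    if any(p.src in ("*", c.src) and p.pname in ("*", c.pname) for p in same_port):
        return LABEL_NORMAL
    if mode == "host":
        return LABEL_ABNORMAL
    if mode == "service":
        return LABEL_ABNORMAL if same_port else LABEL_NONE
    raise ValueError("unknown management mode: %s" % mode)

def aggregate_five_tuple(conns: List[Conn]) -> List[Conn]:
    """S3: records sharing (dst, src, dstPort, proto, pname) become one stored record;
    the first is kept and each later duplicate only increments its access count."""
    merged: Dict[Tuple, Conn] = {}
    for c in conns:
        key = (c.dst, c.src, c.dst_port, c.proto, c.pname)
        if key in merged:
            merged[key].count += 1
        else:
            merged[key] = Conn(c.src, c.dst, c.dst_port, c.proto, c.pname, c.label, 1)
    return list(merged.values())

def overview_edges(conns: List[Conn], host_group: Dict[str, str]) -> Dict[Tuple, Dict]:
    """S5 overview: fold host records into (visitor group, interviewee group) edges;
    one abnormal contributor makes the edge dashed. Unlabelled records are skipped."""
    edges: Dict[Tuple, Dict] = {}
    for c in conns:
        if c.label is LABEL_NONE:
            continue
        key = (host_group.get(c.src, "external"), host_group.get(c.dst, "external"))
        e = edges.setdefault(key, {"style": "solid", "count": 0})
        e["count"] += c.count
        if c.label == LABEL_ABNORMAL:
            e["style"] = "dashed"
    return edges

# Constructed sample: two service groups; any host may reach the R&D web service,
# and only the R&D host may reach SSH on 10.0.1.10.
HOST_GROUP = {"10.0.1.10": "HR", "10.0.1.11": "HR", "10.0.2.20": "R&D"}
POLICIES = [Policy("*", "10.0.2.20", 443, "tcp", "nginx"),
            Policy("10.0.2.20", "10.0.1.10", 22, "tcp", "sshd")]
RAW_CONNS = [
    Conn("10.0.1.10", "10.0.2.20", 443, "tcp", "nginx"),
    Conn("10.0.1.10", "10.0.2.20", 443, "tcp", "nginx"),      # same five-tuple again
    Conn("10.0.1.11", "10.0.2.20", 443, "tcp", "nginx"),
    Conn("10.0.1.11", "10.0.1.10", 22, "tcp", "sshd"),        # visitor not whitelisted
    Conn("203.0.113.5", "10.0.2.20", 8080, "tcp", "python"),  # port with no policy
]

def run(mode: str) -> Tuple[List[Conn], Dict[Tuple, Dict]]:
    """Label, aggregate and build overview edges for the constructed sample."""
    labelled = [Conn(c.src, c.dst, c.dst_port, c.proto, c.pname,
                     label_connection(c, POLICIES, mode)) for c in RAW_CONNS]
    stored = aggregate_five_tuple(labelled)
    return stored, overview_edges(stored, HOST_GROUP)
```

Calling run("host") and run("service") on the same sample shows the one difference between the modes: the connection to the port without a policy is dashed (abnormal) in host mode but unlabelled and absent from the overview in service mode.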
Example 2:
the difference between this embodiment and embodiment 1 is that, as shown in fig. 3, the network connection topology visualization scheme in S5 is an overview, where the overview includes a network connection relationship between service groups, each service group includes a service group name and the number of hosts owned by the service group, and the first label and the second label are respectively expressed as a solid line with an arrow and a dashed line with an arrow, and the direction of the arrow is the network connection direction.
Example 3:
the difference between this embodiment and embodiment 1 is that, as shown in fig. 4, the network connection topology visualization scheme in S5 is a global view, where the global view includes a network connection relationship between hosts, each host includes ip of the host, a service group name to which the host belongs, and an access connection relationship between the host and an internal and external network, and the first label and the second label are respectively expressed as a solid line with an arrow and a dashed line with an arrow, and the arrow direction is a network connection direction.
Example 4:
the difference between this embodiment and embodiment 1 is that, as shown in fig. 5, the network connection topology visualization scheme in S5 is a focal service group view, where the focal service group view includes a network connection relationship between the inside and the outside of a service group, the service group includes a name of the service, a host belonging to the service group, and a network connection relationship between hosts, and further includes the number of network connections with other service groups, and the first label and the second label are expressed as a solid line with an arrow and a dotted line with an arrow, respectively, and the direction of the arrow is a network connection direction.
Example 5:
the difference between this embodiment and embodiment 1 is that, as shown in fig. 6, the network connection topology visualization scheme in S5 is an associated service group view, where the associated service group view includes host information for accessing or being accessed by a host in a service group, names of the service groups, and host information for generating network connection, and the first tag and the second tag are expressed as a solid line with an arrow and a dotted line with an arrow, respectively, and the arrow direction is the network connection direction.
Example 6:
The difference between this embodiment and embodiment 1 is that, as shown in fig. 3, fig. 4, fig. 5 and fig. 6, the visualization library adopts G6.js, and when the visualization library is used, the parts common to all views of the network connection topology visualization scheme are:
the upper left and upper right corners are filtering functions, which can filter by service group, IP, host name, port, process and protocol so that only the selected part is displayed;
the lower right corner holds function buttons and a thumbnail display, providing zoom in, zoom out and display at 100%; the right side provides refresh data, legend, data range and switch view functions.

Claims (6)

1. The network topology visualization method based on the host network connection is characterized by comprising the following steps:
s1: collecting network connection data of a Linux operating system by using Linux audit, or collecting network connection data of a Windows operating system by using Windows audit and ETW;
s2: setting a white list policy, wherein the white list policy is configured with the related identifiers of the visitor and the interviewee, the port, the protocol and the process; a network connection conforming to the white list policy is marked with a first label, a network connection not conforming to the white list policy is marked with a second label, and label matching is carried out on the network connection data acquired in S1;
s3: the network connection data after label matching is stored in a database after five-tuple aggregation;
s4: requesting to acquire network connection data from the database, wherein the network connection data comprises service group information, host information and network connection relation information;
s5: displaying the network connection data acquired from the database by using the visualization library to obtain a network connection topology visualization scheme.
2. The network topology visualization method based on host network connection according to claim 1, wherein the network connection topology visualization scheme in S5 is an overview, the overview includes the network connection relationship between service groups, each service group includes the name of the service group and the number of hosts owned by the service group, the first label and the second label are respectively expressed as a solid line with an arrow and a dashed line with an arrow, the arrow directions of the solid line and the dashed line are both data flow directions, the arrow points to the accessed service group, and the arrow tail points to the accessing service group.
3. The network topology visualization method based on host network connection according to claim 1, wherein the network connection topology visualization scheme in S5 is a global view, the global view includes the network connection relations between hosts, each host includes the ip of the host, the name of the service group to which the host belongs, and the access connection relations between the host and the internal and external networks, the first label and the second label are respectively expressed as a solid line with an arrow and a dashed line with an arrow, the arrow directions of the solid line and the dashed line are both data flow directions, the arrow points to the accessed host, and the arrow tail points to the accessing host.
4. The network topology visualization method based on host network connection according to claim 1, wherein the network connection topology visualization scheme in S5 is a focus service group view, the focus service group view includes the network connection relationship between the inside and the outside of a service group, the service group includes the name of the service, the hosts belonging to the service group and the network connection relationships between hosts, and further includes the number of network connections occurring with other service groups, the first label and the second label are respectively expressed as a solid line with an arrow and a dashed line with an arrow, the arrow directions of the solid line and the dashed line are both data flow directions, the arrow points to the accessed host, and the arrow tail points to the accessing host.
5. The network topology visualization method based on host network connection according to claim 1, wherein the network connection topology visualization scheme in S5 is an associated service group view, the associated service group view includes information on the hosts that access, or are accessed by, hosts in the service group, the names of the respective service groups, and information on the hosts generating the network connection, the first label and the second label are respectively expressed as a solid line with an arrow and a dashed line with an arrow, the arrow directions of the solid line and the dashed line are both data flow directions, the arrow points to the accessed host, and the arrow tail points to the accessing host.
6. The network topology visualization method based on host network connection according to claim 1, wherein the visualization library employs G6.js.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311247707.8A CN116996391B (en) 2023-09-26 2023-09-26 Network topology visualization method based on host network connection


Publications (2)

Publication Number Publication Date
CN116996391A CN116996391A (en) 2023-11-03
CN116996391B true CN116996391B (en) 2023-12-05

Family

ID=88526947


Country Status (1)

Country Link
CN (1) CN116996391B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107612733A (en) * 2017-09-19 2018-01-19 杭州安恒信息技术有限公司 A kind of network audit and monitoring method and its system based on industrial control system
CN114238489A (en) * 2021-11-19 2022-03-25 深圳市云盾科技有限公司 Service access topology display method and system based on network flow monitoring data
CN115174269A (en) * 2022-09-05 2022-10-11 中国人民解放军国防科技大学 Linux host network communication security protection method and device
CN116016196A (en) * 2022-12-14 2023-04-25 四川新网银行股份有限公司 Method and system for constructing system architecture topology in real time

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11271816B2 (en) * 2020-02-24 2022-03-08 At&T Intellectual Property I, L.P. Network topology management using network element differential history


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
ETSI GS MOI 002 V1.1.1 (2012), DGS/MOI-0002: Group Specification, Measurement Ontology for IP traffic (MOI); Requirements for IP traffic measurement ontologies development, full text. *
Research and implementation of a network management system and link-layer topology discovery technology; 程正君; China Master's Theses Full-text Database; full text. *

Also Published As

Publication number Publication date
CN116996391A (en) 2023-11-03


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant