CN117675691A

CN117675691A - Remote fault monitoring method, device, equipment and storage medium of router

Info

Publication number: CN117675691A
Application number: CN202410076372.6A
Authority: CN
Inventors: 郑佳林; 郑佳欣; 杨红坤; 高彩蝶; 段理昊; 张敏
Original assignee: Shenzhen Hongxia Technology Co ltd
Current assignee: Shenzhen Hongxia Technology Co ltd
Priority date: 2024-01-18
Filing date: 2024-01-18
Publication date: 2024-03-08

Abstract

The application relates to the technical field of router monitoring and discloses a remote fault monitoring method, device and equipment of a router and a storage medium. The method comprises the following steps: the method comprises the steps that log monitoring is conducted on a plurality of network devices corresponding to a target router through a monitoring system, historical log data are obtained, and characteristic analysis is conducted on the historical log data, so that network flow characteristic data are obtained; carrying out event identification to obtain a plurality of target events and constructing an event relation diagram; performing anomaly identification to obtain a plurality of anomaly events, performing cluster analysis and anomaly modeling to obtain an anomaly model set; performing real-time monitoring of network traffic to obtain network traffic monitoring data, and performing sequence feature extraction and vector coding to obtain a network traffic sequence vector; performing anomaly analysis through the anomaly model set to obtain an anomaly analysis result; and performing fault response strategy matching and optimization to obtain a target fault response strategy.

Description

Remote fault monitoring method, device, equipment and storage medium of router

Technical Field

The present disclosure relates to the field of router monitoring technologies, and in particular, to a method, an apparatus, a device, and a storage medium for remote fault monitoring of a router.

Background

In the environment of the current internet growing, routers play a vital role as core components of the network architecture. However, with the increasing size and complexity of networks, remote fault monitoring is one of the vital tasks to ensure network stability and reliability. The traditional monitoring method is difficult to cope with complex and changeable network environments, so the requirement for designing an efficient and intelligent remote fault monitoring method is increasingly urgent. Current problems mainly include difficulties in accurate identification and quick response to network anomalies, as well as the full utilization of historical data and lack of effective means of handling dynamic changes in network traffic patterns. In addition, formulation and optimization of fault response strategies is challenging, and more flexible and intelligent methods are needed to accommodate diverse network fault scenarios.

In the conventional monitoring method, the requirement of a complex network environment is difficult to meet only by means of simple threshold detection and rule matching. Under-utilization of historical data results in an insufficient ability to track and predict changes in network traffic. Meanwhile, the integration of multi-source heterogeneous data and the mining of event relationships are also a problem to be solved urgently. In the aspect of fault response, a single rigid strategy is difficult to cope with different fault scenes, so how to perform personalized matching and optimization on the fault response strategy through an intelligent algorithm so as to realize more accurate and efficient network fault management is a problem to be solved in the current research.

Disclosure of Invention

The application provides a remote fault monitoring method, device and equipment of a router and a storage medium, which are used for improving the remote fault monitoring accuracy of the router.

In a first aspect, the present application provides a remote fault monitoring method for a router, where the remote fault monitoring method for a router includes:

the method comprises the steps of carrying out log monitoring on a plurality of network devices corresponding to a target router through a preset monitoring system to obtain historical log data, and carrying out feature analysis on the historical log data to obtain network flow feature data;

carrying out event identification on the network flow characteristic data to obtain a plurality of target events, and constructing an event relation diagram of the plurality of target events;

based on the event relation diagram, carrying out anomaly identification on the plurality of target events to obtain a plurality of anomaly events, and carrying out cluster analysis and anomaly modeling on the plurality of anomaly events to obtain an anomaly model set;

the network traffic is monitored in real time by the target router to obtain network traffic monitoring data, and the network traffic monitoring data is subjected to time sequence feature extraction and vector coding by a preset ARIMA model to obtain a network traffic time sequence vector;

Inputting the network flow time sequence vector into the anomaly model set for anomaly analysis to obtain an anomaly analysis result;

and performing fault response strategy matching on the target router according to the abnormal fault analysis result to obtain an initial fault response strategy, and performing strategy optimization on the initial fault response strategy to obtain a target fault response strategy.

In a second aspect, the present application provides a remote fault monitoring device of a router, the remote fault monitoring device of a router includes:

the monitoring module is used for carrying out log monitoring on a plurality of network devices corresponding to the target router through a preset monitoring system to obtain historical log data, and carrying out feature analysis on the historical log data to obtain network flow feature data;

the identification module is used for carrying out event identification on the network flow characteristic data to obtain a plurality of target events and constructing an event relation diagram of the plurality of target events;

the modeling module is used for carrying out anomaly identification on the plurality of target events based on the event relation graph to obtain a plurality of abnormal events, and carrying out cluster analysis and anomaly modeling on the plurality of abnormal events to obtain an anomaly model set;

The coding module is used for carrying out real-time monitoring on the network traffic of the target router to obtain network traffic monitoring data, and carrying out time sequence feature extraction and vector coding on the network traffic monitoring data through a preset ARIMA model to obtain a network traffic time sequence vector;

the analysis module is used for inputting the network flow time sequence vector into the abnormal model set for carrying out abnormal analysis to obtain an abnormal analysis result;

and the optimization module is used for carrying out fault response strategy matching on the target router according to the abnormal fault analysis result to obtain an initial fault response strategy, and carrying out strategy optimization on the initial fault response strategy to obtain a target fault response strategy.

A third aspect of the present application provides a remote fault monitoring device for a router, including: a memory and at least one processor, the memory having instructions stored therein; the at least one processor invokes the instructions in the memory to cause the remote failure monitoring device of the router to perform the remote failure monitoring method of the router described above.

A fourth aspect of the present application provides a computer readable storage medium having instructions stored therein, which when run on a computer, cause the computer to perform the above-described remote failure monitoring method of a router.

In the technical scheme provided by the application, the capability of multidimensional data analysis is provided by combining the historical log data, the flow characteristic data and the event relation diagram, so that the comprehensive understanding of the network state and the abnormal situation is facilitated. Through the abnormal model set, abnormal events can be automatically identified, cluster analysis and abnormal modeling can be performed, rapid positioning of fault points can be facilitated, and accuracy and efficiency of fault detection can be improved. The method can monitor the network traffic of the target router in real time, extract the time sequence characteristics and perform vector coding, so that the monitoring of the network state can respond to the change in time, and the method is favorable for quickly finding and coping with new fault types. By constructing the event relation graph, association rules among a plurality of target events can be intuitively displayed, and an administrator is helped to understand the occurrence and influence of complex events in the network. The method provides matching and optimization of the abnormal fault analysis result and the fault response strategy, and generates the target fault response strategy through the multi-island optimization algorithm, so that the intelligent level of fault response is improved. Through the operations of sorting, mutation, crossing and the like of the algorithm, the fault response strategy is continuously optimized, so that the response strategy can be continuously adapted and optimized in a continuously-changing network environment, and the remote fault monitoring accuracy of the router is further improved.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained based on these drawings without inventive effort for a person skilled in the art.

FIG. 1 is a schematic diagram of one embodiment of a remote fault monitoring method of a router according to an embodiment of the present application;

fig. 2 is a schematic diagram of an embodiment of a remote fault monitoring device of a router according to an embodiment of the present application.

Detailed Description

The embodiment of the application provides a remote fault monitoring method, device and equipment of a router and a storage medium. The terms "first," "second," "third," "fourth" and the like in the description and in the claims of this application and in the above-described figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.

For ease of understanding, a specific flow of an embodiment of the present application is described below, referring to fig. 1, and one embodiment of a remote fault monitoring method for a router in an embodiment of the present application includes:

step S101, carrying out log monitoring on a plurality of network devices corresponding to a target router through a preset monitoring system to obtain historical log data, and carrying out feature analysis on the historical log data to obtain network flow feature data;

it may be understood that the execution body of the present application may be a remote fault monitoring device of a router, and may also be a terminal or a server, which is not limited herein. The embodiment of the present application will be described by taking a server as an execution body.

Specifically, log monitoring is performed on a plurality of network devices corresponding to the target router through a preset monitoring system, and historical log data generated by the router and the network devices thereof are continuously collected, wherein the data comprise flow information, connection states, error reports and the like. And analyzing the historical log data by using a flow characteristic named entity recognition technology. Named entity recognition is a natural language processing technique that is capable of identifying entities from text that have a particular meaning, such as device names, IP addresses, error codes, etc., thereby converting cluttered log information into structured, meaningful data. And further analyzing the historical log data according to the result of the named entity identification to extract the initial data of the network traffic. By flushing, converting and categorizing the log data, critical information about network traffic, such as traffic size, duration, source and destination, etc., is extracted from complex log entries. And extracting the characteristics of the initial data of the network traffic through a preset first long-short time memory network (LSTM) and a preset second long-short time memory network respectively. The long and short term memory network is a special recurrent neural network suitable for processing and predicting time series data. By analyzing the two LSTM networks, not only the time dependence and the long-term dependence of the flow data can be captured, but also rich flow characteristics such as periodical changes, the influence of sudden events and the like can be extracted from different dimensions and angles. And performing feature integration on the first flow feature data and the second flow feature data. Feature integration is a process involving data fusion and optimization, combining two different feature data into a unified, comprehensive network traffic feature data set. This not only enhances the expressive power of the data, but also improves the accuracy and efficiency of subsequent anomaly identification and analysis.

Step S102, carrying out event identification on network flow characteristic data to obtain a plurality of target events, and constructing an event relation diagram of the plurality of target events;

specifically, curve fitting is performed on the network flow characteristic data to obtain a network flow characteristic curve. Curve fitting is an analytical technique in mathematics and statistics for determining a curve that best fits the trend of a dataset, which can intuitively demonstrate the trend and pattern of network traffic. And carrying out characteristic point identification on the network flow characteristic curve to obtain a plurality of curve characteristic points. Feature point recognition is a key signal processing technique that can extract representative or critical points, such as peaks, valleys, or inflection points, from complex data curves. These curve feature points are important basis for understanding and analyzing network traffic behavior, and represent key events such as abnormal events, traffic surge or sudden drop in the network. And classifying and screening the curve characteristic points through a preset Support Vector Machine (SVM) model. The SVM is a supervised learning model and is widely applied to classification and regression analysis. Through the SVM model, the most representative and critical characteristic points, namely target characteristic points, can be screened from a plurality of curve characteristic points according to a predefined classification standard. These target feature points are then event defined, each feature point being defined as a specific network event, such as a "traffic surge event" or a "connection break event", based on their location in the curve, values and surrounding context information. Thereby obtaining a plurality of target events. In order to further analyze the relationships and interactions between these target events, association rule mining is performed by a preset Apriori algorithm. The Apriori algorithm is a classical data mining algorithm, mainly used for finding association rules in large data sets. By means of the algorithm, association rules between the target events can be mined from the target events, such as events which occur frequently and simultaneously, events which are the leading cause or the result of other events and the like. A plurality of initial relationship nodes are created based on a plurality of target events, and a plurality of relationship edges are created based on the mined event association rules. These relationship nodes and relationship edges constitute the basic elements of the event relationship graph. The initial relationship nodes represent respective target events, and the relationship edges represent the associations between the events. By combining these nodes and edges, a corresponding event relationship graph can be generated. The relationship diagram not only intuitively shows the relationship among all events, but also helps monitoring personnel and systems understand and analyze complex event sequences in the network and provides information for remote fault monitoring.

Step S103, based on the event relation diagram, carrying out anomaly identification on a plurality of target events to obtain a plurality of anomaly events, and carrying out cluster analysis and anomaly modeling on the plurality of anomaly events to obtain an anomaly model set;

specifically, key point identification is performed on a plurality of initial relationship nodes in the event relationship graph through a preset PageRank algorithm, and key relationship nodes with important influence in the network are identified from a plurality of event relationship nodes, and are often key areas where abnormal events occur. And carrying out cluster analysis on the key relation nodes through a preset graph clustering algorithm. The graph clustering algorithm can group the nodes according to the connection relation between the nodes and the attribute of the nodes, so that the node similarity in the same group is high, and the node similarity between different groups is low. The node clustering results of each key relationship node not only reflect their role and role in the network, but also reveal their relationship patterns with other nodes, which helps to understand and analyze network structure and function. And carrying out abnormal relation node division on the key relation nodes according to the node clustering result. The cluster attributes of each node and their location throughout the network are analyzed to determine which nodes are distinctive in their pattern of behavior, representing anomalies or faults in the network. The obtained abnormal division information of each key relation node provides important basis for subsequent abnormal event identification. Based on the anomaly partition information and the key relationship nodes, a corresponding plurality of anomaly events are determined. Each anomaly event is comprised of one or more anomaly relationship nodes that represent a particular anomaly or failure mode in the network. An anomaly association data set for each anomaly event is obtained, the data sets containing all information associated with each anomaly event, such as time of occurrence, duration, extent of impact, etc. In order to identify the abnormal pattern from the abnormal associated data sets, cluster analysis is performed by a preset DBSCAN algorithm. DBSCAN is a density-based clustering algorithm capable of grouping data points according to density connectivity between the data points, suitable for finding clusters with complex shapes and identifying noise and outliers. By means of the DBSCAN algorithm, a plurality of anomaly patterns can be identified from the anomaly association data set, each anomaly pattern representing a particular anomaly behavior or type of fault. And carrying out anomaly modeling on a plurality of anomaly modes based on a preset decision tree network. Decision trees are a commonly used predictive modeling tool that models the outcome of a decision process and by constructing a tree structure. The system uses the decision tree network to respectively establish an abnormality model for each abnormality mode, and the models can accurately describe and predict the occurrence and development of various abnormal events. In order to improve the prediction accuracy and robustness of the models, model integration is performed on the abnormal models, and the prediction results of the models are comprehensively considered to form a final abnormal model set.

Step S104, monitoring the network traffic of the target router in real time to obtain network traffic monitoring data, and extracting time sequence characteristics and carrying out vector coding on the network traffic monitoring data through a preset ARIMA model to obtain a network traffic time sequence vector;

specifically, the network traffic of the target router is monitored in real time by a preset CUSUM (cumulative and control graph) algorithm. The CUSUM algorithm is a statistical technique, is commonly used for monitoring change points in a data sequence, and is suitable for real-time monitoring. When the CUSUM algorithm is applied to network traffic monitoring, it can detect small changes in traffic in real time, and can effectively operate even under extremely complex network conditions, thereby obtaining accurate network traffic monitoring data. And extracting time sequence characteristics of the network traffic monitoring data through a preset ARIMA (autoregressive integral moving average model). The ARIMA model is a widely used time series prediction method that is capable of modeling and predicting complex patterns observed in time series data. When used with network traffic data, the ARIMA model is able to predict future traffic trends based on historical traffic data, thereby extracting a number of initial timing characteristics such as periodic changes, trends, seasonal components, etc. of traffic. To ensure quality and availability of the timing features, feature screening is performed on these initial timing features. By comparing each timing feature to a preset feature threshold, it is determined which features are important and which features can be ignored. Feature screening can not only reduce the dimensionality of data, but also improve the efficiency of subsequent analysis and calculation. After screening, a plurality of target time sequence characteristics are obtained, and the characteristics are more representative and have analysis value. Feature encoding and vector conversion are performed on a plurality of target timing features. Feature encoding refers to converting feature data into a format that can be understood by a machine learning model, and vector conversion refers to converting encoded feature data into a vector form. In this way, each target timing characteristic is converted into a series of values, which form a multi-dimensional network traffic timing vector.

Step S105, inputting the network flow time sequence vector into an abnormal model set for abnormal analysis to obtain an abnormal analysis result;

specifically, a network traffic timing vector is input into the anomaly model set. The anomaly model set is composed of a plurality of different machine learning models, each of which is trained to identify and analyze a particular type of network anomaly. When a network traffic timing vector is input to this set of models, the system automatically matches at least two target models corresponding to the vector. These target models are selected by analyzing the characteristics of the input vector and the characteristics of each model in the set of models in order to ensure that the selected model is best suited to handle the current network conditions. And respectively carrying out anomaly analysis on the network flow time sequence vectors through a decision tree algorithm in the target model. The decision tree is a machine learning method, and can effectively solve complex classification problems by constructing a tree structure to simulate a decision process. When applied to network traffic analysis, the decision tree can branch based on the characteristics of the data, gradually narrowing the scope of the problem until the final decision result is found. By the method, each target model can analyze the input network traffic time sequence vector according to the internal decision tree logic, and an initial analysis result is obtained. These initial results include assessment and prediction of network traffic anomalies by the model. However, the initial analysis result of a single model is limited by model characteristics and training data, and in order to improve the accuracy and reliability of analysis, the initial results are fused to obtain model weight data of at least two target models. Model weight data reflects the importance and credibility of each model in the entire model set, typically calculated based on the model's performance on historical data. And carrying out weighted fusion on the initial analysis result of each target model according to the model weight data. This process involves calculating a weighted average of each initial result or employing a fusion algorithm to obtain the final anomaly analysis result.

And step S106, performing fault response strategy matching on the target router according to the abnormal fault analysis result to obtain an initial fault response strategy, and performing strategy optimization on the initial fault response strategy to obtain the target fault response strategy.

Specifically, according to the abnormal fault analysis result, performing fault response strategy matching on the target router. And analyzing the content and the characteristics of the abnormal analysis result, and selecting a strategy matched with the abnormal analysis result from a preset fault response strategy library as an initial fault response strategy. This library contains a plurality of response strategies for different faults and anomalies, each defining a series of response measures and operating steps. By this matching process, a most appropriate initial response strategy is selected for each abnormal or fault condition. And initializing strategy groups for the initial fault response strategies through a preset multi-island optimization algorithm. The multi-island optimization algorithm is an efficient global optimization algorithm that improves search efficiency and quality by performing search processes on multiple "islands" in parallel. Each "island" has a set of strategic populations that will evolve and optimize independently. By the method, searching can be widely performed in the strategy space, and a plurality of first fault response strategies can be obtained. And respectively calculating the fitness value of each strategy. The fitness value is an index for measuring the quality of the strategy, and is usually calculated based on factors such as efficiency, effect and resource consumption of the strategy on fault response. And sequencing all the first fault response strategies according to the fitness values to obtain a fault response strategy sequence. The first failure response strategy of the first 50% in the strategy sequence is propagated, mutated and crossed. Propagation refers to replicating the current optimal strategy, mutation refers to introducing small random variations in the strategy to increase diversity, and crossover refers to combining parts of two or more strategies to create a new strategy. These three operations are those commonly used in genetic algorithms and evolution strategies that can effectively drive the evolution of a strategy population, generating a plurality of second fault response strategies. The second fault response strategy is optimally solved to determine which strategies are most efficient. And (3) calculating the fitness value again for each strategy, comparing and selecting, and screening the optimal target fault response strategy from the plurality of candidate strategies. The target strategy not only can effectively respond and process the current fault or abnormal situation, but also can ensure the best performance of the target strategy in the aspects of efficiency, effect, resource consumption and the like through strict optimization.

In the embodiment of the application, the capability of multidimensional data analysis is provided by combining the historical log data, the flow characteristic data and the event relation diagram, so that the network state and the abnormal situation can be comprehensively understood. Through the abnormal model set, abnormal events can be automatically identified, cluster analysis and abnormal modeling can be performed, rapid positioning of fault points can be facilitated, and accuracy and efficiency of fault detection can be improved. The method can monitor the network traffic of the target router in real time, extract the time sequence characteristics and perform vector coding, so that the monitoring of the network state can respond to the change in time, and the method is favorable for quickly finding and coping with new fault types. By constructing the event relation graph, association rules among a plurality of target events can be intuitively displayed, and an administrator is helped to understand the occurrence and influence of complex events in the network. The method provides matching and optimization of the abnormal fault analysis result and the fault response strategy, and generates the target fault response strategy through the multi-island optimization algorithm, so that the intelligent level of fault response is improved. Through the operations of sorting, mutation, crossing and the like of the algorithm, the fault response strategy is continuously optimized, so that the response strategy can be continuously adapted and optimized in a continuously-changing network environment, and the remote fault monitoring accuracy of the router is further improved.

In a specific embodiment, the process of executing step S101 may specifically include the following steps:

(1) The method comprises the steps that log monitoring is conducted on a plurality of network devices corresponding to a target router through a preset monitoring system, and historical log data are obtained;

(2) Carrying out flow characteristic named entity recognition on the historical log data to obtain named entity recognition results;

(3) Carrying out data analysis on the historical log data according to the named entity identification result to obtain initial data of the network flow;

(4) Extracting the characteristics of the network flow initial data through a preset first long-short-time memory network to obtain first flow characteristic data, and extracting the characteristics of the network flow initial data through a preset second long-short-time memory network to obtain second flow characteristic data;

(5) And performing feature integration on the first flow feature data and the second flow feature data to obtain network flow feature data.

Specifically, log monitoring is performed on a plurality of network devices corresponding to the target router through a preset monitoring system, and the running logs of the router and related devices are continuously captured and recorded. Such log data includes device status information, network traffic data, access records, error reports, and the like. And carrying out flow characteristic named entity identification on the history log data. Named entity recognition is a technology in the field of natural language processing that is capable of recognizing entities from text that have a particular meaning, such as person names, places, organization names, time expressions, and so forth. In this embodiment, the named entity identification is used to extract key information related to network traffic, such as IP address, port number, protocol type, packet size, etc., from complex log text. And carrying out further data analysis on the history log data according to the named entity recognition result. And generating initial data of the network traffic by analyzing, sorting and converting the information obtained by the named entity identification. These initial data will be presented in a more organized and easily analyzed format, e.g., organizing information such as IP addresses, port numbers, packet sizes, etc., into individual record entries, each representing a network communication event. Thereby forming an initial data set containing the basic characteristics of the network traffic. And processing the network traffic initial data through a preset first long-short time memory network (LSTM) and a preset second long-short time memory network respectively. The long-time and short-time memory network is a special cyclic neural network and is good at processing and predicting time series data. The method can learn the long-term dependency relationship in the data, and is suitable for analyzing the data of the network flow which changes with time. When the first LSTM network and the second LSTM network act on network traffic initial data, respectively, they may extract characteristics of the traffic data from different angles and levels, such as periodic changes of traffic, impact of emergencies, long-term trends, etc. These features extracted by two different LSTM networks are referred to as first traffic feature data and second traffic feature data, respectively. And performing feature integration on the first flow feature data and the second flow feature data. The two sets of feature data are combined into a unified, comprehensive feature set. This process includes a variety of techniques including feature selection, feature fusion, feature weighting, etc. In this way, traffic characteristics from different LSTM networks are taken into account in combination to form a comprehensive and detailed network traffic characteristics data set. For example, if a first LSTM network is focused on analyzing short-term changes in traffic and a second LSTM network is focused on capturing long-term trends in traffic, the results after feature integration will contain both of these information, providing a more comprehensive view of traffic features.

In a specific embodiment, the process of executing step S102 may specifically include the following steps:

(1) Performing curve fitting on the network flow characteristic data to obtain a network flow characteristic curve, and performing characteristic point identification on the network flow characteristic curve to obtain a plurality of curve characteristic points;

(2) Inputting a plurality of curve characteristic points into a preset SVM model for characteristic point classification screening to obtain a plurality of target characteristic points, and carrying out event definition on the plurality of target characteristic points to obtain a plurality of target events;

(3) Performing association rule mining on a plurality of target events through a preset Apriori algorithm to obtain a plurality of corresponding event association rules;

(4) Creating a plurality of initial relationship nodes based on a plurality of target events and a plurality of relationship edges based on a plurality of event association rules;

(5) Based on the plurality of initial relationship nodes and the plurality of relationship edges, a corresponding event relationship graph is generated.

Specifically, curve fitting is performed on the network traffic characteristic data. Curve fitting is a statistical tool used to find the curve that best represents the data distribution. The change in network traffic over time is modeled using methods such as polynomial regression, exponential smoothing, or other suitable time series data. And carrying out characteristic point identification on the network flow characteristic curve to obtain a plurality of curve characteristic points. Feature points are often important points on a curve, such as peaks, valleys, inflection points, etc., that represent key attributes and points of change of the curve. And then, inputting the characteristic points of the curve into a preset Support Vector Machine (SVM) model to carry out characteristic point classification screening. SVM is an efficient classifier that distinguishes between classes of data points by constructing one or more hyperplanes. In this process, the SVM classifies the feature points according to their attributes such as position, size, shape, etc., and screens out the most representative and informative points, i.e., target feature points. For example, if there are two peaks, one very sharp and one very flat, the SVM recognizes the sharp peak as the target feature point because it represents a more pronounced flow change. Event definition is performed on a plurality of target feature points, and each feature point is associated with a specific network event. By analyzing the context information of the feature points, such as their time stamps, duration, relation to other feature points, etc. In this way, each target feature point is defined as a specific target event, such as "peak flow event", "sudden flow drop event", and the like. And carrying out association rule mining on the target events through a preset Apriori algorithm. The Apriori algorithm is an algorithm for finding relationships between frequent item sets and learning rules, which mines association rules by iteratively finding combinations of frequent item sets. In this embodiment, it may be used to discover relationships between different events, such as a "peak flow event" that typically occurs after a "specific activity event". Based on the target event and the association rule, a plurality of initial relationship nodes and a plurality of relationship edges are created. The initial relationship nodes represent each target event, and the relationship edges represent association rules between events. Based on the plurality of initial relationship nodes and the relationship edges, a corresponding event relationship graph is generated. This figure is a visual representation showing all the target events and their relationships to each other.

In a specific embodiment, the process of executing step S103 may specifically include the following steps:

(1) Carrying out key point identification on a plurality of initial relation nodes in the event relation graph through a preset PageRank algorithm to obtain a plurality of key relation nodes;

(2) Clustering analysis is carried out on a plurality of key relation nodes through a preset graph clustering algorithm, and a node clustering result of each key relation node is obtained;

(3) Performing abnormal relation node division on the plurality of key relation nodes according to the node clustering result to obtain abnormal division information of each key relation node;

(4) Determining a plurality of corresponding abnormal events according to the abnormal partition information and the plurality of key relation nodes;

(5) Acquiring an abnormal associated data set of each abnormal event, and carrying out cluster analysis on the abnormal associated data set through a preset DBSCAN algorithm to obtain a plurality of abnormal modes;

(6) Performing anomaly modeling on a plurality of anomaly modes based on a preset decision tree network to obtain a plurality of anomaly models, and performing model integration on the plurality of anomaly models to obtain an anomaly model set.

Specifically, a preset PageRank algorithm is used for identifying key points of a plurality of initial relation nodes in the event relation graph. The PageRank algorithm is an algorithm for identifying the importance of each page through a network link structure, and is used for evaluating and identifying the importance of each node in the graph. Critical nodes are typically those nodes that are connected to many other nodes, or to other important nodes. Through the PageRank algorithm, a number of key relationship nodes are identified from a complex event relationship graph, which are key to understanding network behavior patterns and identifying potential problems. And carrying out cluster analysis on the key relation nodes through a preset graph clustering algorithm. Graph clustering is a technique for discovering clusters of nodes in a network that may reveal modular structures or communities in the network. In the process, each key relation node is distributed into a corresponding group according to the connection relation and the similarity of the key relation node and other nodes, so that a node clustering result of each key relation node is obtained. For example, if some critical relationship nodes are all associated with high traffic events in the network, they may be clustered together. And carrying out abnormal relation node division on the key relation nodes according to the node clustering result. The behavior and attributes of the nodes in each cluster are analyzed to determine which nodes behave in a significantly different pattern than the other nodes, representing an anomaly or failure. The obtained abnormal division information of each key relation node provides important basis for subsequent abnormal event identification. For example, if a node is present during peak traffic hours and is different from the expected pattern, it is marked as an anomalous node. Based on the anomaly partition information and the key relationship nodes, a corresponding plurality of anomaly events are determined. Each anomaly event is comprised of one or more anomaly relationship nodes that represent a particular anomaly or failure mode in the network. For example, a series of abnormal nodes represent network attacks or device failures. An anomaly association dataset for each anomaly event is obtained. These datasets contain all the information associated with each abnormal event, such as the time of occurrence, duration, extent of impact, etc. of the event. Cluster analysis is performed by a preset DBSCAN (density-based spatial clustering application with noise) algorithm. DBSCAN is a clustering method that groups data points according to their "degree of closeness" between them and identifies noise or outliers. A plurality of anomaly patterns are identified from the anomaly association data set by a DBSCAN algorithm, each anomaly pattern representing a particular anomaly behavior or fault type. The anomaly models are anomaly modeled based on a preset decision tree network. Decision trees are a commonly used predictive modeling tool that models the outcome of a decision process and by constructing a tree structure. The system will use the decision tree network to build an anomaly model for each anomaly mode, respectively, which can accurately describe and predict the occurrence and development of various anomaly events. In order to improve the prediction accuracy and robustness of the models, model integration is performed on the abnormal models, and the prediction results of the models are comprehensively considered to form a final abnormal model set.

In a specific embodiment, the process of executing step S104 may specifically include the following steps:

(1) The network traffic of the target router is monitored in real time through a preset CUSUM algorithm, and network traffic monitoring data are obtained;

(2) Extracting time sequence characteristics of the network flow monitoring data through a preset ARIMA model to obtain a plurality of initial time sequence characteristics;

(3) Based on a preset feature threshold, performing feature screening on the plurality of initial time sequence features to obtain a plurality of target time sequence features;

(4) And performing feature coding and vector conversion on the plurality of target time sequence features to obtain a network traffic time sequence vector.

Specifically, the network traffic of the target router is monitored in real time through a preset CUSUM algorithm. CUSUM, the accumulation and control plot, is a statistical tool that is widely used for change detection. It rapidly identifies small changes in the data by accumulating deviations of the recorded data from some target value or average value. In this embodiment, the CUSUM algorithm may analyze information such as the number, size, and frequency of incoming and outgoing packets in real time, so as to discover abnormal fluctuations or trend changes of the traffic in time. For example, if the normal traffic pattern of a certain router is 1000 packets per second, and the CUSUM detects a sudden increase in traffic to 2000 packets per second, this is indicative of the onset of a network attack or failure. And extracting time sequence characteristics of the monitored network flow monitoring data through a preset ARIMA model. The ARIMA model, the autoregressive integral moving average model, is a time series prediction method. It is able to reveal the time-dependent structure and implicit patterns of data by taking into account the autoregressive, differential and moving averages of the data. The ARIMA model can be used for identifying the characteristics of periodic change, long-term trend, seasonal effect and the like of the flow data, and extracting a series of initial time sequence characteristics from the original network flow data, wherein the characteristics reflect the basic time sequence structure and dynamic change rule of the flow. The initial timing characteristics are filtered. Each feature is compared with a preset feature threshold value, and according to the comparison result, which features are important and which can be ignored are determined. The feature threshold is typically determined based on historical data or business requirements, which represents the lowest criterion for the significance or importance of the feature. The features with the most information quantity and analysis value, namely target time sequence features, are screened from a plurality of initial time sequence features. And performing feature coding and vector conversion on the target time sequence features. Feature encoding refers to converting feature data into a format suitable for further analysis and modeling, and vector conversion refers to converting encoded feature data into a vector form. This typically involves processes such as digitizing, normalization and dimensionality in order to convert the different feature data into a unified numerical vector for mathematical calculations and modeling. In this way, each target timing characteristic is converted into a series of values, which form a multi-dimensional network traffic timing vector.

In a specific embodiment, the process of executing step S105 may specifically include the following steps:

(1) Inputting the network traffic time sequence vector into an abnormal model set, and matching at least two target models corresponding to the network traffic time sequence vector through the abnormal model set;

(2) Performing anomaly analysis on the network flow time sequence vectors through decision tree algorithms in at least two target models to obtain an initial analysis result of each target model;

(3) And obtaining model weight data of at least two target models, and carrying out analysis result fusion on the initial analysis result of each target model according to the model weight data to obtain an abnormal analysis result.

Specifically, an anomaly model set comprising a plurality of anomaly detection models is constructed and configured. This set includes models based on different algorithms and strategies, such as statistical-based models, machine-learning-based models, and the like. Each model is trained and adapted to identify and analyze particular types or patterns of network anomalies. When a network traffic timing vector is input into this set of models, at least two target models most relevant to it are selected based on matching the characteristics of the vector and the characteristics of each model. For example, if the network traffic timing vector exhibits periodic anomaly fluctuations, a model dedicated to detecting periodic anomalies is selected as one of the target models. And carrying out anomaly analysis on the network traffic time sequence vector through a decision tree algorithm in the target model. Decision trees are machine learning algorithms that predict the value of a target variable by learning decision rules from the data. The decision tree can construct a series of decision rules based on normal and abnormal patterns in the training data and then apply these rules to analyze whether the new data point is abnormal. In this way, each object model will analyze the incoming network traffic timing vector and derive an initial analysis result based on its internal decision tree logic. These initial results include the model's assessment of whether the vector is abnormal, as well as information about the type and extent of the abnormality. However, the initial analysis results of a single model are limited by the model characteristics and training data, and these initial results are fused in order to improve the accuracy and reliability of the analysis. Model weight data of at least two target models are obtained. The model weight data reflects the importance and trustworthiness of each model throughout the model collection, typically determined based on the model's performance on historical data or business rules. And carrying out weighted fusion on the initial analysis result of each target model according to the model weight data. This process involves calculating a weighted average of each initial result, applying a voting mechanism, or employing a fusion algorithm to obtain the final anomaly analysis result. By the method, analysis results of a plurality of models can be comprehensively considered, influence of single model deviation is reduced, and overall analysis accuracy and reliability are improved.

In a specific embodiment, the process of executing step S106 may specifically include the following steps:

(1) Performing fault response strategy matching on the target router according to the abnormal fault analysis result to obtain an initial fault response strategy;

(2) Carrying out strategy group initialization on the initial fault response strategies through a preset multi-island optimization algorithm to obtain a plurality of first fault response strategies;

(3) Calculating the fitness value of each first fault response strategy respectively, and carrying out strategy sequencing on a plurality of first fault response strategies according to the fitness value to obtain a fault response strategy sequence;

(4) Propagating, mutating and crossing the first fault response strategies of the first 50% in the fault response strategy sequence to generate a plurality of second fault response strategies;

(5) And carrying out optimization solution on the plurality of second fault response strategies to obtain a target fault response strategy.

Specifically, fault response strategy matching is performed on the target router according to the abnormal fault analysis result, and each strategy defines a series of response measures and operation steps. And carrying out strategy group initialization on the initial fault response strategy through a preset multi-island optimization algorithm. The multi-island optimization algorithm is a variant of the evolution algorithm that spreads the population over multiple "islands," where the population on each island is independently subjected to evolutionary operations such as selection, crossover, and mutation, and then periodically migrates individuals between islands. The method can accelerate the search of the global optimal solution while maintaining the diversity of the population. In this scenario, each "island" will independently generate a set of first fault response policies, starting from the initial fault response policy, which are variants of the initial policy, each with different features and advantages. And respectively calculating the fitness value of each first fault response strategy. The fitness value is an index for measuring the quality of a policy, and is usually calculated based on factors such as the effectiveness, efficiency, cost, risk and the like of the policy. And sequencing all the first fault response strategies according to the fitness values to form a fault response strategy sequence. Propagating, mutating and crossing the first failure response strategy of the first 50% in the failure response strategy sequence. Reproduction refers to the selection of some well performing individuals from the current population to the next generation, mutation refers to the random alteration of some portion of the individuals to introduce new features, and crossover refers to the combination of partial features of two or more individuals to create new individuals. Through these operations, a plurality of new, more optimal second fault response policies are generated from the first fault response policies. The second fault response strategy is optimally solved to determine which strategies are most efficient. And calculating the fitness value again for each strategy, comparing and selecting, and screening the optimal target fault response strategy from the plurality of candidate strategies. The target strategy not only can effectively respond and process the current fault or abnormal situation, but also can ensure the best performance of the target strategy in the aspects of efficiency, effect, resource consumption and the like through strict optimization.

The foregoing describes a method for monitoring a remote failure of a router in an embodiment of the present application, and the following describes a device for monitoring a remote failure of a router in an embodiment of the present application, referring to fig. 2, one embodiment of the device for monitoring a remote failure of a router in an embodiment of the present application includes:

the monitoring module 201 is configured to monitor logs of a plurality of network devices corresponding to a target router through a preset monitoring system, obtain historical log data, and perform feature analysis on the historical log data to obtain network traffic feature data;

the identifying module 202 is configured to identify the event of the network traffic feature data, obtain a plurality of target events, and construct an event relationship graph of the plurality of target events;

the modeling module 203 is configured to perform anomaly identification on the plurality of target events based on the event relationship graph to obtain a plurality of abnormal events, and perform cluster analysis and anomaly modeling on the plurality of abnormal events to obtain an anomaly model set;

the encoding module 204 is configured to monitor the network traffic of the target router in real time to obtain network traffic monitoring data, and extract time sequence features and encode vectors of the network traffic monitoring data through a preset ARIMA model to obtain a time sequence vector of the network traffic;

The analysis module 205 is configured to input the network traffic timing vector into the anomaly model set for anomaly analysis, so as to obtain an anomaly analysis result;

and the optimization module 206 is configured to perform fault response policy matching on the target router according to the abnormal fault analysis result to obtain an initial fault response policy, and perform policy optimization on the initial fault response policy to obtain a target fault response policy.

Through the cooperation of the components, the capability of multidimensional data analysis is provided by combining the historical log data, the flow characteristic data and the event relation diagram, and the comprehensive understanding of the network state and the abnormal situation is facilitated. Through the abnormal model set, abnormal events can be automatically identified, cluster analysis and abnormal modeling can be performed, rapid positioning of fault points can be facilitated, and accuracy and efficiency of fault detection can be improved. The method can monitor the network traffic of the target router in real time, extract the time sequence characteristics and perform vector coding, so that the monitoring of the network state can respond to the change in time, and the method is favorable for quickly finding and coping with new fault types. By constructing the event relation graph, association rules among a plurality of target events can be intuitively displayed, and an administrator is helped to understand the occurrence and influence of complex events in the network. The method provides matching and optimization of the abnormal fault analysis result and the fault response strategy, and generates the target fault response strategy through the multi-island optimization algorithm, so that the intelligent level of fault response is improved. Through the operations of sorting, mutation, crossing and the like of the algorithm, the fault response strategy is continuously optimized, so that the response strategy can be continuously adapted and optimized in a continuously-changing network environment, and the remote fault monitoring accuracy of the router is further improved.

The present application also provides a remote fault monitoring device of a router, where the remote fault monitoring device of a router includes a memory and a processor, where the memory stores computer readable instructions that, when executed by the processor, cause the processor to execute the steps of the remote fault monitoring method of a router in the foregoing embodiments.

The present application also provides a computer readable storage medium, which may be a non-volatile computer readable storage medium, and may also be a volatile computer readable storage medium, where instructions are stored in the computer readable storage medium, when the instructions are executed on a computer, cause the computer to perform the steps of the remote fault monitoring method of a router.

It will be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, systems and units may refer to the corresponding processes in the foregoing method embodiments, which are not repeated herein.

The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (random acceS memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.

The above embodiments are merely for illustrating the technical solution of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims

1. The remote fault monitoring method for the router is characterized by comprising the following steps of:

2. The method for remote fault monitoring of a router according to claim 1, wherein the performing log monitoring on a plurality of network devices corresponding to a target router by a preset monitoring system to obtain historical log data, and performing feature analysis on the historical log data to obtain network traffic feature data includes:

the method comprises the steps that log monitoring is conducted on a plurality of network devices corresponding to a target router through a preset monitoring system, and historical log data are obtained;

carrying out flow characteristic named entity recognition on the history log data to obtain named entity recognition results;

Carrying out data analysis on the history log data according to the named entity identification result to obtain initial data of network traffic;

extracting the characteristics of the network flow initial data through a preset first long-short time memory network to obtain first flow characteristic data, and extracting the characteristics of the network flow initial data through a preset second long-short time memory network to obtain second flow characteristic data;

and performing feature integration on the first flow feature data and the second flow feature data to obtain network flow feature data.

3. The method for remote fault monitoring of a router according to claim 1, wherein the performing event recognition on the network traffic feature data to obtain a plurality of target events and constructing an event relationship graph of the plurality of target events includes:

performing curve fitting on the network flow characteristic data to obtain a network flow characteristic curve, and performing characteristic point identification on the network flow characteristic curve to obtain a plurality of curve characteristic points;

inputting the curve feature points into a preset SVM model for feature point classification screening to obtain a plurality of target feature points, and carrying out event definition on the target feature points to obtain a plurality of target events;

Performing association rule mining on the plurality of target events through a preset Apriori algorithm to obtain a plurality of corresponding event association rules;

creating a plurality of initial relationship nodes based on the plurality of target events and a plurality of relationship edges based on the plurality of event association rules;

and generating a corresponding event relation graph based on the plurality of initial relation nodes and the plurality of relation edges.

4. The method for remote fault monitoring of a router according to claim 3, wherein the performing anomaly identification on the plurality of target events based on the event relationship graph to obtain a plurality of anomaly events, performing cluster analysis and anomaly modeling on the plurality of anomaly events to obtain an anomaly model set includes:

performing key point identification on a plurality of initial relationship nodes in the event relationship graph through a preset PageRank algorithm to obtain a plurality of key relationship nodes;

performing cluster analysis on the plurality of key relation nodes through a preset graph clustering algorithm to obtain a node clustering result of each key relation node;

performing abnormal relation node division on the plurality of key relation nodes according to the node clustering result to obtain abnormal division information of each key relation node;

Determining a plurality of corresponding abnormal events according to the abnormal partition information and the plurality of key relation nodes;

acquiring an abnormal associated data set of each abnormal event, and performing cluster analysis on the abnormal associated data set through a preset DBSCAN algorithm to obtain a plurality of abnormal modes;

performing anomaly modeling on the plurality of anomaly modes based on a preset decision tree network to obtain a plurality of anomaly models, and performing model integration on the plurality of anomaly models to obtain an anomaly model set.

5. The method for remote fault monitoring of router according to claim 1, wherein the performing real-time network traffic monitoring on the target router to obtain network traffic monitoring data, and performing time sequence feature extraction and vector coding on the network traffic monitoring data through a preset ARIMA model to obtain a network traffic time sequence vector comprises:

the network flow of the target router is monitored in real time through a preset CUSUM algorithm, and network flow monitoring data are obtained;

extracting time sequence characteristics of the network flow monitoring data through a preset ARIMA model to obtain a plurality of initial time sequence characteristics;

based on a preset feature threshold, performing feature screening on the plurality of initial time sequence features to obtain a plurality of target time sequence features;

And performing feature coding and vector conversion on the plurality of target time sequence features to obtain a network traffic time sequence vector.

6. The method for remote fault monitoring of a router according to claim 1, wherein the inputting the network traffic timing vector into the anomaly model set for anomaly analysis, obtaining anomaly analysis results, includes:

inputting the network traffic time sequence vector into the abnormal model set, and matching at least two target models corresponding to the network traffic time sequence vector through the abnormal model set;

performing anomaly analysis on the network flow time sequence vectors through decision tree algorithms in the at least two target models to obtain an initial analysis result of each target model;

and obtaining model weight data of the at least two target models, and carrying out analysis result fusion on the initial analysis result of each target model according to the model weight data to obtain an abnormal analysis result.

7. The method for remote fault monitoring of a router according to claim 1, wherein the performing fault response policy matching on the target router according to the abnormal fault analysis result to obtain an initial fault response policy, and performing policy optimization on the initial fault response policy to obtain a target fault response policy, includes:

Performing fault response strategy matching on the target router according to the abnormal fault analysis result to obtain an initial fault response strategy;

carrying out strategy group initialization on the initial fault response strategy through a preset multi-island optimization algorithm to obtain a plurality of first fault response strategies;

calculating the fitness value of each first fault response strategy respectively, and carrying out strategy sequencing on the plurality of first fault response strategies according to the fitness value to obtain a fault response strategy sequence;

propagating, mutating and crossing the first failure response strategies of the first 50% in the failure response strategy sequence to generate a plurality of second failure response strategies;

and carrying out optimization solution on the plurality of second fault response strategies to obtain a target fault response strategy.

8. A remote fault monitoring device for a router, the remote fault monitoring device for a router comprising:

9. A remote failure monitoring device of a router, the remote failure monitoring device of the router comprising: a memory and at least one processor, the memory having instructions stored therein;

The at least one processor invoking the instructions in the memory to cause the remote failure monitoring device of the router to perform the remote failure monitoring method of the router of any of claims 1-7.

10. A computer readable storage medium having instructions stored thereon, which when executed by a processor, implement the remote fault monitoring method of a router as claimed in any one of claims 1 to 7.