CN117896163A - Network flow monitoring system - Google Patents

Publication number
CN117896163A
Authority
CN
China
Prior art keywords
network
devices
association
abnormal
equipment
Legal status
Pending
Application number
CN202410118772.9A
Other languages
Chinese (zh)
Inventor
李敬鑫
刘玉婷
Current Assignee
Guangzhou Zhuoguan Technology Co ltd
Original Assignee
Guangzhou Zhuoguan Technology Co ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network flow monitoring system comprising a refined topology construction module, an abnormal flow monitoring module and a network device control module. The system can divide the plurality of devices in each network more finely, construct a plurality of sub-network topologies for each network, and obtain the network topology of each network. It can monitor the operation flow of the plurality of devices in real time and determine the abnormal devices in each network and their degree of abnormality. It can also determine the associated devices of an abnormal device and their degree of association according to the network topology of each network, and take corresponding control measures according to the characteristic information and degree of abnormality of the abnormal device and the characteristic information and degree of association of the associated devices. The advantages are that abnormal conditions across the whole network can be comprehensively perceived, network faults and problems can be found and solved in time, network performance is optimized, and the performance, stability and security of the network are improved.

Description

Network flow monitoring system
Technical Field
The invention relates to the technical field of network control, in particular to a network flow monitoring system.
Background
With the rapid development of modern information technology, the network traffic monitoring technology plays an increasingly critical role in the effective application of the network, and can strengthen the effective control of the network output traffic and promote the efficient utilization of the traffic, thereby reducing the traffic cost of users. The behavior characteristics of the network can be reflected by the dynamic characteristics of the traffic carried by the network, so that various parameters of the traffic in the network, such as the size of a received datagram, the packet loss rate, the delay of the datagram and the like, can be monitored in a targeted manner, and the running state of the network can be analyzed from the parameters. By analyzing and studying traffic characteristics carried on the network, it is possible to provide an efficient way to explore the internal operating mechanisms of the network.
In addition, the operation flow reflects the operation state of the network and is a key for judging whether the network operates normally. If the traffic received by the network exceeds its actual carrying capacity, it causes a degradation in network performance. The flow measurement can reflect whether the network equipment such as a router, a switch and the like works normally or not, and can reflect the resource bottleneck of the whole network operation.
However, the network traffic monitoring system for monitoring and responding to traffic anomalies in real time in the prior art has the following problems:
1. Monitoring is usually performed only on a single device or on the data traffic transmitted in the network; other devices directly or indirectly related to an abnormal device are not necessarily considered, so the abnormal condition of the whole network cannot be comprehensively perceived, network faults and problems cannot be found and solved in time, and the stability and security of the network are affected;
2. The network is not finely divided and analyzed; the network topology graph is mostly generated only from the connection relations among the devices in the network, and the network topology relation is determined from it, so potential performance associations and associated devices in the network may be ignored, which affects the performance and stability of the network.
Disclosure of Invention
The present invention is directed to a network traffic monitoring system, so as to solve the problems set forth in the background art.
In order to achieve the above purpose, the present invention provides the following technical solutions: a network flow monitoring system comprises a refined topology construction module, an abnormal flow monitoring module, a network device control module and a visualization module;
The output end of the refined topology construction module is connected with the input end of the abnormal flow monitoring module, the output end of the refined topology construction module is connected with the input end of the network equipment control module, the output end of the abnormal flow monitoring module is connected with the input end of the network equipment control module, and the output end of the network equipment control module is connected with the input end of the visualization module;
The refined topology construction module is used for acquiring characteristic information of a plurality of devices of each network and acquiring interaction information among the plurality of devices of each network; the module is also used for dividing the plurality of devices of each network into a plurality of device sets according to the characteristic information of the plurality of devices through a graph attention network; constructing sub-network topologies respectively corresponding to the plurality of device sets according to the interaction information among the plurality of devices by using an agglomerative hierarchical clustering algorithm; each device set corresponds to one sub-network topology; constructing a network topology of each network according to the sub-network topologies;
The abnormal flow monitoring module is used for monitoring the operation flow of the plurality of devices in real time; determining equipment with abnormal flow in the operation flow as abnormal equipment, and determining the degree of abnormality of the abnormal equipment; each abnormal device corresponds to one degree of abnormality; determining a plurality of associated devices of the abnormal device according to the network topology of each network and the abnormality degree of the abnormal device, and determining the association degree of the plurality of associated devices; each association device corresponds to one association degree respectively;
The network device control module is configured to take corresponding control measures for the abnormal device and the corresponding multiple associated devices of each network according to the feature information and the degree of abnormality of the abnormal device, and according to the feature information and the degree of association corresponding to the multiple associated devices, respectively;
And the visualization module is used for displaying the network topology of each network and the control measures.
Optionally, the refined topology construction module includes:
An information acquisition unit, configured to acquire feature information of the plurality of devices, and acquire interaction information between the plurality of devices; the characteristic information comprises equipment type, an operating system, a service port, performance indexes and configuration parameters; the interaction information comprises a communication mode, a connection relation, data flow, a communication protocol and transmission delay data; the plurality of devices respectively correspond to one piece of characteristic information; the plurality of devices respectively correspond to one piece of interaction information;
The device dividing unit is used for dividing the plurality of devices of each network into a plurality of device sets according to the characteristic information of the plurality of devices through the graph attention network; each network comprising the plurality of device sets;
A network topology construction unit, configured to construct the sub-network topologies respectively corresponding to the plurality of device sets according to the interaction information between the plurality of devices through an agglomerative hierarchical clustering algorithm, and to construct the network topology of each network according to the sub-network topologies.
Optionally, the abnormal flow monitoring module includes:
The real-time monitoring unit is used for monitoring the operation flow of the plurality of devices in real time;
An abnormality determination unit, configured to obtain an abnormality monitoring model that takes the operation flows of the plurality of devices as input and the abnormal devices among the plurality of devices and the degrees of abnormality of the abnormal devices as outputs; the abnormality monitoring model is used for determining the abnormal devices among the plurality of devices and determining the degree of abnormality of the abnormal devices;
And the association determining unit is used for determining a plurality of association devices of the abnormal device according to the network topology of each network and the abnormality degree of the abnormal device, and determining the association degrees respectively corresponding to the plurality of association devices.
Optionally, the network device control module includes:
The association degree conversion unit is used for obtaining, according to a conversion rule, the degrees of abnormality respectively corresponding to the plurality of associated devices from the association degrees respectively corresponding to the plurality of associated devices; each associated device corresponds to one degree of abnormality;
A measure acquisition unit, configured to obtain a measure acquisition model that takes the characteristic information and the degrees of abnormality respectively corresponding to the abnormal device and the plurality of associated devices as input and the control measures respectively corresponding to the abnormal device and the plurality of associated devices as output, and to output, by using the measure acquisition model, the control measures respectively corresponding to the abnormal device and the plurality of associated devices;
And the device control unit is used for executing the control measures output by the measure acquisition model for the abnormal device and the plurality of associated devices, so as to control the abnormal device and the plurality of associated devices in each network respectively.
Optionally, in the device dividing unit, the dividing of the plurality of devices of each network into the plurality of device sets according to the characteristic information of the plurality of devices specifically includes: first, forming device feature vectors of the plurality of devices according to the characteristic information of the plurality of devices, each device corresponding to one device feature vector; then, dividing the plurality of devices according to the device feature vectors respectively corresponding to the plurality of devices through the graph attention network to obtain the plurality of device sets;
In the network topology construction unit, the sub-network topologies respectively corresponding to the plurality of device sets are constructed according to the interaction information among the plurality of devices, specifically: first, forming interaction feature vectors of the plurality of devices according to the interaction information among the plurality of devices, each device corresponding to one interaction feature vector; then, through the agglomerative hierarchical clustering algorithm, dividing the plurality of device sets into a plurality of device clusters according to the interaction feature vectors respectively corresponding to each device in the plurality of device sets; each device set corresponds to one device cluster; and the plurality of device clusters respectively corresponding to the plurality of device sets form the sub-network topologies respectively corresponding to the plurality of device sets.
Optionally, the abnormality monitoring model of the abnormality determination unit specifically includes: training a deep learning network model according to historical operation flow and the operation labels corresponding to the historical operation flow to obtain the abnormality monitoring model; the operation labels comprise normal operation labels and abnormal operation labels; the normal operation label indicates that no abnormal flow exists in the historical operation flow; the abnormal operation label indicates that abnormal flow exists in the historical operation flow; the abnormal operation label is the degree of abnormality, and the degree of abnormality comprises a high level and a low level; the operation flows of the plurality of devices are taken as the input of the abnormality monitoring model, and the degrees of abnormality of the abnormal devices among the plurality of devices are taken as the output of the abnormality monitoring model;
The association determining unit determines the plurality of associated devices of the abnormal device, specifically: according to the network topology of each network, determining a device to which the operation flow of the abnormal device flows as a first output device; determining a device whose operation flow flows into the abnormal device as a first input device; determining a device to which the operation flow of the first output device flows as a second output device; determining a device whose operation flow flows into the first input device as a second input device; the plurality of associated devices of the abnormal device comprise the first output device, the first input device, the second output device and the second input device;
In the association determining unit, the determination rule for the association degrees respectively corresponding to the plurality of associated devices is specifically: if the degree of abnormality of the abnormal device is the high level, the association degree of the first output device is determined as a first-level association, the association degree of the first input device is determined as the first-level association, the association degree of the second output device is determined as a secondary association, and the association degree of the second input device is determined as the secondary association; if the degree of abnormality of the abnormal device is the low level, the association degree of the first output device is determined as the secondary association, the association degree of the first input device is determined as the secondary association, the association degree of the second output device is determined as no association, and the association degree of the second input device is determined as no association.
Optionally, the conversion rule of the association degree conversion unit specifically includes: if the association degree corresponding to the associated device is the first-level association, the degree of abnormality corresponding to the associated device is the high level; if the association degree corresponding to the associated device is the secondary association, the degree of abnormality corresponding to the associated device is the low level; if the association degree corresponding to the associated device is no association, no abnormal flow exists in the operation flow of the associated device;
The measure acquisition model in the measure acquisition unit specifically includes: training the deep learning network according to training data to obtain the measure acquisition model; wherein the training data is a plurality of history control measures performed on each device; each history measure corresponds to one piece of characteristic information; each history measure corresponds to one degree of abnormality.
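The determination rule of the association determining unit and the conversion rule of the association degree conversion unit described above can be exercised on a small directed topology. The following is an added example, not code from the patent: the device names and edges are constructed, and two points the text leaves open are resolved by assumption (a device that falls into several roles keeps its strongest association degree, and the abnormal device is never counted as its own associated device).

```python
from collections import defaultdict

# Determination rule from the text: (degree of abnormality of the abnormal
# device, hop distance of the associated device) -> association degree.
DETERMINATION = {
    ("high", 1): "first-level", ("high", 2): "secondary",
    ("low", 1): "secondary", ("low", 2): "none",
}
# Conversion rule from the text: association degree -> degree of abnormality
# assigned to the associated device (None means no abnormal flow).
CONVERSION = {"first-level": "high", "secondary": "low", "none": None}
RANK = {"none": 0, "secondary": 1, "first-level": 2}
HOPS = {"first_output": 1, "first_input": 1,
        "second_output": 2, "second_input": 2}

# Constructed topology: (src, dst) means operation flow goes from src to dst.
EDGES = [
    ("edge-rtr", "fw"), ("fw", "core"), ("core", "srv"), ("srv", "db"),
    ("core", "mon"), ("mon", "core"),   # bidirectional link with "core"
    ("mon", "log"), ("srv", "mon"),     # "mon" is also two hops away
    ("backup", "db"),                   # not associated with "core"
]


def associated_devices(edges, abnormal):
    """Return the first/second input and output devices of `abnormal`."""
    succ, pred = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        succ[src].add(dst)
        pred[dst].add(src)
    first_out = succ[abnormal] - {abnormal}
    first_in = pred[abnormal] - {abnormal}
    # Assumption: flow that loops back to the abnormal device does not make
    # the abnormal device its own associated device.
    second_out = set().union(*(succ[d] for d in first_out)) - {abnormal}
    second_in = set().union(*(pred[d] for d in first_in)) - {abnormal}
    return {"first_output": first_out, "first_input": first_in,
            "second_output": second_out, "second_input": second_in}


def association_degrees(edges, abnormal, degree):
    """Apply the determination rule; `degree` is "high" or "low"."""
    if degree not in ("high", "low"):
        raise ValueError("degree of abnormality must be 'high' or 'low'")
    result = {}
    for role, devices in associated_devices(edges, abnormal).items():
        label = DETERMINATION[(degree, HOPS[role])]
        for dev in devices:
            # Assumption: a device in several roles keeps the strongest degree.
            if RANK[label] > RANK.get(result.get(dev), -1):
                result[dev] = label
    return result


def converted_abnormality(association):
    """Apply the conversion rule to every associated device."""
    return {dev: CONVERSION[label] for dev, label in association.items()}


if __name__ == "__main__":
    for level in ("high", "low"):
        assoc = association_degrees(EDGES, "core", level)
        print(level, sorted(converted_abnormality(assoc).items()))
```

With a high-level abnormality on `core`, the direct neighbours are treated as high-level and the two-hop devices as low-level; with a low-level abnormality the two-hop devices drop out of scope entirely.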
Optionally, the device dividing unit divides the plurality of devices according to the device feature vectors respectively corresponding to the plurality of devices through the graph attention network to obtain the plurality of device sets, which specifically includes: constructing the device feature vectors respectively corresponding to the plurality of devices into a graph structure, wherein each node of the graph structure corresponds to one of the plurality of devices;
The graph attention network comprises an attention mechanism, which is used for learning the association weight between every two nodes in the graph structure; the association weight represents the correlation between every two of the plurality of devices; the greater the association weight, the greater the correlation; the smaller the association weight, the smaller the correlation; the plurality of devices are divided according to the correlation between every two of the plurality of devices to obtain the plurality of device sets, specifically: devices with large correlation are classified into the same device set;
The network topology construction unit divides the plurality of device sets into a plurality of device clusters according to the interaction feature vectors respectively corresponding to each device in the plurality of device sets through the agglomerative hierarchical clustering algorithm, specifically: performing similarity calculation on the interaction feature vectors of the devices in the plurality of device sets to obtain the similarity between the devices in the plurality of device sets; and merging devices into device clusters in order of similarity from high to low to obtain the plurality of device clusters respectively corresponding to the plurality of device sets.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Compared with the prior art, the invention has the beneficial effects that:
1. Through the refined topology construction module, the abnormal flow monitoring module and the network device control module, the operation flow of a plurality of devices can be monitored in real time, the abnormal devices in each network and their degree of abnormality can be determined, the associated devices of the abnormal devices and their association degrees can be determined according to the network topology of each network, and corresponding control measures are taken according to the characteristic information and degree of abnormality of the abnormal devices and the characteristic information and association degrees of the associated devices, so that the abnormal condition of the whole network is comprehensively perceived, network faults and problems can be found and solved in time, and the stability and security of the network are improved;
2. Through the graph attention network and the agglomerative hierarchical clustering algorithm of the refined topology construction module, the plurality of devices in each network can be finely divided, a plurality of sub-network topologies of each network are constructed, and the network topology of each network is obtained, so that potential performance associations and associated devices in the network are found, network performance is optimized, and the performance and stability of the network are improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It will be apparent to those skilled in the art from this disclosure that the drawings described below are merely exemplary and that other embodiments may be derived from the drawings provided without undue effort.
FIG. 1 is a block diagram of the overall system of the present invention;
FIG. 2 is a block diagram of a portion of the system of the present invention;
FIG. 3 is a second system block diagram of a portion of the present invention;
FIG. 4 is a block diagram of a portion of the system of the present invention.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus consistent with some aspects of the disclosure as detailed in the accompanying claims.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1-4, the invention provides a network traffic monitoring system, which comprises a refined topology construction module, an abnormal traffic monitoring module, a network device control module and a visualization module;
The output end of the refined topology construction module is connected with the input end of the abnormal flow monitoring module, the output end of the refined topology construction module is connected with the input end of the network equipment control module, the output end of the abnormal flow monitoring module is connected with the input end of the network equipment control module, and the output end of the network equipment control module is connected with the input end of the visualization module;
The refined topology construction module is used for acquiring characteristic information of a plurality of devices of each network and acquiring interaction information among the plurality of devices of each network; the module is also used for dividing the plurality of devices of each network into a plurality of device sets according to the characteristic information of the plurality of devices through a graph attention network; constructing sub-network topologies respectively corresponding to the plurality of device sets according to the interaction information among the plurality of devices by using an agglomerative hierarchical clustering algorithm; each device set corresponds to one of the sub-network topologies; constructing a network topology of each network according to the sub-network topologies;
The abnormal flow monitoring module is used for monitoring the operation flow of the plurality of devices in real time; determining equipment with abnormal flow in the operation flow as abnormal equipment, and determining the degree of abnormality of the abnormal equipment; each abnormal device corresponds to one degree of abnormality; determining a plurality of associated devices of the abnormal device according to the network topology of each network and the abnormality degree of the abnormal device, and determining the association degree of the plurality of associated devices; each association device corresponds to one association degree respectively;
The network device control module is configured to take corresponding control measures for the abnormal device and the multiple associated devices corresponding to the abnormal device according to the characteristic information and the degree of abnormality of the abnormal device, and according to the characteristic information and the degree of association corresponding to the multiple associated devices, respectively;
And the visualization module is used for displaying the network topology of each network and the control measures.
Specifically, the characteristic information in the refined topology construction module comprises the device type, operating system, service port, performance indexes and configuration parameters; the interaction information comprises the communication mode, connection relation, data traffic, communication protocol and transmission delay data. Each device corresponds to one piece of characteristic information and one piece of interaction information. Dividing the plurality of devices of each network into a plurality of device sets according to the characteristic information of the plurality of devices means dividing the devices in each network into device sets according to the characteristic information of each device, so that each network comprises a plurality of device sets. The division is performed through a graph attention network: a graph structure of each network is formed according to the characteristic information of each device, the graph structure comprises as many nodes as there are devices, and each node represents one device. The graph attention network comprises an attention mechanism that automatically learns the association weight between every two nodes in the graph structure, that is, the correlation between every two devices; the greater the association weight, the greater the correlation, and the smaller the association weight, the smaller the correlation. Devices with large correlation are classified into the same device set.
Constructing the sub-network topologies respectively corresponding to the plurality of device sets according to the interaction information among the plurality of devices means constructing the sub-network topology of each device set according to the interaction information of each device; each device set corresponds to one sub-network topology. Through the agglomerative hierarchical clustering algorithm, the similarity between every two devices in each device set is calculated according to the interaction information of each device, and the devices in each device set are merged into device clusters in order of similarity from high to low, so that each device set comprises a plurality of device clusters. The device clusters included in each device set form the sub-network topology of that device set, and the network topology of each network is composed of the device clusters respectively included in the device sets of that network. The advantage is that, through the graph attention network and the agglomerative hierarchical clustering algorithm of the refined topology construction module, the devices in each network can be finely divided, a plurality of sub-network topologies of each network are constructed, and the network topology of each network is obtained, so that potential performance associations and associated devices in the network are found, network performance is optimized, and the performance and stability of the network are improved. This solves the prior-art problem that the network is not finely divided and analyzed, that the network topology graph is mostly generated only from the connection relations among the devices in the network, and that potential performance associations and associated devices in the network may be ignored when the network topology relation is determined, which affects the performance and stability of the network.
the abnormal flow monitoring module can monitor the operation flow of a plurality of devices in each network in real time, and if the operation flow has abnormal flow, the following situations may occur: network attacks, malware infections, equipment failures, configuration errors, etc.; determining the equipment with abnormal flow in the operation flow as abnormal equipment, and determining the abnormality degree of the abnormal equipment, namely determining the abnormality degree of the abnormal equipment according to the condition of causing the abnormal flow; the degree of abnormality includes a high level and a low level; for example, a network attack typically causes a large amount of malicious traffic to rush into the attacked device, which may cause network services to be unavailable, serious performance to be degraded, or even network to crash, so that the degree of abnormality corresponding to the abnormal device of the network attack is high; however, the device failure may cause the device to generate an abnormal flow mode, but the device will not have serious influence on the whole network, but the performance and functions of the device are affected, so the abnormal device with the device failure corresponds to a low level of abnormality; according to the network topology of each network, determining the equipment of the operation flow direction of the abnormal equipment as first output equipment, namely, connecting the output end of the abnormal equipment with the input end of the first output equipment; determining a device with running flow flowing into the abnormal device as a first input device, namely connecting the output end of the first input device with the input end of the abnormal device; if a certain device is connected with an abnormal device in a bidirectional way, the device is a first output device and a first input device at the same time; determining the equipment of the operation flow direction of the first output equipment as 
second output equipment, namely connecting the output end of the first output equipment with the input end of the second output equipment; determining a device with running flow flowing into the first input device as a second input device, namely, connecting an output end of the second input device with an input end of the first input device; the plurality of associated devices of the abnormal device comprise a first output device, a first input device, a second output device and a second input device; the method has the advantages that the plurality of associated devices of the abnormal device are determined according to the network topology, so that the associated devices which influence the network by the abnormal device can be determined, and the abnormal condition of the whole network is comprehensively perceived; if the abnormality degree of the abnormal equipment is high, determining the association degree of the first output equipment as first-level association, and determining the association degree of the first input equipment as first-level association; the association degree of the second output device is determined to be a secondary association, and the association degree of the second input device is determined to be a secondary association; if the abnormality degree of the abnormal equipment is low, determining the association degree of the first output equipment as secondary association, determining the association degree of the first input equipment as secondary association, determining the association degree of the second output equipment as no association, and determining the association degree of the second input equipment as no association; according to the abnormality degree of the abnormal equipment, the association degree of the associated equipment is determined, so that the influence degree of the abnormal equipment on the associated equipment can be determined, and the associated equipment is monitored and controlled in a targeted manner; 
the abnormal flow monitoring module is used for monitoring the operation flow of a plurality of devices in the network in real time, finding abnormal flow in time and determining the abnormality degree of the abnormal devices; determining the abnormality degree of the abnormal device and the association degree of the associated devices helps the network flow monitoring system find abnormalities in the network in time, so that measures can be taken promptly for handling and maintenance; the normal operation of the network is thereby effectively ensured, and the stability and safety of the network are improved; in addition, the plurality of associated devices of the abnormal device can be determined through the network topology, so that the abnormal condition of the whole network is comprehensively perceived, the associated devices are monitored and controlled in a targeted manner, and the influence of the abnormal condition on the whole network is reduced to the greatest extent;
The network device control module is used for obtaining the abnormality degree of each associated device according to the association degree of the associated device, specifically: if the association degree corresponding to the associated device is first-level association, the abnormality degree corresponding to the associated device is high-level; first-level association indicates that the influence of the abnormal device on the associated device is large and may cause a high-level abnormality in the associated device; if the association degree corresponding to the associated device is secondary association, the abnormality degree corresponding to the associated device is low-level; secondary association indicates that the influence of the abnormal device on the associated device is small and may cause a low-level abnormality in the associated device; if the association degree corresponding to the associated device is no association, no abnormal flow exists in the operation flow of the associated device; the deep learning network is trained according to the training data to obtain a measure acquisition model that takes the feature information and abnormality degree respectively corresponding to the abnormal device and the associated devices as input and the control measures respectively corresponding to the abnormal device and the associated devices as output; finally, the control measures output by the measure acquisition model are executed on the abnormal device and the associated devices respectively;
Through the refined topology construction module, the abnormal flow monitoring module and the network device control module, the operation flow of a plurality of devices can be monitored in real time, the abnormal devices in each network and their abnormality degrees can be determined, the associated devices of the abnormal devices and their association degrees can be determined according to the network topology of each network, and corresponding control measures are taken according to the feature information and abnormality degree of the abnormal devices and the feature information and association degree of the associated devices, so that the abnormal condition of the whole network is comprehensively perceived, network faults and problems are found and solved in time, and the stability and safety of the network are improved; this working mode solves the problems of the prior art, in which only a single device or the transmitted data traffic in a network is monitored and other devices directly or indirectly related to the abnormal device are not considered, so that the abnormal condition of the whole network cannot be comprehensively perceived, network faults and problems cannot be found and solved in time, and the stability and safety of the network are affected.
The visualization module is used for displaying the network topology of each network constructed by the refined topology construction module, so that network management personnel can intuitively view the relationships among the plurality of devices in each network, which helps them manage the network better and improves the safety, stability and performance of the network; by displaying the control measures corresponding to the abnormal device and the associated devices obtained by the abnormal flow monitoring module, network personnel can intuitively view the control measures respectively corresponding to the abnormal device and the associated devices, which helps network management personnel comprehensively understand the control measures corresponding to the devices in the network, evaluate the security risk of the network, and adjust and optimize the control strategy in time, improving the security of the network.
In one embodiment of the present invention, the refinement topology construction module includes:
An information acquisition unit, configured to acquire feature information of the plurality of devices, and acquire interaction information between the plurality of devices; the characteristic information comprises equipment type, an operating system, a service port, performance indexes and configuration parameters; the interaction information comprises a communication mode, a connection relation, data flow, a communication protocol and transmission delay data; the plurality of devices respectively correspond to one piece of characteristic information; the plurality of devices respectively correspond to one piece of interaction information;
The device dividing unit is used for dividing the plurality of devices of each network into a plurality of device sets according to the characteristic information of the plurality of devices through the graph attention network; each network comprising the plurality of device sets;
A network topology construction unit, configured to construct the sub-network topologies respectively corresponding to the plurality of device sets according to the interaction information between the plurality of devices through an agglomerative hierarchical clustering algorithm; and to construct the network topology of each network according to the sub-network topologies.
Specifically, the feature information includes five items of data: the device type, the operating system, the service port, the performance index and the configuration parameters; the device type includes, but is not limited to, a router, a switch and a server, and the function of a device can be determined from its device type; the operating system is the core software of the device, affects its functions and performance, and is useful for analyzing the characteristics and behavior of the device; the service port is the entry through which the device provides a service, different services usually communicate over different service ports, and obtaining the service ports of a device makes it possible to determine the service types and communication modes the device provides; the performance index includes, but is not limited to, CPU utilization, memory utilization and bandwidth utilization, and devices with similar performance can be divided into the same device set; the configuration parameters include, but are not limited to, configuration files, network parameters and security policies, which affect the behavior of a device, so that devices with similar behavior can be divided into the same device set; dividing the plurality of devices in each network into a plurality of device sets by the feature information classifies devices with similar performance together, so that network management personnel can better allocate network resources and adjust device configuration, improving network performance and stability; the plurality of devices are classified by the graph attention network, which comprises an attention mechanism; the attention mechanism classifies the devices by automatic learning and can take into account the importance among different devices, so that the device sets are divided more accurately and the classification accuracy and network management efficiency are improved; the interaction information includes five items of data: the communication mode, the connection relation, the data flow, the communication protocol and the transmission delay data; the communication mode represents the interaction rules and communication modes among the devices, and the communication paths and relationships among the devices can be constructed according to the communication mode; the connection relation comprises a physical connection relation and a logical connection relation, and constructing the network topology according to the connection relation helps in understanding the relevance between the devices; the data flow is used for evaluating the load condition and performance bottlenecks of the network, and constructing the network topology according to the data flow allows network flow distribution and management to be optimized; the communication protocol represents the communication rules and behaviors of communication between devices, and constructing the network topology according to the communication protocol helps in understanding the communication behaviors between the devices; the transmission delay data are used for evaluating the performance and stability of the network, and constructing the network topology according to the transmission delay data allows the transmission efficiency and stability of the network to be optimized; the sub-network topologies are constructed from the interaction information, and the network topology of each network is then constructed from the sub-network topologies, so that bottlenecks and fault points in the network can be identified and network management personnel can adjust the network structure and resource allocation in time, improving network performance and stability; the sub-network topology is built for each device set by the agglomerative hierarchical clustering algorithm, which gradually merges the devices of the set according to the similarity among them and builds a more reasonable and clear sub-network topology; this helps in understanding the communication modes and relationships among the devices and in identifying network bottlenecks and fault points, thereby supporting network optimization and planning.
In one embodiment of the present invention, the abnormal flow monitoring module includes:
The real-time monitoring unit is used for monitoring the operation flow of the plurality of devices in real time;
An abnormality determination unit, configured to obtain an abnormality monitoring model that takes the operation flows of the plurality of devices as input and the abnormal devices among the plurality of devices and the abnormality degrees of the abnormal devices as output; the abnormality monitoring model is used for determining the abnormal devices among the plurality of devices and determining the abnormality degree of the abnormal devices;
And the association determining unit is used for determining a plurality of association devices of the abnormal device according to the network topology of each network and the abnormality degree of the abnormal device, and determining the association degrees respectively corresponding to the plurality of association devices.
Specifically, by monitoring the operation flow of a device, it can be judged whether the device is subject to an abnormal condition such as a network attack, malicious software infection, device failure or configuration error; if the device is subject to such an abnormal condition, its operation flow may increase or decrease markedly, that is, the operation flow fluctuates compared with the normal operation flow; the loss rate of data packets transmitted between devices may also increase, resulting in a large amount of retransmission or packet loss in the operation flow, that is, the transmission rate of the abnormal flow is reduced compared with the transmission rate of the normal operation flow; the abnormality degree of the abnormal device can be determined according to the abnormal condition; the abnormality degree includes a high level and a low level; for example, a network attack typically causes a large amount of malicious traffic to flood the attacked device, which may make network services unavailable, seriously degrade performance, or even crash the network, so the abnormality degree of an abnormal device under network attack is high-level; a device failure, by contrast, may cause the device to produce an abnormal flow pattern, but it affects only the performance and functions of the device itself and does not seriously affect the whole network, so the abnormality degree of an abnormal device with a device failure is low-level; the advantage is that, by determining the plurality of associated devices of the abnormal device according to the network topology, the associated devices in the network that the abnormal device affects can be determined, so that the abnormal condition of the whole network is comprehensively perceived; by determining the association degree of the associated devices according to the abnormality degree of the abnormal device, the degree of influence of the abnormal device on the associated devices can be determined, so that the associated devices are monitored and controlled in a targeted manner.
In one embodiment of the present invention, the network device control module includes:
The association degree conversion unit is used for obtaining, according to a conversion rule, the abnormality degrees respectively corresponding to the plurality of associated devices from the association degrees respectively corresponding to the plurality of associated devices; each associated device corresponds to one abnormality degree;
A measure acquisition unit, configured to obtain a measure acquisition model that takes the control measures respectively corresponding to the abnormal device and the plurality of associated devices as output; the feature information and the abnormality degree respectively corresponding to the abnormal device and the plurality of associated devices are taken as the input of the measure acquisition model, and the measure acquisition model outputs the control measures respectively corresponding to the abnormal device among the plurality of devices and the plurality of associated devices;
And the device control unit is used for executing the control measures, output by the measure acquisition model, respectively corresponding to the abnormal device among the plurality of devices and the plurality of associated devices, so as to control the abnormal device and the plurality of associated devices in each network respectively.
Specifically, the abnormality degree corresponding to each associated device is obtained according to the association degrees respectively corresponding to the associated devices, so that the degree of influence of the abnormal device on each associated device can be accurately understood and accurate control measures can be provided for the associated device; expressing the degree of influence of the associated device on the network as an abnormality degree allows the abnormal device and the associated devices to be described in a unified manner, so that network management personnel can understand more intuitively the degree of influence of the abnormal device and the associated devices on the network; the measure acquisition model is obtained, specifically, by training a deep learning network according to training data; wherein the training data is a plurality of historical control measures performed on a plurality of devices; the plurality of historical measures respectively correspond to one piece of feature information; the plurality of historical measures respectively correspond to one abnormality degree; the advantage is that, with the deep-learning-based measure acquisition model, the corresponding control measures can be obtained accurately according to the abnormality degree of the abnormal device and the associated devices, which helps the network flow management system respond quickly to abnormal conditions of the devices, improves the running stability and reliability of the devices in the network, and at the same time reduces the need for manual intervention and the operation and maintenance cost; the abnormal device and the associated devices can be controlled rapidly through the device control unit, which improves the real-time response capability of the network flow monitoring system to abnormal conditions of the devices.
In one embodiment of the present invention, in the device dividing unit, dividing the plurality of devices of each network into the plurality of device sets according to the feature information of the plurality of devices specifically includes: first, forming the device feature vectors of the plurality of devices according to the feature information of the plurality of devices; each device corresponds to one device feature vector; finally, dividing the plurality of devices, through the graph attention network, according to the device feature vectors respectively corresponding to the plurality of devices to obtain the plurality of device sets;
In the network topology construction unit, the sub-network topologies respectively corresponding to the plurality of device sets are constructed according to the interaction information among the plurality of devices, specifically: first, the interaction feature vectors of the plurality of devices are formed according to the interaction information among the plurality of devices; each device corresponds to one interaction feature vector; finally, through the agglomerative hierarchical clustering algorithm, the plurality of device sets are respectively divided into a plurality of device clusters according to the interaction feature vectors respectively corresponding to each device in the plurality of device sets; each device set corresponds to one device cluster; and the plurality of devices respectively corresponding to the plurality of device sets are clustered to form the sub-network topologies respectively corresponding to the plurality of device sets.
Specifically, the feature information includes five items of data: the device type, the operating system, the service port, the performance index and the configuration parameters; the device type includes, but is not limited to, a router, a switch and a server, and the function of a device can be determined from its device type; the operating system is the core software of the device, affects its functions and performance, and is useful for analyzing the characteristics and behavior of the device; the service port is the entry through which the device provides a service, different services usually communicate over different service ports, and obtaining the service ports of a device makes it possible to determine the service types and communication modes the device provides; the performance index includes, but is not limited to, CPU utilization, memory utilization and bandwidth utilization, and devices with similar performance can be divided into the same device set; the configuration parameters include, but are not limited to, configuration files, network parameters and security policies, which affect the behavior of a device, so that devices with similar behavior can be divided into the same device set; dividing the plurality of devices in each network into a plurality of device sets by the feature information classifies devices with similar performance together, so that network management personnel can better allocate network resources and adjust device configuration, improving network performance and stability; the interaction information includes five items of data: the communication mode, the connection relation, the data flow, the communication protocol and the transmission delay data; the communication mode represents the interaction rules and communication modes among the devices, and the communication paths and relationships among the devices can be constructed according to the communication mode; the connection relation comprises a physical connection relation and a logical connection relation, and constructing the network topology according to the connection relation helps in understanding the relevance between the devices; the data flow is used for evaluating the load condition and performance bottlenecks of the network, and constructing the network topology according to the data flow allows network flow distribution and management to be optimized; the communication protocol represents the communication rules and behaviors of communication between devices, and constructing the network topology according to the communication protocol helps in understanding the communication behaviors between the devices; the transmission delay data are used for evaluating the performance and stability of the network, and constructing the network topology according to the transmission delay data allows the transmission efficiency and stability of the network to be optimized; the sub-network topologies are constructed from the interaction information, and the network topology of each network is then constructed from the sub-network topologies, so that bottlenecks and fault points in the network can be identified and network management personnel can adjust the network structure and resource allocation in time, improving network performance and stability.
In one embodiment of the present invention, the anomaly monitoring model of the abnormality determination unit is specifically: a deep learning network model is trained according to historical operation flow and the operation labels corresponding to the historical operation flow to obtain the anomaly monitoring model; the operation labels comprise normal operation labels and abnormal operation labels; the normal operation label indicates that no abnormal flow exists in the historical operation flow; the abnormal operation label indicates that abnormal flow exists in the historical operation flow; the abnormal operation label is the abnormality degree, and the abnormality degree comprises a high level and a low level; the operation flow of the plurality of devices is taken as the input of the anomaly monitoring model, and the abnormality degree of the abnormal devices among the plurality of devices is taken as the output of the anomaly monitoring model;
The association determining unit determines the plurality of associated devices of the abnormal device, specifically: according to the network topology of each network, a device to which the operation flow of the abnormal device flows is determined as a first output device; a device whose operation flow flows into the abnormal device is determined as a first input device; a device to which the operation flow of the first output device flows is determined as a second output device; a device whose operation flow flows into the first input device is determined as a second input device; the plurality of associated devices of the abnormal device comprise the first output device, the first input device, the second output device and the second input device;
In the association determining unit, a determining rule for determining the association degrees corresponding to the plurality of association devices respectively is specifically: if the degree of abnormality of the abnormal device is the high level, determining the degree of association of the first output device as a first level association, determining the degree of association of the first input device as the first level association, determining the degree of association of the second output device as a second level association, and determining the degree of association of the second input device as the second level association; and if the degree of abnormality of the abnormal device is the low level, determining the degree of association of the first output device as the secondary association, determining the degree of association of the first input device as the secondary association, determining the degree of association of the second output device as no association, and determining the degree of association of the second input device as the no association.
Specifically, the deep-learning-based anomaly monitoring model is trained on historical operation flow and the corresponding operation labels, so that the operation flow of the plurality of devices in the network is monitored and analyzed in real time, the abnormal devices are identified and their abnormality degree is determined, and the other devices associated with the abnormal devices and their association degrees can then be determined, which helps network operation and maintenance personnel quickly find and respond to abnormal network conditions and improves the stability and reliability of the network; the advantage is that, by determining the plurality of associated devices of the abnormal device according to the network topology, the associated devices in the network that the abnormal device affects can be determined, so that the abnormal condition of the whole network is comprehensively perceived; by determining the association degree of the associated devices according to the abnormality degree of the abnormal device, the degree of influence of the abnormal device on the associated devices can be determined, so that the associated devices are monitored and controlled in a targeted manner.
In one embodiment of the present invention, the conversion rule of the association degree conversion unit is specifically: if the association degree corresponding to the associated device is the first-level association, the abnormality degree corresponding to the associated device is the high level; if the association degree corresponding to the associated device is the secondary association, the abnormality degree corresponding to the associated device is the low level; if the association degree corresponding to the associated device is no association, the abnormal flow does not exist in the operation flow of the associated device;
The measure acquisition model in the measure acquisition unit specifically includes: training the deep learning network according to training data to obtain the measure acquisition model; wherein the training data is a plurality of history control measures performed on each device; each history measure corresponds to one piece of characteristic information; each history measure corresponds to one degree of abnormality.
Specifically, if the association degree corresponding to the associated device is first-level association, which indicates that the influence of the abnormal device on the associated device is large and may cause a high-level abnormality in the associated device, the abnormality degree corresponding to the associated device is determined to be high-level; if the association degree corresponding to the associated device is secondary association, which indicates that the influence of the abnormal device on the associated device is small and may cause a low-level abnormality in the associated device, the abnormality degree corresponding to the associated device is determined to be low-level; if the association degree corresponding to the associated device is no association, the abnormal device has no influence on the associated device, the associated device will not become abnormal, and no abnormal flow exists in the operation flow of the associated device; the abnormality degree corresponding to each associated device is obtained according to the association degrees respectively corresponding to the associated devices, so that the degree of influence of the abnormal device on each associated device can be accurately understood and accurate control measures can be provided for the associated device; expressing the degree of influence of the associated device on the network as an abnormality degree allows the abnormal device and the associated devices to be described in a unified manner, so that network management personnel can understand more intuitively the degree of influence of the abnormal device and the associated devices on the network; the advantage is that, with the deep-learning-based measure acquisition model, the corresponding control measures can be obtained accurately according to the abnormality degree of the abnormal device and the associated devices, which helps the network flow management system respond quickly to abnormal conditions of the devices, improves the running stability and reliability of the devices in the network, and at the same time reduces the need for manual intervention and the operation and maintenance cost; the plurality of historical measures respectively correspond to one piece of feature information; the plurality of historical measures respectively correspond to one abnormality degree, that is, different control measures are taken for devices with different feature information and devices with different abnormality degrees, and determining the control measures according to the feature information and the abnormality degree of a device yields targeted control measures; for example, for a device whose device type is router and whose abnormality degree is high-level, the measures taken are to isolate the router from the network, automatically adjust the flow distribution of the router, and transfer the flow to other routers in a normal state so as to lighten the burden of the router; the interference to the network can thereby be reduced to the greatest extent, and the stability and reliability of the network are improved.
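The determination rule of the association determining unit and the conversion rule of the association degree conversion unit described above can be traced on a small directed topology. The following Python code is an added illustration, not code from the patent: the sample flows, device names and function names are constructed. Two points the text leaves open are treated as assumptions: a device reachable at both one hop and two hops keeps its one-hop role, and the abnormal device is never listed as its own associated device.

```python
FIRST_LEVEL, SECONDARY, NO_ASSOCIATION = "first-level", "secondary", "no association"
HIGH, LOW = "high-level", "low-level"

# Determination rule: abnormality degree of the abnormal device -> association degree per hop.
DETERMINATION_RULE = {
    HIGH: {1: FIRST_LEVEL, 2: SECONDARY},
    LOW: {1: SECONDARY, 2: NO_ASSOCIATION},
}
# Conversion rule: association degree -> abnormality degree of the associated device
# (None stands for "no abnormal flow in the operation flow").
CONVERSION_RULE = {FIRST_LEVEL: HIGH, SECONDARY: LOW, NO_ASSOCIATION: None}

# Constructed sample topology: each pair (src, dst) means operation flow runs from src to dst.
SAMPLE_FLOWS = [
    ("edge-rtr", "core-sw"),
    ("core-sw", "sw1"),
    ("core-sw", "sw2"),   # sibling branch, not associated with sw1
    ("sw1", "srv1"),
    ("sw1", "srv2"),
    ("srv1", "sw1"),      # return flow: srv1 is both first output and first input
    ("srv1", "srv2"),     # srv2 is reachable at one hop and at two hops
    ("srv1", "db1"),
    ("srv2", "db1"),
    ("sw2", "srv3"),
    ("db1", "backup"),    # three hops away, outside the rule
]


def build_topology(flows):
    """Return (outputs, inputs): for each device, where its flow goes and where it comes from."""
    outputs, inputs = {}, {}
    for src, dst in flows:
        outputs.setdefault(src, set()).add(dst)
        inputs.setdefault(dst, set()).add(src)
    return outputs, inputs


def neighbours(adjacency, devices):
    """Union of the adjacent devices of every device in `devices`."""
    found = set()
    for dev in devices:
        found |= adjacency.get(dev, set())
    return found


def associated_devices(flows, abnormal):
    """First/second output and input devices of the abnormal device, as sets."""
    outputs, inputs = build_topology(flows)
    first_output = neighbours(outputs, {abnormal}) - {abnormal}
    first_input = neighbours(inputs, {abnormal}) - {abnormal}
    return {
        "first_output": first_output,
        "first_input": first_input,
        "second_output": neighbours(outputs, first_output) - {abnormal},
        "second_input": neighbours(inputs, first_input) - {abnormal},
    }


def assess_associated(flows, abnormal, abnormality_degree):
    """Map each associated device to (association degree, converted abnormality degree)."""
    roles = associated_devices(flows, abnormal)
    hops = {}
    for role, hop in (("second_output", 2), ("second_input", 2),
                      ("first_output", 1), ("first_input", 1)):
        for dev in roles[role]:
            hops[dev] = min(hop, hops.get(dev, hop))  # assumption: nearest role wins
    rule = DETERMINATION_RULE[abnormality_degree]
    return {dev: (rule[hop], CONVERSION_RULE[rule[hop]]) for dev, hop in hops.items()}


if __name__ == "__main__":
    for degree in (HIGH, LOW):
        print(degree, sorted(assess_associated(SAMPLE_FLOWS, "sw1", degree).items()))
```

With `sw1` as the abnormal device, `sw2` and `srv3` never appear in the result even though they share the upstream switch, because the rule follows only the flow paths into and out of the abnormal device.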
In an embodiment of the present invention, the device dividing unit divides the plurality of devices, through the graph attention network, according to the device feature vectors respectively corresponding to the plurality of devices to obtain the plurality of device sets, specifically: the device feature vectors respectively corresponding to the plurality of devices are constructed into a graph structure; wherein the nodes constituting the graph structure respectively correspond to the plurality of devices;
The graph attention network comprises an attention mechanism, wherein the attention mechanism is used for learning the association weight between every two nodes in the graph structure; the association weight represents the correlation between every two of the plurality of devices; the greater the association weight, the greater the correlation; the smaller the association weight, the smaller the correlation; the plurality of devices are divided according to the correlation between every two of the plurality of devices to obtain the plurality of device sets, specifically: devices with large correlation are classified into the same device set;
the network topology constructing unit divides the plurality of device sets into a plurality of device clusters according to the interaction feature vectors respectively corresponding to each device in the plurality of device sets by a condensation hierarchical clustering algorithm, specifically: performing similarity calculation on the interaction feature vector of each device in the plurality of device sets to obtain similarity among each device in the plurality of device sets; and merging a plurality of devices into one device cluster according to the similarity from high to low to obtain a plurality of device clusters respectively corresponding to the plurality of device sets.
Specifically, the devices are classified through the graph attention network, which comprises an attention mechanism; the attention mechanism classifies the devices by automatic learning and can take the importance between different devices into account, so that the device sets are divided more accurately and the classification accuracy and the network management efficiency are improved; the sub-network topology is built for each device set through the agglomerative hierarchical clustering algorithm, which merges device clusters step by step according to the similarity between devices and builds a more reasonable and clearer sub-network topology, which helps in understanding the communication modes and relations between devices and in identifying network bottlenecks and fault points, thereby supporting network optimization and planning; and because the algorithm is not limited by the shape of the topology, topologies of any shape can be found, so the method can adapt to different network environments.
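The merge step described above, as an added example that is not part of the patent text: agglomerative clustering of one device set by interaction feature vector, merging the most similar clusters first. The patent names no similarity measure, linkage or stopping rule, so cosine similarity, average linkage, the `min_similarity` threshold and the three-field vector layout are assumptions, and the device names and values are constructed.

```python
import math
from itertools import combinations

# Constructed interaction feature vectors for one device set. Assumed layout:
# [normalised data flow, share of one protocol, normalised transmission delay].
SAMPLE_VECTORS = {
    "cam1": [0.90, 0.10, 0.20],
    "cam2": [0.85, 0.15, 0.25],
    "nvr1": [0.80, 0.20, 0.20],
    "plc1": [0.10, 0.90, 0.70],
    "plc2": [0.15, 0.85, 0.75],
    "idle1": [0.0, 0.0, 0.0],  # device with no observed interaction
}


def cosine(u, v):
    """Cosine similarity; a zero vector is treated as similar to nothing."""
    dot = sum(a * b for a, b in zip(u, v))
    norm_u = math.sqrt(sum(a * a for a in u))
    norm_v = math.sqrt(sum(b * b for b in v))
    return dot / (norm_u * norm_v) if norm_u and norm_v else 0.0


def cluster_similarity(c1, c2, vectors):
    """Average linkage: mean pairwise similarity between two clusters."""
    sims = [cosine(vectors[a], vectors[b]) for a in c1 for b in c2]
    return sum(sims) / len(sims)


def agglomerate(vectors, min_similarity):
    """Merge clusters from highest similarity downwards.

    Stops when the best remaining pair falls below min_similarity.
    Returns (clusters, merges); merges records the order of the joins.
    """
    clusters = [frozenset([dev]) for dev in sorted(vectors)]
    merges = []
    while len(clusters) > 1:
        best = max(combinations(clusters, 2),
                   key=lambda pair: cluster_similarity(pair[0], pair[1], vectors))
        sim = cluster_similarity(best[0], best[1], vectors)
        if sim < min_similarity:
            break
        clusters = [c for c in clusters if c not in best] + [best[0] | best[1]]
        merges.append((sorted(best[0]), sorted(best[1]), round(sim, 3)))
    return sorted(sorted(c) for c in clusters), merges


if __name__ == "__main__":
    device_clusters, history = agglomerate(SAMPLE_VECTORS, min_similarity=0.9)
    for left, right, sim in history:
        print(f"merge {left} + {right} at similarity {sim}")
    print("device clusters:", device_clusters)
```

The idle device stays in its own cluster because a zero vector has no direction to compare, which is the case to decide on deliberately before a clustering result is used to scope any control measure.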
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
The present invention and its embodiments have been described above without limitation; the drawings show only embodiments of the present invention, and the actual content is not limited thereto. Therefore, structural modes and embodiments similar to this technical solution that a person skilled in the art designs without creative effort and without departing from the spirit of the invention shall fall within the protection scope of the present invention.

Claims (8)

1. The network flow monitoring system is characterized by comprising a refined topology construction module, an abnormal flow monitoring module, a network equipment control module and a visualization module;
The output end of the refined topology construction module is connected with the input end of the abnormal flow monitoring module, the output end of the refined topology construction module is connected with the input end of the network equipment control module, the output end of the abnormal flow monitoring module is connected with the input end of the network equipment control module, and the output end of the network equipment control module is connected with the input end of the visualization module;
The refined topology construction module is used for acquiring characteristic information of a plurality of devices of each network and acquiring interaction information among the plurality of devices of each network; it is also used for dividing the plurality of devices of each network into a plurality of device sets according to the characteristic information of the plurality of devices through a graph attention network; constructing sub-network topologies respectively corresponding to the plurality of device sets according to the interaction information among the plurality of devices through an agglomerative hierarchical clustering algorithm; each device set corresponds to one of the sub-network topologies; and constructing a network topology of each network according to the sub-network topologies;
The abnormal flow monitoring module is used for monitoring the operation flow of the plurality of devices in real time; determining equipment with abnormal flow in the operation flow as abnormal equipment, and determining the degree of abnormality of the abnormal equipment; each abnormal device corresponds to one degree of abnormality; determining a plurality of associated devices of the abnormal device according to the network topology of each network and the abnormality degree of the abnormal device, and determining the association degree of the plurality of associated devices; each association device corresponds to one association degree respectively;
The network device control module is configured to take corresponding control measures for the abnormal device and the multiple associated devices corresponding to the abnormal device according to the characteristic information and the degree of abnormality of the abnormal device, and according to the characteristic information and the degree of association corresponding to the multiple associated devices, respectively;
And the visualization module is used for displaying the network topology of each network and the control measures.
2. The network traffic monitoring system of claim 1, wherein the refined topology construction module comprises:
An information acquisition unit, configured to acquire feature information of the plurality of devices, and acquire interaction information between the plurality of devices; the characteristic information comprises equipment type, an operating system, a service port, performance indexes and configuration parameters; the interaction information comprises a communication mode, a connection relation, data flow, a communication protocol and transmission delay data; the plurality of devices respectively correspond to one piece of characteristic information; the plurality of devices respectively correspond to one piece of interaction information;
The device dividing unit is used for dividing the plurality of devices of each network into a plurality of device sets according to the characteristic information of the plurality of devices through the graph attention network; each network comprising the plurality of device sets;
A network topology construction unit, configured to construct the sub-network topologies respectively corresponding to the plurality of device sets according to the interaction information between the plurality of devices through an agglomerative hierarchical clustering algorithm; and to construct the network topology of each network according to the sub-network topologies.
3. The network traffic monitoring system of claim 2, wherein the abnormal traffic monitoring module comprises:
The real-time monitoring unit is used for monitoring the operation flow of the plurality of devices in real time;
An abnormality determination unit, configured to obtain an abnormality monitoring model that takes the operation flows of the plurality of devices as input and gives the abnormal devices among the plurality of devices and the degrees of abnormality of the abnormal devices as output; the abnormality monitoring model is used for determining the abnormal devices among the plurality of devices and determining the degree of abnormality of the abnormal devices;
And the association determining unit is used for determining a plurality of association devices of the abnormal device according to the network topology of each network and the abnormality degree of the abnormal device, and determining the association degrees respectively corresponding to the plurality of association devices.
4. A network traffic monitoring system according to claim 3, wherein the network device control module comprises:
the association degree conversion unit is used for obtaining, according to a conversion rule, the degrees of abnormality corresponding to the plurality of associated devices from the association degrees respectively corresponding to the plurality of associated devices; each associated device corresponds to one degree of abnormality;
A measure acquisition unit, configured to obtain a measure acquisition model whose output is the control measures respectively corresponding to the abnormal device and the plurality of associated devices; the characteristic information and the degrees of abnormality respectively corresponding to the abnormal device and the plurality of associated devices are taken as the input of the measure acquisition model, and the measure acquisition model outputs the control measures respectively corresponding to the abnormal device among the plurality of devices and the plurality of associated devices;
And the device control unit is used for executing the control measures, output by the measure acquisition model, that respectively correspond to the abnormal device among the plurality of devices and the plurality of associated devices, so as to respectively control the abnormal device and the plurality of associated devices in each network.
5. The network traffic monitoring system according to claim 4, wherein the device dividing unit divides the plurality of devices of each network into the plurality of device sets according to the characteristic information of the plurality of devices, specifically: first, forming device feature vectors of the plurality of devices according to the characteristic information of the plurality of devices; each device corresponds to one device feature vector; then, dividing the plurality of devices according to the device feature vectors respectively corresponding to the plurality of devices through the graph attention network to obtain the plurality of device sets;
In the network topology construction unit, the sub-network topologies respectively corresponding to the plurality of device sets are constructed according to the interaction information among the plurality of devices, specifically: first, forming interaction feature vectors of the plurality of devices according to the interaction information among the plurality of devices; each device corresponds to one interaction feature vector; then, through the agglomerative hierarchical clustering algorithm, dividing the plurality of device sets into a plurality of device clusters according to the interaction feature vectors respectively corresponding to each device in the plurality of device sets; each device set corresponds to one device cluster; and clustering the plurality of devices respectively corresponding to the plurality of device sets to form the sub-network topologies respectively corresponding to the plurality of device sets.
6. The network traffic monitoring system according to claim 5, wherein the anomaly monitoring model of the abnormality determination unit is specifically obtained by: training a deep learning network model according to historical operation flow and an operation label corresponding to the historical operation flow to obtain the anomaly monitoring model; the operation labels comprise normal operation labels and abnormal operation labels; the normal operation label indicates that the abnormal flow does not exist in the historical operation flow; the abnormal operation label indicates that the abnormal flow exists in the historical operation flow; the abnormal operation label is the degree of abnormality, and the degree of abnormality comprises a high level and a low level; the operation flow of the plurality of devices is taken as the input of the anomaly monitoring model, and the degree of abnormality of the abnormal devices among the plurality of devices is taken as the output of the anomaly monitoring model;
The association determining unit determines the plurality of associated devices of the abnormal device, specifically: according to the network topology of each network, determining a device to which the operation flow of the abnormal device flows as a first output device; determining a device whose operation flow flows into the abnormal device as a first input device; determining a device to which the operation flow of the first output device flows as a second output device; determining a device whose operation flow flows into the first input device as a second input device; the plurality of associated devices of the abnormal device comprise the first output device, the first input device, the second output device and the second input device;
In the association determining unit, the rule for determining the association degrees respectively corresponding to the plurality of associated devices is specifically: if the degree of abnormality of the abnormal device is the high level, determining the association degree of the first output device as a first-level association, determining the association degree of the first input device as the first-level association, determining the association degree of the second output device as a second-level association, and determining the association degree of the second input device as the second-level association; and if the degree of abnormality of the abnormal device is the low level, determining the association degree of the first output device as the second-level association, determining the association degree of the first input device as the second-level association, determining the association degree of the second output device as no association, and determining the association degree of the second input device as the no association.
7. The network traffic monitoring system according to claim 6, wherein the conversion rule of the association degree conversion unit is specifically: if the association degree corresponding to the associated device is the first-level association, the degree of abnormality corresponding to the associated device is the high level; if the association degree corresponding to the associated device is the second-level association, the degree of abnormality corresponding to the associated device is the low level; if the association degree corresponding to the associated device is the no association, the abnormal flow does not exist in the operation flow of the associated device;
The measure acquisition model in the measure acquisition unit specifically includes: training the deep learning network according to training data to obtain the measure acquisition model; wherein the training data is a plurality of history control measures performed on each device; each history measure corresponds to one piece of characteristic information; each history measure corresponds to one degree of abnormality.
8. The network traffic monitoring system according to claim 7, wherein the device dividing unit divides the plurality of devices according to the device feature vectors respectively corresponding to the plurality of devices to obtain the plurality of device sets, specifically: constructing the device feature vectors respectively corresponding to the plurality of devices into a graph structure; wherein the nodes constituting the graph structure correspond to the plurality of devices, respectively;
The graph attention network comprises an attention mechanism, wherein the attention mechanism is used for learning association weights between every two nodes in the graph structure; the association weight represents the correlation between every two of the plurality of devices; the greater the association weight, the greater the correlation; the smaller the association weight, the smaller the correlation; the plurality of devices are divided according to the correlation between every two of the plurality of devices to obtain the plurality of device sets, specifically: devices with a large correlation are classified into the same device set;
the network topology construction unit divides the plurality of device sets into a plurality of device clusters according to the interaction feature vectors respectively corresponding to each device in the plurality of device sets through an agglomerative hierarchical clustering algorithm, specifically: performing similarity calculation on the interaction feature vector of each device in the plurality of device sets to obtain the similarity between the devices in the plurality of device sets; and merging devices into one device cluster in order of similarity from high to low to obtain the plurality of device clusters respectively corresponding to the plurality of device sets.
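The association rule of claim 6 and the conversion rule of claim 7, worked through as an added example that is not part of the patent text. The topology is a constructed list of directed flow edges; excluding the abnormal device from its own associated set and keeping the stronger degree when a device is reachable at both one and two hops are assumptions, since the claims do not cover those cases.

```python
from collections import defaultdict

# Labels follow claims 6 and 7; the Python names are this example's own.
HIGH, LOW = "high", "low"
FIRST, SECOND, NONE = "first-level", "second-level", "no association"

# Claim 6: abnormality degree -> (degree for 1-hop devices, degree for 2-hop devices).
ASSOCIATION_RULE = {HIGH: (FIRST, SECOND), LOW: (SECOND, NONE)}
# Claim 7: association degree -> derived abnormality degree (None = no abnormal flow).
CONVERSION_RULE = {FIRST: HIGH, SECOND: LOW, NONE: None}
_RANK = {NONE: 0, SECOND: 1, FIRST: 2}

# Constructed topology: (source, destination) pairs of observed operation flow.
SAMPLE_FLOWS = [
    ("host1", "sw1"), ("sw1", "r1"), ("r1", "fw1"),
    ("fw1", "srv1"), ("fw1", "r1"),   # fw1 both receives from and sends to r1
    ("r2", "r3"),                     # unrelated segment
]


def build_adjacency(flows):
    """Index the directed flow edges by successor and by predecessor."""
    succ, pred = defaultdict(set), defaultdict(set)
    for src, dst in flows:
        succ[src].add(dst)
        pred[dst].add(src)
    return succ, pred


def associated_devices(flows, abnormal, degree):
    """Return {device: association degree} for one abnormal device."""
    succ, pred = build_adjacency(flows)
    first_out = succ[abnormal] - {abnormal}   # first output devices
    first_in = pred[abnormal] - {abnormal}    # first input devices
    second_out = set().union(*(succ[d] for d in first_out))
    second_in = set().union(*(pred[d] for d in first_in))

    hop1_degree, hop2_degree = ASSOCIATION_RULE[degree]
    result = {}
    for devices, assoc in ((second_out | second_in, hop2_degree),
                           (first_out | first_in, hop1_degree)):
        for dev in devices:
            if dev == abnormal:
                continue  # assumption: a device is not associated with itself
            # Assumption: the stronger association wins on overlap.
            if dev not in result or _RANK[assoc] > _RANK[result[dev]]:
                result[dev] = assoc
    return result


def derived_abnormality(associations):
    """Apply the claim 7 conversion rule to each associated device."""
    return {dev: CONVERSION_RULE[assoc] for dev, assoc in associations.items()}


if __name__ == "__main__":
    for level in (HIGH, LOW):
        assoc = associated_devices(SAMPLE_FLOWS, "r1", level)
        print(level, sorted(assoc.items()), derived_abnormality(assoc))
```

With a high-level anomaly on `r1`, every device within two hops in either direction becomes a candidate for control measures, so the accuracy of the flow edges directly bounds how far an automated response reaches.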
CN202410118772.9A 2024-01-29 2024-01-29 Network flow monitoring system Pending CN117896163A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410118772.9A CN117896163A (en) 2024-01-29 2024-01-29 Network flow monitoring system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410118772.9A CN117896163A (en) 2024-01-29 2024-01-29 Network flow monitoring system

Publications (1)

Publication Number Publication Date
CN117896163A true CN117896163A (en) 2024-04-16

Family

ID=90646731

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410118772.9A Pending CN117896163A (en) 2024-01-29 2024-01-29 Network flow monitoring system

Country Status (1)

Country Link
CN (1) CN117896163A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060058788A (en) * 2004-11-25 2006-06-01 한국전자통신연구원 Network simulation apparatus and method for abnormal traffic analysis
CN116471196A (en) * 2023-06-19 2023-07-21 宏景科技股份有限公司 Operation and maintenance monitoring network maintenance method, system and equipment
CN117221924A (en) * 2023-10-25 2023-12-12 北京红山信息科技研究院有限公司 Foundation maintenance system for wireless networks

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王萍: "基于大数据技术的网络异常行为分析监测系统", 电子技术与软件工程, 31 December 2017 (2017-12-31) *
郭嘉琰 等: "基于图神经网络的动态网络异常检测算法", 软件学报, 31 March 2020 (2020-03-31) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination