JP2015170983A - Network quality monitoring device, program and network quality monitoring method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To accelerate a quality measurement process and monitor the quality of a network even when a message is encrypted.SOLUTION: A network quality monitoring device comprises: a message acquisition unit 13 which acquires request messages and response messages that are transmitted/received between any one of network device combinations; a message feature extraction unit 15 which lists the information indicating a transmission source, the information indicating a destination and the information indicating the message size of each acquired message in an acquisition order; a message mapping unit 19 which identifies a response message that has a message size equal to or smaller than the size of any one of the request messages and is transmitted within a prescribed time for the one request message from the list; and a response time measurement unit 21 which measures a response time from acquisition of the one request message to acquisition of the identified response message.

Description

  The present invention relates to a network quality monitoring apparatus, a program, and a network quality monitoring method for monitoring network quality.

  Conventionally, techniques for managing network quality have been proposed. For example, Patent Document 1 proposes a network quality monitoring apparatus and a network quality monitoring method for a SIP (Session Initiation Protocol) network. Specifically, this technology captures SIP signaling messages in a capture device installed in a SIP network, measures response times from request transmission to response reception for each capture interval, and calculates these statistics. As a result of processing, when an upper limit value determined to be abnormal is exceeded, it is determined that an abnormality has occurred in the corresponding section. Such a network quality monitoring device and a network quality monitoring method are considered to be applicable not only to SIP networks but also to LTE networks by defining LTE (Long Term Evolution) signaling messages.

JP 2008-193482 A

  However, in the conventional technology as described above, in order to identify the request message and the response message flowing through the monitoring section, the message is deeply analyzed using the DPI (Deep Packet Inspection) technology, and the sequence number is extracted. Therefore, it is necessary to map request message and response message. For this reason, when monitoring a network, a device capable of performing DPI analysis of a large number of messages at high speed is required. In addition, when these messages are encrypted, there is a problem that the message type cannot be specified or mapped, and the network cannot be monitored.

  The present invention has been made in view of such circumstances, and is capable of speeding up the process of measuring quality and monitoring the quality of the network even when the message is encrypted. An object is to provide a quality monitoring apparatus, a program, and a network quality monitoring method.

  (1) In order to achieve the above object, the present invention takes the following measures. That is, the network quality monitoring device of the present invention is a network quality monitoring device that monitors network quality, and a message acquisition unit that acquires a request message and a response message transmitted and received between any one set of network devices; A message feature extraction unit that lists information indicating the source of each acquired message, information indicating a destination, and information indicating a message size in the order of acquisition, and the message size of any one request message from the list A message mapping unit that specifies a response message transmitted within a predetermined time with respect to any one of the request messages, and after obtaining the one of the request messages. Identified response A response time measuring unit for measuring a response time of obtaining messages, characterized in that it comprises a.

  In this way, the information indicating the sender of each message, the information indicating the destination, and the information indicating the message size are listed in the acquired order, and from this list, a message size equal to or smaller than the message size of any one request message is listed. A response message transmitted within a predetermined time with respect to any one request message, and the response from the acquisition of any one request message to the acquisition of the specified response message Since the time is measured, the quality of the network can be monitored without performing DPI (Deep Packet Inspection). As a result, even if the message is encrypted, it is possible to monitor the quality of the network. On the other hand, even if the message is not encrypted, DPI is unnecessary. The analysis processing for each message is reduced, and it is possible to speed up the processing for measuring quality. “Having a message size equal to or smaller than the message size of any one request message” means “having a message size smaller than the message size of any one request message” or “any one request message” Means that the message size is the same as the message size.

  (2) In the network quality monitoring apparatus of the present invention, the message mapping unit specifies a frequency at which a combination of any one of the request messages and the specified response message appears within a predetermined time interval. And the said response time measurement part measures the said response time when the said frequency is more than a 1st threshold value, It is characterized by the above-mentioned.

  In this way, the frequency of occurrence of any one request message and the specified response message combination within a predetermined time interval is specified, and the response time is measured when the frequency is equal to or greater than the first threshold. Therefore, it is possible to exclude only combinations in which responses to requests are not established and target only combinations that should be truly measured. As a result, it is possible to speed up the process of measuring quality.

  (3) Further, in the network quality monitoring apparatus of the present invention, the message feature extraction unit specifies the frequency of the request message and the response message that appear within the predetermined time interval, and the frequency is A request message or a response message that is equal to or smaller than a second threshold value is excluded from the list.

  In this way, the frequency of request messages and response messages that appear within a predetermined time interval is specified, and request messages or response messages each having a frequency equal to or lower than the second threshold are excluded from the list. It is possible to speed up the measurement process. That is, for a message with a low appearance frequency within a predetermined time interval, it is difficult to measure the response time, and therefore it is excluded in advance.

  (4) A program of the present invention is a program of a network quality monitoring device for monitoring the quality of a network, and obtains a request message and a response message transmitted / received between any one set of network devices, A process of listing information indicating the source of each acquired message, information indicating a destination, and information indicating a message size in the order of acquisition, and a message not larger than the message size of any one request message from the list A process for identifying a response message transmitted within a predetermined time with respect to any one of the request messages, and acquiring the any one request message, and then identifying the identified response message. Process for measuring the response time until When, characterized in that to execute a series of processing to computer.

  In this way, the information indicating the sender of each message, the information indicating the destination, and the information indicating the message size are listed in the acquired order, and from this list, a message size equal to or smaller than the message size of any one request message is listed. A response message transmitted within a predetermined time with respect to any one request message, and the response from the acquisition of any one request message to the acquisition of the specified response message Since the time is measured, the quality of the network can be monitored without performing DPI (Deep Packet Inspection). As a result, even if the message is encrypted, it is possible to monitor the quality of the network. On the other hand, even if the message is not encrypted, DPI is unnecessary. The analysis processing for each message is reduced, and it is possible to speed up the processing for measuring quality. “Having a message size equal to or smaller than the message size of any one request message” means “having a message size smaller than the message size of any one request message” or “any one request message” Means that the message size is the same as the message size.

  (5) Moreover, the network quality monitoring method of the present invention is a network quality monitoring method for monitoring the quality of a network, and acquires a request message and a response message transmitted / received between any one set of network devices; A list of information indicating the transmission source of each acquired message, information indicating a destination, and information indicating a message size in the acquired order; and from the list, the message size is less than or equal to the message size of any one request message A step of identifying a response message having a message size and transmitted within a predetermined time with respect to any one of the request messages; and obtaining the one of the request messages, and then identifying the identified response. When responding to get a message Characterized in that it comprises at least the steps of measuring, the a.

  In this way, the information indicating the sender of each message, the information indicating the destination, and the information indicating the message size are listed in the acquired order, and from this list, a message size equal to or smaller than the message size of any one request message is listed. A response message transmitted within a predetermined time with respect to any one request message, and the response from the acquisition of any one request message to the acquisition of the specified response message Since the time is measured, the quality of the network can be monitored without performing DPI (Deep Packet Inspection). As a result, even if the message is encrypted, it is possible to monitor the quality of the network. On the other hand, even if the message is not encrypted, DPI is unnecessary. The analysis processing for each message is reduced, and it is possible to speed up the processing for measuring quality. “Having a message size equal to or smaller than the message size of any one request message” means “having a message size smaller than the message size of any one request message” or “any one request message” Means that the message size is the same as the message size.

  According to the present invention, it is possible to monitor the quality of a network without performing DPI (Deep Packet Inspection). As a result, even if the message is encrypted, it is possible to monitor the quality of the network. On the other hand, even if the message is not encrypted, DPI is unnecessary. The analysis processing for each message is reduced, and it is possible to speed up the processing for measuring quality.

It is a figure which shows an example of the LTE (Long Term Evolution) network to which the network quality monitoring apparatus which concerns on this embodiment is applied. It is a figure which shows a mode that an MME apparatus and an SGW apparatus perform transmission / reception of a message. It is a block diagram which shows schematic structure of the network quality monitoring apparatus which concerns on this embodiment. It is a flowchart which shows a part of operation | movement of the network quality monitoring apparatus which concerns on this embodiment. It is a flowchart which shows the operation | movement regarding the monitoring of the network quality monitoring apparatus 10 which concerns on this embodiment. It is a figure which shows an example of a message list. It is a figure which shows the state which extracted the thing whose appearance frequency is 3 or more among message lists. It is a figure which shows the updated message list. It is a figure which shows an example of a message list. It is a figure which shows the message mapping result at the time of using the algorithm which concerns on this embodiment, and the measured response time.

  The present inventors pay attention to the fact that when the message is encrypted, it is impossible to monitor the network using the conventional DPI technology, and the request message and response appearing within a certain period of time. It is determined whether the combination with the message satisfies a predetermined condition, and when the predetermined condition is satisfied, it is found that a network abnormality can be detected by measuring a response time from a request to a response, It came to make this invention.

  That is, the network quality monitoring apparatus of the present invention is a network quality monitoring apparatus for monitoring the quality of a network, and acquires a message for acquiring a request message and a response message transmitted / received between any one set of network apparatuses. A message feature extraction unit that lists information indicating a transmission source of each acquired message, information indicating a destination, and information indicating a message size in an acquired order, and any one request message from the list A message mapping unit that specifies a response message transmitted within a predetermined time with respect to any one of the request messages, and obtains any one of the request messages. From the specified A response time measuring unit for measuring a response time to get a response message, characterized in that it comprises a.

  As a result, the inventors have made it possible to monitor the quality of the network without performing DPI (Deep Packet Inspection). As a result, even if the message is encrypted, it is possible to monitor the quality of the network. On the other hand, even if the message is not encrypted, DPI is unnecessary. The analysis process for each message has been reduced, and it has become possible to speed up the process of measuring quality. Embodiments of the present invention will be specifically described below with reference to the drawings.

  FIG. 1 is a diagram illustrating an example of an LTE (Long Term Evolution) network to which the network quality monitoring apparatus according to the present embodiment is applied. As shown in FIG. 1, the LTE network is composed of a radio network called an eUTRAN (Evolved Universal Terrestrial Radio Network) and a core network called an EPC (Evolved Packet Core).

  The eUTRAN is composed only of the base station device 1 (eNodeB), and the EPC is an MME (Mobility Management Entity) device 3, an SGW (Serving Gateway) device 5, a PGW (PDN: Packet data network Gateway) device 7, an HSS (Home). (Subscriber System) device 9 and the like.

  The network quality monitoring device 10 is installed in, for example, a section between the MME device 3 and the SGW device 5, and captures and monitors a signaling message transmitted and received between the MME device 3 and the SGW device 5. For example, when the LTE terminal is powered on by a user operation, the corresponding terminal is connected to the LTE network for the first time, and the MME device 3 transmits a session establishment request message (Create Session Request) to the SGW device 5, The SGW apparatus 5 performs a necessary process and then returns a session establishment response (Create Session Response) message to the MME apparatus 3.

  At this time, in the prior art, as shown in FIG. 2, in this monitoring section, the session establishment request message and the session establishment response message are first identified, the sequence numbers in the signaling message are extracted, and the sequence numbers match. Response time was measured from signaling messages. Thereafter, the response time measured at regular intervals is statistically processed, and abnormality determination of the corresponding section is performed based on whether or not the threshold is exceeded.

  However, when the signaling message flowing through the section between the MME device 3 and the SGW device 5 is encrypted, the conventional technology cannot extract the signaling message type and extract the sequence number, and measure the network quality in the corresponding section. I couldn't. Therefore, in this embodiment, the network quality is monitored using a signaling message that flows in the same monitoring section as in FIG. 2 as follows.

  FIG. 3 is a block diagram showing a schematic configuration of the network quality monitoring apparatus according to the present embodiment. In the network quality monitoring apparatus 10, the message acquisition unit 13 acquires a request message and a response message transmitted / received between any one set of network apparatuses. Here, the request message and the response message transmitted / received between the MME device 3 and the SGW device 5 are acquired, but the present invention is not limited to this. The message feature extraction unit 15 lists the information indicating the transmission source of each message acquired by the message acquisition unit 13, the information indicating the destination, and the information indicating the message size in the acquired order, and stores them in the message list database 17.

  The message mapping unit 19 has a message size equal to or smaller than the message size of any one request message from the list created by the message feature extraction unit 15, and is transmitted within a predetermined time for any one request message. Identify the response message. The response time measuring unit 21 measures the response time from acquiring any one request message until acquiring the identified response message.

  FIG. 4 is a flowchart showing a part of the operation of the network quality monitoring apparatus according to the present embodiment. As illustrated in FIG. 4, the network quality monitoring apparatus according to the present embodiment acquires a request message and a response message transmitted / received between the MME apparatus 3 and the SGW apparatus 5 in the message acquisition unit 13 (step S1). .

  Next, the message feature extraction unit 15 creates a list by arranging the collected messages from the MME device 3 to the SGW device 5 and the messages from the SGW device 5 to the MME device 3 in the observed order (step S2). Store in the list database 17 (step S3). A group of messages obtained in this way for a certain period of time is called a “message list”. FIG. 6 is a diagram illustrating an example of a message list. Information handled in the message list is the source IP address, destination IP address, and message size of each message. Here, this is called “message type”. Since all of these pieces of information can be acquired from the IP header, analysis after the transport layer in the IP packet is unnecessary. In FIG. 6, as an example, the IP address of the MME device 3 is set to 192.168.0.1, and the IP address of the SGW device 5 is set to 192.168.0.2. Thereby, the direction of the message can be grasped.

  FIG. 5 is a flowchart showing an operation related to monitoring of the network quality monitoring apparatus 10 according to the present embodiment. As shown in steps S1 to S3 above, when a message list is created (step S4), the appearance frequency of the source IP address, the destination IP address, and the message size is tabulated from the created message list, and the appearance frequency is Messages that are low (for example, a threshold is α and less than α) are excluded (step S5). This is because it is difficult to measure the response time when the frequency of appearance within a certain time is low. FIG. 7 is a diagram illustrating a state in which messages having an appearance frequency of 3 or more are extracted from the message list illustrated in FIG. Here, as a result of assuming α = 3, the top four message types are extracted in FIG.

Next, the message list is updated when α = 3 is set as a threshold value. FIG. 8 is a diagram showing an updated message list. Here, No. 2 in FIG. 6 and no. Ten were excluded. Next, the request message and the response message are mapped according to the following algorithm.
(A) The first message in the message list is the initial message.
(B) With respect to the source IP address and destination IP address of the initial message, search for a message that satisfies the following conditions among the messages after the source IP address and destination IP address are reversed (step S6).

(A) A message whose message size is smaller than the message size of the initial message. It is also possible to target a message having the same message size as that of the initial message.
(A) A message that is observed within β milliseconds (for example, β = 5) from the observation time of the initial message.

  As a result of the above (B), when there is no corresponding message (NO in step S6), the initial message is deleted from the message list, and the message list is updated. This is because these messages are considered to be messages that do not have a one-way response. If a message remains in the message list, the process returns to (A) above.

  As a result of the above (B), when the corresponding message exists, the initial message is set as a temporary request message, and the corresponding message is set as a temporary response message (step S7).

  (C) A search is made as to whether a temporary request message and a temporary response message exist in the message list more than γ times under the same conditions as in (B) above. (For example, γ = 3) (Step S8). Here, for example, the traffic frequency is limited to 1 to 5 minutes, and the appearance frequency within the time interval may be measured.

  In step S8, if it does not exist more than γ times, it is determined that the mapping is incorrect, and the process returns to (B) to search for another message. In step S8, if there are more than γ times, the message types are determined to be a true request message and a true response message, and response times are measured from all matching messages in the message list (step S9). In addition, these messages are regarded as measured and the message list is updated. FIG. 8 is a diagram showing an updated message list.

  Finally, it is determined whether or not the message list is empty (step S10). If a message remains in the message list, the process proceeds to step S5. If the message list is empty, the process ends.

  Thus, in the example shown in FIG. 1 and no. Two messages are extracted. However, in the subsequent message list, since mapping cannot be performed more than γ times under the same conditions, these messages are determined to be incorrect mapping, and then No. 1 and no. 5 is extracted. Since subsequent message lists can be mapped more than γ times, the response time is measured under these conditions.

  Next, mapping is performed in the same manner in the message list shown in FIG. 9 excluding these message types. First, no. 2 is excluded because there is no message with a smaller message size. Subsequently, no. 3 as the initial message. 4 is mapped, and since these can be mapped more than γ times, the response time is measured under these conditions.

  FIG. 10 is a diagram showing message mapping results and measured response times when the above algorithm is used. For example, if a packet with a response time of 5 milliseconds or less is 99% or more, it can be considered normal. In other cases, for example, if there is a packet with a response time exceeding 5 milliseconds or a packet with a response time of 5 milliseconds or less is less than 99%, it can be determined as abnormal. It is.

  It is also possible to provide a control device having the function according to the present invention on the network and to monitor the quality of the network centrally in the control device using a message acquired by the capture device between each network device. It is.

  As described above, the session establishment request (Create Session Request) message and the session establishment response (Create Session Response) message transmitted and received in the section between the MME device 3 and the SGW device 5 have been described as examples. It is not limited. Similarly, it is not limited to the signaling message transmitted / received in the section between the MME device 3 and the SGW device 5.

  As described above, according to the present embodiment, it is possible to monitor the quality of the network without performing DPI (Deep Packet Inspection). As a result, even if the message is encrypted, it is possible to monitor the quality of the network. On the other hand, even if the message is not encrypted, DPI is unnecessary. The analysis processing for each message is reduced, and it is possible to speed up the processing for measuring quality.

DESCRIPTION OF SYMBOLS 1 Base station apparatus 3 MME apparatus 5 SGW apparatus 7 PGW apparatus 9 HSS apparatus 10 Network quality monitoring apparatus 13 Message acquisition part 15 Message feature extraction part 17 Message list database 19 Message mapping part 21 Response time measurement part

Claims (5)

A network quality monitoring device for monitoring network quality,
A message acquisition unit for acquiring a request message and a response message transmitted and received between any one set of network devices;
A message feature extraction unit that lists information indicating a transmission source of each acquired message, information indicating a destination, and information indicating a message size in an acquired order;
A message mapping unit that has a message size equal to or smaller than the message size of any one request message from the list, and identifies a response message transmitted within a predetermined time with respect to any one request message;
A network quality monitoring apparatus, comprising: a response time measuring unit that measures a response time from acquisition of any one of the request messages to acquisition of the identified response message. The message mapping unit identifies a frequency at which a combination of the one request message and the identified response message appears within a predetermined time interval;
The network quality monitoring apparatus according to claim 1, wherein the response time measurement unit measures the response time when the frequency is equal to or higher than a first threshold.   The message feature extraction unit identifies the frequency of the request message and the response message that appear within the predetermined time interval, respectively, and the request message or the response message in which each frequency is a second threshold value or less. 3. The network quality monitoring apparatus according to claim 2, wherein the network quality monitoring apparatus is excluded from the list. A network quality monitoring device program for monitoring network quality,
Processing for obtaining a request message and a response message transmitted / received between any one set of network devices;
A process of listing information indicating the source of each acquired message, information indicating a destination, and information indicating a message size in the order of acquisition;
A process having a message size equal to or smaller than the message size of any one request message from the list, and identifying a response message transmitted within a predetermined time with respect to any one request message;
A program for causing a computer to execute a series of processes of measuring a response time from acquiring any one of the request messages to acquiring the specified response message. A network quality monitoring method for monitoring network quality,
Obtaining a request message and a response message transmitted and received between any one set of network devices;
Listing information indicating the source of each acquired message, information indicating a destination, and information indicating a message size in the order of acquisition;
Identifying a response message having a message size equal to or smaller than the message size of any one request message from the list and transmitted within a predetermined time for the any one request message;
A network quality monitoring method comprising: at least a step of measuring a response time from the acquisition of any one of the request messages to the acquisition of the identified response message.

Images