JP6325993B2 - Service monitoring apparatus and service monitoring method - Google Patents

Description

  The present invention relates to a technique for monitoring a service provided on a network.

  In network operation management, it is very important to monitor currently provided services, and various abnormality detection methods for detecting abnormalities on the network are conventionally known (for example, see Patent Documents 1 and 2). ). According to the prior art, it is possible to identify a network device that exhibits abnormal behavior (device monitoring).

  For example, a conventional service has a form in which a single service is provided on a single network, such as a voice call service. Therefore, the alive state and abnormal state of a network device correspond to the service on a one-to-one basis. It was. For this reason, even in the prior art, the service can be appropriately monitored.

  However, with regard to recent IP (Internet Protocol) networks, a form in which a plurality of services are provided on a single network is generalized, and therefore, in the conventional device monitoring, a plurality of services to be provided are monitored. It is difficult. At present, as shown in FIG. 8, the operator performs 1 call test or port alive monitoring on the server 3 that provides services such as the DNS server 3 a (3), the Web server 3 b (3), and the DB server 3 c (3). Service monitoring is performed by an HMI (Human Machine Interface) device 5 operated by the user.

JP 2013-150083 A JP 2014-107650 A

  However, as shown in FIG. 8, conventional service monitoring such as the 1call test is limited to a part of the network device group G for a network in which a plurality of services are provided. (See arrow indicated by symbol Z). Certain users (terminals 4) cannot use the service being provided (see arrow indicated by symbol X) because the specific network device 2 is exposed to a DoS attack (Denial of Service attack), etc. If the network device 2 is congested, the quality of the service being provided (the arrow indicated by the symbol Y) is degraded for some users (terminals 4), and so on. Traditional service monitoring such as testing is not possible.

  The present invention has been made in view of such a background, and it is an object of the present invention to be able to monitor a service being provided for a network in which a plurality of services are provided. To do.

In order to solve the above-described problem, the invention according to claim 1 is a service monitoring device that monitors a plurality of services being provided using flow data collected from a plurality of network devices, wherein the collected flows An extractor that extracts request traffic and response traffic for each of the plurality of services from the data, and continuity between the request traffic and the response traffic based on the extracted request traffic and response traffic Each of the plurality of services depends on how much the relationship between the stationarity calculating unit that calculates the relationship between the request traffic and the response traffic within a specific period deviates from the calculated stationarity. And a determination unit that determines the quality of the image.
The invention according to claim 2 is the service monitoring apparatus according to claim 1, wherein the extraction unit extracts flow data of a specific destination port number as the request traffic, and a specific source port The flow data of the number is extracted as the response traffic, and the continuity calculation unit calculates the number of request flows that is the amount of the extracted request traffic and the number of response flows that are the amount of the extracted response traffic. For each network device and for each predetermined period, a correlation coefficient based on the number of requested flows and the number of response flows is determined for each predetermined period, and an average value of the correlation coefficients for each predetermined period is calculated as the steady state The determination unit determines the quality of the plurality of services according to how much the correlation coefficient within the specific period deviates from the stationarity. It determines people, characterized in that.
The invention according to claim 3 is the service monitoring apparatus according to claim 1, wherein the extraction unit extracts the flow data of a specific destination port number as the request traffic, and the specific source port The flow data of the number is extracted as the response traffic, and the continuity calculation unit calculates the number of request flows that is the amount of the extracted request traffic and the number of response flows that are the amount of the extracted response traffic. Obtained for each network device, clustering is performed on the number of requested flows and the number of response flows, the number of clusters and the center of gravity when service quality is stable are set as the stationarity, and the determination unit is within the specific period. The number of clusters and the centroid by the clustering of Determining each of the quality of the number of services, characterized in that.
The invention according to claim 4 is the service monitoring apparatus according to claim 1, wherein the extraction unit extracts flow data of a specific destination port number as the request traffic, and the specific source port The flow data of the number is extracted as the response traffic, and the continuity calculation unit calculates the number of request flows that is the amount of the extracted request traffic and the number of response flows that are the amount of the extracted response traffic. Obtained for each network device and for each predetermined period, and for each predetermined period, a cosine similarity or Jaccard count between the histogram of the request flow number and the histogram of the response flow number is obtained, and for each predetermined period The cosine similarity or the average value of the Jaccard count is set as the stationarity, and the determination unit performs the cosine within the specific period. Depending similarity or the Jaccard count deviates much from the stationarity determines each of the quality of the plurality of services, characterized in that.

The invention according to claim 5 is a service monitoring method in a service monitoring apparatus that monitors a plurality of services being provided using flow data collected from a plurality of network devices, the service monitoring method comprising: Extracting the request traffic and the response traffic for each of the plurality of services , and calculating the continuity between the request traffic and the response traffic based on the extracted request traffic and response traffic The quality of each of the plurality of services depends on how far the relationship between the requesting steadiness calculation step and the request traffic and the response traffic within a specific period deviates from the calculated continuity. A determination step for determining That.
The invention according to claim 6 is the service monitoring method according to claim 5, wherein in the extraction step, flow data of a specific destination port number is extracted as the request traffic, and a specific source port is specified. The flow data of the number is extracted as the response traffic, and in the continuity calculation step, the number of request flows that is the amount of the extracted request traffic, and the number of response flows that are the amount of the extracted response traffic, For each network device and for each predetermined period, a correlation coefficient based on the number of requested flows and the number of response flows is determined for each predetermined period, and an average value of the correlation coefficients for each predetermined period is calculated as the steady state Depending on how far the correlation coefficient within the specific period deviates from the stationarity in the determining step. Determining each of the quality of service, characterized in that.
The invention according to claim 7 is the service monitoring method according to claim 5, wherein in the extraction step, flow data of a specific destination port number is extracted as the request traffic, and a specific source port is specified. The flow data of the number is extracted as the response traffic, and in the continuity calculation step, the number of request flows that is the amount of the extracted request traffic, and the number of response flows that are the amount of the extracted response traffic, Obtained for each network device, clustering is performed on the number of requested flows and the number of response flows, and the number of clusters and the center of gravity at the time of stable service quality are set as the stationarity, and in the determination step, within the specific period How many clusters and centroids deviate from the stationarity due to the clustering of Or by determining the respective quality of said plurality of services, it is characterized.
The invention according to claim 8 is the service monitoring method according to claim 5, wherein in the extraction step, flow data of a specific destination port number is extracted as the request traffic, and a specific source port is specified. The flow data of the number is extracted as the response traffic, and in the continuity calculation step, the number of request flows that is the amount of the extracted request traffic, and the number of response flows that are the amount of the extracted response traffic, Obtained for each network device and for each predetermined period, and for each predetermined period, a cosine similarity or Jaccard count between the histogram of the request flow number and the histogram of the response flow number is obtained, and for each predetermined period Of the cosine similarity or the average value of the Jaccard count as the stationarity, and in the determination step, the specific period The in the, or the the cosine similarity or the Jaccard counted deviates much from the stationarity determines each of the quality of the plurality of services, it is characterized.

According to the first to eighth aspects of the present invention, the flow data collected from the network data is used to identify a plurality of services being provided, and request traffic and response traffic for the identified services. Can be found between the stationary. For this reason, service quality can be quantitatively evaluated as the degree of deviation from continuity. As a result, it is possible to monitor a service being provided for a network in which a plurality of services are provided.

  According to the present invention, it is possible to monitor a service being provided for a network in which a plurality of services are provided.

1 is an overall configuration diagram of a network. It is a functional block diagram of the service monitoring apparatus of this embodiment. It is a flowchart which shows the process of the service monitoring apparatus of this embodiment. 2 is an explanatory diagram of Embodiment 1. FIG. FIG. 6 is an explanatory diagram of Example 2. 10 is an explanatory diagram of Example 3. FIG. It is a figure which shows the computer which executes the program for service monitoring. It is a figure explaining the conventional service monitoring.

<Configuration>
As shown in FIG. 1, the service monitoring apparatus 1 according to the present embodiment collects flow data from each of the network devices 2 in the network device group G, and provides the data to the terminal 4 from the server 3 using the collected flow data. Service (represented by arrows with signs X and Y in FIG. 1). The flow data collection method is a well-known method such as NetFlow, sFlow, etc. (for example, Reference 1: B. Claise, “Cisco Systems NetFlow Services Export Version 9,” IETF RFC3954, October 2004. http: //www.ietf .org / rfc / rfc3954 and Reference 2: P. Phaal, S. Panchen, and N. McKee, "InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks," IETF RFC3176, September 2001. http: //www.ietf.org/rfc/rfc3176, etc.)

  Flow data includes information such as the source IP address, destination IP address (or destination IP address), source port number, destination port number (or destination port number), protocol type, number of packets, number of bytes, etc. Part or all of Flow data is collected in predetermined time units, and the collection time can be included in the flow data. By specifying the source port number or destination port number of the flow data, it is possible to specify the service being provided for which the service quality is to be determined.

The service monitoring apparatus 1 according to the present embodiment functions as, for example, an IPFIX (Internet Protocol Flow Information Export) flow collector, and can collect flow data from each of the network apparatuses 2.
The network device 2 is, for example, a router, a bridge, a repeater, or a gateway. The network device 2 functions as, for example, an IPFIX flow exporter. The network device group G may include a network device 2 that does not function as a flow exporter. Such a traffic state in the network device 2 can be indirectly specified by analyzing the flow data provided by the network device 2 functioning as a flow exporter by a known method.

The server 3 is, for example, a DNS server 3a, a Web server 3b, and a DB server 3c, and provides a predetermined service to the terminal 4. Note that the server 3 may have a flow exporter function.
The terminal 4 is a device that a user operates to use a service. Note that the terminal 4 may have a flow exporter function.
The HMI device 5 is a management console for the operator to control the service monitoring device 1. The service monitoring device 1 outputs a service alarm or the like to the HMI device 5 as necessary based on the flow data collected from the network device 2.

As shown in FIG. 2, the service monitoring apparatus 1 of this embodiment includes a processing unit 10, an input / output unit 20, and a storage unit 30.
The processing unit 10 manages the processing of the service monitoring apparatus 1. The processing unit 10 includes functional units such as a traffic extraction unit 11 (extraction unit), a continuity calculation unit 12, a service quality determination unit 13 (determination unit), and a result output unit 14. These functional units will be described later.
The input / output unit 20 constitutes an input / output interface of the service monitoring apparatus 1. The input / output unit 20 includes an input unit 21 and an output unit 22. The input unit 21 acquires input from the HMI device 5 and flow data from the network device 2. The output unit 22 outputs the processing result by the processing unit 10 as a file f or the like.
The storage unit 30 stores predetermined data in a predetermined format. The storage unit 30 includes functional units such as a flow data storage unit 31, a continuity data storage unit 32, and a detailed data storage unit 33. These functional units will be described later.

  The traffic extraction unit 11 extracts request traffic and response traffic for a predetermined service being provided from the flow data collected from the network device 2.

  The “request traffic” is information necessary for service realization directed from the terminal 4 that uses the service to the server 3 that provides the service. The terminal 4 that transmits the requested traffic can be identified from the source IP address of the flow data. The server 3 that receives the requested traffic can be identified from the destination IP address of the flow data.

  The “response traffic” is information necessary for realizing the service directed from the server 3 that provides the service to the terminal 4 that uses the service. The server 3 that transmits the response traffic can be identified from the source IP address of the flow data. The terminal 4 that receives the response traffic can be identified from the destination IP address of the flow data.

The stationarity calculation unit 12 calculates stationarity between the request traffic and the response traffic based on the request traffic and the response traffic extracted by the traffic extraction unit 11. When the service is normally provided from the server 3 to the terminal 4, it is considered that a certain tendency occurs between the request traffic and the response traffic, and a predetermined steady state is formed. The stationarity calculated by the stationarity calculation unit 12 is a quantitative expression of this steady state. If the server 3 cannot provide a service due to a DoS attack or the like, it can be said that the response traffic is extremely small with respect to the request traffic and the stationarity is broken.
The continuity calculation by the continuity calculation unit 12 is performed every predetermined unit time. There are various methods for calculating the stationarity, and details will be described later.

  The service quality determination unit 13 determines the quality of service according to how much the relationship between the request traffic and the response traffic within a specific period deviates from the continuity calculated by the continuity calculation unit 12. . The “specific period” can be, for example, a period later than the period targeted when the continuity calculation unit 12 calculates the continuity. The “relationship between request traffic and response traffic” is expressed by the same physical quantity as the stationarity calculated by the stationarity calculation unit 12. It is assumed that the quality of service decreases as the degree of deviation between the relationship used by the service quality determination unit 13 and the continuity calculated by the continuity calculation unit 12 increases. For example, when a DoS attack or the like has occurred, the relationship used by the service quality determination unit 13 deviates more than the continuity calculated by the continuity calculation unit 12, so that the quality of the target service decreases. Can be determined.

  The result output unit 14 outputs detailed data related to the service determined by the service quality determination unit 13 that the service quality is deteriorated. The detailed data includes various data such as the host name of the server 3 that provides the target service and the number of terminals 4 that use the service. The HMI device 5 can acquire detailed data desired by the operator by controlling the service monitoring device 1. Further, the output unit 22 outputs the acquired detailed data as a processing result by the processing unit 10 in a file f or the like.

  The flow data storage unit 31 stores the flow data collected by the service monitoring apparatus 1 in a predetermined format. The traffic extraction unit 11 accesses the flow data storage unit 31 and extracts request traffic and response traffic.

The stationarity data storage unit 32 stores the stationarity calculated by the stationarity calculation unit 12 in a predetermined format.
For example, the detailed data storage unit 33 stores, in a predetermined format, detailed data related to a service for which the service quality determination unit 13 determines that the service quality has deteriorated.

<Processing>
As shown in FIG. 3, the service monitoring apparatus 1 of the present embodiment performs the following processing of the service monitoring apparatus 1 of the present embodiment. This process starts from step S1.

  In step S1, the traffic extraction unit 11 extracts request traffic and response traffic from the collected flow data. After step S1, the process proceeds to step S2.

  In step S2, the stationarity calculation unit 12 calculates the stationarity between the extracted request traffic and response traffic. After step S2, the process proceeds to step S3.

In step S3, the service quality determination unit 13 determines whether the relationship between the request traffic and the response traffic within the specific period deviates from the continuity calculated by the continuity calculation unit 12. Determine the quality of the. The service quality determination unit 13 uses an allowable error (details will be described later) as a threshold for a deviation degree between the relationship used by the service quality determination unit 13 and the continuity calculated by the continuity calculation unit 12. Quality can be determined. After step S3, the process proceeds to step S4.
Proceed to

  In step S4, the result output unit 14 collects detailed data for the network device 2 whose service quality has fluctuated more than the allowable error, and outputs the result.

  According to the processing shown in FIG. 3, it is possible to determine failure of continuity between request traffic and response traffic using an allowable error, and thus it is possible to reliably monitor a service being provided.

  According to the present embodiment, by using flow data collected from network data, a plurality of services being provided are specified, and the continuity between request traffic and response traffic is specified for the specified services. You can find out. For this reason, service quality can be quantitatively evaluated as the degree of deviation from continuity. As a result, it is possible to monitor a service being provided for a network in which a plurality of services are provided.

  Next, a specific example of a service quality determination method will be described over Examples 1 to 3.

[Example 1]
As the continuity calculated by the continuity calculation unit 12, a correlation coefficient between the request traffic and the response traffic can be employed. The server 3 is assumed to be a DNS (Domain Name System) server 3a, and a service provided by one or a plurality of DNS servers 3a will be described as an example.

  Communication relating to DNS is performed at the 53rd port. Therefore, the traffic extraction unit 11 extracts the flow data with the destination port number 53 as the request traffic from the flow data collected from each of the plurality of network devices 2, and the flow data with the source port number 53. As response traffic.

  The continuity calculation unit 12 obtains the number of requested flows (the number of flow data) that is the amount of the extracted requested traffic for each network device 2 and for each predetermined period, and the amount of the extracted response traffic For each network device 2 and every predetermined period. Therefore, the number of request flows and the number of response flows obtained during the period from time t (k−1) to time t (k) (k = 1, 2,...) Are obtained from each network device 2. The stationarity calculation unit 12 obtains a correlation coefficient using a variable of the number of requested flows having a component made up of the number of network devices 2 and a variable of the number of response flows having a component made up of the number of network devices 2. The correlation coefficient is the bivariate covariance divided by the product of the standard deviation of each variable.

Assume that the correlation coefficients obtained during the period from time t (k−1) to t (k) (k = 1, 2,..., 7) are as follows.
Correlation coefficient of t (0) to t (1) = 0.95
Correlation coefficient between t (1) and t (2) = 0.93
Correlation coefficient of t (2) to t (3) = 0.97
Correlation coefficient of t (3) to t (4) = 0.99
Correlation coefficient of t (4) to t (5) = 0.91
Correlation coefficient of t (5) to t (6) = 0.75
Correlation coefficient of t (6) to t (7) = 0.85

  According to the above, the average value of the correlation coefficients from t (k−1) to t (k) (k = 1, 2, 3, 4, 5) is 0.95. For example, the continuity calculation unit 12 can employ the average value 0.95 as the continuity.

  FIG. 4 shows a scatter diagram of the number of request flows and the number of response flows related to the service of the DNS server 3a plotted for each network device 2 in a certain period. The horizontal axis of the scatter diagram shows the number of response flows (src 53 flow number (DNS response flow number). “Src” represents the sender), and the scatter graph shows the request flow number (dst 53 flow). Number (DNS request flow number), “dst” represents the destination). The plots in the scatter diagram are plots for one period (eg, periods t (0) to t (1)), but may be plots for two or more periods collectively. Good.

  The continuity calculation unit 12 obtains a correlation coefficient for a plot in the scatter diagram. When the correlation coefficient shows a large value, there is a certain tendency between the number of requested flows and the number of response flows such that plots are collected near the straight line L (two-dot chain line) in FIG. On the other hand, since the flow data is sampling data, a considerable amount of error is included, and the plot deviates from the straight line L to some extent even if the service quality is stable. Therefore, it is preferable to define an area A1 having a certain width with respect to the straight line L, and to define continuity from a plot within the area A1.

The service quality determination unit 13 evaluates how much the correlation coefficient 0.75 (relationship) of t (5) to t (6) deviates from the average value 0.95 of the correlation coefficient indicating continuity. If the allowable error σ designated from the HMI device 5 (see step S4 in FIG. 3) is 0.15,

Degree of departure from t (5) to t (6) = | 0.95-0.75 | = 0.20> σ

Thus, it can be said that the relationship between the number of requested flows and the number of response flows in t (5) to t (6) deviates greatly from the continuity. Therefore, the service quality determination unit 13 determines that the quality of service of the DNS server 3a at t (5) to t (6) is deteriorated.

  In the scatter diagram of FIG. 4, a plot included in the area A2 is shown as a plot showing the relationship between the number of requested flows and the number of response flows at t (5) to t (6). This plot greatly deviates from the area A1 because the number of DNS request flows is extremely increased with respect to the number of DNS response flows due to a DoS attack or the like. As a result, it can be determined that some measures need to be taken for the network device 2 corresponding to the plot included in the area A2.

Further, the service quality determination unit 13 evaluates how much the correlation coefficient 0.85 of t (6) to t (7) deviates from the average value 0.95 of the correlation coefficient indicating continuity. in this case,

Degree of departure from t (6) to t (7) = | 0.95-0.85 | = 0.10 <σ

Therefore, it cannot be said that the relationship between the number of request flows and the number of response flows in t (6) to t (7) deviates from the steadiness. Therefore, the service quality determination unit 13 determines that the service quality of the DNS server 3a at t (6) to t (7) has not deteriorated and is stable.

  According to the scatter diagram of FIG. 4, a plot showing the relationship between the number of request flows and the number of response flows at t (6) to t (7) is included in area A1. As a result, in t (6) to t (7), it can be said that the quality of service by the DNS server 3a is stable.

The result output unit 14 creates detailed data for the service provided by the DNS server 3a, for which it is determined that the service quality has deteriorated during the period t (5) to t (6). For example, from flow data that shows a decline in service quality,
(1) DNS server IP address (the destination IP address of the flow data whose destination port number is 53, the source IP address of the flow data whose source port number is 53)
(2) IP address of the terminal of the user using the service (source IP address of flow data whose destination port number is 53, destination IP address of flow data whose source port number is 53)
(3) Port number (53 in this example)
(4) Degree of departure from stationarity (5) DNS server host name (6) Number of user terminals using the service (7) Number of requested flows (or number of response flows) unexpectedly increased The network device identifier is output as detailed data. The output detailed data is transmitted to the HMI device 5 and contributes to analysis by the operator.

  According to the first embodiment, by adopting the correlation coefficient between the number of request flows and the number of response flows as the continuity between the request traffic and the response traffic, a factor that causes a decrease in service quality can be easily achieved. Can be identified. For this reason, it is possible to monitor a service being provided for a network in which a plurality of services are provided.

[Example 2]
Clustering by the k-means method or the like is adopted for request traffic and response traffic for a certain service, and the number of clusters and the coordinates of the center of gravity of the clusters can be adopted as the stationarity calculated by the stationarity calculation unit 12. The server 3 is assumed to be a DNS server 3a, and a service provided by one or a plurality of DNS servers 3a will be described as an example.

  Assume that the scatter diagram of the number of request flows and the number of response flows related to the service of the DNS server 3a plotted for each network device 2 when the service quality is stable is as shown in FIG. In this case, when clustering is performed, two clusters B1 and B2 showing continuity are formed, and the center of gravity of each of the clusters B1 and B2 can be obtained.

  Here, it is assumed that the scatter diagram when plotted for each network device 2 is as shown in FIG. In this case, when clustering is performed, in addition to the clusters B1 and B2, a cluster B3 that is plotted in an area where the number of requested flows is extremely large with respect to the number of response flows is formed. Therefore, the service quality determination unit 13 increases the number of clusters by 1 (relationship) compared to when the service quality is stable, and the coordinates of the center of gravity of the cluster B3 deviate from the coordinates of the clusters B1 and B2 by a considerable amount. It is determined that the service quality is degraded due to the fact that the service is related (relationship).

  According to the second embodiment, clustering is performed on the number of requested flows and the number of response flows, and the number of clusters and the center of gravity are adopted as continuity between request traffic and response traffic, thereby reducing service quality. Inviting factors can be easily identified. For this reason, it is possible to monitor a service being provided for a network in which a plurality of services are provided.

[Example 3]
For each of request traffic and response traffic for a certain service, a histogram regarding the flow data collected from the network device 2 is adopted, and as the stationarity calculated by the stationarity calculation unit 12, a request traffic histogram, a response traffic histogram, The similarity between can be adopted. The server 3 is assumed to be a DNS server 3a, and a service provided by one or a plurality of DNS servers 3a will be described as an example.

Assume that the histogram of the number of requested flows related to the service of the DNS server 3a during a certain period is as shown in FIG. Here, the horizontal axis of the histogram in FIG. 6A represents the identifier of the network device 2 that exported the flow data to the service monitoring device 1 as a “data section”, and the vertical axis exported from each network device 2. Of the received flow data, the number of flow data whose request port number is 53 (the number of DNS request flows) is taken as “frequency”. In FIG. 6A, the frequency on the vertical axis indicates, for example, the total number of DNS request flows when exported from 10 network devices 2, but is not limited thereto.
If necessary, the number of DNS request flows may be set for each DNS server 3a.

  In addition, it is assumed that the histogram of the number of response flows related to the service of the DNS server 3a during the same period is as shown in FIG. The horizontal axis and vertical axis of the histogram in FIG. 6B are the same as those in FIG.

  For example, the similarity between the DNS request flow number histogram and the DNS response flow number histogram can be calculated as a cosine similarity between vectors having a frequency as a component for each value in the data section. The cosine similarity is expressed as (the inner product of “the vector obtained from the DNS request flow number histogram” and “the vector obtained from the DNS response flow number histogram”) (the magnitude of the vector obtained from the DNS request flow number histogram). It is calculated as a value divided by “product of“ the magnitude of the vector obtained from the DNS response flow number histogram ”). The greater the cosine similarity (closer to 1), the more similar both vectors.

  The continuity calculation unit 12 calculates the cosine similarity using a vector obtained from the DNS request flow number histogram (FIG. 6A) and a vector obtained from the DNS response flow number histogram (FIG. 6B). The calculation is performed every predetermined period (eg, t (k−1) to t (k) (k = 1, 2, 3, 4, 5)). And the continuity calculation part 12 employ | adopts the average value of the cosine similarity calculated for every predetermined period as continuity, for example.

  The service quality determination unit 13 calculates the cosine similarity (relationship) for a specific period (eg, t (5) to t (6)). When the difference between the calculated cosine similarity and the average value of the cosine similarity that is stationary exceeds the allowable error input from the HMI device 5, the service quality determination unit 13 determines whether the DNS server 3a in the specific period It is determined that the quality of service has deteriorated.

  In addition, for example, the similarity between the DNS request flow number histogram and the DNS response flow number histogram can be calculated as a Jaccard coefficient between sets of elements obtained from the frequency for each value in the data section. The “element obtained from the frequency for each value in the data section” is “1” if the frequency for each value in the data section is greater than or equal to a minute value, and “0” if less than the minute value. As a result, the distributions indicated by the DNS request flow number histogram and the DNS response flow number histogram can be expressed as 01 sets.

  The Jaccard coefficient is the 01 set obtained from the DNS request flow number histogram and the 01 set obtained from the DNS and flow number histogram. The value of the element in the data section is calculated as a value divided by the number of elements in which either one is “1”. The larger the Jaccard coefficient (closer to 1), the more similar the sets are.

  The continuity calculation unit 12 uses the 01 set obtained from the DNS request flow number histogram (FIG. 6A) and the 01 set obtained from the DNS response flow number histogram (FIG. 6B) to use the Jaccard coefficient. Are calculated every predetermined period (example: t (k−1) to t (k) (k = 1, 2, 3, 4, 5)). And the continuity calculation part 12 employ | adopts the average value of the Jaccard coefficient calculated for every predetermined period as continuity, for example.

  The service quality determination unit 13 calculates a Jaccard coefficient (relationship) for a specific period (eg, t (5) to t (6)). When the difference between the calculated Jaccard coefficient and the average value of the Jaccard coefficient that is stationary exceeds the allowable error input from the HMI device 5, the service quality determination unit 13 determines the service of the DNS server 3a in the specific period. It is determined that the quality has deteriorated.

  According to the third embodiment, the number of request flows and the number of response flows are represented by histograms, and the similarity between the request flow number histogram and the response flow number histogram is adopted as continuity between the request traffic and the response traffic. Thus, it is possible to easily identify a factor that causes a decrease in service quality. For this reason, it is possible to monitor a service being provided for a network in which a plurality of services are provided.

(program)
It is also possible to create a program in which processing executed by the service monitoring apparatus 1 according to the above embodiment is described in a language that can be executed by a computer. In this case, the same effect as the above-described embodiment can be obtained by the computer executing the program. Further, such a program may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read by a computer and executed to execute the same processing as in the above embodiment. Hereinafter, an example of a computer that executes a monitoring program that realizes the same function as the service monitoring apparatus 1 will be described.

  FIG. 7 is a diagram illustrating a computer that executes a monitoring program. As illustrated in FIG. 7, the computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100, for example. For example, a mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050. For example, a display 1130 is connected to the video adapter 1060.

  Here, as shown in FIG. 7, the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. Each table described in the above embodiment is stored in the hard disk drive 1090 or the memory 1010, for example.

  Further, the monitoring program is stored in the hard disk drive 1090 as a program module in which a command executed by the computer 1000 is described, for example. Specifically, a program module describing each process executed by the monitoring program described in the above embodiment is stored in the hard disk drive 1090.

  In addition, data used for information processing by the monitoring program is stored in the hard disk drive 1090 as program data, for example. Then, the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the hard disk drive 1090 to the RAM 1012 as necessary, and executes the above-described procedures.

  The program module 1093 and the program data 1094 related to the monitoring program are not limited to being stored in the hard disk drive 1090. For example, the program module 1093 and the program data 1094 are stored in a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. May be. Alternatively, the program module 1093 and the program data 1094 related to the monitoring program are stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and are transmitted via the network interface 1070. It may be read by the CPU 1020.

≪Others≫
(1): In Example 1, the correlation coefficient between the number of request flows and the number of response flows was adopted as stationarity. However, the number of packets per flow and the number of bytes per packet (that is, the average packet length) can also be used as an alternative to the number of flows used as the number of request flows and the number of response flows.

  (2): When there are a plurality of servers 3 that provide one service, when the stationarity calculated by the stationarity calculation unit 12 is not very good (for example, the correlation coefficient to be used for stationarity is too small) When the plots of the scatter diagram of FIG. 4 are scattered), the correlation coefficient can be increased by reducing the number of target servers 3 (in some cases, narrowing down to one server 3).

  (3): In Example 2, clustering was performed for the number of requested flows and the number of response flows, and the number of clusters and the coordinates of the center of gravity of the clusters were adopted as the stationarity calculated by the stationarity calculation unit 12. However, the number of transmission / reception IP addresses and the type of transmission / reception IP address can also be used as an alternative to the number of flows used as the number of request flows and the number of response flows.

  (4): In Example 3, the number of requested flows and the number of response flows are represented by histograms, and cosine similarity and Jaccard coefficients are adopted as the continuity calculated by the continuity calculation unit 12. However, the number of transmission / reception IP addresses and the type of transmission / reception IP address can also be used as an alternative to the number of flows used as the number of request flows and the number of response flows.

In addition, it is possible to realize a technique in which various techniques described in this embodiment are appropriately combined.
Further, the software described in the present embodiment can be realized as hardware, and the hardware can also be realized as software.
In addition, hardware, software, flowcharts, and the like can be changed as appropriate without departing from the spirit of the present invention.

DESCRIPTION OF SYMBOLS 1 Service monitoring apparatus 2 Network apparatus 3 Server 4 Terminal 5 HMI apparatus 10 Processing part 11 Traffic extraction part (extraction part)
12 Stationarity calculation unit 13 Service quality determination unit (determination unit)
14 result output unit 20 input / output unit 21 input unit 22 output unit 30 storage unit 31 flow data storage unit 32 continuity data storage unit 33 detailed data storage unit

Claims (8)

A service monitoring device that monitors a plurality of services being provided using flow data collected from a plurality of network devices,
An extractor that extracts request traffic and response traffic for each of the plurality of services from the collected flow data;
A stationarity calculating unit that calculates stationarity between the request traffic and the response traffic based on the extracted request traffic and response traffic;
A determination unit that determines the quality of each of the plurality of services according to how much the relationship between the request traffic and the response traffic within a specific period deviates from the calculated continuity; Comprising
A service monitoring device. The extraction unit extracts flow data of a specific destination port number as the request traffic, extracts flow data of a specific source port number as the response traffic,
The stationarity calculation unit calculates the number of request flows that are the amount of the extracted request traffic and the number of response flows that are the amount of the extracted response traffic for each network device and every predetermined period. Seeking
Obtaining a correlation coefficient between the number of requested flows and the number of response flows for each predetermined period, and setting the average value of the correlation coefficient for each predetermined period as the stationarity,
The determination unit determines each of the quality of the plurality of services according to how much the correlation coefficient within the specific period deviates from the stationarity.
The service monitoring apparatus according to claim 1. The extraction unit extracts flow data of a specific destination port number as the request traffic, extracts flow data of a specific source port number as the response traffic,
The stationarity calculation unit obtains the number of request flows that is the amount of the extracted request traffic and the number of response flows that are the amount of the extracted response traffic for each network device,
Clustering is performed on the number of requested flows and the number of response flows, and the number of clusters and the center of gravity when service quality is stable are set as the stationarity,
The determination unit determines each of the quality of the plurality of services according to how much the number of clusters and the center of gravity deviate from the stationarity due to the clustering within the specific period.
The service monitoring apparatus according to claim 1. The extraction unit extracts flow data of a specific destination port number as the request traffic, extracts flow data of a specific source port number as the response traffic,
The stationarity calculation unit calculates the number of request flows that are the amount of the extracted request traffic and the number of response flows that are the amount of the extracted response traffic for each network device and every predetermined period. Seeking
A cosine similarity or Jaccard count between the histogram of the request flow count and the response flow count for each predetermined period is obtained, and an average value of the cosine similarity or Jaccard count for each predetermined period is calculated as the steady state. Sex and
The determination unit determines each of the quality of the plurality of services according to how much the cosine similarity or the Jaccard count deviates from the stationarity within the specific period.
The service monitoring apparatus according to claim 1. A service monitoring method in a service monitoring device that monitors a plurality of services being provided using flow data collected from a plurality of network devices,
An extraction step of extracting request traffic and response traffic for each of the plurality of services from the collected flow data;
A stationarity calculating step of calculating stationarity between the request traffic and the response traffic based on the extracted request traffic and response traffic;
A determining step of determining the quality of each of the plurality of services according to how much the relationship between the request traffic and the response traffic within a specific period deviates from the calculated continuity; Comprising
A service monitoring method characterized by the above. In the extraction step, flow data of a specific destination port number is extracted as the request traffic, and flow data of a specific source port number is extracted as the response traffic.
In the continuity calculation step, the number of request flows that is the amount of the extracted request traffic and the number of response flows that are the amount of the extracted response traffic are determined for each network device and for each predetermined period. Seeking
Obtaining a correlation coefficient between the number of requested flows and the number of response flows for each predetermined period, and setting the average value of the correlation coefficient for each predetermined period as the stationarity,
In the determination step, each of the quality of the plurality of services is determined according to how much the correlation coefficient within the specific period deviates from the stationarity.
The service monitoring method according to claim 5. In the extraction step, flow data of a specific destination port number is extracted as the request traffic, and flow data of a specific source port number is extracted as the response traffic.
In the continuity calculation step, a request flow number that is the amount of the extracted request traffic and a response flow number that is the amount of the extracted response traffic are obtained for each network device,
Clustering is performed on the number of requested flows and the number of response flows, and the number of clusters and the center of gravity when service quality is stable are set as the stationarity,
In the determination step, the quality of each of the plurality of services is determined according to how much the number of clusters and the center of gravity deviate from the stationarity due to the clustering within the specific period.
The service monitoring method according to claim 5. In the extraction step, flow data of a specific destination port number is extracted as the request traffic, and flow data of a specific source port number is extracted as the response traffic.
In the continuity calculation step, the number of request flows that is the amount of the extracted request traffic and the number of response flows that are the amount of the extracted response traffic are determined for each network device and for each predetermined period. Seeking
A cosine similarity or Jaccard count between the histogram of the request flow count and the response flow count for each predetermined period is obtained, and an average value of the cosine similarity or Jaccard count for each predetermined period is calculated as the steady state. Sex and
In the determining step, each of the quality of the plurality of services is determined according to how much the cosine similarity or the Jaccard count deviates from the stationarity within the specific period.
The service monitoring method according to claim 5.

Images