KR100617308B1 - Internet traffic analysing system, method, and storage media providing country-to-country internet traffic analysis results by matrix type - Google Patents

Abstract

An internet traffic analysis system, method, and recording medium are disclosed for visualizing inter-national internet traffic analysis results in a matrix form. In the Internet traffic analysis system, when the traffic analysis unit extracts a serial number corresponding to a country name and generates a record as a result of traffic analysis, the matrix report generation unit sequentially receives the records from the record file, and has a matrix form representing traffic statistics. Generate report output data as a data structure.

Description

Internet traffic analysing system, method, and storage media providing country-to-country internet traffic analysis results by matrix type}

1 is a flowchart illustrating a general internet traffic analysis process.

2 is a block diagram illustrating an internet traffic analysis system according to an embodiment of the present invention.

3A and 3B are diagrams for describing the output recording form of the traffic analyzer of FIG. 2 and the report output form of the matrix report generator of FIG. 2.

4A and 4B are flowcharts for describing an algorithm for generating the inter-country traffic result statistical report in a matrix form by the matrix report generator of FIG. 2.

5A through 5E are flowcharts for describing an operation of generating data in a PREFIX TREE form among algorithms for converting an IP address into a country name in the traffic analyzer of FIG. 2.

FIG. 6 is a flowchart illustrating an operation of converting an IP address into a country name using data in a PREFIX TREE form in the traffic analyzer of FIG. 2.

<Description of Major Symbols in Drawing>

210: Internet 220: Traffic analysis device

221: traffic detection unit 222: traffic analysis unit

223: memory 224: matrix report generation unit

TECHNICAL FIELD The present invention relates to an internet traffic analysis system, and more particularly, to an internet traffic analysis system and method for visualizing internet traffic results between countries.

Conventional systems for analyzing Internet traffic have been used to summarize information about the packets that make up traffic distributed over any physical circuit, rather than to show traffic statistics between countries. . However, as the Internet becomes active and the problem of identifying the charges of Internet usage between countries becomes important, there is an increasing demand for systems that analyze and present the results of Internet traffic between countries. There is an increasing demand for report formats that accurately measure, efficiently analyze, and visualize the same high-volume, high-speed traffic in a clear form. In addition, since the international Internet line is usually a very high-speed line, when measuring the Internet traffic circulated through this line, a large amount of measurement results accumulate, and therefore an algorithm for visualizing the analysis result on the high-speed line at high speed. It is also required.

1 is a flowchart illustrating a general internet traffic analysis process. Referring to FIG. 1, first, in a widely used Internet traffic analysis system, traffic is detected from the Internet using hardware or software for traffic detection (S110). The detected traffic is transmitted according to a protocol such as FTP (file transfer protocol) or NFS (network file server), and the traffic result between the sending country and the receiving country is analyzed (S120). The result of the analysis is stored in a form of a database management system (DBMS) or a simple file in a predetermined memory. Accordingly, the traffic analysis result stored in the predetermined memory may be reported to the user if necessary (S130).

In such a conventional internet traffic analysis system, the traffic results between the sending country and the receiving country are stored and reported in the form of a series of records. Records representing traffic results are sorted in descending order based on the total number of bytes transmitted within a single time zone, and each record represents the total amount of traffic sent by a particular country to a particular country over that physical circuit at a particular time. Each record contains the line number assigned to the physical circuit on which the traffic was detected, the country name of the sender of traffic, the country name of the receiving party of traffic, the value indicating the time zone in which the traffic was detected, and the total packets transmitted. It consists of a value representing a number and a value representing the total number of bytes transmitted.

However, in the conventional Internet traffic analysis system, it is simply provided to the user in the form of the above record, and after measuring and analyzing large-capacity and high-speed traffic such as internet traffic between countries accurately and effectively, the user is more clear and easy to see. It does not meet the user's need for a report form that visualizes the form.

Accordingly, the present invention was devised to solve the above problems, and the technical problem to be achieved by the present invention is an algorithm for converting an IP address into a PREFIX TREE type data structure for representing a country name, and an analysis result. Internet traffic analysis system, method, and the above algorithm which visually visualizes large-capacity, high-speed traffic results such as internet traffic between countries in matrix form by using the algorithm that visualizes the stored records by re-analyzing them. To provide a recording medium having recorded thereon computer readable and executable code for performing the functions in these fields.

Internet traffic analysis system according to the present invention for achieving the above technical problem is characterized in that it comprises a traffic detector, a traffic analyzer and a matrix report generator. The traffic detector detects and outputs traffic from the Internet. The traffic analyzer analyzes the detected traffic and generates an analysis result. The matrix report generator generates report output data as a matrix data structure representing traffic statistics between countries from the analysis result.

The traffic analysis system may further include a memory configured to store the analysis result as a record, and the matrix report generation unit sequentially reads records from a record file corresponding to a predetermined time period in the memory and outputs report output data in the form of a matrix. It is characterized by generating.

The record indicates the line number assigned to the physical circuit on which the traffic was detected, the country name information of the sender of traffic, the country name information of the receiving party of traffic, the value representing the time zone in which the traffic was detected, and the total number of packets transmitted. Value, and a value including a value representing the total number of bytes transmitted.

The traffic analysis unit stores two or more records representing traffic transmitted between a specific country and a specific country within the same time zone, and the matrix report generation unit includes the sum of the number of packets included in the records between specific countries within the same time zone and bytes. Generate the report output data having the sum of the numbers as the traffic statistics between the specific countries. The traffic analyzer receives the detected traffic as a text file, extracts an IP (Internet protocol) address, an AS (autonomous system) number, and a country name information, converts the data into an internal data structure in the form of a PREFIX TREE, and converts the internal data structure into an internal data structure. Obtaining a country name corresponding to the IP address from the characterized in that to generate the analysis result.

When the traffic analyzer receives the text file, the traffic analyzer creates a new data node to be added to the PREFIX TREE, makes the node a new ROOT node if the node is empty, or selects the node if the node is not empty. The internal data structure is generated by setting a position to add. The traffic analyzer compares the new data node with a predetermined ROOT node, and when the mask lengths of the predetermined ROOT node and the new data node are the same and have different address values, and the masks of the predetermined ROOT node and the new data node. When the IP address of a node having a different length and a large mask length does not belong to a subnetwork of a small node, another node having the new data node and the predetermined ROOT node as children is added to the PREFIX TREE. . In the additional node position setting, the traffic analysis unit is characterized in that when the IP address of the new data node belongs to a subnetwork of a predetermined ROOT node, the new data node is a child node of the ROOT node.

In accordance with another aspect of the present invention, there is provided a method for analyzing Internet traffic, the method comprising: detecting traffic from the Internet; Analyzing the detected traffic; And generating report output data as a data structure in a matrix form representing traffic statistics between countries from the analysis result. The traffic analyzing step includes storing the analysis result as a record in a predetermined memory, and generating the report output data includes sequentially reading records from a record file corresponding to a predetermined time period in the memory; And generating report output data in the matrix form from the read records.

In accordance with another aspect of the present invention, an internet traffic analysis function recording medium having a computer readable and executable code recorded thereon includes: a function for detecting traffic from the Internet; Analyzing the detected traffic; And generating a report output data as a data structure in a matrix form representing traffic statistics between countries from the analysis result. The traffic analysis function may include storing the analysis result as a record in a predetermined memory, and the report output data generation function may include: sequentially reading records from a record file corresponding to a predetermined time period in the memory; And generating the report output data in the matrix form from the read records.

In order to fully understand the present invention, the operational advantages of the present invention, and the objects achieved by the practice of the present invention, reference should be made to the accompanying drawings which illustrate preferred embodiments of the present invention and the contents described in the accompanying drawings.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. Like reference numerals in the drawings denote like elements.

2 is a block diagram illustrating an internet traffic analysis system 200 according to an embodiment of the present invention. Referring to FIG. 2, the Internet traffic analysis system 200 includes the Internet 210 and a traffic analysis device 220.

The traffic analysis device 220 analyzes the traffic detected from the Internet 210, and generates report output data representing traffic statistics between countries from the analysis result as a matrix data structure. The report output data output from the traffic analysis device 220 is visualized in a matrix form through a print or display device (not shown), so that a user can easily grasp Internet traffic between countries.

The traffic analysis apparatus 220 as described above includes a traffic capture unit 221, a traffic analysis unit 222, a memory 223, and a matrix report generator 150. ). The traffic detector 221 detects and outputs traffic from the Internet 210 using hardware or software for traffic detection. The traffic detector 221 transmits the detected traffic according to a protocol such as FTP (file transfer protocol) or NFS (network file server). The traffic analyzer 222 analyzes the detected traffic and generates a traffic analysis result between the sending country and the receiving country. The memory 223 stores the analysis result as a record. The analysis result is stored in the memory 223 in the form of a database management system (DBMS) or a simple file. The matrix report generator 150 sequentially reads records from a record file corresponding to a predetermined time period in the memory 223 and generates report output data of the matrix form from the read records. The report output data generation algorithm of the matrix report generator 150 is described in more detail in the description of FIGS. 4A and 4B.

 The traffic analyzer 222 receives the detected traffic transmitted in accordance with a protocol such as FTP or NFS as a text file, extracts an IP (internet protocol) address, an autonomous system (AS) number, and country name information, and obtains a PREFIX. Convert to a TREE type internal data structure, and obtain the country name corresponding to the IP address from the internal data structure to generate the analysis result. Such a country name acquisition algorithm of the traffic analyzer 222 is described in more detail in the descriptions of FIGS. 5A to 5E and 6.

3A and 3B are diagrams for describing the output recording form of the traffic analyzer 222 of FIG. 2 and the report output form of the matrix report generator 150 of FIG. 2. Referring to FIG. 3A, each of a series of records in which the analysis result output from the traffic analyzer 222 of FIG. 2 is stored in the memory 223 is a line assigned to the physical line where the traffic is detected. Number, country name information of the sending party, country name information of the receiving party, a value indicating the time zone in which the traffic was detected, a value indicating the total number of packets transmitted, and the total number of bytes transmitted. It consists of a value representing. Records representing the traffic results may be sorted in descending order based on the total number of bytes transmitted within a single time zone, and each of the records represents traffic information transmitted to a specific country by a specific country through a corresponding physical circuit at a specific time period. Referring to FIG. 3B, a form in which report output data output by the matrix report generator 150 of FIG. 2 is displayed on a predetermined display device (not shown), or a print output form is illustrated. As shown in Figure 3b, the report form has a table form, the first column lists the country names of the traffic sender, the first row lists the country names of the receiving party. In each column, traffic results are sent in packets (330) and bytes (340) from a particular country in the left first column to a particular country in the upper first row, and the percentage value of the total traffic (as shown in parentheses). 350) to be recorded.

4A and 4B are flowcharts for describing an algorithm in which the matrix report generator 150 of FIG. 2 generates an inter-country traffic result statistical report in matrix form. The matrix report generator 150 sequentially reads records from a series of records, that is, a record file corresponding to a predetermined time period, in the memory 223, and reports the matrix form from the records read only once. By generating the output data, it is output to a print or display device (not shown) so that the traffic statistics report in the form of a desired matrix is visualized. The traffic statistics report in matrix form is generated one by one time zone. In FIG. 4A, first, to obtain records as input, the matrix report generator 150 should query the memory 223 in which records are stored. If the records are stored in the DBMS, the records can be retrieved using the DBMS system's query interface. If the records are stored in the file system, the records are retrieved using the operating system call. It may be (S401). Since the algorithm accesses and uses the records only once in sequence, it can be applied without any difference even if the records are stored in any system. The records stored in the memory 223 are sequentially input to the matrix report generator 150 one by one, and the algorithm analyzes the records according to the following procedure to generate a cross-country traffic statistics report.

First, the record is read, and if it is not the first record of the time zone, it is checked whether the time zone is not different from the previous record (S402 to S404). If it is different, it is ready to print the country-wide traffic statistics report in the form of matrix for the previous time zone. Therefore, the report output data in the predetermined matrix variables "REPORT_PACKETS" and "REPORT_BYTES" is output, and all data structures used in the algorithm Initialize the value of the variable (S405, S406). In step S401, even if the record could not be read, the report output data in the matrix variables "REPORT_PACKETS" and "REPORT_BYTES" for the previous time zone are output (S415). In the case of generating an N × N matrix country-wide traffic statistics report, the sizes of the variables “REPORT_PACKETS” and “REPORT_BYTES” are N × N, respectively.

If the read record is the first record (S403) or if the time zone is not different from the previous record (S404), the following process is performed. First, it is determined whether the serial number of the sender country name recorded in the record is recorded in the variable " COUNTRY_NAMES " on the predetermined hash table indicating the serial number corresponding to the country name (S407). To do this, the "COUNTRY_NAMES" of the hash table is searched using the country name as a key, and if recorded, the serial number value for the key is obtained and substituted into X (S408). If it is not recorded, it is determined whether there is a vacancy in the hash table, and if there is a vacancy, additionally records the name of the country sent to the hash table and its serial number, and substitutes the recorded serial number into X (S409, S410, S408). . Country names that are not recorded in the hash table or cannot be recorded cannot be assigned serial numbers, so the value of X cannot be determined. When generating an inter-country traffic statistics report in the form of an N x N matrix, the size of this hash table is N. Do the same for the receiving country name, but assign the serial number to Y (S411 ~ S414).

In FIG. 4B, if the values of X and Y are uniquely determined, now substitute the number of packets recorded in the record just read in "REPORT_PACKETS [X] [Y]" and in "REPORT_BYTES [X] [Y]" By substituting the number of bytes recorded in the record, report output data for visualizing the traffic statistics report in matrix form is output (S416 to S418). Then, the next record is read (S401). Here, it should be noted that when there are no more empty spaces in "REPORT_PACKETS" and "REPORT_BYTES", all incoming records are bypassed until a record of another time zone is met. With some modification to this algorithm, the traffic analyzer 222 may store more than one record in a time frame representing traffic transmitted between a particular country and a particular country. In such an application, the portions (S409, S413) for checking whether there is an empty space in "REPORT_PACKETS" and "REPORT_BYTES" are deleted, and the records are sorted in descending order according to the number of bytes within the same time zone, and then the corresponding record is deleted. The number of packets recorded and the number of bytes are added together and substituted into "REPORT_PACKETS [X] [Y]" and "REPORT_BYTES [X] [Y]" (S417, S418).

5A through 5E are flowcharts for describing an operation of generating data in a PREFIX TREE form among algorithms for converting an IP address into a country name in the traffic analyzer 222 of FIG. 2. In this algorithm of the traffic analyzer 222, a predetermined text file is received from the traffic detector 221 according to a protocol such as FTP or NFS, and converted into a data structure of a PREFIX TREE type. The predetermined text file includes an IP address, an AS (autonomous system) number to which the IP address belongs, and country name information to which the AS belongs. The IP address contained in the text file is paired with the Mask Length. Nodes of the PREFIX TREE are classified into two categories: a data node having an actual AS number and a country name, and an internal node used to construct a TREE. The conversion process is as follows.

In FIG. 5A, when the traffic analyzer 222 reads a text file from the traffic detector 221, first, a data node to be newly added to the PREFIX TREE is generated and the variable P points to the node (S501 to S503). . This node stores the IP address, mask length, AS number, and country name. If the P node is empty in the PREFIX TREE, the P node becomes a new ROOT node of the PREFIX TREE (S504 and S505). If it's not empty, you'll need to start searching from the ROOT node to find where to add the new node pointed to by P.

To this end, first, variables I and B are made to point to the ROOT node (S506). Then, the following process is repeated. First, in Fig. 5B, it is checked whether the mask length (I.mask_len) of the I node is smaller than the mask length (P.mask_len) of the P node (S507). (S510). If so, B node first points to the same node as the I node (S511). At this time, the P node should be one of the child nodes of I. If the bit value (P.ipaddr [i.mask_len + 1]) at the position of "mask length of node I + 1" of the P node's IP address (P.ipaddr) is 1, the node P is the right child node of I. If it is 0, P node should be one of the left child nodes of I (S512). In the case where I must be one of the right child nodes of I, if there are no child nodes on the right side of I, the P node is made into the right child node of I (S516 and S518). If there is a child node on the right side of I, I is made to point to the right child node (S517) and the above process is repeated again. In the case where it is to be one of the left child nodes of I, if there are no child nodes on the left side of I, the P node is made into the left child node of I (S513 and S515). If there is a child node of I, make I point to that child node and repeat the process again.

On the other hand, in FIG. 5C, if the IP address of the P node does not belong to the subnetwork of the I node, a new node NW is created having the nodes indicated by I and P as child nodes, and the node NW is the I and P node. It should be made to have a child node (S519-S528). To know which child node of I or P should be the left child of the new node (NW), the IP address value (I.ipaddr) of the node pointed by I and the IP address value (P. First, among the bits constituting ipaddr), the position where the value is changed must be found (S519). If the value corresponding to the position is 0, the node (eg, I) becomes the left child node of the new node NW, and if 1, the node (eg, I) becomes the right child node ( S520 ~ S523). Next, if the I node is a ROOT node, the new node NW is a ROOT node (S524 to S525). If the I node is not a ROOT node, if there is a right child node of B, the new node NW becomes a right child of B; if there is no right child node of B, the new node NW becomes a left child node of B (S526). ~ S528).

Second, in Fig. 5D, it is checked whether the mask length (I.mask_len) of the I node is larger than the mask length (P.mask_len) of the P node (S507 in Fig. 5A), and if the IP address of the I node is P node if it is large, There is a possibility that it belongs to the sub network of (S529). In this case, the I node must be a child node of the P node, and the P node must be a child node of the B node. If the B node is equal to the I node, since I is a ROOT node, P becomes a new ROOT node (S530, S531). If node B is not the same as node I, determine whether node I was a node B's right or left child, and if it was a right child node, make P node a new right child node of B; Make it a left child node of the B node (S532 to S534). After that, the bit value at the position "mask length + 1 stored in the node pointed to by P" (I.ipaddr [P.mask_len + 1]) of the IP address (I.ipaddr) stored in the I node is 0. If it is 1, I node is made to be the right child node of P, and if it is 0, I node is made to be the left child node of P (S535 to S537). If the I node does not belong to the sub-network of the P node (S529), a new node NW having I and P nodes as child nodes should be created and added to the tree (S519 to S528 in FIG. 5C). The processes S519 to S528 are as described above.

Third, in Fig. 5E, it is checked whether the mask length (I.mask_len) of the I node is equal to the mask length (P.mask_len) of the P node (S509 in Fig. 5A), and in the same case, once the IP address value of the I node ( I. ipaddr) and the IP address value (P. ipaddr) of the P node is checked (S548). If the two values are the same, a new node P need not be added on the tree (S549). In practice, this won't happen. If the address values of the I node and the P node are different from each other, a new node having an I node and a P node as children is created and the node is added to the PREFIX TREE (S519 to S528 in FIG. 5C). The processes S519 to S528 are as described above.

FIG. 6 is a flowchart illustrating an operation of converting an IP address into a country name using data in a PREFIX TREE form in the traffic analyzer 222 of FIG. 2. When the data structure of PREFIX TREE type is completed through the process of FIGS. 5A to 5E, the process of converting an IP address into a country name is very simple and quick. In Fig. 6, first of all, the variables "ADDR" and "MASK" point to the IP address to be searched and the mask length of the address, the I node to point to the ROOT node, and the F node to any node. Initialize to the state not shown (S560 ~ S562). At this time, if the mask length (I.mask_len) stored in the I node is equal to or larger than "MASK", the F node is returned and the execution of the algorithm is terminated (S563 to SS565). Otherwise, it is determined whether the part of the address value stored in the "ADDR" minus the part corresponding to the mask length (ADDR [I.mask_len]) stored in the I node is the same as the address value (I.ipaddr) stored in the I node. (S566). If not equal, the F node is returned and the algorithm ends (S565). If it is equal, it checks whether the AS number and the country name are stored in the I node, and if so, makes the F node point to the I node (S569). After that, it is checked whether the bit value at the position (ADDR [I.mask_len + 1]) of the mask length stored in the I node + 1 is 0 or 1 among the address values stored in the "ADDR" (S568). I pointed to the left child node of the I node (S570), if 1, I pointed to the right child node of the I node (S571) and repeats the above steps (S563 to S571). Note that, as in step S567, when the returned F node does not indicate anything, it means that the AS number or the country name information for the corresponding "ADDR" is not stored in the PREFIX TREE. As such, the inter-state internet traffic analysis system 200 according to an embodiment of the present invention corresponds to an IP address after converting a text file into an internal data structure using the algorithms of FIGS. 5A to 5E and 6. Obtain a country name, and create a record in the format shown in FIG.

As described above, in the Internet traffic analysis system 200 according to an embodiment of the present invention, when the traffic analysis unit 222 extracts a serial number corresponding to a country name and generates a record as a traffic analysis result, the matrix The report generator 224 sequentially receives the records from the record file and generates report output data as a data structure in a matrix form representing traffic statistics. The report output data generated by the matrix report generator 224 is visualized so that a user can easily grasp Internet traffic between countries through a print or display device. In determining the country name, the traffic analysis unit 222 extracts the IP address, AS number, and country name information from a text file, converts the IP address into an internal data structure in the form of a PREFIX TREE, and converts the IP address into a corresponding data structure. Query to obtain the corresponding country name.

The functions used in the devices and methods disclosed herein can be embodied as computer readable codes on a computer readable recording medium. The computer-readable recording medium includes all kinds of recording devices in which data that can be read by a computer system is stored. Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, floppy disks, optical data storage devices, and the like, which are also implemented in the form of carrier waves (for example, transmission over the Internet). Include. The computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.

As described above, optimal embodiments have been disclosed in the drawings and the specification. Although specific terms have been used herein, they are used only for the purpose of describing the present invention and are not intended to limit the scope of the invention as defined in the claims or the claims. Therefore, those skilled in the art will understand that various modifications and equivalent other embodiments are possible from this. Therefore, the true technical protection scope of the present invention will be defined by the technical spirit of the appended claims.

The Internet traffic analysis system according to the present invention can provide the user with the results of internet traffic analysis in the form of a matrix in the form of a matrix, so that the user can clearly and easily grasp Internet traffic between countries. In addition, using a high-speed algorithm can greatly reduce the time required to generate the report. Therefore, it is installed at the point where a large amount of traffic between countries is distributed, which can be usefully used for internet traffic statistics analysis.

Claims (17)

A traffic detector for detecting and outputting traffic from the Internet; A traffic analyzer configured to analyze the detected traffic and generate an analysis result; And A matrix report generator for generating report output data as a matrix data structure representing traffic statistics between countries from the analysis result; The analysis result, And information indicating a line number assigned to the physical circuit where the traffic was detected, information on the country of origin of the traffic, information on the country of destination of the traffic, information on the time zone when the traffic was detected, and information on the amount of data transmitted. Internet traffic analysis system. According to claim 1, wherein the traffic analysis system, And a memory configured to store the analysis result as a record, wherein the matrix report generating unit sequentially reads records from a record file corresponding to a predetermined time period in the memory and generates report output data in the form of a matrix. Traffic analysis system. The method of claim 1, wherein the data amount information And information including a value indicating a total number of packets transmitted and a value indicating a total number of bytes transmitted. The method of claim 3, wherein the traffic analysis unit, Store two or more records representing traffic transmitted between a specific country and a specific country within the same time zone, and the matrix report generator is configured to add the sum of the number of packets and the number of bytes included in the records between the specific countries within the same time zone. And generate the report output data having as the traffic statistics between the specific countries. The method of claim 2, wherein the traffic analysis unit, Receives the detected traffic as a text file, extracts an IP (Internet protocol) address, an AS (autonomous system) number, and a country name information, converts the data into a PREFIX TREE internal data structure, and converts the IP address from the internal data structure. And generating the analysis result by obtaining a country name corresponding to the Internet traffic analysis system. The method of claim 5, wherein the traffic analysis unit, Upon receiving the text file, create a new data node to be added to the PREFIX TREE, and if that node is empty, make it the new ROOT node, or if the node is not empty, add the node. Internet traffic analysis system, characterized in that for generating the internal data structure by setting. The method of claim 6, wherein the traffic analysis unit, Comparing the new data node and the predetermined ROOT node, when the mask lengths of the predetermined ROOT node and the new data node are the same and different address values, and the mask lengths of the predetermined ROOT node and the new data node are different and the mask length is different. And if the IP address of the large node does not belong to the subnetwork of the small node, add another node having the new data node and the predetermined ROOT node as a child on the PREFIX TREE. The method of claim 7, wherein the traffic analysis unit, In the additional node position setting, when the IP address of the new data node belongs to a subnetwork of a predetermined ROOT node, the new data node is a child node of the ROOT node. Detecting traffic from the Internet; Analyzing the detected traffic; And Generating report output data as a matrix-type data structure representing traffic statistics between countries from the analysis result; The analysis result, And information indicating a line number assigned to the physical circuit where the traffic was detected, information on the country of origin of the traffic, information on the country of destination of the traffic, information on the time zone when the traffic was detected, and information on the amount of data transmitted. How to analyze internet traffic. The method of claim 9, wherein the traffic analysis step, Storing the analysis result as a record in a predetermined memory, The report output data generation step, Sequentially reading records from a record file corresponding to a predetermined time period in the memory; And Generating report output data in the matrix form from the read records. The method of claim 9, wherein the data amount information is And information indicating a total number of transmitted packets and a value indicating a total number of transmitted bytes. The method of claim 11, wherein the traffic analysis step, Store more than one record in the same time zone, representing traffic sent between a country and a country, The report output data generation step, And generating the report output data having the sum of the number of packets and the sum of the number of bytes included in the records between specific countries within the same time zone as the traffic statistics between the specific countries. The method of claim 10, wherein the traffic analysis step, Receives the detected traffic as a text file, extracts IP address, AS number, and country name information, converts it into an internal data structure of PREFIX TREE type, and obtains a country name corresponding to the IP address from the internal data structure. Generating the analysis result. The method of claim 13, wherein the traffic analysis step, Upon receiving the text file, create a new data node to be added to the PREFIX TREE, and if that node is empty, make it the new ROOT node, or if the node is not empty, add the node. Setting to generate the internal data structure. The method of claim 14, wherein the traffic analysis step, Comparing the new data node and the predetermined ROOT node, when the mask lengths of the predetermined ROOT node and the new data node are the same and different address values, and the mask lengths of the predetermined ROOT node and the new data node are different and the mask length is different. And when the IP address of the large node does not belong to the subnetwork of the small node, add another node having the new data node and the predetermined ROOT node as a child on the PREFIX TREE. The method of claim 15, wherein the traffic analysis step, In the additional node position setting, when the IP address of the new data node belongs to a subnetwork of a predetermined ROOT node, the new data node is a child node of the ROOT node. A computer-readable recording medium containing a program for performing the method according to any one of claims 9 to 16.

Images