KR102376349B1 - Apparatus and method for automatically solving network failures based on automatic packet - Google Patents

Abstract

The present invention is to provide a device or automatically solving a network failure based on automatic packet analysis and a method thereof. The method collects packet information on the network status, automatically determines whether there is a failure in a specific area through analyzed data, automatically resolves the network failure, provides a guide for accurately and quickly identifying and resolving various and complex network issues (performance, failure, etc.) with one click, allows any network operator to easily and conveniently manage the network, and provides a customized network management service tailored to user needs by interworking with various systems with information collection and analysis functions.

Description

Apparatus and method for automatically solving network failures based on automatic packet}

The present invention relates to an intelligent network management system, and in particular, collects packet information on network status, automatically determines whether there is a failure in a specific area through the analyzed data, and automatically resolves network failures to solve various and complex network issues ( performance, failure, etc.) with a single click, provides a guide for accurate and quick cause identification and resolution, enables any network operator to easily and conveniently manage the network, and works by linking with various systems with information collection and analysis functions. Disclosed are an apparatus and method for automatically resolving network failures based on automatic packet analysis suitable for providing customized network management services tailored to user needs.

In general, intelligent network technology refers to networks and infrastructure technologies that will be commonly used for the 4th industrial revolution and innovative growth based on intelligence. Specifically, SDN (Software-Defined Networking), NFV (Network Functions Virtualization), and network intelligence technologies , low-latency/time-determined network technology, quantum information communication technology, network structure technology, transmission network technology, wired and wireless access technology, etc. are comprehensively included.

In addition, network intelligence technology repeats a series of procedures such as automatic data collection and feedback for autonomous decision-making using artificial intelligence technologies such as machine learning, so that end-to-end (re)setup, control, management and orchestration, etc. technology that automatically performs the functions of

The meaning of these intelligent networks is evolving over time, mainly leading to breakthroughs in computation and algorithms.

As prior art, 'system for communication failure management and maintenance of network equipment' of Korean Patent Registration No. 10-1998863, and 'network management device, network management system and network management method' of Korean Patent Registration No. 10-2133001 are disclosed. has been disclosed.

When the network goes down, it directly leads to business disruption. In addition, delay in business processing due to network performance degradation leads to direct loss of the organization. The average loss for a single network outage is $402,542 in the United States. (Source: The Rise of AIOps: How Data, Machine Learning, and AI Will Transform Performance Monitoring, Appdynamics News, 2018.12.17.) Therefore, it is necessary to minimize the network interruption situation.

The Uptime Institute, which evaluates the performance of networks, has studied publicly reported cases of network outages. Looking at this, network failure among IT failures increased significantly from 19% in 2017 to 32% in 2018. Therefore, in the event of a network outage, a technology capable of promptly tracing the cause and suggesting a solution is required.

Conventional network management includes a Network Management System (NMS), a Traffic Management System (TMS), a Data Packet Inspector (DPI), and a Packet Analyzer.

However, NMS (Network Management System) centered on equipment and line monitoring has limitations in solving complex network issues. In addition, TMS (Traffic Management System) for network traffic management has a limitation in not supporting in-depth analysis of payload. In addition, DPI (Data Packet Inspector) and packet analyzer (Packet Analyzer) are very complicated and difficult to use, and there is a problem that requires a high degree of expertise.

US 10-1998863 B1 US 10-2133001 B1

Accordingly, the present invention has been proposed to solve the problems of the related art as described above, and an object of the present invention is to collect packet information on a network state, automatically determine whether a failure in a specific area exists through the analyzed data, and to determine a network failure automatically solves various and complex network issues (performance, failure, etc.) with a single click, provides a guide for accurate and quick cause identification and resolution, and enables any network operator to easily and conveniently manage the network. , to provide an automatic packet analysis-based automatic network failure resolution device and method that can provide customized network management services tailored to user needs by interworking with various systems with information collection and analysis functions.

1 is a conceptual diagram of an apparatus for automatically resolving network failures based on automatic packet analysis according to an embodiment of the present invention.

As shown in this figure, in the automatic network failure resolution device 110 of the intelligent network management system 100 that manages the network, the network failure automatic resolution device 110 collects packet information on the network status and Through the analyzed data, it automatically determines whether there is a failure in a specific area and automatically resolves the network failure, providing a guide to accurately and quickly identifying and resolving various and complex network issues with one click, and network operators a control unit 120 that enables anyone to easily and conveniently manage a network, and controls to provide a customized network management service tailored to user needs by interworking with various systems with information collection and analysis functions; Under the control of the controller 120, packet data is received from the network equipment 210 of the data center or the remote intelligent network management device 220 through a network interface card (NIC), and the received packet data is combined into one data stream to generate raw data necessary to create an information bundle, and store it in a raw packet storage buffer, and the network of the data center 210 or the remote intelligent network management device 220 a packet capture unit 130 for measuring data including packets, SNMP TRAP, and SYSLOG information; Under the control of the control unit 120, metadata is generated for the packets collected by the packet capture unit 130, and the metadata includes packet confirmation time, packet size, session ID, packet size, MAC address, and TCP information. Session information bundle, BPS information bundle, PPS information bundle, RTT information bundle, timeout information bundle, TCP information bundle, Remarks information bundle, and event information bundle are created, and data is compressed simultaneously for each type of information bundle and an information bundle generating unit 140 for storing; Performance of receiving the control of the control unit 120, receiving the information bundle generated by the information bundle generating unit 140, generating performance indicators necessary for network management, and generating basic performance indicators and additional performance indicators in the performance indicators an indicator generating unit 150; A performance index that is controlled by the control unit 120, selects an information type to be used in an information bundle based on the performance index generated by the performance index generator 150, and then analyzes the network performance to generate a performance index analysis result an analysis unit 160; and a network failure processing unit 170 that automatically determines whether there is a failure in a specific area using the analysis result of the performance indicator analysis unit 160 and automatically resolves the network failure.

2 is a conceptual diagram illustrating an example to which the present invention is applied in FIG. 1 .

As shown in this figure, if it is determined that the network failure is a network failure, the network failure processing unit 170 presents recommendations or controls the network by itself, and if it is not possible to control the network by itself or the content is not permitted, the network failure processing unit 170 provides recommendations The solution is presented in the form of a solution, and if it is possible to control the network by itself, it is characterized in that it accesses a specific device in the network using a remote shell command by connecting via SSH to change settings or reboot.

The network failure processing unit 170 determines that a packet loop is expected in the corresponding hop if the speed suddenly slows down when going through a specific hop in the network, and delivers a recommendation of 'check the cable wiring'; If network service is slow at a specific time every day, apply QoS to a specific location discovered by NetFlow and connect to a separate QoS device or switch, and use the QoS function to prevent congestion of server requests from that location It is characterized by automatically handling network failures by adjusting the total amount of network failure, recommending to adjust the client's network access time so that requests are distributed by time period, and recommending server and network expansion including suggestions for additional bandwidth required.

3 is a flowchart illustrating a method for automatically resolving network failures based on automatic packet analysis according to an embodiment of the present invention.

As shown in this figure, if the automatic network failure resolution device 110 of the intelligent network management system 100 performs automatic resolution of network failures, the packet capture unit 130 provides for the network equipment 210 of the data center. To sample NetFlow information or receive packet data from the remote intelligent network management device 220 through a network interface card (NIC), and combine the received packet data into one data stream to create an information bundle Measuring data including network packets, SNMP TRAP, and SYSLOG information of the data center 210 or the remote intelligent network management device 220 by generating necessary raw data and storing it in a raw packet storage buffer a packet capture step (ST1); After the packet capture step, the information bundle generating unit 140 generates metadata for the collected packets, and the metadata includes packet confirmation time, packet size, session ID, packet size, MAC address, and TCP information, Information that creates a session information bundle, BPS information bundle, PPS information bundle, RTT information bundle, timeout information bundle, TCP information bundle, Remarks information bundle, and event information bundle, and compresses and stores data for each type of information at the same time a bundle creation step (ST2); After the information bundle generating step, the performance indicator generating unit 150 receives the generated information bundle, generates a performance indicator required for network management, and generates a basic performance indicator and an additional performance indicator in the performance indicator. (ST3) and; After the performance indicator generation step, the performance indicator analysis unit 160 selects the type of information to be used in the information bundle based on the generated performance indicator, and then analyzes the network performance to generate a performance indicator analysis result (ST4). )Wow; After the performance indicator analysis step, the network failure processing unit 170 automatically determines whether there is a failure in a specific area using the analysis result and automatically resolves the network failure network failure processing step (ST5); do it with

4 is a detailed flowchart of network failure processing in FIG. 3 .

As shown in this figure, the network failure processing step is a failure processing determination step (ST11, ST12) of determining whether a specific area has a failure through the data analyzed with NetFlow information and packet information, and determining which failure processing is to be performed. )Wow; If it is determined that it is a network failure in the failure processing determination step, a recommendation is presented or the network is controlled by itself, and if the network cannot be controlled by itself or the content is not authorized, a solution is presented in the form of a recommendation, and if If it is possible to control the network by itself, connect via SSH, access a specific device on the network using a remote shell command, change settings or reboot, and provide a network failure processing result (ST13, ST14); It is characterized in that it is carried out including

An apparatus and method for automatically solving network failures based on automatic packet analysis according to the present invention collect packet information on network status, automatically determine whether there is a failure in a specific area through the analyzed data, and automatically resolve network failures, It provides a guide for accurate and quick identification and resolution of various and complex network issues (performance, failure, etc.) with one click, and enables any network operator to easily and conveniently manage the network, and information collection and analysis function This has the effect of providing a customized network management service tailored to user needs by interworking with various systems.

In addition, the present invention enables operation (All-In-One) in one system from information collection to analysis, diagnosis, and results, and provides an optimal system selection option suitable for the operating environment (Portable, Rack Mount, Rugged PC, Cloud, etc.) This is possible, and immediate use (Zero Configuration) is possible without pre-setting.

In addition, the present invention has the advantage of not relying on the vendor as a packet collection technology using a general NIC (Network Interface Controller), and has the advantage of not being affected by the user environment by internalizing the L7 protocol automatic classification engine, and interworking with EMS, SIEM, NMS, etc. (Rest API) There is a possible advantage, and there is an effect that a customized service according to the user's request is possible.

In addition, the present invention has the effect of reducing the mean time to repair (MTTR) by 1/5 or more while being cheaper at about 1/4 of the price of a foreign solution for the same purpose. In the prior art, it takes about 1 to 2 weeks to collect system setting information, analyze, and solve the report writing problem. On the other hand, the present invention has the advantage that it can be processed within about 2-3 days from information collection, analysis, report writing, and problem solving. (The total time required to solve the problem is a general empirical value and may vary depending on the nature of the problem.) The present invention can shorten the pre-preparation (setting) time for network information collection, and shorten the time to check the cause of the problem through analysis can do. It can also shorten the time to take action and recover from a problem. In addition, it is possible to shorten the preparation time of the final report.

In addition, in the case of the prior art, a network and solution operation expert is absolutely necessary for network management, but the present invention has the advantage that it can be operated even by a beginner network engineer.

1 is a conceptual diagram of an apparatus for automatically resolving network failures based on automatic packet analysis according to an embodiment of the present invention.
2 is a conceptual diagram illustrating an example to which the present invention is applied in FIG. 1 .
3 is a flowchart illustrating a method for automatically resolving network failures based on automatic packet analysis according to an embodiment of the present invention.
4 is a detailed flowchart of network failure processing in FIG. 3 .

A preferred embodiment of an automatic packet analysis-based automatic network failure resolution apparatus and method according to the present invention configured as described above will be described in detail with reference to the accompanying drawings. In the following description of the present invention, if it is determined that a detailed description of a related well-known function or configuration may unnecessarily obscure the gist of the present invention, the detailed description thereof will be omitted. And the terms to be described later are terms defined in consideration of functions in the present invention, which may vary depending on the intention or precedent of the user or operator, and accordingly, the meaning of each term should be interpreted based on the content throughout this specification. will be.

First, the present invention collects packet information on the network status, automatically determines whether there is a failure in a specific area through the analyzed data, and automatically resolves the network failure, so that various and complex network issues (performance, failure, etc.) It provides a guide for accurate and quick cause identification and resolution with one click, enables network operators to easily and conveniently manage the network, and links with various systems with information collection and analysis functions to provide customized network management service tailored to user needs was intended to provide.

1 is a conceptual diagram of an apparatus for automatically resolving network failures based on automatic packet analysis according to an embodiment of the present invention.

The network failure automatic resolution device 110 of the intelligent network management system 100 that manages the network includes the control unit 120 , the packet capture unit 130 , the information bundle generation unit 140 , and the performance indicator generation unit 150 . , a performance indicator analysis unit 160 , may be configured to include a network failure processing unit 170 .

The control unit 120 collects packet information on the network state from the network failure automatic resolution device 110, automatically determines whether a failure in a specific area is present through the analyzed data, and automatically resolves the network failure, resulting in various and complex networks It provides a guide to accurately and quickly identifying and resolving issues with one click, allowing any network operator to easily and conveniently manage the network, and interlocking with various systems with information collection and analysis functions to customize user needs Controlled to provide network management services.

The packet capture unit 130 receives the control of the control unit 120, and receives packet data from the network equipment 210 of the data center or the remote intelligent network management device 220 through a network interface card (NIC). The data center 210 or the remote intelligent network management device ( 220) measures data including network packet, SNMP TRAP, and SYSLOG information.

The information bundle generation unit 140 is controlled by the control unit 120 and generates metadata for the packets collected by the packet capture unit 130, and the metadata includes packet confirmation time, packet size, session ID, and packet size. , MAC address and TCP information are included. Session information bundle, BPS information bundle, PPS information bundle, RTT information bundle, timeout information bundle, TCP information bundle, Remarks information bundle, and event information bundle are created, and the It compresses and stores data by type at the same time.

The performance indicator generation unit 150 receives the control of the control unit 120, receives the information bundle generated by the information bundle generation unit 140, generates a performance indicator necessary for network management, and the performance indicator includes a basic performance indicator and Generate additional performance indicators.

The performance indicator analysis unit 160 is controlled by the control unit 120, selects the type of information to be used in the information bundle based on the performance indicator generated by the performance indicator generation unit 150, and then analyzes the performance of the network to analyze the performance indicator produce results.

The network failure processing unit 170 automatically determines whether there is a failure in a specific area using the analysis result of the performance indicator analysis unit 160 and automatically resolves the network failure.

The operation of the present invention will be described in more detail as follows.

The packet capture unit 130 receives information of the data center 210 as a packet, and manages the packet data as an information bundle. When packets are collected in the NIC, the packet capture unit 130 separately distributes and stores each packet in an individual queue (hardware buffer) inside the NIC for load distribution in the NIC. And let the application program take out data from the hardware buffer and process it.

In addition, the packet capture unit 130 creates a predetermined number of queues in the NIC hardware itself. In addition, the packet capture unit 130 allocates a separate thread for reading data of the NIC. At this time, one is allocated for each queue. In addition, a separate buffer is created in advance to move and store the raw packets in the NIC's internal queue. Also, it is possible to check whether packets are stacked in the queue automatically or manually. In case of automatic confirmation, there is a delay until the system notifies the result to the program after checking the queue. This is a process of "checking the queue in the system → sending a message to the program → processing the program's message → processing the queue". Therefore, the delay is avoided by manual control based on an infinite loop. That is, it avoids the delay by performing the process of "queue check → queue processing → repeat in the program".

In addition, the packet capture unit 130 calculates and checks the size of data accumulated for each queue by concurrently executing each thread. And select the location to be stored in the buffer for each queue. At this time, if the size of the data to be stored is larger than the remaining size of the buffer, the buffer is replaced with a new empty buffer. Also, after specifying the storage location in advance, each thread writes data to a single buffer at the same time. In general, when multiple threads write to a single buffer at the same time, there may be a problem where multiple threads write data at the same time at the same location, but in this case, there is no problem because the data writing area does not overlap. Since the packet capture unit 130 designates a location to be stored in advance, there is no room for wasting memory. In the case of the prior art, because a single thread is used, the write speed is limited (up to 10 Gbps), or the speed problem is solved by using an FPGA-based separate hardware, whereas the present invention is a 100% software method only. It has the advantage of enabling high-speed processing.

Also, the information bundle generating unit 140 manages a buffer for storing a plurality of packets, and each packet includes an L2 header, an L3 header, an L4 header, and a packet body (body and payload).

The information bundle structure of the information bundle generating unit 140 has a structure such as 'first time to be stored, last time to be stored, information block 1, information block 2, information block 3, ..., information block n'. there is. The structure of the information block consists of the structure of 'compressed size, actual size, and compressed binary information data'. Among the previous information materials, the fixed length has the same structure as 'fixed-width data 1, fixed-width data 2, fixed-width data 3, fixed-width data 4, ..., fixed-width data n'. Among the previous information materials, variable length is 'fixed-width data 1 (including variable-length information), separate-length data 1, fixed-width data 2 (including variable-length information), variable-length data 2, fixed-width data 3 (including variable-length information) , variable-length data 3, ..., fixed-width data n (including variable-length information), and variable-length data n'.

The information bundle generating unit 140 generates metadata for individual packets. The metadata includes packet confirmation time, packet size, session ID, packet size, MAC address, and various TCP-specific information.

The information bundle generated by the information bundle generator 140 includes a session information bundle, a BPS information bundle, a PPS information bundle, an RTT information bundle, a timeout information bundle, a TCP information bundle, a Remarks information bundle, an event information bundle, and the like.

Session ID, client IP/port, server IP/port, L4 protocol, and L7 protocol information are stored in the session information bundle.

Session ID, transmission time (in seconds), data size transmitted from client to server per second, and data size information transmitted from server to client per second are stored in the BPS information bundle.

The PPS information bundle stores the session ID, transmission time (in seconds), the number of packets transmitted from the client to the server per second, and the number of packets transmitted from the server to the client per second.

In the RTT (Round Trip Time) information bundle, session ID, transmission delay time from client to server, and transmission delay time information from server to client are stored.

All session information and occurrence time information are stored in the timeout information bundle.

In the TCP information bundle, the time zone and session information in which TCP SYN occurred, TCP SYN, the time zone and session information in which TCP RST occurred, TCP RST, the time zone and session information in which TCP DUP ACK occurred, TCP DUP ACK, the time zone and session in which TCP packet retransmission occurred It stores TCP packet retransmission information, which is the time of occurrence and the type of problem (TCP Zero Window, Port Reused, Out of Order), and other TCP problem information.

HTTP request/response header, DNS query and response result, SMTP email sender ID, FTP/IMAP/POP3 error content information are stored in Remarks information bundle.

In the event information bundle, event information that occurs when it is above or below a predefined threshold or above a variable rate is stored.

The performance indicator generating unit 150 generates the basic performance indicators including performance indicators of BPS, PPS, latency, and timeout.

In addition, additional performance indicators include performance indicators of the number of flows created by time and IP, TCP performance indicators, performance indicators of IP list providing TCP-based services, IP list of UDP-based services, performance indicators of MAC addresses for each IP, data by port number One or more performance indicators are generated among performance indicators of usage status or performance indicators for each L7 protocol.

TCP performance indicators include TCP RST, TCP Zero Windows, TCP DUP ACKS, TCP retransmission, TCP port reuse, and TCP packet order reversal. A performance indicator of data transmission amount measurement for each sender/receiver may be included.

The performance indicator analysis unit 160 determines that the performance indicator to be analyzed is BPS-based analysis, PPS-based analysis, Timeout-based analysis, TCP RST-based analysis, TCP Zero Windows analysis, TCP DUP ACK analysis, TCP retransmission analysis, TCP port reuse analysis, Determines which performance indicator analysis is performed among TCP packet order reversal analysis, HTTP error status analysis, and additional performance indicator analysis.

If the performance indicator analysis is BPS-based analysis, the performance indicator analysis unit 160 analyzes it as 'traffic surge' if the traffic is 85% or more of the total available bandwidth, and 'continues the excessive traffic state' if the traffic surge state lasts for 60 seconds or more. If more than 50% of the total traffic is concentrated on a single IP, it is analyzed as 'traffic concentration to a specific IP', and if the traffic in use is less than 2% of the total available bandwidth, it is analyzed as 'suspicious network failure'.

In the case of PPS-based analysis, if the broadcast packet occupies more than 70% of the total packet, it is analyzed as 'high bandwidth occupation due to the rapid increase of the broadcast packet'. In this case, it is analyzed as 'unknown packets occupy a large amount of bandwidth'.

In case of timeout based analysis, if timeout occurs for more than 20 IPs per second during the period specified by the user, it is analyzed as 'suspicious of service unavailable due to network interface shutdown or equipment power failure', and if more than 10 IPs per second during the period specified by the user If timeout occurs for less than ~ 20 IPs, it is analyzed as 'suspicious of service interruption due to cable or GBIC (Giga Bitrate Interface Converter, Gigabit Interface Converter) failure'.

In the case of TCP RST-based analysis, if the same server sends RST more than 10 times per second, it is analyzed as 'a request is received from the server side to a destination port that does not exist, or a connection is attempted to a port that has already been connected' And, if the same client sends RST more than 5 times per second, it is analyzed as 'the application wants to close the connection using Reset instead of FIN'. If this is the case, it is analyzed as 'the case where either the server or the client terminates without notifying the termination'.

In the case of TCP Zero Windows analysis, if the TCP Zero Window phenomenon occurs more than 10 times per second, it is analyzed as 'suspected of zero window creation due to errors such as firewalls, IPS security equipment, or WAN accelerators'.

In the case of TCP DUP ACK analysis, if DUP ACK occurs more than 60 times per second from a specific IP, it is analyzed as 'Network Congestion'.

In the case of TCP retransmission analysis, if TCP retransmission occurs more than 1000 times per second in a specific IP, it is analyzed as 'suspicious loop occurrence in the duplication section'.

In the case of TCP port reuse analysis, if TCP port reuse is confirmed more than 3 times per second, it is analyzed as 'suspected of client-side local port exhaustion and server time wait status maintenance'.

In the case of TCP packet reordering analysis, if the reordering occurs more than 3 times per second, it is analyzed as 'suspected of TCP segment loss due to packet loss'.

In the case of HTTP error status analysis, if the status code is HTTP 4XX, if the same phenomenon is found in less than 10 IPs, it is recognized as a 'user input problem' and analyzed. If the status code is HTTP 5XX or HTTP 4XX, If the same phenomenon is found, it is recognized as 'there is a problem in the server or client's code' and analyzed.

In the case of additional analysis of performance indicators, performance indicators are added and analyzed according to the addition of system settings or user additions.

The external device may be the network equipment 210 of the data center or the remote intelligent network management device 220 or the like. The network equipment 210 of the data center measures data by connecting to a physical network (Physical NW) by tapping or port mirroring. In addition, the network equipment 210 of the data center may be a virtualization environment including a virtual switch (vSwitch). The remote intelligent network management device 220 may be a device installed in a remote office.

In addition, the intelligent network management system to which the present invention is applied can perform automatic diagnosis of the network using information bundles. If you look at the contents of automatic diagnosis, the diagnosis items are defined, the condition of the diagnosis target is measured, the symptoms of the diagnosis target are provided, the expected cause is provided, the action method for each expected cause is provided, and the analysis result is provided. Auto-diagnosis targets include performance, usage, and UDP, TCP or HTTP errors.

Automatic network diagnosis includes network status, network usage and performance, failure/event, application service, automatic diagnosis, L2 ~ L7 analysis, statistics and trend analysis, and event processing functions. Through these functions, automatic diagnosis of the network can be performed.

In the automatic diagnosis of network status, the status of network equipment is identified through SNMP Trap information analysis and Syslog data analysis is performed.

In the automatic diagnosis of network usage and performance, automatic diagnosis of BPS (Bits Per Second), PPS (Packets Per Second), Latencies, and Timeout is performed.

Automatic diagnosis of failure/event performs automatic diagnosis of UDP Flag, TCP Resets, TCP Zero Windows, TCP Reuse, TCP Duplicate ACKs, and TCP Retransmission. It also performs automatic diagnosis for HTTP 4XX and HTTP 5XX.

In automatic diagnosis of application service, automatic recognition of application service and detailed analysis of payload are performed. Therefore, automatic diagnosis is performed for HTTP, DNS, SMTP, POP3, IMAP, and FTP.

In automatic diagnosis to suggest the cause and solution of the problem, automatic diagnosis is performed on TCP Retransmission, Hop Low, Microburst, RTT (Round Trip Time), TCP Reset, TCP Zero Windows, TCP DUP ACKs, and Timeout.

In the automatic diagnosis of L2 ~ L7 analysis, Mac usage analysis is performed by Layer 2 analysis, Hop Account analysis is performed by Layer 3 analysis, analysis by port (by source and destination) by Layer 4 analysis, and automatic diagnosis of application services are performed by Layer 7 analysis do.

Automatic diagnosis of statistics and trend analysis performs automatic diagnosis of performance indicators (BPS, PPS, Latency, Timeout), TCP related, HTTP error, Layer 7 analysis, and flow trend.

In the automatic diagnosis of events, threshold setting and control by performance, alarm generation and class setting, search and inquiry by alarm class, and automatic diagnosis of Syslog Server (Remote) and SNMP Trap Server are performed. And alarm/event provides real-time network status monitoring and notification service.

2 is a conceptual diagram illustrating an example to which the present invention is applied in FIG. 1 .

Therefore, the network failure automatic resolution device 110 of the intelligent network management system 100 collects network information using NetFlow by 5-minute sampling for various network equipment 210 such as a switch or router, and a remote intelligent network management device For 220, packet information is received and packet analysis is performed.

NetFlow is network information provided by the switch/router, and data can be collected for each hop.

NetFlow is limited in the types of data that can be obtained due to its nature. That is, only data of L3 or lower levels (L1, L2) can be received.

Since the automatic network failure resolution device 110 of the intelligent network management system 100 of the present invention is based on mirroring, there is no network bandwidth load, but only information about the section in which packets are collected can be obtained, so each hop (eg, a specific switch) and the interval between the switch) cannot be obtained.

The network failure automatic resolution device 110 of the intelligent network management system 100 can analyze all data from L2 to L7 in detail through DPI (Deep Packet Inspection).

Therefore, it can be said that NetFlow of the network equipment 210 of the data center and the remote intelligent network management device 220 to which the present invention is applied are complementary components in terms of the width and depth of the collected network data. .

The network failure automatic resolution device 110 may determine whether there is a failure in a specific area through the data collected and analyzed through the NetFlow of the network equipment 210 and the remote intelligent network management device 220 to which the present invention is applied.

Therefore, when it is determined that there is a failure, the network failure processing unit 170 may present a recommendation or control the network by itself. In addition, if the network cannot be controlled by itself or the content is not authorized, a solution can be suggested in the form of a recommendation. Also, if you can control the network yourself, you can access a specific device to change settings or reboot. In this case, most of the time, SSH is connected and the remote shell command is used to control.

If the network failure processing unit 170 suddenly slows down when going through a specific hop in a very busy network, the amount of packets checked through NetFlow may be at a normal level, or BPS shown by NetFlow may also be normal. At this time, the network failure automatic resolution device 110 detects hundreds to thousands of TCP DUP ACKs and retransmissions per second from IPs related to the corresponding hop. So, in this case, it can be determined that a packet loop is expected at the corresponding hop. Packet loops are almost always caused by incorrect cable wiring. This is not an issue that can be resolved by changing the settings, so we deliver recommendations such as 'check the cable wiring'. Here, the 'very busy network' refers to a case in which one or more components of the equipment performing the corresponding communication are overloaded at the time of measurement. At this time, the communication equipment refers to a client computer, a server computer, and all network equipment (switches, routers, and various security equipment) connecting the client and the server. Also, the components of the equipment are CPU, RAM, Disk, and network port.

In addition, the network failure processing unit 170 can cope with a case in which the service of the network becomes slow if only a specific time period is reached every day. This notifies that both the NetFlow of the network equipment 210 of the data center and the automatic remote network failure resolution device 220 increase the traffic to the server in charge of the network service during the corresponding time period. In addition, NetFlow can confirm that the traffic to the network service is concentrated in a specific location. The remote network failure automatic resolution apparatus 220 may confirm that the response delay from the server is very long only in the corresponding time period. In addition, server personnel may report bursts of CPU and disk usage only during that time period. In this situation, various solutions can be proposed or applied. In other words, it is possible to apply QoS to a specific location discovered by NetFlow, connect to a separate QoS device or switch, and automatically handle network failures by adjusting the total amount of traffic so that server requests do not overflow from the location using the QoS function. there is. It may also be recommended to adjust the client's network connection time so that requests are distributed over time. It can also recommend server and network expansion, including suggestions for additional bandwidth needed.

3 is a flowchart illustrating a method for automatically resolving network failures based on automatic packet analysis according to an embodiment of the present invention.

In the packet capture step (ST1), if the automatic network failure resolution device 110 of the intelligent network management system 100 performs automatic resolution of network failures, the packet capture unit 130 sends to the network equipment 210 of the data center. Sampling the NetFlow information for the network, or receiving packet data from the remote intelligent network management device 220 through a network interface card (NIC), and combining the received packet data into one data stream to create an information bundle The raw data required for this purpose is generated and stored in a raw packet storage buffer, and data including network packets, SNMP TRAP, and SYSLOG information of the data center 210 or the remote intelligent network management device 220 are measured.

In the information bundle generating step ST2, after the packet capturing step, the information bundle generating unit 140 generates metadata for the collected packets, and the metadata includes packet confirmation time, packet size, session ID, packet size, MAC address and TCP information are included, and a session information bundle, BPS information bundle, PPS information bundle, RTT information bundle, timeout information bundle, TCP information bundle, Remarks information bundle, and event information bundle are generated, and each type of information bundle is simultaneously generated. Compress and store data.

In the performance indicator generating step ST3, after the information bundle generation step, the performance indicator generating unit 150 receives the generated information bundle, generates a performance indicator necessary for network management, and includes a basic performance indicator and an additional performance indicator in the performance indicator. to create

In the performance indicator analysis step ST4, after the performance indicator generation step, the performance indicator analysis unit 160 selects the type of information to be used in the information bundle based on the generated performance indicator, and then analyzes the network performance to generate the performance indicator analysis result. do.

In the network failure processing step ST5, after the performance indicator analysis step, the network failure processing unit 170 automatically determines whether a failure in a specific area is present using the analysis result and automatically resolves the network failure.

4 is a detailed flowchart of network failure processing in FIG. 3 .

In the failure processing determination step (ST11, ST12), it is determined whether there is a failure in a specific area through the data analyzed by NetFlow information and packet information, and which failure processing is to be performed.

In the failure processing execution step (ST13, ST14), if it is determined that the network is faulty in the failure processing determination step, a recommendation is presented or the network is controlled by oneself, and if the network cannot be controlled by oneself or the contents are not authorized, a recommendation is made The solution is presented in the form of a solution, and if you can control the network yourself, connect via SSH and use a remote shell command to access a specific device on the network, change settings or reboot, and provide the network error handling result.

As such, the present invention collects packet information on the network status, automatically determines whether there is a failure in a specific area through the analyzed data, and automatically resolves the network failure, so that various and complex network issues (performance, failure, etc.) It provides a guide for accurate and quick cause identification and resolution with one click, enables network operators to easily and conveniently manage the network, and links with various systems with information collection and analysis functions to provide customized network management service tailored to user needs will provide

Although the present invention has been described in more detail with reference to examples above, the present invention is not necessarily limited to these examples, and various modifications may be made within the scope without departing from the technical spirit of the present invention. Therefore, the embodiments disclosed in the present invention are not intended to limit the technical spirit of the present invention, but to explain, and the scope of the technical spirit of the present invention is not limited by these embodiments. The protection scope of the present invention should be construed by the claims, and all technical ideas within the scope equivalent thereto should be construed as being included in the scope of the present invention.

100: intelligent network management system
110: network failure automatic resolution device
120: control unit
130: packet capture unit
140: information bundle generation unit
150: performance indicator generation unit
160: performance indicator analysis unit
170: network failure handling unit
210: network equipment in the data center
220: remote intelligent network management device

Claims (5)

An apparatus for automatically solving network failures of an intelligent network management system that manages networks, the apparatus comprising:
The network failure automatic resolution device collects packet information on the network status, automatically determines whether there is a failure in a specific area through the analyzed data, and automatically resolves network failures with one click for various and complex network issues It provides a guide for accurate and quick cause identification and resolution, enables any network operator to easily and conveniently manage the network, and provides customized network management services tailored to user needs by linking with various systems with information collection and analysis functions. a control unit for controlling;
Raw data required to receive packet data from network equipment in a data center or remote intelligent network management device through a network interface card under the control of the control unit, and combine the received packet data into one data stream to create an information bundle a packet capture unit that generates and stores data in a raw packet storage buffer to measure data including network packets, SNMP TRAP, and SYSLOG information of the data center or the remote intelligent network management device;
Under the control of the control unit, metadata for the packets collected by the packet capture unit is generated, and the metadata includes packet confirmation time, packet size, session ID, packet size, MAC address, and TCP information, and session information Creating bundles, BPS information bundles, PPS information bundles, RTT information bundles, timeout information bundles, TCP information bundles, Remarks information bundles, and event information bundles wealth;
a performance indicator generating unit receiving the control of the control unit, receiving the information bundle generated by the information bundle generating unit, generating a performance indicator required for network management, and generating a basic performance indicator and an additional performance indicator in the performance indicator;
a performance indicator analyzing unit under the control of the control unit, selecting an information type to be used in the information bundle based on the performance indicator generated by the performance indicator generating unit, and then analyzing network performance to generate a performance indicator analysis result;
A network failure processing unit that automatically determines whether a specific area has a failure using the analysis result of the performance indicator analysis unit and automatically resolves the network failure; and
The network failure processing unit provides recommendations or controls the network by itself if it is determined that it is a network failure, and presents a solution in the form of a recommendation if it is not possible to control the network by itself or the content is not permitted, and if If you can control the network yourself, connect via SSH and access a specific device on the network using a remote shell command to change settings or reboot.
the network failure processing unit, if the speed suddenly slows down when going through a specific hop in the network, determines that a packet loop is expected at the corresponding hop, and transmits a recommendation of 'check the cable wiring'; If network service is slow at a specific time every day, apply QoS to a specific location discovered by NetFlow and connect to a separate QoS device or switch, and use the QoS function to prevent congestion of server requests from that location Automatic, characterized in that it automatically handles network failures by adjusting the total amount of A device that automatically resolves network failures based on packet analysis.
delete delete When the network failure automatic resolution device of the intelligent network management system performs automatic resolution of the network failure, the packet capture unit samples the NetFlow information about the network equipment in the data center or sends packet data from the remote intelligent network management apparatus to the network interface card. the raw data required to generate an information bundle by combining the received packet data into one data stream, and storing the raw data in a raw packet storage buffer, the network packet of the data center or the remote intelligent network management device; A packet capture step of measuring data including SNMP TRAP and SYSLOG information;
After the packet capture step, the information bundle generating unit generates metadata for the collected packets, and the metadata includes packet confirmation time, packet size, session ID, packet size, MAC address and TCP information, session information bundle, The information bundle creation step of creating BPS information bundle, PPS information bundle, RTT information bundle, timeout information bundle, TCP information bundle, Remarks information bundle, and event information bundle, and compressing and storing data at the same time for each type of information bundle; ;
a performance indicator generation step of, after the information bundle generating step, the performance indicator generation unit receives the generated information bundle, generates a performance indicator necessary for network management, and generates a basic performance indicator and an additional performance indicator in the performance indicator;
a performance indicator analysis step of generating a performance indicator analysis result by selecting the type of information to be used in the information bundle based on the performance indicator generated by the performance indicator analyzing unit, and then analyzing the network performance;
After the performance indicator analysis step, the network failure processing unit automatically determines whether there is a failure in a specific area using the analysis result and automatically resolves the network failure.
The network failure processing step,
a failure processing determination step of determining whether a specific area has a failure through the data analyzed by NetFlow information and packet information, and determining which failure processing is to be performed;
If it is determined that it is a network failure in the failure processing determination step, a recommendation is presented or the network is controlled by itself. a failure handling step of accessing a specific device in the network by using a remote shell command to access a specific device in the network by using SSH, when it is able to control the network by itself, changing settings or rebooting, and providing a network failure handling result;
A method for automatically resolving network failures based on automatic packet analysis, comprising: delete

Images