KR20090124944A - System and method for identifying application topology - Google Patents

Abstract

PURPOSE: A system and a method for distinguishing an application topology within a host are provided to efficiently distinguish the application topology by using interaction carried by packets. CONSTITUTION: A packet extractor(102) extracts packets from network traffic generating in a predetermined period. An interaction identifier(103) identifies interaction mobbed by the packets according to an interaction characteristic. A stream generator(104) occurs streams. The stream comprises the statistics about the interaction having the same type. A correlator(105) discovers transmission stream from lead-ins and transmission stream of nodes.

Description

System and method for identifying application topologies {SYSTEM AND METHOD FOR IDENTIFYING APPLICATION TOPOLOGY}

TECHNICAL FIELD The present invention relates to configuration management in Information Technology (IT) systems, and more particularly to methods and systems for identifying application topologies.

There are many tools that facilitate IT management in IT systems such as data centers. However, these tools still face various challenges. For example, the scale and complexity of a system is increasing rapidly, and components of the system such as servers and applications are frequently changing. Administrators usually know the devices and network topologies within the IT system, but these are not enough to manage the IT system more effectively and more efficiently. Managers need to have more complete knowledge about IT systems.

One aspect of this knowledge is the application topology in IT systems, i.e. the deployment of components of applications (e.g. programs, services, components, etc.) within hosts (e.g. servers) of the IT system. , And interaction between components of these deployed applications (eg, a request-response about a service).

There have been several tools for identifying application topologies. For example, IBM's Tivoli Application Dependency Discovery Manager (TADDM) can discover application topologies by scanning ports / configurations. However, these early types of tools must initially scan the IP address and predetermined ports to find the application, log on to the server to obtain and analyze the application configuration file, or require special installation of the agent.

NLayers InSight, a Canadian EMC company, is a passive tool for identifying application topologies by scanning packets obtained through means such as port mirroring, network cable taps, and so on. NLayers InSight identifies application components and their interactions according to predefined interaction characteristics (finger prints) from the effective loads placed on the packet, and the time of occurrence between the causal interactions accordingly. Identify correlations between interactions based on the assumption that a correlation exists in. However, for this type of tool, much information needs to be prepared before they can work. In addition, because of the differences between operating environments for executing application components, the occurrence times are highly dependent on the operating environment, and thus show large jitter due to changes in the operating environment. They can reduce the effectiveness and success rate of identification.

Thus, there is a need to provide a means for identifying an application topology based on less information.

It is an object of the present invention to provide a method and system for identifying an application topology in order to increase the identification efficiency of the application topology.

An embodiment of the present invention is a system for identifying an application topology, comprising: a packet extractor configured to extract packets from network traffic occurring in a predetermined period of time, and to obtain transmission times of packets, the source address and destination address of each of the packets; At least one of the packet extractors is within a predetermined host range; An interaction identifier configured to identify an interaction carried by packets according to the interaction characteristic, wherein each of the interactions includes a type of interaction, a requesting side of the interaction, and a response side of the interaction; Interaction identifier; A stream each representing an interaction having the same type, the same requesting side, and the same responding side, and containing statistics about the same type of interaction carried by packets extracted during each unit interval within a predetermined period of time; A stream generator configured to generate audio signals; And a correlator configured to find correlated incoming and outgoing streams from all incoming and outgoing streams of nodes having incoming and / or outgoing streams.

An embodiment of the present invention is a method of identifying an application topology, the method comprising extracting packets from network traffic occurring in a predetermined period of time and obtaining a transmission time of the packets, wherein at least one of a source address and a destination address of each of the packets is provided. Extracting the packets and obtaining a transmission time of the packets, wherein is within a predetermined host range; Identifying the interaction carried by the packets according to the interaction characteristics, wherein each of the interactions includes a type of interaction, a requesting side of the interaction, and a response side of the interaction. step; A stream, each representing an interaction having the same type, the same requesting side, and the same responding side, the statistics comprising statistics about the same type of interaction carried by packets extracted during each unit interval within a predetermined period of time; Generating them; And finding a correlated incoming stream and outgoing stream from all incoming streams and outgoing streams of nodes having an incoming stream and / or an outgoing stream.

The identification efficiency of the application topology is increased.

Embodiments of the present invention are described below with reference to the drawings. It should be noted that for the sake of clarity, the representations and descriptions of these components and processes known by those skilled in the art that are not related to the present invention are omitted in the drawings and the detailed description.

1 illustrates an exemplary structure of a system 100 for identifying an application topology in accordance with one embodiment of the present invention.

As shown in FIG. 1, system 100 includes a packet extractor 102, an interaction identifier 103, a stream generator 104, and a correlator 105.

Packet extractor 102 receives packets (ie, network packets) from the network. Systems managed by an administrator through system 100 are within certain limits. Hosts within this range are interconnected through the network. Application components deployed on the hosts interact via a network to implement various applications. It is possible to use techniques such as switch port monitoring, cable tap / fiber splitters, and hubs to obtain packets transmitted over a monitored network connection in real time without affecting typical interactions. Since it is possible to identify the host either by an address (e.g. an Internet Protocol (IP) address) or by a similar identifier carried by the packets (e.g. a Uniform Resource Identifier), the packets obtained are usually It is based on a uniform group of network protocols (eg, Transmission Control Protocol (TCP) / IP). However, to facilitate the acquisition of packets, it is also possible to capture packets that are compatible with the protocol family if no address or identifier collision exists.

The packet extractor 102 extracts, from packets obtained in real time, packets whose at least one of its source address and destination address are within a predetermined host range, i.e., packets whose system is within the range of which the application topology is desired. Record the corresponding extraction time as the transmission time of the packets. If the packet carries the corresponding transmission time directly, the packet extractor 102 records this transmission time as the extraction time. If the packets extracted by the packet extractor 102 are not analyzed in real time, it is necessary to record the extraction time in the packet record to approximate the transmission time of the packets.

Packet extractor 102 may determine whether nodes are to be analyzed according to whether identifiers or source / destination addresses obtained through address translation of the packet fall within a predetermined host range. One node may be a host or similar processing device. One node may have one or more addresses or identifiers.

Preferably, packet extractor 102 may include an apparatus (not shown) for filtering out unnecessary packets. The device eliminates duplicate packets, such as packets having the same sequence number, and / or removes application-specific packets such as routing protocol packets.

Interaction identifier 103 identifies the interaction carried by the packets extracted by packet extractor 102 in accordance with the interaction characteristics. Interaction refers to the activity of application components to transfer information between each other according to an application protocol to execute the business logic of the application. In general, interactions can be generalized as a request-response model. Here, the application component as the requesting side sends a request message (to initiate interaction) to the application component as the responding side, the responding side executes the requested business logic upon receipt of the request message, and requests the corresponding result. It does not return to the side or return any information. In the context of the present application, an interaction is usually represented by a request message, but may be represented by some or all of the messages generated during the entire request-response process.

Messages that represent interaction are usually encapsulated according to the application protocol. Examples of application protocols include Hyper Text Transfer Protocol (HTTP), Hyper Text Transfer Protocol Secure (HTTPS), Java Database Connectivity (JDBC) / Open Database Connectivity (ODBC), Light Directory Access Protocol (LDAP), and Simple Mail Transfer (SMTP). Protocol, Post Office Protocol Version 3 (POP3), and Network News Transfer Protocol (NNTP), but are not limited to these. Messages encapsulated according to the application protocol are carried by packet. Packets carrying messages for initiating an interaction are also called interaction initiation packets.

The type of interaction depends on the type of application protocol and the discretizing granularity. For example, for an interaction represented by the HTTP request message "GET / index.jsp HTTP / 1.1", if the segmentation criteria is a server, then the type of interaction is either a protocol type (eg HTTP) or a protocol. The type is distinguished by the addition of the protocol version (eg HTTP / 1.1). If the segmentation criterion is a service, then the type of interaction is either the protocol plus the business type (eg HTTP (/ index)) or the protocol type plus the protocol type and the business type (HTTP, HTTP / 1.1 ( / Index)). Different application protocols have their own way to distinguish. Protocols and service characteristics for identifying interactions can be designed for various application protocols. For example, it is possible to adopt similar methods for identifying protocols in EMC's nLayers InSight's interactivity characteristics description.

The interaction identified by interaction identifier 103 may include, for example, the following information. Type of interaction, requesting side of the interaction, and responding side of the interaction. The requesting side of the interaction may be indicated in the source address or source identifier (eg, URL, etc.) of the packet for initiating the interaction (eg, synchronization request packet), and the responding side of the interaction, It may be indicated by a destination address or a destination identifier (eg, a URL, etc.) of the packet to initiate (eg, a synchronization request packet).

Preferably, the interaction identifier 103 is for example the request side when the requesting side (eg, source address or source identifier of the application component initiating the interaction) is not within a predetermined host range, for example. It can be recognized as that particular requestor, such as a separate external server. Preferably, interaction identifier 103 may ignore the interaction when the responding party is not within a predetermined host range to exclude topologies that are not relevant to the application of interest.

Stream generator 104 generates a stream from interactions having the same type, request side, and response side, and derives the pattern of the stream. In the context of the present application, a stream represents all the interactions having the same requesting side, the same responding side, and the same interaction type, among the interactions carried by packets occurring during a given period of time. The pattern of the stream refers to a pattern formed by statistics on the interaction of the stream carried by packets generated at each unit interval of the predetermined period. The predetermined period of time (eg, hours, days, etc.) and the unit interval (eg, seconds, minutes, etc.) may be determined according to a particular embodiment. The statistics may be, for example, the number of interactions, the amount of data of the interactions, or a combination thereof (eg, a sum, a weighted sum, etc.).

The stream generated by the stream generator 104 may include, for example, the following information: the type of stream (ie, the type of correlation interaction), the requesting side of the stream (ie, the correlation interaction). Requesting side), the responding side of the stream (ie, the responding side of the correlation interaction), and the pattern of the stream. 2 graphically illustrates an example behavior pattern of a stream. Where the horizontal axis represents time and the vertical axis represents the number of HTTP interactions per minute.

For the end point of each of all streams generated by the stream generator 104 (ie, nodes physically correspond to the end point and can be the requesting or responding side of the stream), the correlator 105 is the end point. Obtain all incoming streams of (ie, streams having end points as their respondents) and all outgoing streams (ie, streams with end points as their requesting side). It should be noted that the end point includes not only an end point having an incoming stream and an outgoing stream, but also an end point having only an incoming stream or an outgoing stream. The correlation value between the statistical patterns for each of the incoming streams and each of the outgoing streams is calculated. The correlator 105 selects as a pair of incoming streams and outgoing streams a pair of incoming streams and outgoing streams whose correlation value exceeds a predetermined threshold (threshold may be zero) and is the maximum of all correlation values. That is, they are identified as belonging to the same correlation. In the case of excluding these incoming and outgoing stream pairs, the correlator 105 performs the above calculation and selection once again. The processes then continue until there are no incoming streams and outgoing streams with correlation values above a predetermined threshold (threshold may be zero), or until all incoming streams have been correlated with each outgoing stream. Or iterate until all outgoing streams are correlated with each incoming stream. A series of incoming streams and outgoing streams may belong to the same correlation. Note that the present invention is not limited to the above correlation values, but any metric for expressing the degree of correlation may be used. In addition, the present invention is not limited to the above predetermined threshold, but any threshold condition for comparing the degree of correlation may be used. The threshold condition can be entered manually. The threshold may be zero. That is, there is no threshold limit. The threshold means that all incoming streams and outgoing streams are classified according to their degree of correlation, and then a pair or group of incoming streams and outgoing streams with higher correlation values can be selected for further analysis.

Correlation of streams represents multilevel dependencies between application components. For example, client A sends an HTTP query request to web server B, and web server B sends a JDBC query request to database C in response to this HTTP query request. Since there is a causal relationship between the HTTP query request and the JDBC query request, the pattern of streams corresponding to these requests has a higher similarity within a given time interval.

To measure the correlation, various correlation algorithms may be used that calculate the correlation between the stream patterns. For example, the correlation coefficient can be calculated by the following equation.

이고

ego

X represents the pattern of the incoming stream, Y represents the pattern of the outgoing stream. X _i represents the statistics for the unit interval i in the pattern X, Y _i represents the statistics for the unit interval i in the pattern Y. ρ _{X, Y} represents the correlation between patterns X and Y, cov (X, Y) represents the covariance of patterns X and Y, σ _X represents the standard deviation of pattern X, and σ _Y represents the standard of pattern Y Indicates a deviation. n is the number of unit intervals, μ _X is the average value of the pattern X, and μ _Y is the average value of the pattern Y. N can be replaced with n-1 in the equation for calculating the standard deviation. Instead of using the correlation coefficient, the correlation value may be represented by using, for example, a T value or a P value.

3 shows the stream pattern of the HTTP query request and the stream pattern of the JDBC query request in the above example. It can be seen from FIG. 3 that the similarity between these two stream patterns is higher. Correlation calculations also show that the correlation between these two streams is a maximum (0.889), so that these two stream patterns can be analyzed to belong to the same correlation.

In one embodiment, system 100 may include a type identifier (not shown). The type identifier determines the server type of the responding party for each stream by using the server type pattern. The server type pattern defines the correspondence between the type of interaction in the stream and the server type on the responding side. For example, server type patterns include, but are not limited to, the following correspondences.

Interaction Type HTTP corresponds to a web server.

Interaction Types JDBC corresponds to the database server.

● Interaction type LDAP corresponds to the LDAP server.

In one embodiment, the system 100 may include a transducer (not shown). The converter connects the corresponding requesting and responding sides to the streams, displays the correlation between the streams and the server types on the responding side, and provides the application topology in a visual form for providing via a device such as a display. To convert.

The method of the invention shown in FIG. 4 will be described in connection with the example of FIG. 5. 4 is a flowchart illustrating a method of identifying an application topology according to an embodiment of the present invention. 5 illustrates an example application topology.

As shown in FIG. 4, the method begins at 400. Then, in step 401, packets whose at least one of the source address and the destination address are within a predetermined host range are extracted from the network traffic generated in the predetermined period, and the transmission times of the packets are obtained. As shown in Fig. 5, the monitored system includes a mail server 501 having an IP address 100.1.0.1; A web server 502 with an IP address 100.1.0.2; A mail server 503 having an IP address 100.0.0.1; A web server 504 with an IP address 100.0.0.2; It is assumed to include an LDAP server 505 with an IP address 100.0.0.3. Servers 501 and 502 are located on the same physical server 500. In step 401, packets whose destination IP address is within this range are extracted.

Next, in step 402, the interactions carried by the packets are identified according to the interaction characteristic. Here, each of the interactions includes a type of interaction, a requesting side of the interaction, and a response side of the interaction. For the example shown in FIG. 5, interaction A from client to server 501 of type POP3, interaction B from client to server 502 of type HTTP, server 503 of type POP3 from server 501 Interaction C, interaction D from server 502 to server 504 of type HTTP, interaction E from server 504 to server 505 of type LDAP, and the request of the interactions identified by the IP address. It is possible to identify the side and the response side.

Then, in step 403, streams are generated that represent interactions each having the same type, same request and same response side. Here, each stream includes statistics about interactions of the type of interaction carried by packets extracted during each unit interval within a predetermined period of time. For the example of FIG. 5, streams labeled A ', B', C ', D', and E 'are generated, respectively, which correspond to the interactions obtained in step 402. Then, in step 404, statistics on the incoming stream and statistics on the outgoing stream, from all incoming streams and all outgoing streams of each responder having both an incoming stream and an outgoing stream, for a predetermined period of time. All incoming streams and outgoing streams with the highest degree of correlation between and satisfying a predetermined threshold condition are found, and the found incoming streams and outgoing streams are marked as belonging to the same correlation. Here, the correlation between the incoming stream and the outgoing stream is excluded from the range to be subsequently retrieved in order to ensure the convergence of the analysis method. For the example of FIG. 5, assuming that the correlation values between streams A 'and C' and between streams B 'and D' and between streams D 'and E' are maximum, at step 404, stream A ' And C 'belong to the same correlation, and streams B', D 'and E' belong to the same correlation.

Further, by using the server type pattern, it is possible to determine the server type of the response side for each stream. In the example of FIG. 5, server 501 is a mail server, server 502 is a web server, server 503 is a mail server, server 504 is a web server, and server 505 is an LDAP server. It is possible to determine.

Furthermore, it is possible to connect the corresponding requesting and responding sides to the streams and to display the correlation between the streams and the server types on the responding side to transform the application topology into a visual form. For example, it is possible to display the application topology in a form similar to the example shown in FIG. 5. Here, the correlation between the streams can be represented by a particular mark (eg by color or symbol).

The processes and devices may be implemented through hardware. Such hardware may be one processing device or a plurality of processing devices. Such a processing device may be a microprocessor, microcontroller, digital processor, microcomputer, part of a central processing unit, state machine, logic circuits, and / or any device capable of manipulating signals.

Note that the above-described series of devices may be implemented in software or firmware. When the above-described series of processes are implemented in software, the general-purpose personal computer 600 illustrated in FIG. 6 may perform various functions when various programs are installed, from a storage medium or a network, the program constituting the software. It is installed in a computer having a dedicated hardware configuration, such as.

In FIG. 6, the central processing unit (CPU) 601 is stored in a program loaded in the random access memory (RAM) 603 according to the program stored in the read-only memory (ROM) 602 or from the storage section 608. Thus, various processes are performed. In the RAM 603, the data required when the CPU 601 performs various processes and the like are also stored if necessary.

The CPU 601, the ROM 602, and the RAM 603 are connected to each other via the bus 604. Input / output interface 605 is also connected to bus 604.

An input section 606 including the following components: a keyboard, a mouse, and the like; An output section 607 including a display, such as a cathode ray tube (CRT), a liquid crystal display (LCD), and a loudspeaker; A storage section 608 including a hard disk or the like; And a communication section 609 including a network interface card such as a LAN card, a modem, or the like, is connected to the input / output interface 605.

Drive 610 is also connected to input / output interface 605 if necessary. Removable media 611, such as magnetic disk, optical disk, magneto-optical disk, semiconductor memory, etc., is mounted on drive 610 if necessary, such that a computer program read therefrom is installed in storage section 608 if necessary.

When the above-described series of processes are implemented by software, the program constituting the software is installed from a storage medium such as removable medium 611 or a network such as the Internet.

Those skilled in the art should note that this storage medium is not limited to the removable medium 611 in which the program as illustrated in FIG. 6 is stored, which is delivered separately from the apparatus for providing the program to the user. Examples of removable media 611 include magnetic disks (including floppy disks), optical disks (including compact disk-read only memory (CD-ROM) and digital budget disks (DVD)), magneto-optical disks (including MD), And semiconductor memories. In the alternative, the storage medium may be a ROM 602 in which a program is stored, a hard disk included in the storage section 608, or the like, along with a device including the same, to be delivered to the user.

Note that the steps in which the above-described series of processes are performed may be performed naturally in time order in the order described, but need not necessarily be performed in time order. Some steps may be performed in parallel or independently of one another.

While exemplary embodiments have been described, it should be understood that various other changes, substitutions, and alterations can be made by those skilled in the art without departing from the scope or spirit of the invention.

The above and / or other aspects, features, and / or advantages of the present invention will be readily understood in view of the following detailed description by reference to the accompanying drawings. In the accompanying drawings, the same or corresponding technical features or components will be indicated by the same or corresponding reference numerals.

1 illustrates an exemplary structure of a system for identifying an application topology in accordance with one embodiment of the present invention.

2 graphically depicts an exemplary behavior pattern of a stream.

3 illustrates a stream pattern of an HTTP query request and a stream pattern of a JDBC query request in one example.

4 is a flow diagram illustrating a method of identifying an application topology in accordance with one embodiment of the present invention.

5 illustrates an example application topology.

6 is a block diagram illustrating an exemplary implementation of a computer for implementing the present invention.

Claims (10)

A system for identifying application topologies, A packet extractor configured to extract packets from network traffic occurring within a predetermined period of time and obtain a transmission time of the packets, wherein at least one of a source address and a destination address of each of the packets is within a predetermined host range Extractor; An interaction identifier configured to identify an interaction carried by packets according to the interaction characteristic, wherein each of the interactions includes a type of interaction, a requesting side of the interaction, and a response side of the interaction; Interaction identifier; A stream each representing an interaction having the same type, the same requesting side, and the same responding side, and containing statistics about the same type of interaction carried by packets extracted during each unit interval within a predetermined period of time; A stream generator configured to generate audio signals; And A correlator configured to discover correlated incoming streams and outgoing streams from all incoming streams and outgoing streams of nodes having incoming streams and / or outgoing streams Including, the system. The method of claim 1, wherein the packet extractor, Means for filtering duplicate packets and packets irrelevant to the application. The method of claim 1, wherein the interaction characteristic, The characteristic of the protocol on which the interactions are based, or a combination of the characteristic of the protocol and the application. The method according to any one of claims 1 to 3, And a type identifier configured to determine the server type of the responding party for each stream by using a server type pattern. The method according to any one of claims 1 to 3, And a converter configured to display a correlation between the streams and the server types of the responding side to connect corresponding requesting and responding sides to the streams and to convert the application topology into a visual form. As a method of identifying application topology, Extracting packets from network traffic occurring in a predetermined period of time and obtaining a transmission time of the packets, wherein at least one of a source address and a destination address of each of the packets is within a predetermined host range and Obtaining a transmission time of packets; Identifying the interactions carried by the packets according to the interaction characteristics, wherein each of the interactions includes a type of interaction, a requesting side of the interaction, and a response side of the interaction. Making; Each representing an interaction having the same type, the same requesting side, and the same responding side, and comprising statistics about the same type of interaction carried by packets extracted during each unit interval within the predetermined period of time; Generating streams; And Discovering correlated incoming streams and outgoing streams from all incoming streams and outgoing streams of nodes having an incoming stream and / or an outgoing stream; The application topology identification method comprising a. The method of claim 6, wherein the protocol, Application topology identification method, including HTTP, HTTPS, JDBC / ODBC, LDAP, SMTP, POP3, or NNTP. The method of claim 6, wherein the requesting and responding side of the interactions, Wherein each is indicated by a source address and a destination address of packets for initiating the interactions. The method of claim 6, wherein the identifying step, Wherein the requesting side identifies as the particular requesting side the requesting side of the interaction that is not within a predetermined host range. The method of claim 6, wherein the identifying step, And the responding party ignores the interaction that is not within the predetermined host range.

Images