KR20100045257A - Network traffic monitoring method and apparatus - Google Patents

Abstract

PURPOSE: A network traffic monitoring method for grasping an interface of a relative device having greater than traffic through collection and inspection of the network traffic is provided to discover an interface and a device with traffic error by collecting traffic. CONSTITUTION: If the value of the input traffic is greater than the fixed the input threshold, a traffic state decision unit decides the traffic abnormality of a device(S703). An interface with a traffic monitoring device is greater than value of the input traffic(S704~S709). A traffic collecting unit collects each interfaec interface traffic(S706). An interface input attribute value is greater than the fixed input threshold, the traffic state judgment unit detects the target interface.

Description

Network traffic monitoring method and apparatus

The present invention relates to a network management apparatus and method, and more particularly, to a network traffic monitoring apparatus and method for identifying the interface of a device having a traffic abnormality by collecting network traffic and inspecting the collected traffic value for stable network management will be.

Currently operating network management system periodically checks the traffic values measured at the router's interface through SNMP (Simple Network Management Protocol) to monitor the abnormal flow of network traffic.

The network management system notifies the operator when the value of the collected traffic exceeds the threshold set by the operator, and releases the alert when it does not exceed the threshold.

However, in the conventional network traffic monitoring method, if the frequency of collecting the traffic is short, there is no problem in the small network where the number of routers to be measured is small. Becomes high.

For example, assuming an average of 20 interfaces per device, a total of 1000 interfaces are measured in a small network of 50 routers. However, in a large network of about 1,000 routers, the number of interfaces to be measured is 20,000.

If the measurement period is 5 minutes, the traffic collection server may have no problem collecting traffic in both small and large networks. However, if the measurement period is shortened to 1 minute for faster and more detailed monitoring, the processing is performed in the large network. The amount of traffic that needs to be increased significantly can cause performance problems for the collection server.

The technical problem to be achieved by the present invention is to provide an apparatus and method for monitoring network traffic that enables fast and detailed network traffic collection without burdening a large network.

The technical problem to be achieved by the present invention is to provide an apparatus and method for monitoring network traffic that detects an interface with a traffic abnormality even though a fast and detailed network collection is performed.

The present invention according to the first aspect for achieving the above technical problem provides a method for monitoring network traffic by the number of traffic measurement cycles N (the minimum value of N is 2) consecutive traffic measurement cycles. The method includes collecting a device traffic at least once of the N times at a first time for a first device, and setting a value of the device traffic collected during the first time to a first threshold value. Comparing the second step of determining whether there is a traffic abnormality, the interface traffic is determined by giving a second time longer than the first time for each interface of the first equipment having the traffic abnormality identified through the value of the equipment traffic. A third step of collecting, and a fourth step of determining whether there is an abnormal traffic by comparing the value of the interface traffic for each interface collected during the second time period with a second threshold set for each interface.

Here, the network traffic monitoring method of the present invention includes a fifth step of collecting the interface traffic at least once every N times for a third time longer than the first time for each interface of the first equipment, And a sixth step of determining whether there is an abnormal traffic by comparing the value of the interface traffic for each interface collected for three hours with a second threshold set for each interface.

In addition, the network traffic monitoring method of the present invention, before the first step,

A seventh step of collecting the M traffic of the first device and the interface traffic of each interface of the first device M times for a third period of time during the setting period for each network device; An eighth step of determining whether or not there is a correlation between the value of the first collected equipment traffic and the sum of the interface traffic for each interface, in the order of the traffic; and the sum of the value of the equipment traffic and the interface traffic for each interface. The method may further include a ninth step of excluding the equipment having no correlation between values from the traffic monitoring target and registering the correlation equipment as the first equipment.

In addition, the present invention according to the first aspect for achieving the above technical problem provides a network traffic monitoring apparatus for monitoring network traffic using a number of consecutive traffic measurement number of N (the minimum value of N is 2) times as a traffic measurement cycle. The apparatus may include a database storing a device traffic collection possible list in which information of a test target device capable of inspecting network traffic is recorded, and at least one of the N times for the test target device recorded in the device traffic collection possible list. A traffic collector configured to collect equipment traffic at a first time each time, and collect traffic for each interface at a second time longer than the first time from a device having traffic abnormality, and the traffic collector Compare the value of the equipment traffic collected during the first time with the set first threshold value to determine whether there is a traffic abnormality, and control the traffic collector to collect the traffic for each interface of the equipment having the traffic abnormality, The value of the interface traffic for each interface collected during the second time And a traffic state determination unit to determine whether there is a traffic abnormality in comparison with a second threshold set for each interface.

The network traffic monitoring apparatus of the present invention determines whether there is a correlation between the value of the device traffic and the sum of the interface traffic for each interface for each network device, and thus the sum of the value of the device traffic and the interface traffic for each interface. The apparatus may further include a measurement target calculator configured to exclude a device having no correlation with each other from the device traffic collection possible list and register the correlation with the device traffic collection possible list.

According to the embodiment described above, the present invention enables a shorter period, which is shorter than a conventional traffic collection period, to collect traffic and to discover equipment and interfaces with abnormal traffic.

In addition, the present invention does not increase the load on the inspection equipment even if the traffic collected and inspected in a shorter time period than the conventional one.

DETAILED DESCRIPTION Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art may easily implement the present invention. As those skilled in the art would realize, the described embodiments may be modified in various different ways, all without departing from the spirit or scope of the present invention. In the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention, and like reference numerals designate like parts throughout the specification.

Throughout the specification, when a part is said to "include" a certain component, it means that it can further include other components, without excluding other components unless specifically stated otherwise. In addition, the terms “… unit”, “… unit”, “module”, etc. described in the specification mean a unit that processes at least one function or operation, which may be implemented by hardware or software or a combination of hardware and software. have.

Now, an apparatus and method for monitoring network traffic in an embodiment of the present invention will be described with reference to the accompanying drawings. First, the concept of the present invention will be described with reference to FIG. 1 is a conceptual diagram for explaining the present invention.

The present invention collects network traffic in a shorter period (hereinafter referred to as a 'short cycle') than a normal cycle (hereinafter, referred to as a 'normal cycle') by using the Simple Network Management Protocol (SNMP) in the traffic monitoring apparatus 100. And inspect.

At this time, if the traffic is collected for each interface as in the conventional method as a shortened period, the number of traffic collection is increased in comparison with the conventional general period for the same time, and accordingly, the traffic monitoring apparatus 100 has a significant load on the traffic. do.

In order to solve this problem, the present invention performs network traffic collection based on a short cycle in units of equipment.

Collecting network traffic by device means identifying the value of the traffic input / output for the device by inspecting the device. The inspection of network traffic by such a device is different from the collection of network traffic for each interface that grasps the value of the traffic input / output on the interface by inspecting each interface in an arbitrary device.

In other words, collecting network traffic on a device-by-device basis is an equipment input attribute value representing the amount of traffic input (i.e., collected) to a device during a set time in the standard MIB (Management Information Base) of SNMP. It is to grasp the equipment output attribute value indicating the amount of traffic output from the equipment during the set time. Collecting network traffic for each interface is an interface input attribute value representing the amount of traffic input to each interface during a setting time of an arbitrary device in the standard MIB of SNMP, and an amount of traffic output from the corresponding interface during the setting time. It is to grasp the interface output attribute value.

Hereinafter, the traffic input / output to the equipment is referred to as equipment traffic, and the equipment input attribute value and equipment output attribute value for the equipment traffic are collectively referred to as equipment traffic values. The traffic input / output to the interface is called interface traffic, and the interface input attribute value and interface output attribute value for the interface traffic are collectively referred to as the interface traffic value.

Therefore, collecting the equipment traffic is much less inspection target (or collection number) than collecting the traffic for each interface so as not to increase the load on the traffic monitoring apparatus 100.

For example, in a small network in which one router has 20 interfaces and the number of routers is about 1,000, the traffic monitoring apparatus 100 collects traffic with a short period of 1 minute for all interfaces.

If the inspection period is 5 minutes, the traffic is collected from 20 interfaces for each 1000 routers and repeated 5 times. Therefore, traffic collection should be performed 100,000 times of 5 * 1000 * 20.

However, according to the present invention, when the equipment traffic is inspected, the traffic is collected by 1000 routers and repeated five times. Therefore, only 5,000 times of 1000 * 5 need be collected. Therefore, the present invention shortens the traffic collection period in comparison with the related art, but does not increase the load of the server because the inspection target is small.

In the present invention using the method of checking the device traffic, the device traffic inspection is first detected to detect a device having a traffic abnormality, and then the interface traffic is checked for the detected device to identify an interface of the corresponding device having a traffic abnormality.

Referring to FIG. 1, the present invention preferentially collects equipment traffic for equipment 1 (10), equipment 2 (20), and equipment 3 (30), and checks the value of the collected equipment traffic to determine the traffic abnormality. Detect equipment 2 (20).

Then, the present invention collects the interface traffic for each interface of the device 2 (20) for the device 2 (20) with the traffic abnormality, and examines the value of the collected interface traffic to find the interface with the traffic abnormality.

Meanwhile, for the present invention, the value of the device traffic measured for one device and the value of traffic for each interface should be correlated (hereinafter, referred to as 'sum of interface traffic'). That is, the network equipment (that is, the inspection target equipment) applied to the present invention should have a correlation between the equipment input attribute value and the interface input attribute value for each interface, and the equipment output attribute value and the interface output attribute value for each interface. The sum of must be correlated.

For this reason, the present invention is to determine whether there is a correlation between the measured value of the equipment traffic and the sum of the interface traffic for each of the inspection target equipment to be monitored as shown in Figure 2, Apply the invention.

Hereinafter, a method of selecting an inspection target device according to an exemplary embodiment of the present invention will be described with reference to FIGS. 2 to 4.

Prior to the description, an equipment input attribute value, an equipment output attribute value, an interface input attribute value, and an interface output attribute value according to an embodiment of the present invention will be described.

Equipment input attribute value, equipment output attribute value, interface input attribute value and interface output attribute value according to an embodiment of the present invention are shown in Table 1 below.

TABLE 1

Measurement target Measurement item Attribute value Equipment traffic input ipInReceives Print ipOutRequest, ipForwDatagrams, ipOutDiscards, ipOutNoRoutes, ipFragOks, ipFragFails, ipFragCreates Interface traffic input ifInUcastPkts, ifInNUcastPkts Print ifOutUcastPkts, ifOutNUcastPkts

According to Table 1, the device input attribute values according to an embodiment of the present invention are ipInReceives, which is an attribute value of an ip group in SNMP, and the device output attribute values are pOutRequest, ipForwDatagrams, ipOutDiscards, ipOutDiscards, ipOutNoRoutes, ipFragOks, and ipFragFails, which are attribute values of an ip group. And ipFragCreates.

And according to Table 1, the interface input attribute values according to an embodiment of the present invention are ifInUcastPkts and ifInNUcastPkts which are attribute values of the if group in SNMP, and the interface output attribute values are ifOutUcastPkts and ifOutNUcastPkt which are attribute values of the if group.

Where ipInReceives is the number of input datagrams received by the interface (including those received as errors), ipOutRequest is the number of IP datagrams sent to any IP by the Internet Protocol (IP) user protocol, and ipForwDatagrams is the final IP destination. The number of input datagrams to send to other paths because is not an entity.

In addition, ipOutDiscards is the number of output IP datagrams that had no problem delivering to the destination, but were discarded for other reasons, and ipOutNoRoutes is the number of IP datagrams discarded because they could not find a route to send the IP datagram. In addition, ipFragOks is the number of IP datagrams that have been successfully fragmented, ipFragFails is the number of IP datagrams that have to be fragmented but unsuccessfully discarded, and ipFragCreates is the number of fragments of IP datagrams created as a result of fragmentation.

ifInUcastPkts is the number of unicast packets transmitted in the upper protocol, and ifInNUcastPkts is the number of non-unicast packets transmitted in the upper protocol. IfOutUcastPkts is the number of packets requested by the upper protocol to the unicast address, and ifOutNUcastPkts is the number of packets requested by the higher protocol to the non-unicast address.

Therefore, if the equipment input attribute value is called inIP, the equipment output attribute value is called outIP, the interface input attribute value is called inIF, and the interface output attribute value is called outIF, each attribute value is represented by the following equations (1) to (4). Measured through

(Equation 1)

inIP = ipInReceives

(Equation 2)

outIF = ipOutRequest + ipForwDatagrams-ipOutDiscards-ipOutNoRoutes-ipFragOKs-pFragFails + ipFragCreates

(Equation 3)

Here, n is the number of interfaces of the equipment.

(Equation 4)

Here, n is the number of interfaces of the equipment.

2 is a flowchart illustrating a method of selecting an inspection target device for a network traffic monitoring method according to an exemplary embodiment of the present invention.

As shown in FIG. 2, one network device, that is, a router, is configured for a certain period (for example, one day) in order to determine whether a value of equipment traffic and a sum of interface traffic correlate with each other. Equipment traffic and interface traffic are collected in a period (for example, 1 minute, 2 minutes, 5 minutes, etc.) (S201). The S201 process collects each traffic by m times a day, and collects each traffic through the attribute values of Table 1.

For one day, after the measurement of the traffic, the present invention determines whether the ratio of the value of the equipment traffic collected in the first to the sum of the interface traffic is sequentially above the set ratio (C) in the order of the first to mth. (S202 to S206).

That is, with respect to the sum of the value of the equipment traffic collected from the first (one of the first to mth) and the interface traffic, it is determined whether the absolute value of (inIP-inIF) / inIF is smaller than the set ratio (C) (S204). In step S204, if it is greater than or equal to the set ratio (C), it is excluded from the inspection object, and if it is less than or equal to the set ratio (C), it is determined whether the absolute value of (outIP-outIF) / outIF is smaller than the set ratio (C) (S205).

If the absolute value of (outIP-outIF) / outIF is less than the set ratio (C) in step S205, the process repeats steps S204 and S205 by using the sum of the equipment traffic and the interface traffic collected at the next time. do.

If the absolute value of (inIP-inIF) / inIF and (outIP-outIF) / outIF from the first to mth is smaller than the set ratio (C), the present invention can collect equipment traffic of the test equipment. Add to list (S207).

On the other hand, if at least one of the absolute value of (inIP-inIF) / inIF and the absolute value of (outIP-outIF) / outIF from the first to mth is larger than the set ratio (C), the present invention is in the equipment traffic collection possible list. Exclude.

Here, when the absolute value of (inIP-inIF) / inIF and the absolute value of (outIP-outIF) / outIF are smaller than the set ratio (C), the sum of the equipment traffic and the interface traffic is shown in a correlation graph. Appears as 3. 3 is a graph showing a case where there is a correlation between the value of equipment traffic and the sum of interface traffic, and the case where the difference between the value of equipment traffic and the sum of interface traffic is about 0.001%.

When the absolute value of (inIP-inIF) / inIF and the absolute value of (outIP-outIF) / outIF are equal to or greater than the set ratio (C), the sum of the equipment traffic and the interface traffic is shown in a correlation graph as shown in FIG. Appears together. FIG. 4 is a graph showing a case where there is no correlation between the value of the equipment traffic and the sum of the interface traffic, and the case where the difference between the value of the equipment traffic and the sum of the interface traffic is about 15%.

3 and 4, the horizontal axis represents time and the vertical axis represents output traffic. The values of the graphs shown in FIGS. 3 and 4 represent a difference P between the sum of the equipment traffic and the sum of the interface traffic, and are specifically based on the values of the output traffic.

As can be seen from Figure 4, if the sum of the value of the equipment traffic and the interface traffic is more than the set ratio (C), the difference between the sum of the value of the equipment traffic and the interface traffic is large, the correlation is low. This makes the reliability unreliable when predicting the sum of the interface traffic through the value of the equipment traffic.

As can be seen from Figure 3, if the sum of the value of the equipment traffic and the interface traffic is less than the set ratio (C), there is almost no difference in the sum of the value of the equipment traffic and the interface traffic has a high correlation. This makes it possible to predict the aggregate value of the interface traffic through the value of the equipment traffic.

Hereinafter, a traffic monitoring apparatus according to an embodiment of the present invention will be described with reference to FIG. 5. 5 is a block diagram of a traffic monitoring device according to an embodiment of the present invention.

As shown in FIG. 5, the traffic monitoring apparatus according to an exemplary embodiment of the present invention includes a measurement target calculator 110, a database 120, a traffic collector 130, a traffic state determiner 140, and an alarm generator. 150 and an input unit 160.

The measurement target calculator 110 determines the correlation between the value of the equipment traffic and the sum of the interface traffic with respect to one network device, and selects the inspection target device described with reference to FIG. 2. The measurement target calculator 110 adds the selected inspection target device, that is, the router, to the device traffic collection possible list stored in the database 120. Meanwhile, the measurement target calculator 110 may be configured as a separate device and implemented as an external device of the traffic monitoring device of the present invention.

The database 120 stores the equipment traffic collection possible list, and stores the input / output equipment traffic thresholds (insthr, outsthr) corresponding to the equipment traffic and the input / output interface traffic thresholds (inthr, outthr) corresponding to the interface traffic. And a setting ratio (C) for screening equipment to be inspected is stored.

Here, insthr is an input device traffic threshold and the sum of input interface traffic thresholds for each interface of the corresponding equipment, and outsthr is an output device traffic threshold and the sum of output interface traffic outthr for each interface of the corresponding equipment. . Inthr is an input interface traffic threshold and is set corresponding to each interface of the equipment, and outthr is an output interface traffic threshold and is set corresponding to each interface of the equipment.

The traffic collection unit 130 sets one of the first traffic collection method (see FIG. 5) and the second traffic collection method (see FIG. 7), and is registered in the equipment traffic collection possible list according to the set traffic collection method. Collect device traffic and interface traffic for. That is, the traffic collector 130 measures (identifies) the equipment input attribute value, the equipment output attribute value, the interface input attribute value, and the interface output attribute value according to the first or second traffic collection method.

The traffic state determining unit 140 compares the value of the equipment traffic collected by the traffic collecting unit 130 or the value of the equipment traffic with the value of the interface traffic with a corresponding set threshold value (insthr, outsthr, inthr, outthr). Identify the equipment or / and interface present. At this time, the traffic state determination unit 140 compares the value of the equipment traffic and the interface traffic with the threshold value of the packet per second (PPS) unit equipment input attribute value (inIP) and the equipment output attribute value ( outIP) and the interface input attribute value inIF and the interface output attribute value outIF, which are values of the interface traffic, are changed as in the following conditional expression.

(Conditional expression)

equipment traffic input PPS (inSPPS) = inIP / acquisition cycle

outSPPS (equipment traffic output PPS) = outIP / acquisition cycle

inPPS (interface traffic input PPS) = inIF / acquisition cycle

outPPS (interface traffic output PPS) = outIF / acquisition cycle

Here, the collection period is a short period T1 or a general period T2. Specifically, the collection period in inSPPS and outSPPS is a shortened period T1, and the collection period in inPPS and outPPS is a general period T2.

The alarm generating unit 150 generates an alarm when a device or an interface having a traffic abnormality is found under the control of the traffic state determining unit 140. The input unit 160 may receive an operator's input and store information stored in the database 120 or change the stored information.

Meanwhile, the traffic state determination unit 140 may set and store one of a first traffic collection method and a second traffic collection method in place of the traffic collection unit 130. In this case, the traffic collection unit 130 may be controlled by controlling the traffic collection unit 130. Equipment traffic or equipment traffic and interface traffic are collected according to one of the first traffic collection method and the second traffic collection method.

Hereinafter, a network traffic monitoring method according to a first embodiment of the present invention will be described with reference to FIGS. 6 and 7. 6 is a diagram illustrating a first traffic collection method used in a network traffic monitoring method according to an exemplary embodiment of the present invention. 7 is a flowchart illustrating a network traffic monitoring method according to a first embodiment of the present invention.

In the network traffic monitoring method according to the first embodiment of the present invention, as shown in FIGS. 5 and 6, the first traffic collection for collecting the device traffic for each device is performed for each short period T1, and the collected device traffic is performed. The process (S701 to S703) is repeated to check whether there is an abnormal traffic by checking the value of.

That is, the traffic collecting unit 130 collects input / output traffic input to each device during the T1 time set according to the first traffic collection method shown in FIG. 6, that is, the equipment input / equipment output at the set T1 time period. The attribute value is determined (S701).

Then, the traffic state determination unit 140 compares the value of the collected equipment traffic for each device with the input / output threshold set for each device (S702). That is, the traffic state determination unit 140 compares the equipment input attribute value inIP and the set input equipment traffic threshold value among the values of the equipment traffic, and outputs the equipment output attribute value outIP and the set output equipment traffic threshold outsthr. ).

At this time, the input threshold (insthr, intrhr) and the output threshold (outsthr, outthr) is managed in units of Packet Per Second (PPS). Therefore, the traffic state determination unit 140 changes the value of the equipment traffic to a value that can be compared with the threshold for the process S702.

The traffic state determination unit 140 determines that the equipment at this time is a device having a traffic abnormality when there is a device having a value of the input traffic greater than the set input threshold or the output traffic having a value greater than the set output threshold in step S702 ( S703).

When detecting a device having a traffic abnormal in step S703 (S704), the traffic monitoring apparatus 100 performs steps S705 to S709 for the device having a traffic abnormality to detect an interface having a traffic abnormality among the interface of the device. Detect.

That is, when detecting a device having a traffic abnormality, the alarm generating unit 150 performs a notification alert notifying the outside of the device having a traffic abnormality (S705), and the traffic collecting unit 130 of the traffic state determining unit 140 According to the control, the interface traffic for each interface of the corresponding equipment is collected during the normal period (S706).

The traffic state determination unit 140 compares the interface traffic value for each interface with a set input / output threshold value (S707). That is, the traffic state determination unit 140 compares the interface input attribute value inIF among the values of the interface traffic with the set input interface traffic threshold inthr, and compares the interface output attribute value outIF with the set output interface traffic threshold outthr. ).

At this time, the input threshold (inthr) and the output threshold (outthr) is managed in units of Packet Per Second (PPS). Therefore, for the S707 process, the traffic state determination unit 140 changes the value of the interface traffic to a value that can be compared with a threshold.

The traffic state determination unit 140 detects an interface whose interface input attribute value inIF is greater than the set input threshold value and / or the interface output attribute value outIF is greater than the set output threshold value through S707. In step S708, the detected interface is determined to be an interface having abnormal traffic (S709).

In addition, an alarm is generated for an interface having a traffic error, and the input / output traffic of the interface is monitored every set time.

Next, a network traffic monitoring method according to a second embodiment of the present invention will be described with reference to FIGS. 8 and 9. 8 is a diagram illustrating a second traffic collection method used in a network traffic monitoring method according to an exemplary embodiment of the present invention. 9 is a flowchart illustrating a network traffic monitoring method according to a second embodiment of the present invention, based on a collection method according to an example shown in FIG. 7.

As shown in FIG. 8, the second traffic collection method according to the present invention is generally similar to the first traffic collection method, but includes a general period T2 that is an integer multiple of the short period T1 in order to collect interface traffic. ) Is different.

In FIG. 8, the general period T2 is illustrated as being five times the short period t1, but may be arbitrarily varied by the operator, such as three times the short period T1 or six times the short period T1. This is as if a plurality of short cycles T1 and one general period T2 form one cycle. That is, a plurality of equipment traffic collection and one interface traffic collection constitute one cycle.

For example, referring to FIG. 8, the second traffic collecting method repeats collecting one interface traffic after four equipment traffic collections as one cycle. Of course, one cycle may be two or more times to collect the interface traffic, it is preferable that at least one or more times to collect the equipment traffic.

On the other hand, the second traffic collection method solves the problem of the first traffic collection method.

In other words, monitoring network traffic by collecting only equipment traffic as in the first traffic collection method does not recognize the traffic even when the traffic is input or output while the interface of the corresponding equipment has an abnormal traffic. This is because the value of the equipment traffic represents only the total traffic input or output to the equipment. Therefore, when the traffic is collected and inspected as in the first embodiment of the present invention, even if there is an interface with traffic abnormality, it may not be found.

For example, suppose there is a device with three interfaces, the traffic threshold of the first interface is 10, the traffic threshold of the second interface is 10, and the traffic threshold of the third interface is 15. The traffic threshold is a reference traffic value for determining the traffic abnormality.

In this state, if the value of the equipment traffic is 30, the present invention determines that the equipment is not an abnormal traffic. This is because the sum of the traffic thresholds of the first to third interfaces is 35, and the value of the equipment traffic is less than 35.

However, if the value of the traffic of the first interface is 15, the value of the traffic of the second interface is 5, and the value of the traffic of the third interface is 10 among the values of the equipment traffic, the traffic of the equipment is 30 and there is no traffic abnormality. Substantially, the first interface is at least 15 as the traffic is higher than the threshold 10.

Therefore, in order to solve this problem, the second traffic collecting method performs at least one of one cycle of collecting and inspecting the conventional interface traffic.

Hereinafter, a network traffic monitoring method according to a second embodiment of the present invention to which the second traffic collection method is applied will be described with reference to FIG. 9. Here, as shown in FIG. 8, the second traffic collection method includes a case in which one cycle collects equipment traffic four times in a shortened period T1 and collects interface traffic once in a general period T2. do.

The traffic collecting unit 130 collects the equipment traffic in a shortened period T1 by a set number of times in one cycle (S901 and S902).

Then, the traffic state determination unit 140 compares the value of the collected equipment traffic for each device with the input / output threshold (insthr, inthr) set for each device (S903). That is, the traffic monitoring apparatus 100 compares the equipment input attribute value inIP among the values of the equipment traffic with the set input equipment traffic threshold insthr, and compares the equipment output attribute value outIP with the set output equipment traffic threshold outsthr. Compare with

At this time, the traffic monitoring apparatus 100 changes the value of the equipment traffic to a value that can be compared with the input / output equipment traffic threshold.

The traffic state determination unit 140, if the value of the input traffic is greater than the input device traffic threshold set in step S903, or if the value of the output traffic is greater than the output device traffic threshold set, the equipment at this time if there is more than traffic It is determined that (S904).

When the device having the traffic abnormality is found through the process S904 (S905), the traffic state determining unit 140 performs the processes S907 to S910 on the device having the traffic abnormality, so that the traffic abnormality has the traffic abnormality among the interface of the device. Detect.

That is, when the device having a traffic abnormality is detected, the alarm generating unit 150 performs a notification alarm notifying the outside of the device having the traffic abnormality (S907), and the traffic collecting unit 130 performs the corresponding equipment during the general period T2. Interface traffic is collected for each interface at step S908.

The traffic state determination unit 140 then compares the interface traffic value for each interface with a set input / output interface traffic threshold (inthr, outthr) (S909). That is, the traffic state determination unit 140 compares the interface input attribute value inIF among the values of the interface traffic with the set input interface traffic threshold inthr, and compares the interface output attribute value outIF with the set output interface traffic threshold outthr. ).

At this time, the traffic state determination unit 140 changes the value of the interface traffic to a value that can be compared with a corresponding threshold.

The traffic state determination unit 140 outputs an output interface traffic threshold value at which the interface input attribute value inIF is greater than the set input interface traffic threshold inthr and / or the interface output attribute value outIF is set through step S909. outthr) is detected (S910), and the detected interface is determined as an interface having traffic abnormality (S911).

Meanwhile, the traffic collecting unit 130 collects the interface traffic as many times as the setting time in one cycle regardless of the equipment traffic inspection result, and the traffic state determining unit 140 collects the value of the collected equipment traffic for each device by equipment. Compare with the set input / output threshold (S906, S908, S909). Of course, if the traffic collecting unit 130 collects the interface traffic set in one cycle, the traffic abnormality detection notification alert operation (S907) will not be made.

Hereinafter, referring to FIG. 10, a process of identifying a device or an interface having a traffic error by comparing a corresponding traffic value with a threshold value in a network traffic monitoring method according to the first and second embodiments of the present invention will be described in detail. . FIG. 10 is a flowchart illustrating a detailed main process in a network traffic monitoring method according to the first and second embodiments of the present invention. Referring to FIG.

As shown in FIG. 10, when the traffic collecting unit 130 collects the equipment traffic for the first equipment, that is, measures the value of the equipment traffic according to the first or second traffic collection method, the traffic state determination unit 140 ) Changes the equipment input attribute value (inIP) to inSPPS and the equipment input attribute value (outIP) to outSPPS (long-bit input PPS).

The traffic state determination unit 140 then compares inSPPS with insthr (input equipment traffic threshold) and outSPPS (long bit traffic output PPS) with outsthr (input equipment traffic threshold), so that both inSPPS and outSPP are above the threshold. It is determined whether or not it is large (S1001).

If both inSPPS and outSPPS are above the corresponding thresholds (insthr, outsthr) in step S1001, the traffic state determination unit 140 determines that the first device is a device having traffic abnormality, and the value of the interface traffic for all interfaces of the first device ( inIF, outIF) is measured (S1002).

The traffic state determination unit 140 changes inIF (interface input attribute value) to inPPS (interface traffic input PPS) among the measured values of interface traffic for each interbase, and outPPS (interface traffic output) to outPPS (interface output attribute value). PPS). Then, the traffic state determination unit 140 compares the inPPS and outPPS of the interface with the threshold (inthr, outthr) of the interface, and determines whether both inPPS and outPPS is less than the threshold (S1003).

Through the determination (S1003), the traffic state determination unit 140 controls the alarm generator 150 to generate an alarm for the corresponding interface when any one of the inPPS and the outPPS has an interface larger than the corresponding threshold, and sets the time. Each time the input / output traffic for the interface is monitored (S1004).

On the other hand, in step S1001, if both inSPPS and outSPPS is not greater than the corresponding threshold (insthr, outsthr), the traffic state determination unit 140 determines whether inSPPS is greater than insthr (S1005).

If inSPPS is greater than insthr in the determination S1005, the traffic state determination unit 140 measures the values of interface traffic (inIF, outIF) for all interfaces of the first device (S1006). The traffic state determination unit 140 changes inIF to inPPS among measured interface traffic values of each interbase, and compares the inPPS of each interface with an inthr of the corresponding interface to determine whether the inPPS is less than inthr. (S1007).

Through the determination (S1007), the traffic state determining unit 140 controls the alarm generating unit 150 to generate an alarm for the corresponding interface when an interface with an inPPS greater than inthr is found, and generates an alarm for the corresponding interface every set time. I / O traffic is monitored (S1008).

Finally, if the inSPPS is less than insthr in step S1005, the traffic state determination unit 140 determines whether outSPP is greater than outsthr (S1009).

If outSPPS is greater than outsthr in the determination (S1009), the traffic state determination unit 140 measures the values of interface traffic (inIF, outIF) for all interfaces of the first device (S1010). The traffic state determination unit 140 changes outIF to outPPS among the measured values of the interface traffic for each interbase, and compares the outPPS of each interface with an outthr of the corresponding interface to determine whether the outPPS is less than or equal to outthr. (S1011).

Through the determination (S1011), the traffic state determination unit 140 controls the alarm generator 150 to generate an alarm for the corresponding interface when an outPPS is found to be larger than the outthr, and for the corresponding interface every set time. I / O traffic is monitored (S1012).

The embodiments of the present invention described above are not only implemented by the apparatus and method but may be implemented through a program for realizing the function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded, The embodiments can be easily implemented by those skilled in the art from the description of the embodiments described above.

Although the embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improvements of those skilled in the art using the basic concepts of the present invention defined in the following claims are also provided. To the right

It belongs.

1 is a conceptual diagram for explaining the present invention.

2 is a flowchart illustrating a method of selecting an inspection target device for a network traffic monitoring method according to an exemplary embodiment of the present invention.

3 is a graph showing a case where there is a correlation between a value of equipment traffic and a sum of interface traffic.

4 is a graph showing a case where there is no correlation between the value of the equipment traffic and the sum of the interface traffic.

5 is a block diagram of a traffic monitoring device according to an embodiment of the present invention.

6 is a diagram illustrating a first traffic collection method used in a network traffic monitoring method according to an exemplary embodiment of the present invention.

7 is a flowchart illustrating a network traffic monitoring method according to a first embodiment of the present invention.

8 is a diagram illustrating a second traffic collection method used in a network traffic monitoring method according to an exemplary embodiment of the present invention.

9 is a flowchart illustrating a network traffic monitoring method according to a second embodiment of the present invention.

FIG. 10 is a flowchart illustrating a detailed main process in a network traffic monitoring method according to the first and second embodiments of the present invention. Referring to FIG.

Claims (10)

In the method for monitoring network traffic using N (minimum value of N is 2) traffic measurement cycles as the number of consecutive traffic measurements, A first step of collecting equipment traffic at a first time for the first equipment at least once in N times; A second step of determining whether there is an abnormal traffic by comparing the value of the equipment traffic collected during the first time with a set first threshold value, A third step of collecting interface traffic at a second time longer than the first time for each interface of the first equipment having the traffic abnormality identified through the value of the equipment traffic, and And a fourth step of determining whether there is an abnormal traffic by comparing the value of the interface traffic for each interface collected during the second time period with a second threshold set for each interface. How to monitor network traffic. The method of claim 1, A fifth step of collecting interface traffic at least once of the N times for a third time longer than the first time for each interface of the first equipment;  And a sixth step of determining whether there is an abnormal traffic by comparing the value of the interface traffic for each interface collected during the third time period with a second threshold set for each interface. How to monitor network traffic. The method according to claim 1 or 2, Before the first step, A seventh step of collecting equipment traffic of the first equipment and interface traffic for each interface of the first equipment M times by setting a third time period for each network equipment; An eighth step of determining whether there is a correlation between the value of the second collected device traffic and the sum of the interface traffic for each interface, in the order of the first collected traffic to the Mth collected traffic; And a ninth step of excluding a device having no correlation between the value of the device traffic and the sum of the interface traffic for each interface from the traffic monitoring target and registering the correlated device as the first device. How to monitor network traffic. The method of claim 3, The value of the equipment traffic is identified through the equipment input attribute value and the equipment output attribute value, the value of the interface traffic is determined through the interface input attribute value and the interface output attribute, The device input attribute value is ipInReceives, which is an attribute value of an ip group in a standard MIB (Management Information Base) of Simple Network Management Protocol (SNMP), and the device output attribute value is pOutRequest, which is an attribute value of an ip group in a standard MIB of SNMP. And ipForwDatagrams and ipOutDiscards and ipOutNoRoutes and ipFragOks and ipFragFails and ipFragCreates, The interface input attribute values are ifInUcastPkts and ifInNUcastPkts which are attribute values of the if group in the standard MIB of SNMP, and the interface output attribute values are ifOutUcastPkts and ifOutNUcastPkt which are attribute values of the if group in the standard MIB of SNMP. How to monitor network traffic. The method of claim 4, wherein And a tenth step of collecting and inspecting the traffic every fourth time for a particular interface that is found to have an abnormal traffic, How to monitor network traffic. In the network traffic monitoring apparatus for monitoring network traffic using N (minimum value of N is 2) consecutive traffic measurement cycles as a traffic measurement cycle, Database that stores the equipment traffic collection list, which records the information of the target equipment that can inspect the network traffic, Collecting equipment traffic by giving a first time to at least one of the N times for the inspection target equipment recorded in the equipment traffic collection possible list, and a second time longer than the first time in the equipment having the traffic abnormality. Traffic collection unit for collecting the traffic for each interface at intervals, and The traffic collecting unit compares the value of the equipment traffic collected during the first time period with the set first threshold value to determine whether there is a traffic abnormality, and controls the traffic collecting unit to control traffic of each interface of the equipment having the traffic abnormality. And a traffic state determination unit configured to determine whether there is a traffic abnormality by comparing the value of the interface traffic for each interface collected during the second time period with a second threshold set for each interface. Network traffic monitoring device. The method of claim 6, The traffic collecting unit, in addition to the equipment traffic collection, at least one of the N times to collect the interface traffic by giving a third time longer than the first time for each interface of the first equipment,  Network traffic monitoring device. The method of claim 7, wherein For each network device, whether there is a correlation between the value of the device traffic and the sum of the interface traffic for each interface is determined, and the device having no correlation between the value of the device traffic and the sum of the interface traffic for each interface is recalled. Excluding from the equipment traffic collection possible list, and further comprising a measurement target calculation unit for registering the correlated equipment to the equipment traffic collection possible list, Network traffic monitoring device. The method according to claim 6 or 8, The measurement object calculation unit, The network traffic of the first device and the interface traffic for each interface of the first device is collected M times for a third period of time for each network device, and the order of the M-th collected traffic from the first collected traffic. To determine whether there is a correlation between the value of the device traffic collected and the sum of the interface traffic for each interface, Network traffic monitoring device. 10. The method of claim 9, The value of the equipment traffic is determined through the equipment input attribute value and the equipment output attribute value, the value of the interface traffic is determined through the interface input attribute value and the interface output attribute, The device input attribute value is ipInReceives which is an attribute value of an ip group in a standard MIB (Management Information Base) of SNMP (Simple Network Management Protocol), and the device output attribute value is an attribute value of an ip group in a standard MIB of SNMP. pOutRequest, ipForwDatagrams, ipOutDiscards, ipOutNoRoutes, ipFragOks, ipFragFails and ipFragCreates. The interface input attribute values are ifInUcastPkts and ifInNUcastPkts which are attribute values of the if group in the standard MIB of SNMP, and the interface output attribute values are ifOutUcastPkts and ifOutNUcastPkt which are attribute values of the if group in the standard MIB of SNMP. Network traffic monitoring device.

Images