201115974

VI. Description of the Invention:

[Technical Field]

The present invention relates to an intelligent network monitoring system, and more particularly to an intelligent network monitoring system based on a network traffic ontology.

[Prior Art]
We are now in the age of communications. Every industry depends on the network, and its importance goes without saying. Market sales of network equipment are growing rapidly, and demand for network monitoring systems is rising steadily.
Existing network traffic monitoring systems can only display "traffic" or "line utilization". In different network environments, however, the same traffic value carries a different meaning, so with current traffic monitoring systems a network administrator is still needed to interpret what these values mean.

In addition, network monitoring systems on the market routinely cost millions, which ordinary small and medium-sized enterprises and schools cannot afford. Taking schools as an example, according to Ministry of Education statistics for academic year 97, Taiwan currently has 171 colleges and universities. Apart from the few schools funded under the five-year, 50-billion program and the Teaching Excellence Program, the other schools care a great deal about network traffic monitoring but lack the budget to deploy a monitoring system costing millions. A solution is therefore needed.

[Summary of the Invention]

Accordingly, the object of the present invention is to provide an intelligent network monitoring system.

The intelligent network monitoring system of the present invention monitors the network traffic of a plurality of network devices of a specific building. The system comprises a network traffic data retrieval unit, an ontology repository and a fuzzy inference engine. The network traffic data retrieval unit retrieves network traffic data from the network devices. The ontology repository stores the network monitoring domain knowledge provided by at least one network monitoring domain expert for the specific building. The fuzzy inference engine uses the network monitoring domain knowledge in the ontology repository to convert the network traffic data delivered by the network traffic data retrieval unit into network traffic semantics.
The effect of the present invention is that, when network traffic becomes abnormal, it immediately provides alarm semantics that match the way people think, so that network administrators can take appropriate action at once. In addition, the deployment cost of the present invention is affordable for ordinary small and medium-sized enterprises and schools, saving them the large cost of customized traffic monitoring for their network environment.

[Detailed Description of the Embodiments]

The foregoing and other technical contents, features and effects of the present invention will be clearly presented in the following detailed description of a preferred embodiment with reference to the drawings.

Before the present invention is described in detail, note that similar elements are denoted by the same reference numerals in the following description.

Referring to FIG. 1, the preferred embodiment of the intelligent network monitoring system 1 of the present invention monitors the network traffic of a plurality of network devices 9 of a specific building. In this preferred embodiment a building in a school is used as the specific building, but the specific building is not limited to a school building; it may be any building whose network devices 9 need to be monitored with the intelligent network monitoring system 1. The intelligent network monitoring system 1 comprises a network traffic data retrieval unit 11, a fuzzy inference controller 13 that includes an ontology repository 131 and a fuzzy inference engine 132, an alarm unit 14 and a network monitoring interface 15.

The network traffic data retrieval unit 11 retrieves network traffic data from the network devices 9. These network traffic data must be defined in advance by the network administrator.
For example, in this preferred embodiment the key data defined by the school's network administrators are: building, campus, floor, IP address, alias, category, time, port, fuzzy variable, inbound traffic, outbound traffic, device maximum outbound volume and device maximum inbound volume. These data differ from one network environment to another, for instance the building, campus and floor of the physical location, or the fuzzy variables, maximum outbound volume and maximum inbound volume of the network device 9. The most important factor in building the network traffic data retrieval unit 11 is therefore the network administrator of that network environment.

This network administrator is the network monitoring domain expert 8, who is familiar with the network environment and, based on knowledge of that specific environment, builds its ontology and stores it in the ontology repository 131.

The ontology repository 131 stores the network monitoring domain knowledge provided by at least one network monitoring domain expert 8 for the specific network environment. This domain knowledge describes the specific network environment and comprises a domain layer (Domain Layer), a category layer (Category Layer), concepts (Concept), attributes (Attribute), operations (Operation) and an instance layer (Instance Layer). FIG. 2 shows the ontology stored in the ontology repository 131 in this preferred embodiment: the domain layer is the ontology itself; the category layer contains campus 1, campus 2, ... and campus n; a concept represents the name of a network device 9; and the attributes are the attributes of a concept, used mainly to describe which attribute values the concept contains, and they also represent the key items of the concept.
Therefore, when the system 1 of the present invention is built, the domain expert 8 first defines the key attributes of a network device 9, and the ontology of that network device 9 is then constructed. An operation is an operation concept applied to a concept. The instance layer represents instances in the actual network environment. FIG. 3 is an example of the concept of a network device 9 in this preferred embodiment, and FIG. 4 is an instance of it. The ontology repository 131 thus stores the network traffic data according to the ontology defined by the domain expert 8, for use in real-time fuzzy inference or in later analysis of the network data.

Referring to FIGS. 1 and 5, the fuzzy inference engine 132 uses the network monitoring domain knowledge in the ontology repository 131 to convert the network traffic data delivered by the network traffic data retrieval unit 11 into network traffic semantics. That is, the fuzzy inference engine 132 takes the values delivered by the network traffic data retrieval unit 11 and, according to the fuzzy inference knowledge base that the network monitoring domain expert defined in the ontology repository 131, obtains the key values of a given network device 9. In this preferred embodiment the main goal is to determine the upload and download volume between buildings on campus. As shown in FIG. 5, every network line (or port) has its own input fuzzy variable for network traffic, whose linguistic terms may be, for example, very low (Very_Low), low (Low), medium (Medium), high (High) and very high (Very_High); each network line is therefore one input fuzzy variable. For example, when the line traffic of a network device 9 is 66 Mbps, it corresponds only to the trapezoidal curve of the linguistic term "High", so the input fuzzy variable for a line traffic of 66 Mbps is "High".
When the line traffic of a network device 9 is 72 Mbps, however, it corresponds to the trapezoidal curves of both "High" and "Very high". In this embodiment the curve with the higher possibility (the ordinate) is taken, so the input fuzzy variable for a line traffic of 72 Mbps is "High". By combining all network lines and analysing them as shown in FIGS. 6, 7 and 8 (detailed later), the traffic semantics for a given building can be determined.

When the fuzzy inference engine 132 converts network traffic data into network traffic semantics, the input fuzzy variables for the upload and download traffic of the individual network lines must be defined first; the overall upload and download output is obtained by jointly analysing the upload and download traffic of the individual lines. The upload (download) traffic of an individual line is an input fuzzy variable, and the overall upload (download) traffic is an output fuzzy variable. … is the input fuzzy variable of a network line. In this embodiment the membership functions relating traffic to the input fuzzy variables are defined by an expert: the network monitoring domain expert 8 defines them for the individual network environment, so the membership functions differ from one network environment to another. The input traffic values can then be converted into semantics that match the domain knowledge of the network monitoring domain expert 8.

Referring to FIGS. 1, 6, 7 and 8, in this preferred embodiment the ontology repository 131 is built with the Fuzzy Markup Language (FML) and includes a fuzzy inference knowledge base (Knowledge Base) 1311 and a fuzzy inference rule base (Rule Base) 1312. FML was proposed by Acampora, Loia and other researchers; it is an XML-based language combined with fuzzy logic.
FML has a three-layer architecture: XML, the Document Type Definition (DTD) and Extensible Stylesheet Language Transformations (XSLT). XML expresses fuzzy logic control as a new markup language, the DTD defines the tag elements that may legally be used in FML, and XSLT converts the fuzzy control description into a specific programming language.

FIG. 6 is the FML architecture diagram of the intelligent network monitoring system based on the network traffic ontology (using the upload traffic of Huaiyuanzhai, a student dormitory on the campus of the applicant, Tainan University, as the example). In this preferred embodiment the root node of the system 1 is the fuzzy inference controller (Controller) 13, which is represented in FML by the <FUZZYCONTROL> tag. The <FUZZYCONTROL> tag uses three sub-tags, type, defuzzifymethod and ip, where: (1) type is the type of the fuzzy controller, for example MAMDANI; (2) defuzzifymethod defines the defuzzification method; (3) ip is the network address of this fuzzy controller.

The left subtree in FIG. 6 is the fuzzy inference knowledge base 1311, which is represented in FML by the <KNOWLEDGEBASE> tag. <KNOWLEDGEBASE> uses the <FUZZYVARIABLE> tag to describe a fuzzy concept (for example, one port of a campus network line) and its linguistic terms (for example, "traffic is very high"). The tags of <FUZZYVARIABLE> are name, scale, domainLeft, domainRight, type and ip, where: (1) name is the name of the fuzzy concept; (2) scale is its unit of measurement; (3) domainLeft and domainRight bound its interval; (4) type is the role of the fuzzy concept in the rules; (5) ip is the network address of the fuzzy knowledge base 1311. <FUZZYTERM> has a single tag, name, which defines a linguistic term of the fuzzy concept.
In the example of FIGS. 6, 7 and 8, the left subtree in FIG. 6 and its corresponding code in FIG. 7 describe the five fuzzy sets of the Huaiyuanzhai download traffic for each line (four lines, that is, four fuzzy variables) from Gezhilou (building code A) to Huaiyuanzhai (building code E) at the applicant, Tainan University. In this example the input fuzzy variable of each line is given five fuzzy sets, whose linguistic terms are very low (Very_Low), low (Low), medium (Medium), high (High) and very high (Very_High). The output fuzzy variable is the building's traffic level, likewise defined with five fuzzy sets whose linguistic terms are very low (Very_Low), low (Low), medium (Medium), high (High) and very high (Very_High).

The right subtree in FIG. 6 is the fuzzy inference rule base 1312, which is represented in FML by the <RULEBASE> tag. <RULEBASE> has two sub-tags, inferenceengine and ip. inferenceengine defines the inference method, for example MINMAXMINMAMDANI; ip is the network address of this fuzzy controller. Each rule is represented by a <RULE> tag, whose sub-tags are id, connector, weight and ip, where: (1) id is the identifier of the rule; (2) connector is the logical operator; (3) weight is the weight of the rule; (4) ip is the network address of the fuzzy rule base. The IF-PART and THEN-PART of a fuzzy rule are represented by the <ANTECEDENT> and <CONSEQUENT> tags, and <CLAUSEA> and <CLAUSEC> define the fuzzy clauses of the IF-PART and THEN-PART respectively, in which (1) the <VARIABLE> tag describes the fuzzy concept; (2) the <TERM> tag describes the linguistic term of the fuzzy concept; (3) <TSKPARAM> describes the THEN-PART parameters of a TSK-type fuzzy controller.
In this preferred embodiment, because FML is a general-purpose markup language for fuzzy inference, it is generic and can express the knowledge base 1311 and the rule base 1312 explicitly and in detail, and FML can later be used to build an intelligent network monitoring system 1 for a different network environment quickly. FIGS. 7 and 8 show the FML code of the fuzzy inference knowledge base 1311 and the fuzzy inference rule base 1312 in this embodiment (using part of the code for the upload traffic of Huaiyuanzhai, the student dormitory on the campus of the applicant, Tainan University, as the example).

In the example of FIGS. 6, 7 and 8, the right subtree in FIG. 6 and its corresponding code in FIG. 8 describe the fuzzy rule base needed to obtain the download traffic semantics of the Huaiyuanzhai building as a whole, from Gezhilou (building code A) to Huaiyuanzhai (building code E). The system shown in FIG. 6 has four lines (ports), which means four input fuzzy variables, each with five fuzzy sets, so there are 5^4 = 625 fuzzy rules in total, as in the right subtree of FIG. 6. Part of the sample code is shown in FIG. 8.

The main function of the alarm unit 14 is to receive the output of the fuzzy inference engine 132 (the overall network traffic semantics). If the output is abnormal, such as High or Very High, the alarm unit 14 notifies the network administrator by e-mail and/or mobile phone text message and displays a warning on the network monitoring interface 15, so that the administrator is informed at once and can resolve the problem. The network monitoring interface 15 can be implemented, for example, with Network Weathermap.
For the other, normal traffic levels (Very low, low and Medium), the overall network traffic semantics are simply displayed on the network monitoring interface 15 as usual, and the alarm unit 14 does not notify the network administrator by e-mail and/or text message.

Through the cooperation of the ontology repository 131, the fuzzy inference controller 13, the alarm unit 14, the network monitoring interface 15 and the other components, the present invention provides the real-time traffic semantics of a building in the network environment, which are the final alarm semantics that the system 1 produces. Their main purpose is to let the network administrator see which buildings currently have normal or critical network traffic and learn the state of the network environment at once, instead of passively waiting to be told that something has gone wrong. The system 1 not only lets the network administrator understand the traffic situation, but also allows the data in the ontology to be analysed further to understand network usage across the whole network environment.

The actual performance of the present invention was tested by implementing the system 1 in a virtual experimental environment set up by the Ontology Application and Software Engineering Laboratory of the applicant, National University of Tainan.

Experiment 1 (normal state):

Referring to FIG. 5 (the relationship between network traffic and the corresponding possibility in this embodiment), the FML architecture diagram of FIG. 6, FIG. 9 and Tables 1 and 2 below, the inventors used the real-time download traffic of a student dormitory (Huaiyuanzhai) at one point in time (22:22:55 on 24 December 2008) to analyse the real-time traffic situation at that moment. The dormitory has four main network lines (or ports), which means the building has four input fuzzy variables, so the input values of these four fuzzy variables can be retrieved. The four input values are the real-time download traffic of the dormitory's four lines (as shown in Tables 1 and 2). After fuzzy inference on these four values, the linguistic term for the dormitory's real-time download traffic is "Very low". The result is shown on the network monitoring interface 15 in FIG. 1G, and it agrees with the judgement of the network administrators.

Table 1 Student dormitory network real-time download data

| Physical line | Port | Time (year-month-day hour:minute:second) | Incoming traffic | Line semantics | Building semantic analysis |
|---|---|---|---|---|---|
| Gezhilou, Huaiyuanzhai | Port 5/1 | 2008-12-24 22:22:55 | 6.9 Mbps | Very low | Very low |
| Gezhilou, Huaiyuanzhai | Port 5/2 | 2008-12-24 22:22:55 | 2.9 Mbps | Very low | Very low |
| Gezhilou, Huaiyuanzhai | Port 6/1 | 2008-12-24 22:22:55 | 6.2 Mbps | Very low | Very low |
| Gezhilou, Huaiyuanzhai | Port 6/2 | 2008-12-24 22:22:55 | 3.4 Mbps | Very low | Very low |

Table 2 Student dormitory network real-time upload data

| Physical line | Port | Time (year-month-day hour:minute:second) | Incoming traffic | Line semantics | Building semantic analysis |
|---|---|---|---|---|---|
| Huaiyuanzhai, Gezhilou | Port 5/1 | 2008-12-24 22:22:55 | 7.8 Mbps | Very low | Very low |
| Huaiyuanzhai, Gezhilou | Port 5/2 | 2008-12-24 22:22:55 | 4.3 Mbps | Very low | Very low |
| Huaiyuanzhai, Gezhilou | Port 6/1 | 2008-12-24 22:22:55 | 6.4 Mbps | Very low | Very low |
| Huaiyuanzhai, Gezhilou | Port 6/2 | 2008-12-24 22:22:55 | 3.7 Mbps | Very low | Very low |

Experiment 2 (abnormal state caused by a loop):

Referring to Tables 3 and 4 below and FIG. 10, the inventors next simulated a traffic loop on one of the network lines, for example when someone accidentally plugs both ends of the same network cable into the network sockets of the line's source. The traffic of the whole network device 9 is then blocked by this loop, so the loop carries the maximum network traffic that the network device 9 can provide, which may in turn bring the network down. Tables 3 and 4 show the traffic data obtained in this situation; after processing by the system 1 they produce the warning page shown in FIG. 10. As shown in FIG. 11, the overall building traffic is abnormal, and the alarm unit 14 can further alert the administrator proactively by e-mail or text message, so that the network administrator can quickly identify port 5/1 of Huaiyuanzhai as the source of the problem. This is the alarm function of the system 1.
Table 3 Student dormitory network real-time download data (abnormal) Physical line 埠 time (year-month-曰 hours: minutes: seconds) Flow gas line 'Languyi building semantic analysis 埠5/1 2008-12-24 108.2 Very high Gezhilou, Huaiyuanzhai, 23:05:30 Mbps 埠5/2 2008-12-24 13.2 Very low-grade building, Huaiyuan Zhai ' 23:05:30 Mbps Very high 埠 6/1 2008-12-24 3.4 Very low Ge Zhi Lou, Huai Yuan Zhai r 23:05:30 Mbps 埠6/2 2008-12-24 7.8 Very low Ge Zhilou, Huaiyuan Zhai ' 23:05:30 Mbps Table 4 Student Dormitory Network Instant Upload Data (Normal) Physical Line Time (Year - Month - Time: Minute: Second) Enter the traffic line semantic meaning building semantic analysis 埠 5/1 2008- 12-24 4.3 Very low and very low Huaiyuanzhai, Gezhilou, 23:05:30 Mbps 埠5/2 2008-12-24 6.6 Very low Huaiyuanzhai, Gezhilou, 23:05:30 Mbps 埠6/1 2008- 12-24 4.2 Very low Huaiyuanzhai, Gezhilou, 23:05:30 Mbps 14 201115974 —---1 埠6/2 ------- 2008-12-24 6.5 Non Often low and far away 9K Gezhi Building 23:05:30 Mbps Experiment 3 (using the abnormal state caused by P2P software): See Tables 5, 6 and Figure 11 below. In addition, the inventor also simulated another network based on historical data. Traffic abnormal state. This state is for students to use P2P software to download videos in the middle of the night, resulting in an abnormal surge in traffic in the dormitory. As shown in Table 5, May 19, 2009, 00:00
seconds to 00:20:00 on May 19, 2009, as the five groups of records show, when the system 1 of the present invention is used to monitor network traffic, it can be found that the network traffic of a student dormitory (Yiyou Zhai) surged during this period, and that the surge was caused by students using P2P software. Because P2P software is currently used almost exclusively to download illegal audio, video and software, many schools have begun to prohibit it, so the monitoring system 1 of the present invention can be used to find out whether this kind of abnormal condition is occurring on campus. Figure ^ shows the warning page generated after the first group of records in Tables 5 and 6 (00:00:00 on May 19, 2009) was processed by the system 1 of the present invention. As Figure 11 shows, the page displays the abnormal download condition at Yiyou Zhai caused by the use of P2P software.

Table 5 Student dormitory network real-time …

| Physical line port | Time (year-month-day hour:minute:second) | Incoming traffic (Mbps) | Line semantics | Building semantic analysis |
|---|---|---|---|---|
| (Gezhi Building, Yiyou Zhai) port 8/1 | 2009-5-19 00:00:00 | 97.6 | Very high | Very high |
| (Gezhi Building, Yiyou Zhai) port 8/2 | 2009-5-19 00:00:00 | 49.9 | Medium | Very high |
| (Gezhi Building, Yiyou Zhai) port 8/1 | 2009-5-19 00:05:00 | 76.4 | Very high | Very high |
| (Gezhi Building, Yiyou Zhai) port 8/2 | 2009-5-19 00:05:00 | 47.5 | Medium | Very high |
| (Gezhi Building, Yiyou Zhai) port 8/1 | 2009-5-19 00:10:00 | 76.2 | Very high | Very high |
| (Gezhi Building, Yiyou Zhai) port 8/2 | 2009-5-19 00:10:00 | 51.0 | Medium | Very high |
| (Gezhi Building, Yiyou Zhai) port 8/1 | 2009-5-19 00:15:00 | 76.3 | Very high | Very high |
| (Gezhi Building, Yiyou Zhai) port 8/2 | 2009-5-19 00:15:00 | 45.6 | Medium | Very high |
| (Gezhi Building, Yiyou Zhai) port 8/1 | 2009-5-19 00:20:00 | 80.5 | Very high | Very high |
| (Gezhi Building, Yiyou Zhai) port 8/2 | 2009-5-19 00:20:00 | 49.6 | Medium | Very high |

Table 6 Student dormitory network real-time upload data (normal)

| Physical line port | Time (year-month-day hour:minute:second) | Incoming traffic (Mbps) | Line semantics | Building semantic analysis |
|---|---|---|---|---|
| (Yiyou Zhai, Gezhi Building) port 8/1 | 2009-5-19 00:00:00 | 49.2 | Medium | Medium |
| (Yiyou Zhai, Gezhi Building) port 8/2 | 2009-5-19 00:00:00 | 25.0 | Low | Medium |
| (Yiyou Zhai, Gezhi Building) port 8/1 | 2009-5-19 00:05:00 | 25.6 | Low | Low |
| (Yiyou Zhai, Gezhi Building) port 8/2 | 2009-5-19 00:05:00 | 25.8 | Low | Low |
| (Yiyou Zhai, Gezhi Building) port 8/1 | 2009-5-19 00:10:00 | 25.7 | Low | Low |
| (Yiyou Zhai, Gezhi Building) port 8/2 | 2009-5-19 00:10:00 | 24.1 | Low | Low |
| (Yiyou Zhai, Gezhi Building) port 8/1 | 2009-5-19 00:15:00 | 22.5 | Low | Low |
| (Yiyou Zhai, Gezhi Building) port 8/2 | 2009-5-19 00:15:00 | 23.5 | Low | Low |
| (Yiyou Zhai, Gezhi Building) port 8/1 | 2009-5-19 00:20:00 | 23.1 | Low | Low |
| (Yiyou Zhai, Gezhi Building) port 8/2 | 2009-5-19 00:20:00 | 21.4 | Low | Low |

In summary, when network traffic becomes abnormal, the smart network monitoring system of the present invention can immediately provide alarm semantics that match the way people think, so that network administrators are told to take appropriate measures at once. In addition, the cost of building the present invention is affordable for ordinary small and medium-sized enterprises and schools, so it lets them save the large expense of customized traffic monitoring for their network environment; the object of the present invention is therefore indeed achieved.

The above, however, is only the preferred embodiment of the present invention and cannot be used to limit the scope in which the present invention is practiced; that is, all simple equivalent changes and modifications made according to the claims and the description of the invention remain within the scope covered by the patent of the present invention.

[Brief Description of the Drawings]

Figure 1 is a system block diagram illustrating the preferred embodiment of the smart network monitoring system of the present invention;
Figure 2 is a tree diagram illustrating the knowledge ontology stored in the knowledge ontology repository in the preferred embodiment;
Figure 3 is a schematic diagram illustrating an example of the concept of a network device in the preferred embodiment;
Figure 4 is a schematic diagram illustrating an example of an instance of a network device in the preferred embodiment;
Figure 5 is a graph illustrating an example of the membership functions between the traffic of a network line (also called a port) and the input fuzzy variables in the preferred embodiment;
Figure 6 is an architecture diagram illustrating the architecture in the preferred embodiment (taking as an example the upload network traffic of the student dormitory Huaiyuan Zhai on the campus of the applicant, the University of Tainan);
Figure 7 is a segment of program code illustrating an example of the FML code of the knowledge base in the preferred embodiment;
Figure 8 is a segment of program code illustrating an example of the FML code of the rule base in the preferred embodiment;
Figure 9 is a computer screen illustrating the network monitoring interface of Experiment 1 in the preferred embodiment;
Figure 10 is a computer screen illustrating the network monitoring interface of Experiment 2 in the preferred embodiment; and
Figure 11 is a computer screen illustrating the network monitoring interface of Experiment 3 in the preferred embodiment.

[Description of Main Component Symbols]

1 .......... Smart network monitoring system
11 ........ Network traffic data capture unit
13 ........ Fuzzy controller
131 ...... Knowledge ontology repository
1311 .... Fuzzy inference knowledge base
1312 .... Fuzzy inference rule base
132 ...... Fuzzy inference engine
14 ........ Alarm unit
15 ........ Network monitoring interface
8 .......... Network monitoring domain expert
9 .......... Network device
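The step from measured port rates to the line and building semantics listed in Tables 5 and 6 can be reproduced with a small fuzzy classifier. The Python code below is an added example, not the patent's FML knowledge base or rule base: the term set, the trapezoid breakpoints, the 100 Mbps port capacity, the alert threshold and the rule that the most severe port decides the building semantics are all assumptions chosen to agree with the two tables.

```python
# Added illustration. Term names, breakpoints, port capacity and the
# "most severe port wins" rule are assumptions, not the patent's FML content.
TERMS = ["low", "medium", "high", "very high"]      # ordered by severity
MEMBERSHIP = {                                       # trapezoids over utilisation %
    "low":       (0, 0, 25, 40),
    "medium":    (25, 40, 50, 60),
    "high":      (50, 60, 65, 75),
    "very high": (65, 75, 100, 100),
}
PORT_CAPACITY_MBPS = 100.0                           # assumed maximum inbound rate
ALERT_FROM = "high"                                  # assumed alert threshold

def trapezoid(x, a, b, c, d):
    """Degree of membership: 0 outside [a, d], 1 on [b, c], linear in between."""
    if x < a or x > d:
        return 0.0
    if x < b:
        return (x - a) / (b - a)
    if x <= c:
        return 1.0
    return (d - x) / (d - c)

def port_semantic(mbps, capacity=PORT_CAPACITY_MBPS):
    """Map one port's inbound rate to the linguistic term with the highest degree."""
    pct = min(max(100.0 * mbps / capacity, 0.0), 100.0)
    degree = {t: trapezoid(pct, *MEMBERSHIP[t]) for t in TERMS}
    # On a tie, report the more severe term so an alert is not suppressed.
    return max(TERMS, key=lambda t: (degree[t], TERMS.index(t)))

def building_semantic(port_terms):
    """Building-level term: the most severe term among its ports."""
    return max(port_terms, key=TERMS.index)

def analyse(rows):
    """rows: (time, port 8/1 Mbps, port 8/2 Mbps) -> (time, port terms, building, alert)."""
    out = []
    for time, *rates in rows:
        ports = [port_semantic(r) for r in rates]
        building = building_semantic(ports)
        out.append((time, ports, building, TERMS.index(building) >= TERMS.index(ALERT_FROM)))
    return out

# Inbound rates copied from Tables 5 and 6 (2009-5-19, ports 8/1 and 8/2).
TABLE5 = [("00:00:00", 97.6, 49.9), ("00:05:00", 76.4, 47.5), ("00:10:00", 76.2, 51.0),
          ("00:15:00", 76.3, 45.6), ("00:20:00", 80.5, 49.6)]
TABLE6 = [("00:00:00", 49.2, 25.0), ("00:05:00", 25.6, 25.8), ("00:10:00", 25.7, 24.1),
          ("00:15:00", 22.5, 23.5), ("00:20:00", 23.1, 21.4)]

if __name__ == "__main__":
    for name, rows in (("Table 5", TABLE5), ("Table 6", TABLE6)):
        for row in analyse(rows):
            print(name, *row)
```

With these assumed breakpoints every Table 5 record raises an alert and no Table 6 record does; a deployment would take the breakpoints from the domain expert's knowledge base rather than from this example.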