TWI510109B - The recursive method of network traffic anomaly detection - Google Patents

Publication number
TWI510109B
Authority
TW
Taiwan
Prior art keywords
signaling
abnormal
user
traffic
recursive
Prior art date
Application number
TW102134461A
Other languages
Chinese (zh)
Other versions
TW201513690A (en)
Inventor
Yao Tsung Yang
Yi Sheng Chiu
Grum Ting Liu
Kuen Tsang Hsieh
Original Assignee
Chunghwa Telecom Co Ltd
Priority date
Filing date
Publication date
Application filed by Chunghwa Telecom Co Ltd
Priority to TW102134461A
Publication of TW201513690A
Application granted
Publication of TWI510109B

Description

Recursive abnormal network traffic detection method

This patent concerns signaling anomaly analysis for mobile networks. Beyond parsing the content of abnormal signaling, it uses traffic information to provide an evaluation value for traffic changes, which helps pinpoint the cause of mobile network anomalies. A cloud architecture further shortens traffic prediction time and improves prediction accuracy and timeliness, so that the state of the overall network can be grasped in time. These are the technical features of this patent.

With the spread of smartphones, tablets, audio and video media and apps, the bandwidth and transmission quality of mobile networks matter more and more, and network congestion in particular has long drawn complaints. Understanding users' online behavior patterns and the traffic trend of each device therefore helps pinpoint the cause of anomalies.

For equipment currently on the market such as the Base Station Controller (BSC) or Radio Network Controller (RNC), the traffic information provided by the network management function is mostly device traffic. Equipment such as the Policy Charging and Rules Function (PCRF) or Policy and Charging Enforcement Function (PCEF) can report a user's traffic usage but cannot tell the connection state of the access device. Moreover, judging abnormal traffic generally relies on the experience of the administrator or operator, or directly on system default values, which does not truly reflect traffic anomalies, let alone detect anomalous changes dynamically.

World patent WO2011144061, "Congestion detection method and apparatus for cell in mobile network", uses the RRT (Round Trip Time) between the Acquisition Unit and the Cell device as the main criterion for congestion detection and judges against a preset RRTH (Round Trip Time threshold value): RRT > RRTH means the Cell is congested, otherwise it is not. The preset RRTH can show in real time whether the current connection is congested, but it cannot show how the anomaly changes.

Taiwan patent M394652, "Real-time mobile network data service rate query device", offers mobile users a download test service that learns the connection state of the network by transferring a file. It can therefore only provide small-scale, per-user traffic tests and gives no view of overall network device status or of abnormal changes in traffic.

In addition, obtaining traffic information through the network management function of a mobile core network device consumes that device's computing time and so affects system performance; if the device is already fully loaded, the anomaly becomes even harder to resolve. Device operating modes are also relatively complex because they differ between manufacturers, so comprehensive monitoring inevitably adds customization cost. Furthermore, equipment on the market offers almost no traffic prediction, so traffic data is not put to effective use and cannot inform future capacity expansion or adjustment.

In short, although typical mobile network monitoring equipment has real-time traffic information, it mostly judges congestion against a fixed threshold, which poorly reflects changes in abnormal traffic, and it offers no evaluation or prediction of user or device traffic. Device operating modes and output data formats also differ widely between manufacturers, so in a network built from many kinds of equipment a single approach cannot cover every device and each must be customized individually. On the other hand, capturing or analyzing traffic data on the device itself degrades system performance and rules out computation over massive data. As a result traffic data is not put to effective use and anomalies are hard to resolve, which is a persistent worry for operations and maintenance staff.

It can be seen that the conventional approaches above still have many shortcomings, are not sound designs, and urgently need improvement.

The purpose of this patent is to monitor abnormal traffic states in a mobile communication network. Using the proposed method, captured signaling and collected traffic data are analyzed: signaling analysis determines whether a connection is abnormal, and the historical traffic changes of the user or device help judge the current abnormal state of the network. This helps pinpoint the cause of anomalies and improves the efficiency and correctness of operations and troubleshooting. The patent further examines the analyzed signaling and predicts traffic with a statistical learning model, as a basis for future capacity expansion or adjustment.

The recursive abnormal network traffic detection method that achieves this purpose is a technique for anomaly analysis and estimation. It comprises four units: (1) a mobile signaling capture module, (2) a signaling anomaly detection module, (3) a cloud server, and (4) an anomaly evaluation reference module.

The mobile signaling capture module captures signaling between mobile core network devices, records the capture time, and decodes the signaling to obtain the user identifier, device identifier, operation code, connection state, user uplink and downlink traffic, device transmission traffic and so on. The signaling anomaly detection module then analyzes the connection state: if the state in the packet content can be read directly as abnormal, it raises an anomaly alert immediately. If it cannot be read directly, the module compares traffic, using the traffic prediction value from the recursive computation as the reference value; if the difference between the actual measured value and the reference value exceeds the error threshold, the connection is included in the anomaly alerts. Finally, the result and the corresponding user and device parameters are collated and stored on the cloud server for the next recursive computation.

The anomaly evaluation reference module takes the traffic data stored on the cloud server as input and uses data filtering to select the valid traffic, which makes anomaly analysis more efficient and anomaly evaluation more accurate. The cloud architecture shortens computation over massive data and so improves the timeliness of anomaly estimation. In addition, the learning model derived from connection states uses the actually measured traffic values to produce a corrected anomaly index, which serves as the basis for the next anomaly evaluation and improves the accuracy of anomaly prediction.

The recursive abnormal network traffic detection method of this patent differs from monitoring equipment on the market. It can parse device traffic (for example Cell or RNC), analyze user traffic in a way similar to the traffic statistics of PCRF/PCEF, and analyze connection content as well. Compared with other conventional techniques it has the following advantages:

1. The mobile signaling capture module uses signaling offloading to capture signaling between devices, so it does not affect the performance of the mobile core network devices.

2. The signaling anomaly detection module analyzes the connection state of users and devices and raises an anomaly alert immediately when a field carries abnormal information.

3. The signaling anomaly detection module performs signaling traffic detection on connections that are not abnormal or whose abnormality cannot be determined. It links signaling traffic by user and device identifier and judges abnormality against past traffic reference values.

4. The anomaly evaluation reference module uses a cloud server to process massive data, which consolidates computing resources and reduces computation time.

5. The anomaly evaluation reference module uses a statistical learning model to estimate traffic as the basis for identifying abnormal traffic.

10‧‧‧Mobile signaling capture module
20‧‧‧Signaling anomaly detection module
201‧‧‧Signaling analysis
202‧‧‧Connection state comparison: is the state abnormal?
203‧‧‧Anomaly alert
204‧‧‧Link traffic information
205‧‧‧Traffic comparison: is the error greater than the error threshold?
206‧‧‧Traffic collation
30‧‧‧Cloud server
40‧‧‧Anomaly evaluation reference module
401‧‧‧Data filtering
402‧‧‧Anomaly analysis
403‧‧‧Anomaly evaluation
404‧‧‧Learning model
405‧‧‧Training data

The technical content, purpose and effects of the invention can be further understood from the detailed description and the accompanying drawings, which are:

FIG. 1 is a module diagram of the recursive abnormal network traffic detection method.

FIG. 2 is an operation flowchart of the signaling anomaly detection module.

FIG. 3 is a functional procedure diagram of the anomaly evaluation reference module.

To make the purpose, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. The specific embodiments described here only explain the invention and do not limit it.

The invention is further described below with reference to the drawings:

This patent is a recursive abnormal network traffic detection method. It analyzes captured signaling content to detect the connection state of the mobile network and judges whether the network is abnormal by comparing against reference values from past traffic. It also filters out measurements with large errors so that the training data converges, and recursively corrects the evaluation parameters to make abnormal traffic judgments more accurate.

Referring to FIG. 1, the patent comprises four units: the mobile signaling capture module 10, the signaling anomaly detection module 20, the cloud server 30 and the anomaly evaluation reference module 40.

The mobile signaling capture module 10 captures signaling between mobile network devices, records the capture time, decodes the signaling to produce the user identifier, device identifier, operation code, connection state, user uplink and downlink traffic, device transmission traffic and so on, and outputs the result to the signaling anomaly detection module 20. The mobile network devices are common mobile core network equipment, for example the base station controller (BSC) or radio network controller (RNC), the radio access networks GERAN (GSM/EDGE Radio Access Network), UTRAN (Universal Terrestrial Radio Access Network) and EUTRAN (Evolved UTRAN), the Serving GPRS Support Node (SGSN), the Gateway GPRS Support Node (GGSN), the Serving Gateway (S-GW), the Packet Data Network Gateway (P-GW) or the Mobile Management Entity (MME).

The signaling anomaly detection module 20 analyzes the connection state and raises an anomaly alert immediately if the state can be read directly as abnormal. If it cannot be read directly, the module compares traffic, using as the reference value either the same-time-slot predicted value or the average over different time slots produced by the anomaly evaluation reference module 40; if the difference between the measured value and the reference value exceeds the error threshold, the connection is included in the anomaly alerts. Finally, the result and the corresponding user and device parameters are collated and stored on the cloud server 30.

For the execution steps, refer to FIG. 2. Signaling analysis 201 first reads the signaling fields decoded by the mobile signaling capture module 10 and performs the connection state comparison 202. If the connection state of the user or device can be read directly as abnormal, the connection record is sent to anomaly alert 203 and marked abnormal. The connection state is any status field defined in the 3GPP documents that can identify the state of a user or device, such as Radio Network Layer Cause, Transport Layer Cause, Protocol Cause and Miscellaneous Cause. If the anomaly cannot be read directly, link traffic information 204 uses the user or device identifier to obtain the traffic information for the current time slot, and the traffic reference value is read from the anomaly evaluation reference module 40. If no traffic reference value exists, traffic comparison 205 is skipped and processing goes to traffic collation 206; if a traffic reference value exists, traffic comparison 205 is performed. The comparison formula is as follows:

Its terms are the traffic reference value generated by the anomaly evaluation reference module 40, the actual traffic value M_t obtained by the mobile signaling capture module 10, and the relative error threshold H. If the error is greater than the error threshold, the connection record is likewise sent to anomaly alert 203 and marked abnormal. If it is smaller than the error threshold, processing goes to traffic collation 206. Traffic collation 206 stages each connection record for storage on the cloud server, collating the capture time, user identifier, device identifier, operation code, connection state, user uplink and downlink traffic, device transmission traffic, traffic reference value, relative error value and so on. Finally, the result is output to the cloud server 30.

The cloud server 30 stores the massive traffic data and comparison parameters produced by the signaling anomaly detection module 20 in a distributed database. It uses a MapReduce distributed computing environment: the massive data is converted into key/value pairs that are handed to different Mappers for processing, and once the computation of the anomaly evaluation reference module 40 is complete the results are again arranged as key/value pairs and passed to the Reducer to consolidate. This consolidates computing resources and reduces computation time.

The anomaly evaluation reference module 40 builds a statistical-learning probability model from the filtered normal historical traffic data of a user or device and applies the evaluation formula recursively to generate the traffic reference value. That value is used to judge the current abnormal state of the user or device, and the anomaly index is fine-tuned to raise evaluation accuracy.

For the operating procedure, refer to FIG. 3. The module first reads the traffic comparison data stored on the cloud server 30 and, through data filtering 401, obtains the traffic data of the user or device for the same time slot; if no same-time-slot data is found, the single-day average traffic is used instead. The result is stored in training data 405. Anomaly analysis 402 then takes the filtered user or device connection traffic data and, using the feature data provided by training data 405, converts it into the corresponding statistical model according to learning model 404. This yields the anomaly index that anomaly evaluation 403 uses as its basis for judgment, and the traffic reference value generated by the evaluation formula is sent to the signaling anomaly detection module 20. The reference value produced by anomaly evaluation 403 is also fed back to learning model 404; anomaly analysis 402 compares it with the actual measured value selected by the next pass of data filtering 401 to obtain a new anomaly parameter and correct the reference value of anomaly evaluation 403, so that the predicted reference value becomes more accurate. The formula is as follows:

Its terms are the current estimate of anomaly evaluation 403, the previous estimate of anomaly evaluation 403, the anomaly index K_t, and the actual measured value M_t selected by data filtering 401. As the module keeps executing recursively and fine-tuning, the predicted reference value it produces moves closer to the actual measurements.

To summarize, an embodiment of this patent can be illustrated as follows. The mobile signaling capture module 10 sits between the mobile network devices, the base station controller (BSC) or radio network controller (RNC) on one side and the Serving GPRS Support Node (SGSN) on the other, and captures RANAP (Radio Access Network Application Part) signaling on the IuPS (Interface UMTS Packet Switched) interface. In the signaling anomaly detection module 20, the field Radio Network Layer Cause is found to have the value Unable to Establish During Relocation, so the connection is read directly as abnormal. If that field is absent or the message content does not allow an anomaly to be determined, the module takes the GTP-C (GPRS Tunneling Protocol-Control) traffic for the same radio network controller number (RNC-ID) and the traffic reference value generated by the anomaly evaluation reference module 40 and compares the error between the two. If the error exceeds the error threshold of 10%, the connection is judged abnormal, and the result is stored on the cloud server 30 for the next estimation.
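The two-stage check in this embodiment, as an added Python example that is not code from the patent. The formula images did not survive on this page, so the relative-error comparison and the update `previous + K_t * (M_t - previous)` are assumed forms; the `1/n` gain with floor `K_MIN`, the record layout and the `RNC-0042` sample values are constructed for illustration.

```python
"""Cause field first, then traffic against a recursively updated reference value."""
from dataclasses import dataclass

# Cause value the embodiment reads directly as abnormal (Radio Network Layer Cause).
ABNORMAL_CAUSES = {"Unable to Establish During Relocation"}
H = 0.10     # relative error threshold; 10% is the value used in the embodiment
K_MIN = 0.2  # assumed floor for the gain K_t so the reference keeps tracking


@dataclass
class Reference:
    """Recursive traffic reference for one user or device identifier."""
    estimate: float
    samples: int = 1

    def update(self, measured: float) -> float:
        # Assumed update form: new = previous + K_t * (M_t - previous).
        self.samples += 1
        k_t = max(K_MIN, 1.0 / self.samples)
        self.estimate += k_t * (measured - self.estimate)
        return self.estimate


def relative_error(measured: float, reference: float) -> float:
    # Assumed comparison: |M_t - reference| / reference, checked against H.
    if reference == 0:
        return 0.0 if measured == 0 else float("inf")
    return abs(measured - reference) / reference


def detect(records, h=H):
    """Return (verdicts, refs); each verdict is (time, device_id, status, rel_err)."""
    refs = {}
    verdicts = []
    for rec in records:
        dev, measured = rec["device_id"], rec["traffic"]
        # Step 202: a cause value that is abnormal on its face alerts immediately.
        if rec.get("cause") in ABNORMAL_CAUSES:
            verdicts.append((rec["time"], dev, "alert:cause", None))
            continue
        ref = refs.get(dev)
        # Steps 204/205: with no reference yet, skip the comparison and only collate.
        if ref is None:
            refs[dev] = Reference(estimate=measured)
            verdicts.append((rec["time"], dev, "no-reference", None))
            continue
        err = relative_error(measured, ref.estimate)
        if err > h:
            # Out-of-range measurements alert and stay out of the training samples.
            verdicts.append((rec["time"], dev, "alert:traffic", err))
            continue
        verdicts.append((rec["time"], dev, "normal", err))
        ref.update(measured)  # only in-range measurements feed the recursion
    return verdicts, refs


# Constructed per-slot GTP-C traffic for one RNC-ID (not data from the patent).
SAMPLE = [
    {"time": "t0", "device_id": "RNC-0042", "cause": None, "traffic": 1000.0},
    {"time": "t1", "device_id": "RNC-0042", "cause": None, "traffic": 1040.0},
    {"time": "t2", "device_id": "RNC-0042", "cause": None, "traffic": 980.0},
    {"time": "t3", "device_id": "RNC-0042", "cause": None, "traffic": 1500.0},
    {"time": "t4", "device_id": "RNC-0042",
     "cause": "Unable to Establish During Relocation", "traffic": 0.0},
    {"time": "t5", "device_id": "RNC-0042", "cause": None, "traffic": 1010.0},
]


def run_sample():
    return detect(SAMPLE)


if __name__ == "__main__":
    verdicts, refs = run_sample()
    for verdict in verdicts:
        print(verdict)
    print("reference:", refs["RNC-0042"].estimate)
```

Because the spike at `t3` and the cause alert at `t4` never reach `update`, the reference after `t5` is still the mean of the four in-range samples.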

The detailed description above specifically describes one feasible embodiment of the invention. That embodiment is not intended to limit the patent scope of the invention, and any equivalent implementation or modification that does not depart from the technical spirit of the invention shall be included in the patent scope of this case.

In summary, this case is not only innovative in its technical concept but also provides the several effects described above that conventional methods cannot match. It fully meets the statutory requirements of novelty and inventive step for an invention patent, and the application is filed in accordance with the law. The Office is respectfully requested to approve this invention patent application, to encourage invention.

Claims (6)

1. A method for recursive abnormal network traffic detection, comprising: a signaling anomaly detection module which, based on the information provided by a mobile signaling capture module, reads the connection state of a device or user, raises an anomaly alert immediately if the state is read directly as abnormal, and then performs signaling analysis, comparing against the result predicted by an anomaly evaluation reference module within a reasonable time range, and including the signaling in the anomaly alerts if the difference between its actual measured value and the predicted value exceeds the error range; and an anomaly evaluation reference module which builds a statistical-learning probability model from the historical traffic data of the user or device and applies an evaluation formula recursively to generate a traffic reference value for judging the current abnormal state of the user or device, the execution steps of the anomaly evaluation reference module comprising: step 1, filtering the traffic information measured by the signaling anomaly detection module; step 2, applying the evaluation formula to the historical traffic information to generate the traffic reference value; step 3, comparing the error between the reference value and the actual measured value and fine-tuning the anomaly index to correct the learning model; and step 4, storing the actual measured values that fall within the error range as samples for recursive execution.

2. The method for recursive abnormal network traffic detection according to claim 1, wherein the connection state of the signaling anomaly detection module is a status field that identifies the state of a user or device.

3. The method for recursive abnormal network traffic detection according to claim 1, wherein the signaling analysis steps of the signaling anomaly detection module are: step 1, obtaining user traffic information according to the user identifier; step 2, obtaining device traffic information according to the device identifier; step 3, comparing against the reference value of the anomaly evaluation reference module; and step 4, including the signaling in the anomaly alerts when the error is greater than the threshold.

4. The method for recursive abnormal network traffic detection according to claim 3, wherein in step 1 of the signaling analysis the user identifier identifies the user in order to link that user's traffic information, the identifier being the address of a field that identifies the user.

5. The method for recursive abnormal network traffic detection according to claim 3, wherein in step 2 of the signaling analysis the device identifier identifies the device in order to link that device's traffic information, the identifier being a field that identifies the device.

6. The method for recursive abnormal network traffic detection according to claim 1, wherein the terms of the evaluation formula are the current estimate of the anomaly evaluation, the previous estimate of the anomaly evaluation, the anomaly index K_t, and the actual measured value M_t selected by data filtering.
TW102134461A 2013-09-25 2013-09-25 The recursive method of network traffic anomaly detection TWI510109B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW102134461A TWI510109B (en) 2013-09-25 2013-09-25 The recursive method of network traffic anomaly detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW102134461A TWI510109B (en) 2013-09-25 2013-09-25 The recursive method of network traffic anomaly detection

Publications (2)

Publication Number Publication Date
TW201513690A TW201513690A (en) 2015-04-01
TWI510109B true TWI510109B (en) 2015-11-21

Family

ID=53437324

Family Applications (1)

Application Number Title Priority Date Filing Date
TW102134461A TWI510109B (en) 2013-09-25 2013-09-25 The recursive method of network traffic anomaly detection

Country Status (1)

Country Link
TW (1) TWI510109B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI735594B (en) * 2016-08-08 2021-08-11 香港商阿里巴巴集團服務有限公司 Method, device and system for identifying and assisting in identifying false traffic
TWI782645B (en) * 2021-07-29 2022-11-01 中華電信股份有限公司 System and method for evaluating network component quality degradation based on mobile network

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002021774A1 (en) * 2000-09-11 2002-03-14 Nokia Corporation System, device and method for automatic anomaly detection
US20070064617A1 (en) * 2005-09-15 2007-03-22 Reves Joseph P Traffic anomaly analysis for the detection of aberrant network code
EP1772993A1 (en) * 2005-10-05 2007-04-11 Fujitsu Limited Detecting anomalies internal to a network from traffic external to the network
US20100138919A1 (en) * 2006-11-03 2010-06-03 Tao Peng System and process for detecting anomalous network traffic
US20130117282A1 (en) * 2011-11-08 2013-05-09 Verisign, Inc. System and method for detecting dns traffic anomalies

Also Published As

Publication number Publication date
TW201513690A (en) 2015-04-01

Similar Documents

Publication Publication Date Title
JP6690011B2 (en) System and method for measuring effective customer impact of network problems in real time using streaming analysis
US9888399B2 (en) Adaptive monitoring for cellular networks
JP5612696B2 (en) Network management system and method for identifying and accessing quality of service results within a communication network
CN110312279A (en) A kind of monitoring method and device of network data
US9462486B2 (en) Method and device for classifying wireless data service
WO2014040633A1 (en) Identifying fault category patterns in a communication network
CN103906112A (en) Method and system for communication network performance analyzing
CN110856188B (en) Communication method, apparatus, system, and computer-readable storage medium
WO2013185489A1 (en) Method and apparatus for analyzing signaling traffic
CN105357699A (en) Wireless network quality monitoring system and method
CN103298035A (en) Congestion control method and device
CN102256297B (en) TD-SCDMA (Time Division-Synchronization Code Division Multiple Access) wireless communication network service user perception data collection method
CN113225339A (en) Network security monitoring method and device, computer equipment and storage medium
TWI510109B (en) The recursive method of network traffic anomaly detection
CN104811959A (en) Mobile network user perception analysis system and method based on big data
CN108667740A (en) The method, apparatus and system of flow control
CN107820270B (en) GPRS interface monitoring system based on GSM-R network
CN108063764B (en) Network traffic processing method and device
CN110972199B (en) Flow congestion monitoring method and device
CN113727092B (en) Video monitoring quality inspection method and device based on decision tree
WO2023045365A1 (en) Video quality evaluation method and apparatus, electronic device, and storage medium
JP2017208717A (en) Analysis system for radio communication network
CN212569772U (en) Cloud computing server platform based on big data
CN102256271A (en) Capacity expansion indication information acquisition method and device
TWI536774B (en) Network Management Method Based on Predicting Circuit Carrying Capacity and Computer Program Product

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees