TW201916641A - Abnormal traffic detecting server and abnormal traffic detecting method thereof - Google Patents
Description
The present invention relates to anomaly monitoring technology, and in particular to an abnormal traffic detection server and an abnormal traffic detection method thereof.
Anomaly monitoring is an important procedure that enterprises, telecom operators, network service providers and similar organizations use to operate and maintain terminal equipment. When a conventional traffic analysis system receives the network traffic, network quality or device performance parameter values collected by the network management system of the terminal equipment, it mostly evaluates the alarm thresholds and sends the alarms for each interface, alarm category and severity level at the same point in time. However, this causes problems such as an excessive number of alarms, false alarms, and alarms so scattered that they cannot be gathered for a combined judgment. Existing anomaly monitoring therefore still needs improvement.
In view of this, the present invention provides an abnormal traffic detection server and an abnormal traffic detection method thereof, which consolidate multiple abnormal event records and combine alarm notification with a fault-tolerance mechanism, greatly reducing the volume of single-alarm notifications.
The abnormal traffic detection method of the present invention includes the following steps. Multiple pieces of traffic data are analyzed to obtain multiple abnormal event records. An abnormal event ticket is created from these abnormal event records, and the ticket consolidates those records. Subsequent abnormal event records of the abnormal event ticket are detected in order to accumulate the ticket's abnormality value. The end of the abnormal event ticket is determined from its abnormality value, and the creation and the end of the abnormal event ticket are notified.
The abnormal traffic detection server of the present invention includes an input unit and a processing unit. The input unit obtains multiple pieces of traffic data. The processing unit is coupled to the input unit and is configured to perform the following steps. The traffic data are analyzed to obtain multiple abnormal event records. An abnormal event ticket is created from these abnormal event records, and the ticket consolidates those records. Subsequent abnormal event records of the abnormal event ticket are detected in order to accumulate the ticket's abnormality value. The end of the abnormal event ticket is determined from its abnormality value, and the creation and the end of the abnormal event ticket are notified.
Based on the above, embodiments of the present invention can consolidate abnormal event records into multiple abnormal event records, continuously detect abnormal alarm records that occur afterwards, determine whether the abnormal event persists or has returned to normal, and issue a notification only when the abnormality value has accumulated to a specific amount. This not only greatly reduces the volume of single alarms but also incorporates a fault-tolerance mechanism for false alarms, so that the relevant personnel can discover important abnormal events in time and resolve them early, thereby effectively maintaining network service quality.
To make the above features and advantages of the present invention easier to understand, embodiments are described in detail below with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of a system architecture according to an embodiment of the present invention. The system architecture includes an abnormal traffic detection server 100 and a network management server 200. The abnormal traffic detection server 100 and the network management server 200 may be any type of electronic device, such as a server, personal computer, host or workstation.
The abnormal traffic detection server 100 includes an input unit 110, a storage unit 130 and a processing unit 150. The input unit 110 may be a hardware unit capable of receiving the traffic data of each terminal device (for example, network signal, network quality and device performance data), such as a wireless or wired communication processor (for example, one supporting Bluetooth, fourth-generation mobile communication (4G), Wi-Fi, optical fiber or Ethernet) or a bus interface.
The storage unit 130 may be any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk drive, solid-state drive or similar component, or a combination of these. It records software programs, namely the alarm item and threshold creation and management module 131, the event ticket type management module 132, the event ticket and alarm item association management module 133 and the abnormal event ticket generator 134, together with related information, files and parameters such as traffic data, alarm items, abnormal event records, abnormal event tickets, event ticket types, mapping tables, abnormality values, abnormality determination thresholds, weight values, and the event ticket and alarm item association definition table. These modules, parameters, files and data are described in detail in the embodiments below.
The processing unit 150 is connected to the input unit 110 and the storage unit 130, and may be a central processing unit (CPU), another programmable general-purpose or special-purpose microprocessor, a digital signal processor (DSP), a programmable controller, an application-specific integrated circuit (ASIC) or other similar component, or a combination of these. In embodiments of the present invention, the processing unit 150 performs all operations of the abnormal traffic detection server 100 and can access and execute the software modules recorded in the input unit 110 and the storage unit 130.
In embodiments of the present invention, the device that supplies the abnormal traffic detection server 100 with traffic data for the terminal devices and interfaces in the information and communication network is the network management server 200. The network management server 200 may be connected to one or more terminal devices and interfaces to obtain this traffic data.
It should be noted that in other embodiments the abnormal traffic detection server 100 may also obtain the traffic data directly from the terminal devices or interfaces through the input unit 110 (with a built-in network management function), and the traffic data may also be supplied by USB flash drive, data upload, optical disc or similar means; the present invention is not limited in this respect.
To make the operating flow of the embodiments easier to understand, several embodiments are given below to describe the abnormal traffic detection method in detail. The method is described with reference to the components and modules of the abnormal traffic detection server 100. Each step of the method may be adjusted to suit the implementation and is not limited to what is described here.
Before detection on the traffic data begins, the relevant parameters and mapping tables must be set. Because circuit traffic differs and changes with the network usage environment or the tier at which the circuit sits, a flexible mechanism for adapting the anomaly detection thresholds is needed. The alarm item and threshold creation and management module 131 therefore provides a user interface through which the user can define, according to a circuit classification planned in advance, detection thresholds for several severity classes (that is, the abnormality determination thresholds). For example, the alarm level is divided into three tiers, critical, major and minor, and each alarm item has three abnormality determination thresholds: a value below the first threshold is treated as normal, a value between the first and second thresholds as minor, a value between the second and third thresholds as major, and a value above the third threshold as critical. Note that the abnormality determination thresholds of different alarm items may differ, and may be adjusted by an expert system for the relevant domain or according to other usage requirements.
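In addition, the alarm item and threshold creation and management module 131 can set an importance priority order and a weight value among the alarm items. In other words, different alarm items are assigned different weight values. When the processing unit 150 detects several kinds of abnormal event records at the same time, it can sort the abnormal event records by priority order and then weight them by their weight values to raise the severity level of an abnormal event record. Taking Table (1) as an example, different alarm items correspond to different weight values and priority orders.
Table (1)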
The event ticket type management module 132 lets the user define event ticket types according to operations and maintenance needs, for reference by the event ticket and alarm item association management module 133 and the abnormal event ticket generator 134; abnormal event tickets can also be classified by frequency of occurrence (for example, real-time, daily or monthly). The event ticket and alarm item association management module 133 is used to define which alarm items belong to which event ticket type, and stores the definitions in the event ticket and alarm item association definition table of the database in the storage unit 130. Taking the event ticket and alarm item association table of Table (1) as an example, suppose there is a circuit abnormal event ticket AlarmTicket. When the processing unit 150 detects that a circuit raises any of the seven alarms in the table, such as ERR, PDC and TRF_DNGAP, the processing unit 150 assigns these seven alarms to the abnormal event ticket AlarmTicket according to Table (1).
Once these parameters and mapping tables have been set up, the core component of the embodiments (that is, the abnormal event ticket generator 134) can begin generating and analyzing network abnormal event tickets. The abnormal event ticket generator 134 analyzes the acquired traffic data to obtain multiple abnormal event records (step S210). Specifically, the input unit 110 collects and parses the traffic data at a fixed period (for example, every 5, 10 or 20 minutes, that is, in time slices) and stores it in the relevant tables of the traffic database in the storage unit 130. At each scan interval (for example, 5, 10 or 20 minutes) the abnormal event ticket generator 134 reads in the traffic data and monitors the traffic volume, circuit quality and other states of all circuits. The degree of abnormality of each alarm item is divided into three alarm levels, 1, 2 and 3 (corresponding to the minor, major and critical levels respectively), and the abnormal event ticket generator 134 determines for each alarm item whether the traffic data exceeds the corresponding abnormality determination threshold. If the content recorded in the traffic data exceeds the corresponding threshold, an abnormal event record is generated and stored in the database together with the corresponding alarm level.
The abnormal event ticket generator 134 creates an abnormal event ticket from these abnormal event records, and the ticket consolidates those records (step S220). Specifically, for a single interface and according to the event ticket and alarm item association table, the abnormal event ticket generator 134 applies a weighting operation (alarm level * weight value) to the different abnormal alarms that belong to the same event ticket type, and checks whether a corresponding event ticket already exists for (or is associated with) this interface.
Taking FIG. 3 as an example, at 01:00 the abnormal event ticket generator 134 detects a traffic-exceeds-upper-limit anomaly (TRF_BL, alarm level (2)) and, at the same time, a circuit packet loss rate too high anomaly (PDC, alarm level (3)) and a traffic utilization too high anomaly (UTL, alarm level 1). These can be arranged into the abnormal event record details shown in FIG. 4.
If no corresponding abnormal event ticket exists (or the records do not belong to an existing abnormal event ticket), the abnormal event ticket generator 134 creates an abnormal event ticket for this interface and takes the most severe abnormal event record after weighting as the representative of the ticket; the weighted abnormal alarm degree value (that is, the weighted alarm level) of that most severe record becomes the abnormality value of the ticket. If several records tie as most severe, the abnormal event ticket generator 134 compares them by the priority order of their alarm items and takes the one with the highest priority as the representative. When it creates the event ticket, the abnormal event ticket generator 134 also stores the association between the event ticket and the abnormal event records, so that the details of the abnormal event records can be presented during ticket query and analysis or in ticket notifications.
Referring to FIG. 3, the time-ordered traffic records show that the circuit's inbound traffic first exceeds the upper limit at 01:00 (3,587,279 > 3,567,660). Because PDC and UTL alarms are also present at the same time, the alarm items associated with the three alarm types must be weighted and ranked. After weighting and ranking the alarm items according to Table (1), TRF_BL is taken as the representative of the circuit abnormal event ticket, and the abnormal event ticket shown in FIG. 4 is created (TRF_BL [alarm level (2) * weight value (3) = 6] > PDC [alarm level (3) * weight value (1) = 3] > UTL [alarm level (1) * weight value (1) = 1]). The abnormality value accumulated by this circuit's abnormal event ticket is 6 (that is, the accumulated alarm level, which is the maximum of the weighted alarm levels of the three alarm items), and the ticket records the related PDC, UTL and TRF_BL alarm information and provides an interface to display it.
On the other hand, if a corresponding abnormal event ticket exists (or the records belong to an existing abnormal event ticket), the abnormal event ticket generator 134 first computes the weighted abnormal alarm degree value of the current alarm event record (that is, a subsequent abnormal event record of the existing ticket) and accumulates it into the abnormality value of the ticket it belongs to (that is, the abnormality value plus the abnormal alarm degree value of the most severe abnormal event record of the current scan) (step S230).
When the accumulated abnormality value of an abnormal event ticket reaches the configured event ticket notification threshold (assumed to be 6), the processing unit 150 notifies the administrators of this abnormal event ticket. If abnormal event records (the maximum alarm event of each period) occur consecutively so that the accumulated abnormality value would exceed 6 points, it is counted as 6 points. Taking the alarm diagram of FIG. 3 as an example, the first abnormal event ticket is sent at 01:00. The second abnormal event ticket is created at 04:00, but its accumulated abnormality value does not reach the notification threshold until 04:05, so the notification is sent at 04:05. The third event ticket follows the same pattern as the second: it is created at 08:50 but reaches the notification threshold only at 08:55, at which point the notification is sent.
If a scan finds no abnormal event record, the abnormal event ticket generator 134 reduces the abnormality value by 2 points, so that after three consecutive scans without an abnormal event record the abnormality value falls to 0. The anomaly is then regarded as cleared, and the abnormal event generator 134 closes the event ticket (that is, the end of the abnormal event ticket) and notifies the relevant administrators. Taking the alarm diagram of FIG. 3 as an example, after the notification for the second event ticket is sent at 04:05, abnormal event records keep occurring until 05:45, and during this time the accumulated abnormality value of the ticket stays at the maximum of 6. No abnormal event record is detected at 05:50 or at 05:55, so after 2 points are subtracted each time the abnormality value of the ticket at 05:55 is 2. However, an abnormal event record occurs again at 06:00, so the accumulated abnormality value of the ticket continues to increase, and the alarm notification for this ticket is not cleared until 06:45.
In embodiments of the present invention, alarm types are consolidated according to their severity and continuity, finally producing the three event tickets shown in FIG. 5. For operations and maintenance staff, the number of abnormality notifications for the one circuit in FIG. 3 drops from 42 to 6, a sevenfold reduction. When a large network is managed, the number of abnormal alarms is greatly reduced. An important abnormal event ticket alarm then helps staff grasp the abnormal situation immediately, so that the relevant personnel can step in as early as possible.
It should be noted that the abnormality value (that is, 6) and the decrement value (that is, 2) given above may be other values in other implementations, and may be adjusted to the needs of whoever applies the embodiments. In this embodiment the maximum abnormality value is the event ticket notification threshold, but in other embodiments it may be raised or lowered according to actual needs.
In addition to determining the end of the abnormal event ticket from its abnormality value, the processing unit 150 also notifies the creation and the end of the abnormal event ticket (step S240). In other words, the abnormal event generator 134 analyzes and manages the opening and closing of event tickets, records the creation and the end of each abnormal event ticket (such as the start and end times of the different tickets shown in FIG. 5) in the database, and notifies the relevant personnel when appropriate.
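The ticket life cycle of steps S220 to S240 can be traced with a small state machine. The following Python sketch is an added example and is not part of the patent text; it uses the weights (TRF_BL 3, PDC 1, UTL 1), the notification threshold and cap of 6, and the decrement of 2 from the description, while the priority order, the class and function names, the scan timeline, and reporting every close as an event are assumptions made for illustration.

```python
from dataclasses import dataclass

# Weight values taken from the worked example in the description.
WEIGHTS = {"TRF_BL": 3, "PDC": 1, "UTL": 1}
# Assumed priority order (1 = highest); Table (1) is not reproduced on the page.
PRIORITY = {"TRF_BL": 1, "PDC": 2, "UTL": 3}
NOTIFY_THRESHOLD = 6   # event ticket notification threshold
MAX_SCORE = 6          # accumulated value above 6 is counted as 6
DECREMENT = 2          # subtracted for each scan without abnormal records


def worst_record(alarms):
    """Return (alarm item, alarm level * weight) of the most severe record.

    Ties on the weighted value are broken by the alarm item's priority.
    """
    return max(
        ((item, level * WEIGHTS[item]) for item, level in alarms.items()),
        key=lambda rec: (rec[1], -PRIORITY[rec[0]]),
    )


@dataclass
class Ticket:
    opened_at: str
    representative: str
    score: int
    notified: bool = False


class InterfaceTracker:
    """Tracks the abnormal event ticket of a single interface."""

    def __init__(self):
        self.ticket = None

    def scan(self, ts, alarms):
        """Process one scan interval; alarms maps alarm item -> level (1..3)."""
        events = []
        if alarms:
            item, weighted = worst_record(alarms)
            if self.ticket is None:
                # S220: no ticket yet, the worst record becomes its representative.
                self.ticket = Ticket(ts, item, min(weighted, MAX_SCORE))
                events.append(("open", ts))
            else:
                # S230: accumulate into the existing ticket, capped at MAX_SCORE.
                self.ticket.score = min(self.ticket.score + weighted, MAX_SCORE)
            if self.ticket.score >= NOTIFY_THRESHOLD and not self.ticket.notified:
                self.ticket.notified = True
                events.append(("notify", ts))
        elif self.ticket is not None:
            # Quiet scan: decay the score; at 0 the anomaly is considered cleared.
            self.ticket.score = max(self.ticket.score - DECREMENT, 0)
            if self.ticket.score == 0:
                events.append(("close", ts))   # S240 (assumed: every close is reported)
                self.ticket = None
        return events


def run(timeline):
    """Feed a list of (timestamp, alarms) scans to one tracker, collect events."""
    tracker = InterfaceTracker()
    events = []
    for ts, alarms in timeline:
        events.extend(tracker.scan(ts, alarms))
    return events


# Constructed scan results for one interface (not the data of FIG. 3).
TIMELINE = [
    ("01:00", {"TRF_BL": 2, "PDC": 3, "UTL": 1}),  # weighted 6, 3, 1
    ("01:05", {}), ("01:10", {}), ("01:15", {}),   # 4, 2, 0 -> closed
    ("04:00", {"PDC": 3}),                         # new ticket, score 3
    ("04:05", {"PDC": 3}),                         # score 6 -> notify
    ("04:10", {"TRF_BL": 2}),                      # capped at 6
    ("04:15", {}), ("04:20", {}),                  # 4, 2
    ("04:25", {"UTL": 1}),                         # recurrence, score 3
    ("04:30", {}), ("04:35", {}),                  # 1, 0 -> closed
]

if __name__ == "__main__":
    for event in run(TIMELINE):
        print(event)
```

A single isolated low-weight alarm opens a ticket that decays away without ever reaching the notification threshold, which is the false-alarm tolerance the description refers to.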
In summary, the idea behind the embodiments came from collecting, observing and analyzing the timing and frequency distribution of the traffic abnormality alarms that a traffic detection system generates for a single interface over a period of time, which showed that abnormal alarms occur both sporadically and in continuous runs. If, for a continuous run of traffic abnormality alarms, an abnormal event ticket is created at the first occurrence and its opening time recorded, the ticket is closed and its closing time recorded once the traffic returns to normal, and the operating unit is notified when the ticket is opened and when it is closed, then a continuous run of single alarms can be consolidated, the volume of single alarms reduced, and important abnormal alarms kept from being buried among numerous alarm events.
During analysis, for sporadic or discontinuous alarm conditions, a mechanism with weight adjustment and progressive accumulation of alarm degree makes the detection of severe anomalies or false alarms more fault tolerant. Because network anomalies include more than traffic anomalies, taking the various anomalies of the same interface at the same point in time into account together, for example quality anomalies such as packet loss rate and packet error rate, gives a more comprehensive grasp of the anomalies of a single interface.
Accordingly, besides greatly reducing the volume of single alarms, the embodiments of the present invention provide a fault-tolerance mechanism for false alarms, and the combined analysis makes it easier to notice important abnormal events in real time, achieving early discovery and early resolution, which reduces customer complaints and losses and thereby effectively maintains network service quality.
Although the present invention has been disclosed above by way of embodiments, they are not intended to limit the invention. Anyone with ordinary knowledge in the technical field may make minor changes and refinements without departing from the spirit and scope of the invention, so the scope of protection of the invention is defined by the appended claims.
100: abnormal traffic detection server
110: input unit
130: storage unit
131: alarm item and threshold creation and management module
132: event ticket type management module
133: event ticket and alarm item association management module
134: abnormal event ticket generator
200: network management server
S210~S240: steps
FIG. 1 is a schematic diagram of a system architecture according to an embodiment of the present invention.
FIG. 2 is a flowchart of an abnormal traffic detection method according to an embodiment of the present invention.
FIG. 3 is an example illustrating abnormal event records.
FIG. 4 is an example illustrating abnormal event records and the abnormal event ticket created from them.
FIG. 5 is an example illustrating the creation and the end of abnormal event tickets.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW106133603A TWI749072B (en) | 2017-09-29 | 2017-09-29 | Abnormal traffic detecting server and abnormal traffic detecting method thereof |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW201916641A | 2019-04-16 |
| TWI749072B | 2021-12-11 |