TWI389504B - IP network traffic error detection and analysis system - Google Patents

IP network traffic error detection and analysis system

Info

Publication number
TWI389504B
Authority
TW
Taiwan
Prior art keywords
network
traffic
analysis
error detection
module
Prior art date
Application number
TW98125298A
Other languages
Chinese (zh)
Other versions
TW201105065A (en)
Original Assignee
Chunghwa Telecom Co Ltd
Priority date
2009-07-28
Filing date
2009-07-28
Publication date
2013-03-11
Application filed by Chunghwa Telecom Co Ltd
Priority to TW98125298A
Publication of TW201105065A
Application granted
Publication of TWI389504B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Description

IP network traffic error detection and analysis system

The present invention relates to an IP network traffic error detection and analysis system, and in particular to one that uses a Cloud Computing architecture to centrally control and analyze the traffic of each IP backbone network.

Conventional network traffic error detection and analysis mainly uses a Client-Server model, which requires client devices of various brands together with their matching servers. Its drawback is that if more than 5 kinds of traffic error detection and analysis functions are required, and each module in turn runs with more than 5 kinds of software, then more than 25 kinds of client traffic must be sent to more than 25 servers; without integration, this is not a feasible model at present.

In view of the drawbacks of the conventional technology described above, the inventors sought to improve and innovate, and after years of dedicated research finally succeeded in developing the IP network traffic error detection and analysis system of the present case. It uses the "distributed computing" concept of Cloud Computing: a huge computing job is split into hundreds or thousands of smaller jobs that run simultaneously on multiple remote servers.

The object of the present invention is to provide a traffic error detection and analysis system with distributed deployment and centralized control of IP network traffic, capable of individually analyzing and detecting, in real time, traffic data such as P2P traffic, DDoS attacks, VoIP traffic, L7 protocols, and traffic QoS.

The IP network traffic error detection and analysis system that achieves the above object consists of two major subsystems: the distributed probes (DP) and the server host group. The server host group includes a web server, a database server, a real-time traffic replication and replay server (RIDS), traffic analysis device modules, and report server modules. The RIDS and the traffic analysis device modules use a Cloud Computing architecture: once IP network traffic has been collected by the distributed probe (DP) subsystem and fed into the RIDS device, it can be further fed into multiple traffic analysis device modules, which individually analyze and detect, in real time, traffic data such as P2P traffic, DDoS attacks, VoIP traffic, L7 protocols, and traffic QoS. The analysis equipment of each module consists of 3 to 5 different traffic analysis devices; after analyzing the traffic data, each sends its results to the module's dedicated report server. For the 5 different kinds of traffic analysis, different traffic analysis device modules are used, together with modular real-time traffic processing software (3 to 5 kinds), to perform traffic error detection and analysis.

Please refer to FIG. 1, the system architecture diagram of the IP network traffic error detection and analysis system of the present invention. As the figure shows, the invention consists of two major subsystems, the distributed probes (DP) 11 and the server host group 12, which are respectively responsible for the collection and detection of traffic between the nodes on the network, its deep analysis, and the human-machine interface. The distributed probes (DP) 11 are installed at the individual nodes of each IP backbone, while the server host group 12 connects through the network to one of the nodes on the IP backbone, thereby achieving centralized control and analysis of the traffic of each IP backbone network.

On the hardware side, the distributed probe 11 of the present invention must use a computer platform with the same expandability as a general commercial PC architecture but with higher reliability, sufficient for long periods of non-stop operation; on the software side, it must use an operating system that is stable in operation, allows multiple users and multitasking online at the same time, and is relatively light on resources. At present the main function of the distributed probe 11 is real-time network traffic monitoring and capture. It is usually placed at an Edge Router of the network or at the Customer End, and achieves traffic capture and monitoring through the Mirror Port of a router (or switch) or a network Tap.

The server host group 12 of the present invention consists of a web server 13, a database server 14, a real-time traffic replication and replay server (RIDS) 15, traffic analysis device modules (AS) 16, and report server modules 17. The web server 13 mainly provides a human-machine operation interface for viewing the status of the distributed probes 11 and for setting up and controlling the overall equipment, so as to analyze Layer 4 to Layer 7 information of the IP network traffic. The database server 14 is responsible for storing the captured packet data. The RIDS 15 feeds the captured packet data from the database server 14 into the various traffic analysis device modules 16, which can rapidly analyze the network traffic in parallel and raise alarms according to the configured policies. The report server modules 17 are responsible for outputting the final detection results produced by each traffic analysis device module 16, including the various packet analysis reports of the network, covering the analysis and error detection of P2P traffic, DDoS attacks, VoIP traffic, L7 protocols, and traffic QoS.

Please refer to FIG. 2, the functional architecture diagram between the distributed probes and the server host group of the IP network traffic error detection and analysis system of the present invention. As the figure shows, the distributed probe 11 collects network traffic data in real time through its Network Monitoring (NM) module and can send it back to the server host group 12 using the FTP (File Transfer Protocol) protocol. The web server 13, which is responsible for the human-machine interface, uses the PHP (Hypertext Preprocessor), Perl, and Java programming languages to write dynamic web pages, and uses a permission management mechanism to control the personnel who may configure the RIDS 15 and the traffic analysis device modules 16, the personnel who perform online queries, and the personnel who output report data.

Please refer to FIG. 3, the test architecture diagram of the active test module of the IP network traffic error detection and analysis system of the present invention. As the figure shows, it comprises two parts: the centralized management system 18 (that is, the server host group 12) and the distributed probes 11 installed at the nodes of the backbone network. The centralized management system 18 is responsible for collecting the data gathered by the distributed probes 11 and passing it to the RIDS 15 core component, which produces replicated copies of the traffic data and distributes them in real time to the traffic analysis device modules 16 for analysis; the results are reported back to the user side by the report server module 17 of each analysis device, and reports can be generated periodically from the returned information. In addition, a client-side web user interface is provided so that the system can be entered at any time to observe the network status. The distributed probe 11 collects the client's IP traffic in real time and sends the traffic information to the RIDS 15 core component, which replicates and distributes it to the analysis device modules for real-time network traffic analysis and error detection.

Please refer to FIG. 4, the integration test architecture diagram of the RIDS and the traffic analysis device modules of the IP network traffic error detection and analysis system of the present invention. As the figure shows, a Cloud Computing architecture is used, in which the traffic analysis device module 16 comprises 5 analysis modules: a P2P Analyzer module, a DDoS Analyzer module, a VoIP Analyzer module, an L7 Protocol Analyzer module, and a network QoS Analyzer module, which respectively analyze and check P2P traffic, DDoS attacks, VoIP traffic, L7 protocols, and network QoS traffic data. Each module consists of 3 to 5 different traffic analysis devices 19; after analyzing the traffic data, each sends its results to the module's dedicated report server 20. The invention can use different traffic analysis devices for different kinds of traffic and process and analyze them in real time. When an abnormal condition arises in the network traffic, the modules analyze it in parallel according to their respective characteristics, locate the problem, and send a warning message to the report server 20, which helps the user predict application performance under different settings and different network conditions. When the report server 20 receives a value exceeding the network security critical threshold, it immediately sends an anomaly report to the network management center.

The traffic analysis device module 16 of the present invention comprises 5 analysis modules: a P2P Analyzer module, a DDoS Analyzer module, a VoIP Analyzer module, an L7 Protocol Analyzer module, and a network QoS Analyzer module. The P2P Analyzer module performs deep analysis of P2P traffic and monitors how much bandwidth P2P applications or P2P protocols occupy in the network traffic, which not only helps administrators understand the transmission of overall network traffic but also provides statistical analysis of the traffic. Through the RIDS 15, traffic can be selected by specific application service, specific network protocol, and uplink or downlink direction for further deep P2P analysis.

The DDoS Analyzer module, targeting DoS attack techniques including TCP (Transmission Control Protocol) DoS attacks, UDP (User Datagram Protocol) Flood DoS attacks, DDoS attacks, and ICMP (Internet Control Message Protocol) DoS attacks, monitors in parallel and in real time whether the number of packets in the local area network is abnormal, and works with dynamic packet filtering to defend against DoS attacks. When an attack occurs, a warning message is immediately sent back to the network administrator through the report server.
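The packet-count check the DDoS Analyzer module describes can be made concrete with a per-protocol baseline. The following Python sketch is an added example, not code from the patent or from Chunghwa Telecom: it assumes the probe exports a per-second packet count per protocol (the record layout, protocol names, thresholds and the embedded sample counts are this example's own constructed choices), learns a baseline from a warm-up window, and reports a second as abnormal when its count is both a statistical outlier and a multiple of the mean. Abnormal samples are kept out of the baseline so a sustained flood does not become "normal".

```python
"""Packet-rate anomaly check in the spirit of the DDoS Analyzer module.

Added example, not code from the patent. Assumes the probe exports
(second, protocol, packet_count) records; the sample below is constructed.
"""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed sample: per-second packet counts per protocol as a probe might export.
SAMPLE_COUNTS = [
    (0, "tcp_syn", 120), (0, "udp", 300), (0, "icmp", 20),
    (1, "tcp_syn", 110), (1, "udp", 280), (1, "icmp", 25),
    (2, "tcp_syn", 130), (2, "udp", 310), (2, "icmp", 18),
    (3, "tcp_syn", 115), (3, "udp", 290), (3, "icmp", 22),
    (4, "tcp_syn", 125), (4, "udp", 305), (4, "icmp", 21),
    (5, "tcp_syn", 118), (5, "udp", 295), (5, "icmp", 19),
    # from second 6 the UDP count jumps far above its baseline; at second 7 ICMP too
    (6, "tcp_syn", 122), (6, "udp", 9000), (6, "icmp", 24),
    (7, "tcp_syn", 119), (7, "udp", 12000), (7, "icmp", 800),
    (8, "tcp_syn", 121), (8, "udp", 298), (8, "icmp", 20),
]


class RateAnomalyDetector:
    """Per-protocol baseline of packets/second; alerts on statistical outliers."""

    def __init__(self, warmup=5, sigma=4.0, min_ratio=3.0, window=60):
        self.warmup = warmup        # samples needed before a protocol can alert
        self.sigma = sigma          # std devs above the mean that count as abnormal
        self.min_ratio = min_ratio  # the count must also be this multiple of the mean
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, second, proto, count):
        """Return an alert dict if this sample is abnormal, else None.

        Abnormal samples are not added to the baseline, so a sustained flood
        does not teach the detector that the flood is normal.
        """
        hist = self.history[proto]
        alert = None
        if len(hist) >= self.warmup:
            base = list(hist)
            base_mean = mean(base)
            base_sd = pstdev(base)
            # a flat baseline has sd 0; fall back to a fraction of the mean
            limit = base_mean + self.sigma * max(base_sd, 0.1 * base_mean)
            if count > limit and count > self.min_ratio * base_mean:
                alert = {"second": second, "proto": proto, "count": count,
                         "baseline": round(base_mean, 1), "limit": round(limit, 1)}
        if alert is None:
            hist.append(count)
        return alert


def scan(records, **kw):
    """Run the detector over (second, proto, count) records; return alerts in time order."""
    det = RateAnomalyDetector(**kw)
    alerts = []
    for second, proto, count in sorted(records):
        a = det.observe(second, proto, count)
        if a:
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_COUNTS):
        print(f"[{a['second']}s] {a['proto']} {a['count']} pkts/s "
              f"(baseline {a['baseline']}, limit {a['limit']})")
```

On the constructed sample this yields three alerts: UDP at seconds 6 and 7 and ICMP at second 7, while the steady TCP SYN rate never fires. The `min_ratio` guard is there because a very flat baseline makes the sigma limit tight; requiring a multiple of the mean keeps small diurnal wobbles from paging anyone.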

The VoIP Analyzer module analyzes protocols such as SIP (Session Initiation Protocol), H.232, and MGCP (Media Gateway Control Protocol), and can make quantitative measurements of VoIP voice and video. The VoIP analysis module performs detailed statistical analysis of each telephone call, allowing network maintainers to keep track of the quality of VoIP communications in the network.

The L7 Protocol Analyzer module is a Layer 7 network analysis tool. It uses Deep Packet Inspection (DPI) to detect and classify the network traffic under analysis in real time; it expresses the network's QoS in terms of measured network performance parameters such as Delay and Jitter, and works with the report server 20 to raise alarms; the detailed statistics are compiled by the reporting software on the server into complete and useful network reports. The reports make the application distribution of the network traffic clear, so that network maintainers can conveniently detect problems in the network environment and predict the trends needed for planning future network services.

The network QoS Analyzer module provides real-time detection of network quality conditions, mainly real-time monitoring of packet loss, transmission delay, packet ordering, and other errors. For example, when network congestion causes transmission delay to increase sharply, or a large number of packets are lost, this analysis module can detect such abnormal conditions. Integrated with the report server 20, the module sends the various QoS messages to the administrator and issues an early warning before the anomaly threshold is exceeded, so that the QoS state of the network can be tracked in real time. In addition, the module can also display long-term network traffic charts, which can be analyzed to estimate future traffic trends.
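The QoS Analyzer's metrics (loss, delay, jitter, ordering) and its "warn before the threshold is crossed" behaviour can be shown on a single monitored flow. The Python below is an added example, not code from the patent or from Chunghwa Telecom: it assumes the probe records a sequence number plus send and receive timestamps per packet (the `Packet` layout, the critical thresholds, the 80% warning fraction and the embedded sample flow are this example's own constructed choices), computes loss, mean one-way delay, the RFC 3550 interarrival jitter estimate and a reorder count, and classifies each metric as ok, warning or critical.

```python
"""QoS metrics with early warning, in the spirit of the network QoS Analyzer module.

Added example, not code from the patent. Assumes per-packet (seq, sent_ms,
recv_ms) records from the probe; thresholds are illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    seq: int        # sequence number assigned by the sender
    sent_ms: float  # send timestamp (ms)
    recv_ms: float  # receive timestamp (ms)


# Constructed sample flow: 10 packets sent 20 ms apart. seq 4 never arrives,
# seq 7 arrives after seq 8, and delay climbs from 30 ms to 210 ms under congestion.
SAMPLE_FLOW = [
    Packet(1, 0, 30), Packet(2, 20, 55), Packet(3, 40, 85),
    Packet(5, 80, 170), Packet(6, 100, 230), Packet(8, 140, 310),
    Packet(7, 120, 320), Packet(9, 160, 350), Packet(10, 180, 390),
]


def qos_metrics(received, expected_count):
    """Loss %, mean one-way delay, RFC 3550-style jitter estimate and reorder count.

    `received` must be in arrival order, as the probe captured it.
    """
    if not received:
        raise ValueError("no packets received for this flow")
    loss_pct = 100.0 * (expected_count - len(received)) / expected_count
    delays = [p.recv_ms - p.sent_ms for p in received]
    mean_delay = sum(delays) / len(delays)
    # RFC 3550 interarrival jitter: J += (|D(i-1,i)| - J) / 16, where D is the
    # difference in transit time between consecutive received packets.
    jitter = 0.0
    for prev, cur in zip(received, received[1:]):
        d = (cur.recv_ms - cur.sent_ms) - (prev.recv_ms - prev.sent_ms)
        jitter += (abs(d) - jitter) / 16
    # A packet is reordered when it arrives after one with a higher sequence number.
    highest = 0
    reordered = 0
    for p in received:
        if p.seq < highest:
            reordered += 1
        highest = max(highest, p.seq)
    return {"loss_pct": loss_pct, "mean_delay_ms": mean_delay,
            "jitter_ms": jitter, "reordered": reordered}


# Illustrative critical thresholds; above them the report server would escalate
# to the network management center.
CRITICAL = {"loss_pct": 5.0, "mean_delay_ms": 150.0, "jitter_ms": 30.0, "reordered": 3}
WARN_FRACTION = 0.8  # warn once a metric reaches 80% of its critical value


def classify(metrics, critical=CRITICAL, warn_fraction=WARN_FRACTION):
    """Map each metric to 'ok', 'warning' (approaching threshold) or 'critical'."""
    state = {}
    for name, value in metrics.items():
        limit = critical[name]
        if value > limit:
            state[name] = "critical"
        elif value >= warn_fraction * limit:
            state[name] = "warning"
        else:
            state[name] = "ok"
    return state


if __name__ == "__main__":
    m = qos_metrics(SAMPLE_FLOW, expected_count=10)
    for name, level in classify(m).items():
        print(f"{name:14s} {m[name]:8.2f}  {level}")
```

On the sample flow, loss is 10% (critical), mean delay is about 122 ms (warning, since it has passed 80% of 150 ms but not the limit itself), jitter is about 10 ms and one packet is reordered (both ok). The warning state is the early notice the module description calls for; the critical state is what the report server forwards to the management center.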

Compared with other conventional technologies, the IP network traffic error detection and analysis system provided by the present invention has the following advantages:

1. The IP network traffic error detection and analysis system of the present invention has a real-time detection function that can inspect, measure, and collect data on the stability and reliability of the IP network, as a basis for current network performance detection, diagnosis, simulation, and prediction of future traffic growth.

2. The IP network traffic error detection and analysis system of the present invention can provide various kinds of IP network inspection services, such as enterprise network security and performance health checks.

3. It captures the packet records flowing through the network and the data exchanges of applications, uses them to simulate and reconstruct real network traffic, and analyzes and diagnoses program activity at the network layer and the application layer.

4. The all-in-one standard probe measurement device (DP) and the real-time traffic replication and replay server (RIDS) are integrated in-house, greatly reducing the cost of building the service.

5. The traffic error detection and analysis system of the present invention, which uses Cloud Computing technology to implement distributed deployment and centralized control of IP network traffic, is also applicable to unmanned IP network equipment rooms, where, together with the network management system, it achieves real-time operations and maintenance. It can also work with a SOC (Security Operating Center) system to achieve real-time analysis and error detection of network traffic.

6. The present invention can individually analyze and detect, in real time, traffic data such as P2P traffic, DDoS attacks, VoIP traffic, L7 protocols, and traffic QoS.

The detailed description above is a specific description of one feasible embodiment of the present invention; the embodiment is not intended to limit the patent scope of the invention, and any equivalent implementation or modification that does not depart from the technical spirit of the invention shall be included in the patent scope of this case.

In summary, this case is not only truly innovative in its technical concept but also improves on conventional articles in the multiple respects described above; it should fully satisfy the statutory requirements of novelty and inventive step for an invention patent, and the application is filed in accordance with the law. Your Office is respectfully requested to approve this invention patent application, so as to encourage invention.

11 ... distributed probe

12 ... server host group

13 ... web server

14 ... database server

15 ... real-time traffic replication and replay server

16 ... traffic analysis device module

17 ... report server module

18 ... centralized management system

19 ... traffic analysis device

20 ... report server

FIG. 1 is the system architecture diagram of the IP network traffic error detection and analysis system of the present invention;

FIG. 2 is the functional architecture diagram between the distributed probes and the server host group of the IP network traffic error detection and analysis system;

FIG. 3 is the test architecture diagram of the active test module of the IP network traffic error detection and analysis system;

FIG. 4 is the integration test architecture diagram of the real-time traffic replication and replay server and the traffic analysis devices of the IP network traffic error detection and analysis system.


Claims (10)

1. An IP network traffic error detection and analysis system, comprising at least: a Distributed Probe (DP) subsystem, comprising a plurality of distributed probes respectively installed at the nodes of each IP backbone and mainly responsible for the collection and detection of traffic between the nodes on the network, its deep analysis, and the human-machine interface; a web server, providing a human-machine operation interface for viewing the status and settings of the distributed probes and for controlling the overall equipment so as to analyze the IP network traffic data; a database server, connected through the web server to one of the nodes on the IP backbone, for storing the traffic data captured by the distributed probes; a real-time traffic replication and replay server (RIDS), which produces replicated copies of the traffic data stored by the database server and distributes them in real time to the traffic analysis device modules; a traffic analysis device module, comprising analysis devices for different traffic data, connected to the real-time traffic replication and replay server in a Cloud Computing architecture, which can individually analyze and detect different traffic data in real time; and a report server module, comprising report output devices respectively connected to the analysis devices of the traffic analysis device module, which can output the analysis and error detection reports of the different traffic data.

2. The IP network traffic error detection and analysis system of claim 1, wherein the distributed probe subsystem is placed at an Edge Router of the network or at the Customer End, achieves traffic capture and monitoring through the Mirror Port of a router (or switch) or a network Tap, and can send the collected real-time network traffic data back to the database server for storage using the FTP protocol.

3. The IP network traffic error detection and analysis system of claim 1, wherein the traffic data analyzed by the traffic analysis device module may include P2P traffic, DDoS attacks, VoIP traffic, L7 protocols, and network QoS traffic data.

4. The IP network traffic error detection and analysis system of claim 1, wherein the analysis devices of the traffic analysis device module may include analysis devices such as a P2P Analyzer module, a DDoS Analyzer module, a VoIP Analyzer module, an L7 Protocol Analyzer module, and a network QoS Analyzer module.

5. The IP network traffic error detection and analysis system of claim 4, wherein the P2P Analyzer module can monitor how much bandwidth P2P applications or P2P protocols occupy in the network traffic and, through the RIDS, can perform deep P2P analysis of traffic selected by specific application service, specific network protocol, and uplink or downlink direction.

6. The IP network traffic error detection and analysis system of claim 4, wherein the DDoS Analyzer module can, through multiple network monitoring programs on the analysis device, monitor in parallel and in real time whether the number of packets in the local area network is abnormal, and works with a dynamic packet filtering function to defend against DoS attacks.

7. The IP network traffic error detection and analysis system of claim 6, wherein the DoS attacks may include TCP (Transmission Control Protocol) DoS attacks, UDP (User Datagram Protocol) Flood DoS attacks, DDoS attacks, and ICMP (Internet Control Message Protocol) DoS attacks.

8. The IP network traffic error detection and analysis system of claim 4, wherein the VoIP Analyzer module can analyze protocols such as SIP, H.232, and MGCP, and make quantitative measurements of VoIP voice and video.

9. The IP network traffic error detection and analysis system of claim 4, wherein the L7 Protocol Analyzer module uses Deep Packet Inspection (DPI) technology to detect and classify the network traffic under analysis in real time, and can express the network's QoS parameters in terms of measured network performance parameters such as Delay and Jitter, so as to give a clear view of the application distribution of the network traffic.

10. The IP network traffic error detection and analysis system of claim 4, wherein the network QoS Analyzer module provides a real-time detection function for network quality conditions, mainly real-time monitoring of packet loss, transmission delay, packet ordering, and other errors, so that the QoS state of the network can be tracked in real time.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW98125298A TWI389504B (en) 2009-07-28 2009-07-28 IP network traffic error detection and analysis system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW98125298A TWI389504B (en) 2009-07-28 2009-07-28 IP network traffic error detection and analysis system

Publications (2)

Publication Number Publication Date
TW201105065A TW201105065A (en) 2011-02-01
TWI389504B true TWI389504B (en) 2013-03-11

Family

ID=44813867

Family Applications (1)

Application Number Title Priority Date Filing Date
TW98125298A TWI389504B (en) 2009-07-28 2009-07-28 IP network traffic error detection and analysis system

Country Status (1)

Country Link
TW (1) TWI389504B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201351926A (en) * 2012-06-06 2013-12-16 Chunghwa Telecom Co Ltd Performance monitoring and sampling system for backbone network
TW201351171A (en) * 2012-06-08 2013-12-16 Cobrasonic Software Inc Network packet and database packet auditing system and related auditing device and method
TW201404074A (en) * 2012-07-02 2014-01-16 Chunghwa Telecom Co Ltd Fault diagnosis method by wideband network traffic analysis using relational rules

Also Published As

Publication number Publication date
TW201105065A (en) 2011-02-01

Similar Documents

Publication Publication Date Title
Cui et al. SD-Anti-DDoS: Fast and efficient DDoS defense in software-defined networks
US7804787B2 (en) Methods and apparatus for analyzing and management of application traffic on networks
US8095635B2 (en) Managing network traffic for improved availability of network services
Garrett et al. Monitoring network neutrality: A survey on traffic differentiation detection
CN100356733C (en) Recording medium, fault analysis device and fault analysis method
CN101567814B (en) Automatic network management method based on SNMP and stochastic Petri net
WO2003084134A1 (en) Systems and methods for end-to-end quality of service measurements in a distributed network environment
WO2019006008A1 (en) Apparatus and method for monitoring network performance of virtualized resources
Alkenani et al. Network monitoring measurements for quality of service: a review
Dainotti et al. A packet-level characterization of network traffic
TWI389504B (en) IP network traffic error detection and analysis system
CN105357071B (en) A kind of network complexity method for recognizing flux and identifying system
Duman et al. Performance metrics and monitoring tools for sustainable network management
Freire et al. On metrics to distinguish skype flows from http traffic
Wilailux et al. Novel bi-directional flow-based traffic generation framework for ids evaluation and exploratory data analysis
TW201038009A (en) Real-time traffic measurement system of IP network centralized network management and distributed nodes
Rosa et al. Abnormal internet usage detection in LAN Islamic University of Riau Indonesia
Nobre et al. Coordination in P2P management overlays to improve decentralized detection of SLA violations
Viipuri Traffic analysis and modeling of IP core networks
Xia et al. Cids: Adapting legacy intrusion detection systems to the cloud with hybrid sampling
CN118573583B (en) A cyberspace asset mapping method for power monitoring system
Eittenberger et al. Atheris: A First Step Towards a Unified Peer-to-Peer Traffic Measurement Framework
Salem et al. Transforming voluminous data flow into continuous connection vectors for IDS
Padovan et al. DDoSGrid 3.0: Enabling the Real-time Processing and Analysis of Cyber Attacks Traffic
Rochim et al. Design and Implementation of Post-Detection of Denial of Service (DoS) as a Mitigation System (PDDMS) Based on Dynamic Access Control List Algorithm

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees