
TWI802413B - Electronic device and method of detecting abnormal equipment in telecommunication network - Google Patents


Info

Publication number
TWI802413B
Authority
TW
Taiwan
Prior art keywords
abnormal
signaling
module
response code
grouping
Prior art date
Application number
TW111118367A
Other languages
Chinese (zh)
Other versions
TW202347995A (en
Inventor
王順賢
高誌遠
楊曜宗
許世俊
余聲旺
Original Assignee
中華電信股份有限公司
Application filed by 中華電信股份有限公司 filed Critical 中華電信股份有限公司
Priority to TW111118367A priority Critical patent/TWI802413B/en
Application granted granted Critical
Publication of TWI802413B publication Critical patent/TWI802413B/en
Publication of TW202347995A publication Critical patent/TW202347995A/en

Landscapes

  • Alarm Systems (AREA)
  • Emergency Alarm Devices (AREA)
  • Monitoring And Testing Of Transmission In General (AREA)
  • Facsimiles In General (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An electronic device and a method of detecting abnormal equipment in a telecommunication network are provided. The method includes: obtaining a signaling set, wherein each signaling of the signaling set corresponds to the same response code and equipment type; determining at least one feature according to the response code and the equipment type, and obtaining at least one feature vector corresponding to the at least one feature according to the signaling set; dividing the signaling set into a plurality of clusters according to the at least one feature vector, wherein the plurality of clusters includes a first cluster; and, in response to determining that the response code corresponds to an abnormal response code, obtaining a first abnormal equipment corresponding to the first cluster, adding the first abnormal equipment to an abnormal equipment list, and outputting the abnormal equipment list.

Description

Electronic device and method for detecting abnormal communication equipment in a telecommunication network

The invention relates to an electronic device and a method for detecting abnormal communication equipment in a telecommunication network.

As telecommunication networks evolve and the variety of value-added services grows, network architectures become increasingly complex and the number of network devices and components grows with them. The mix of network protocols is intricate, which makes it hard to identify and trace network faults manually. In response, artificial intelligence techniques are gradually being introduced to deal with network faults. Current research mainly collects telecommunication network information globally and uses artificial intelligence to analyze the network state, so as to improve the speed of fault detection and the accuracy of identification.

Common network fault detection approaches today fall into device status detection methods and signaling packet detection methods. A device status detection method can detect network anomalies by analyzing the usage state of each device resource or the device performance, but it can only find an anomaly after the functional abnormality of the device has persisted for some time. A device status detection method can analyze abnormal network data according to important feature values of the device status, but it requires experts to select the important feature values for each network environment, and the abnormal data must be labeled manually to train a more accurate fault detection model. This approach therefore costs a great deal of time and manpower, and it cannot detect unknown faults.

A signaling packet detection method can analyze the packets sent by devices to detect faults, but it still relies on people to label the signaling with the root cause of the fault, and it needs complete communication records as analysis data. Its efficiency for anomaly detection is therefore not ideal.

The conventional approaches above thus still have many shortcomings, are not good designs, and urgently need improvement.

The invention provides an electronic device and a method for detecting abnormal communication equipment in a telecommunication network, which can detect communication equipment that becomes abnormal suddenly as well as communication equipment that is degrading.

An electronic device of the invention for detecting abnormal communication equipment in a telecommunication network includes a transceiver, a storage medium and a processor. The storage medium stores a plurality of modules. The processor is coupled to the storage medium and the transceiver, and accesses and executes the modules, which include a signaling capture module, a feature extraction module, a clustering module and a cluster aggregation module. The signaling capture module receives a data stream from the telecommunication network through the transceiver and obtains a signaling set from the data stream, wherein each signaling in the signaling set corresponds to the same response code and device type. The feature extraction module determines at least one feature according to the response code and the device type, and obtains at least one feature vector corresponding to the at least one feature according to the signaling set. The clustering module divides the signaling set into a plurality of clusters according to the at least one feature vector, wherein the plurality of clusters includes a first cluster. In response to determining that the response code corresponds to an abnormal response code, the cluster aggregation module obtains a first abnormal device corresponding to the first cluster and adds the first abnormal device to an abnormal device list, wherein the cluster aggregation module outputs the abnormal device list through the transceiver.

In an embodiment of the invention, in response to determining that the response code corresponds to a normal response code, the cluster aggregation module obtains a second abnormal device corresponding to an outlier of the plurality of clusters and adds the second abnormal device to the abnormal device list.

In an embodiment of the invention, the first abnormal device corresponds to a first abnormal signaling in the first cluster, and the first abnormal signaling is, among the plurality of abnormal signalings of the first cluster, the one closest to the cluster center of the first cluster.

In an embodiment of the invention, the cluster aggregation module determines that the second abnormal device corresponds to an outlier according to the interquartile range of one of the plurality of clusters and a feature value corresponding to the second abnormal device.

In an embodiment of the invention, the feature extraction module standardizes the feature values of the signaling in the signaling set and applies principal component analysis to the signaling set to generate the at least one feature vector.

In an embodiment of the invention, the clustering module determines the number of clusters according to one of the following: the silhouette method and the elbow method.

In an embodiment of the invention, the clustering module divides the signaling set into the plurality of clusters according to one of the following: the K-means method, the K-medoids method, hierarchical clustering and density-based clustering.

In an embodiment of the invention, the plurality of modules further includes an impact analysis module. In response to a first device corresponding to a first time point in the abnormal device list matching a second device corresponding to a second time point, the impact analysis module generates an abnormal device topology graph according to the first time point and the second time point, wherein the abnormal device topology graph indicates the timeline of the abnormality of the first device.

In an embodiment of the invention, the plurality of modules further includes an impact analysis module. The impact analysis module receives a device connection configuration through the transceiver, wherein, in response to the abnormal device list including a first device and the device connection configuration indicating that the first device is coupled to a second device, the impact analysis module generates an abnormal device topology graph according to the first device and the second device, wherein the abnormal device topology graph indicates that the second device and the first device are coupled to each other.

A method of the invention for detecting abnormal communication equipment in a telecommunication network includes: receiving a data stream from the telecommunication network and obtaining a signaling set from the data stream, wherein each signaling in the signaling set corresponds to the same response code and device type; determining at least one feature according to the response code and the device type, and obtaining at least one feature vector corresponding to the at least one feature according to the signaling set; dividing the signaling set into a plurality of clusters according to the at least one feature vector, wherein the plurality of clusters includes a first cluster; and, in response to determining that the response code corresponds to an abnormal response code, obtaining a first abnormal device corresponding to the first cluster, adding the first abnormal device to an abnormal device list, and outputting the abnormal device list.

Based on the above, the invention can detect sporadic abnormalities and sudden faults of communication equipment in a telecommunication network. The invention can collect signaling data of communication equipment at regular intervals and filter and classify it through data preprocessing to produce a vectorized signaling feature structure. The invention can extract signaling features by principal component analysis and compute, by clustering, the cluster centers and outliers of a plurality of communication equipment clusters, thereby quickly detecting the network devices in which a fault has occurred and analyzing the scope affected by each device and the time of the abnormality. The resulting abnormal device list is provided for network administrators' reference, speeds up fault diagnosis, and supports subsequent event statistics and analysis applications.

100: electronic device

110: processor

120: storage medium

121: signaling capture module

122: feature extraction module

123: clustering module

124: cluster aggregation module

125: impact analysis module

130: transceiver

601, 602, 603, 604, 605: devices

S201, S202, S301, S302, S401, S402, S501, S502, S503, S504, S505, S506, S701, S702, S703, S704: steps

FIG. 1 is a schematic diagram of an electronic device for detecting abnormal communication equipment in a telecommunication network according to an embodiment of the invention.

FIG. 2 is a flowchart of the signaling capture module collecting signaling data in the telecommunication network according to an embodiment of the invention.

FIG. 3 is a flowchart of the feature extraction module obtaining feature vectors according to an embodiment of the invention.

FIG. 4 is a flowchart of the clustering module generating a plurality of clusters according to an embodiment of the invention.

FIG. 5 is a flowchart of the cluster aggregation module generating the abnormal device list according to an embodiment of the invention.

FIG. 6 is a schematic diagram of an abnormal device topology according to an embodiment of the invention.

FIG. 7 is a flowchart of a method for detecting abnormal communication equipment in a telecommunication network according to an embodiment of the invention.

To make the content of the invention easier to understand, the following embodiments are given as examples by which the invention can actually be implemented. In addition, wherever possible, elements, components and steps that carry the same reference numerals in the drawings and embodiments represent the same or similar parts.

FIG. 1 is a schematic diagram of an electronic device 100 for detecting abnormal communication equipment in a telecommunication network according to an embodiment of the invention. The electronic device 100 may include a processor 110, a storage medium 120 and a transceiver 130.

The processor 110 is, for example, a central processing unit (CPU), or another programmable general-purpose or special-purpose micro control unit (MCU), microprocessor, digital signal processor (DSP), programmable controller, application specific integrated circuit (ASIC), graphics processing unit (GPU), image signal processor (ISP), image processing unit (IPU), arithmetic logic unit (ALU), complex programmable logic device (CPLD), field programmable gate array (FPGA), other similar element, or a combination of these elements. The processor 110 can be coupled to the storage medium 120 and the transceiver 130, and can access and execute the modules and applications stored in the storage medium 120.

The storage medium 120 is, for example, any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk drive (HDD), solid state drive (SSD), similar element, or a combination of these elements, and is used to store the modules and applications that the processor 110 can execute. In this embodiment, the storage medium 120 can store a plurality of modules including the signaling capture module 121, the feature extraction module 122, the clustering module 123, the cluster aggregation module 124 and the impact analysis module 125, whose functions are described below.

The transceiver 130 transmits and receives signals wirelessly or over a wire. The transceiver 130 can also perform operations such as low-noise amplification, impedance matching, frequency mixing, up or down frequency conversion, filtering, amplification and the like.

FIG. 2 is a flowchart of the signaling capture module 121 collecting signaling data in the telecommunication network according to an embodiment of the invention. In step S201, the signaling capture module 121 can access the telecommunication network through the transceiver 130 and receive a data stream from it. The data stream may include signaling passed between communication devices in the telecommunication network, where a communication device is, for example, a next generation network (NGN) voice device, although the invention is not limited to this. In one embodiment, the signaling may include Internet Protocol (IP) packets corresponding to the session initiation protocol (SIP), the Diameter protocol, the Megaco protocol or the telephone number mapping (ENUM) domain name system (DNS) protocol. In one embodiment, the signaling may include signaling system No. 7 (SS7) signaling corresponding to the ISDN user part protocol, the intelligent network application protocol (INAP), the mobile application part (MAP) protocol or the open multimedia application platform (OMAP) protocol.

In one embodiment, the electronic device 100 may include multiple signaling capture modules 121 and transceivers 130. The signaling capture modules 121 can be deployed in different areas of the telecommunication network so as to collect signaling covering every area of the whole network. For example, if the telecommunication network is a next generation network (NGN) or an IP multimedia subsystem (IMS) network, the signaling capture module 121 can capture the signaling data of IP packets from the network. If the telecommunication network is a public land mobile network (PLMN) or a public switched telephone network (PSTN), the signaling capture module 121 can capture SS7 signaling from the network.

In one embodiment, the signaling capture module 121 can receive the data stream according to a preset period. The preset period is a time interval of, for example, 10 seconds, 15 seconds or 1 hour. The signaling capture module 121 can sort the signaling according to the timestamp of each signaling in the data stream and store the sorted signaling in the storage medium 120.

In step S202, the signaling capture module 121 can obtain a signaling set from the data stream. The signalings in the signaling set may come from different communication devices. Each signaling in the signaling set may correspond to the same response code type and device type. A signaling may include feature information such as a frame number, a frame size, a timestamp, the IP address of the source device, the IP address of the destination device, a response time, UA number 1, UA number 2, a request method (for example OPTIONS, REGISTER or INVITE) or a response code.

In one embodiment, the storage medium 120 may pre-store a lookup table that maps the IP address of a source device to a device type. The signaling capture module 121 can determine the device type of a signaling from the lookup table and the IP address of the source device in the signaling. For example, suppose the lookup table records that the IP address "192.168.100.1" corresponds to the device type "NGN voice device". If the signaling captured by the signaling capture module 121 contains the source device IP address "192.168.100.1", the signaling capture module 121 can determine from the lookup table that the captured signaling corresponds to the device type "NGN voice device".

In one embodiment, the storage medium 120 may pre-store a lookup table that maps a response code to a response code type. The signaling capture module 121 can determine the response code type of a signaling from the lookup table and the response code in the signaling. Taking SIP signaling as an example, suppose the lookup table records that the response code "1xx" corresponds to the response code type "normal response code". If the signaling captured by the signaling capture module 121 contains the response code "1xx", the signaling capture module 121 can determine from the lookup table that the captured signaling corresponds to the response code type "normal response code".

In one embodiment, the signaling capture module 121 can filter signaling according to its feature information. For example, the signaling capture module 121 can decide whether to filter out a signaling according to whether it contains a response code. If a signaling contains a response code, the signaling capture module 121 can keep it to build the signaling set. If a signaling does not contain a response code, the signaling capture module 121 can discard it. In other words, every signaling in the signaling set contains a response code.

Taking the SIP protocol as an example, the response codes 1xx, 2xx, 3xx, 401, 480, 486, 487, 488, 600 or 606 (where x is any one of the integers 1 to 9) can be classified by the signaling capture module 121 as normal response codes. The remaining response codes, for example 400, 502 or 603, can be classified by the signaling capture module 121 as abnormal response codes.
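The capture-side steps above (drop signaling without a response code, sort by timestamp, look up the device type, classify the SIP response code, partition into signaling sets) can be sketched as follows. This is an added illustration, not code from the patent: the record field names, the extra lookup-table entries, the "unknown" device type and the sample records are assumptions constructed for the example.

```python
from collections import defaultdict

# Response codes the description lists as normal for SIP.
NORMAL_CLASSES = {1, 2, 3}                       # 1xx, 2xx, 3xx
NORMAL_CODES = {401, 480, 486, 487, 488, 600, 606}

# Hypothetical lookup table: source IP -> device type. Only the first entry
# mirrors the description's example; the others are constructed.
DEVICE_TYPES = {
    "192.168.100.1": "NGN voice device",
    "192.168.100.2": "NGN voice device",
    "192.168.200.1": "IMS core",
}

# Constructed sample records (field names are assumptions).
SAMPLE_RECORDS = [
    {"timestamp": 3.0, "src_ip": "192.168.100.1", "method": "INVITE", "response_code": 502},
    {"timestamp": 1.0, "src_ip": "192.168.100.2", "method": "REGISTER", "response_code": 200},
    {"timestamp": 2.0, "src_ip": "192.168.100.1", "method": "INVITE", "response_code": None},
    {"timestamp": 4.0, "src_ip": "192.168.200.1", "method": "OPTIONS", "response_code": 486},
    {"timestamp": 0.5, "src_ip": "192.168.100.1", "method": "INVITE", "response_code": 180},
    {"timestamp": 5.0, "src_ip": "10.0.0.9", "method": "INVITE", "response_code": 400},
]


def response_code_type(code):
    """Return 'normal' or 'abnormal' for a SIP response code."""
    # Assumption: "1xx" is read as the whole 100-199 class (likewise 2xx, 3xx),
    # so 180 and 200 count as normal.
    if code // 100 in NORMAL_CLASSES or code in NORMAL_CODES:
        return "normal"
    return "abnormal"


def build_signaling_sets(records, device_types=DEVICE_TYPES):
    """Filter, sort and partition captured signaling into signaling sets.

    Each returned set holds signaling with the same response code type and
    the same device type, ordered by timestamp.
    """
    # Signaling without a response code is discarded.
    kept = [r for r in records if r.get("response_code") is not None]
    sets = defaultdict(list)
    for rec in sorted(kept, key=lambda r: r["timestamp"]):
        # Assumption: a source IP missing from the table is typed "unknown".
        device_type = device_types.get(rec["src_ip"], "unknown")
        key = (response_code_type(rec["response_code"]), device_type)
        sets[key].append(rec)
    return dict(sets)


if __name__ == "__main__":
    for key, members in build_signaling_sets(SAMPLE_RECORDS).items():
        print(key, [m["response_code"] for m in members])
```
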

FIG. 3 is a flowchart of the feature extraction module 122 obtaining feature vectors according to an embodiment of the invention. The feature extraction module 122 can determine at least one feature according to the response code and the device type, and obtain at least one feature vector corresponding to the at least one feature according to the signaling set. Specifically, in step S301, the feature extraction module 122 can standardize the feature values of the signaling in the signaling set to produce a standardized signaling set, where the feature values may relate to N kinds of features such as the frame number, frame size, timestamp, IP address of the source device, IP address of the destination device, response time, UA number 1, UA number 2, request method or response code, where N is a positive integer.

In one embodiment, the feature extraction module 122 can standardize the signaling set with a method such as Z-score standardization or Min-Max normalization.

In step S302, the feature extraction module 122 can perform principal component analysis on the standardized signaling set to generate the at least one feature vector, where the at least one feature may include the first p principal components, namely the feature vector corresponding to the first principal component, the feature vector corresponding to the second principal component, ..., and the feature vector corresponding to the p-th principal component, where p is a positive integer less than or equal to N and may be user-defined. By keeping only some of the principal components of the signaling set, the feature extraction module 122 can reduce the amount of feature data of the signaling set and thus the computational complexity.

FIG. 4 is a flowchart of the clustering module 123 generating a plurality of clusters according to an embodiment of the invention. The clustering module 123 can divide the signalings in the signaling set into K clusters according to the at least one feature vector, where K is a positive integer. Specifically, in step S401, the clustering module 123 determines the value K that represents the number of clusters. The clustering module 123 can use the silhouette method or the elbow method to determine the most suitable K for the signaling set.

In step S402, the clustering module 123 can divide the signaling set into K clusters according to the at least one feature vector using a clustering algorithm. The clustering algorithm may be K-means, K-medoids, hierarchical clustering or density-based clustering (DBSCAN).

For example, if the signaling set contains M signalings (M is a positive integer), each of the at least one feature vector may contain M feature values that correspond to the M signalings respectively. The clustering module 123 can divide the M signalings into K clusters according to the M feature values of each of the at least one feature vector. Each of the K clusters may contain at least one signaling.
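The following added example (not code from the patent) runs Z-score standardization (step S301), then picks K with the silhouette method (step S401) and clusters with K-means (step S402) on a constructed signaling set. It skips the PCA step and clusters the standardized features directly; the two features (frame size, response time), the sample values and the deterministic farthest-point seeding are assumptions made for the illustration.

```python
import math
from statistics import mean, pstdev

# Constructed signaling features: (frame size in bytes, response time in s).
FEATURES = [
    (200, 0.05), (210, 0.06), (190, 0.04),
    (800, 0.05), (810, 0.06), (790, 0.04),
    (500, 0.90), (510, 0.92), (490, 0.88),
]


def zscore(rows):
    """Z-score standardization per feature column (step S301)."""
    cols = list(zip(*rows))
    mus = [mean(c) for c in cols]
    sds = [pstdev(c) or 1.0 for c in cols]   # a constant feature maps to 0.0
    return [tuple((v - m) / s for v, m, s in zip(r, mus, sds)) for r in rows]


def kmeans(points, k, iters=50):
    """K-means (step S402) with deterministic farthest-point seeding."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(math.dist(p, c) for c in centers)))
    labels = None
    for _ in range(iters):
        new = [min(range(k), key=lambda j: math.dist(p, centers[j])) for p in points]
        if new == labels:
            break
        labels = new
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:                       # keep the old center if a cluster empties
                centers[j] = tuple(mean(c) for c in zip(*members))
    return labels, centers


def silhouette(points, labels):
    """Mean silhouette coefficient of a clustering."""
    clusters = {}
    for p, lab in zip(points, labels):
        clusters.setdefault(lab, []).append(p)
    if len(clusters) < 2:
        return 0.0
    scores = []
    for p, lab in zip(points, labels):
        own = clusters[lab]
        if len(own) == 1:
            scores.append(0.0)                # usual convention for singletons
            continue
        a = sum(math.dist(p, q) for q in own) / (len(own) - 1)
        b = min(mean(math.dist(p, q) for q in other)
                for other_lab, other in clusters.items() if other_lab != lab)
        scores.append((b - a) / (max(a, b) or 1.0))
    return mean(scores)


def choose_k(points, k_max=4):
    """Silhouette method (step S401): return (K, score, labels, centers)."""
    best = None
    for k in range(2, min(k_max, len(points) - 1) + 1):
        labels, centers = kmeans(points, k)
        score = silhouette(points, labels)
        if best is None or score > best[1]:
            best = (k, score, labels, centers)
    return best


if __name__ == "__main__":
    k, score, labels, _ = choose_k(zscore(FEATURES))
    print(k, round(score, 3), labels)
```
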

圖5根據本發明的一實施例繪示由分群匯集模組124產生異常設備列表的流程圖。在步驟S501中,分群匯集模組124可自分群模組123取得K個群組。 FIG. 5 shows a flow chart of generating an abnormal device list by the grouping and gathering module 124 according to an embodiment of the present invention. In step S501 , the grouping and gathering module 124 can obtain K groups from the grouping module 123 .

在步驟S502中,分群匯集模組124可判斷K個群組是否對應於異常回應碼。若K個群組對應於異常回應碼,則進入步驟 S503。若K個群組並非對應於異常回應碼(即:K個群組對應於正常回應碼),則進入步驟S504。由於在步驟S202中產生的信令集合中的每一個信令對應於相同的回應碼,故分群匯集模組124可根據K個群組中的任一個信令來判斷K個群組是否對應於異常回應碼。 In step S502, the group aggregation module 124 can determine whether the K groups correspond to abnormal response codes. If K groups correspond to abnormal response codes, enter the step S503. If the K groups do not correspond to abnormal response codes (that is, the K groups correspond to normal response codes), go to step S504. Since each signaling in the signaling set generated in step S202 corresponds to the same response code, the grouping and converging module 124 can determine whether the K groups correspond to Exception response code.

在步驟S503中,分群匯集模組124可根據信令集合取得分別對應於K個群組的K個異常設備。以K個群組中的第一群組為例,由於第一群組中的每一個信令的回應碼都為異常回應碼,代表電信網路可能發生突發性事件導致第一群組中的每一個信令中的來源設備發生異常。據此,分群匯集模組124可根據第一群組取得能代表該突發性事件的異常設備以供使用者參考。具體來說,分群匯集模組124可取得第一群組的群心(cluster center),並且從第一群組中挑選出最接近群心的異常信令。在取得最接近群心的異常指令後,分群匯集模組124可根據異常指令中的來源設備之資訊取得代表第一群組的異常設備。基於相似的步驟,分群匯集模組124可取得代表K個群組中除了第一群組的其他群組的異常設備。最終,分群匯集模組124可取得分別對應於K個群組的K個異常設備。 In step S503, the grouping and gathering module 124 can obtain K abnormal devices respectively corresponding to the K groups according to the signaling aggregation. Taking the first group among the K groups as an example, since the response code of each signaling in the first group is an abnormal response code, it means that an unexpected event may occur in the telecommunications network and cause the The source device in each signaling is abnormal. Accordingly, the grouping and gathering module 124 can obtain the abnormal equipment that can represent the emergency according to the first group for the user's reference. Specifically, the grouping and gathering module 124 can obtain the cluster center of the first group, and select the abnormal signaling closest to the cluster center from the first group. After obtaining the abnormal command closest to the group center, the clustering module 124 can obtain the abnormal device representing the first group according to the information of the source device in the abnormal command. Based on similar steps, the grouping and gathering module 124 can obtain abnormal devices representing other groups in the K groups except the first group. Finally, the grouping and gathering module 124 can obtain K abnormal devices respectively corresponding to the K groups.

In step S504, the cluster aggregation module 124 may obtain, from the signaling set, the abnormal devices corresponding to the outliers of the K clusters. Because the response code of every signaling in the K clusters is a normal response code, most of the source devices of these signalings should be normal; only a small number of devices may exhibit sporadic anomalies caused by factors such as equipment degradation, and the signaling sent by these sporadically abnormal devices may become outliers of the K clusters. Accordingly, the cluster aggregation module 124 obtains the outliers of the K clusters as abnormal signaling and obtains the corresponding abnormal devices from the source-device information of the abnormal signaling.

In one embodiment, the cluster aggregation module 124 may obtain the outliers of the K clusters based on a clustering algorithm. In one embodiment, the cluster aggregation module 124 may determine whether a signaling is an outlier according to the interquartile range (IQR) of one of the K clusters and the feature value of the signaling, and thereby determine whether the source device of the signaling is an abnormal device. Taking the second cluster of the K clusters as an example, each signaling in the second cluster may include a feature value corresponding to the feature "response time". If the second cluster contains X signalings (X being a positive integer), the cluster aggregation module 124 may select the first quartile Q1 and the third quartile Q3 from the X feature values respectively corresponding to the X signalings, and may calculate a response-time threshold T according to equation (1). If the feature value representing the "response time" of a signaling is greater than the threshold T, the cluster aggregation module 124 may determine that the signaling is an outlier of the second cluster. If the feature value representing the "response time" of a signaling is less than or equal to the threshold T, the cluster aggregation module 124 may determine that the signaling is not an outlier of the second cluster.

Figure 111118367-A0305-02-0015-1

In step S505, the cluster aggregation module 124 may add the abnormal device (that is, the abnormal device produced by step S503 or step S504) to the abnormal device list.

In step S506, the cluster aggregation module 124 may output the abnormal device list through the transceiver 130 for the user's reference.
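The branch in steps S502 to S505 can be sketched as follows. This is an added example, not code from the patent: the `Signaling` record, the function names and the sample values are constructed, and because equation (1) is not reproduced in the text, the threshold is assumed to be the common upper fence T = Q3 + 1.5 * (Q3 - Q1).

```python
from dataclasses import dataclass
from math import dist
from statistics import quantiles


@dataclass(frozen=True)
class Signaling:
    src_ip: str        # source device that sent the signaling
    features: tuple    # feature vector; index 0 is "response time" (ms) here


def representative_device(cluster):
    """S503: source device of the signaling closest to the cluster center."""
    size = len(cluster)
    center = tuple(sum(dim) / size for dim in zip(*(s.features for s in cluster)))
    return min(cluster, key=lambda s: dist(s.features, center)).src_ip


def iqr_threshold(values, k=1.5):
    """Assumed form of equation (1): T = Q3 + k * (Q3 - Q1)."""
    q1, _, q3 = quantiles(values, n=4, method="inclusive")
    return q3 + k * (q3 - q1)


def outlier_devices(cluster, feature_index=0, k=1.5):
    """S504: devices whose feature value is greater than the threshold T."""
    values = [s.features[feature_index] for s in cluster]
    if len(values) < 4:            # too few samples for meaningful quartiles
        return []
    t = iqr_threshold(values, k)
    return sorted({s.src_ip for s in cluster if s.features[feature_index] > t})


def abnormal_device_list(clusters, code_is_abnormal):
    """S502 picks the branch; S505 appends the devices without duplicates."""
    found = []
    for cluster in filter(None, clusters):     # skip empty clusters
        devices = ([representative_device(cluster)] if code_is_abnormal
                   else outlier_devices(cluster))
        for ip in devices:
            if ip not in found:
                found.append(ip)
    return found


# Constructed sample: two clusters that share an abnormal response code.
ERROR_CLUSTERS = [
    [Signaling("192.0.2.1", (100.0, 1.0)), Signaling("192.0.2.2", (110.0, 1.0)),
     Signaling("192.0.2.3", (120.0, 1.0))],
    [Signaling("192.0.2.4", (900.0, 5.0)), Signaling("192.0.2.5", (1000.0, 5.0)),
     Signaling("192.0.2.5", (1010.0, 5.0))],
]
# Constructed sample: one cluster with a normal response code and one slow device.
NORMAL_CLUSTER = [Signaling(f"192.0.2.{20 + i}", (float(20 + i),)) for i in range(8)]
NORMAL_CLUSTER.append(Signaling("192.0.2.99", (95.0,)))

if __name__ == "__main__":
    print(abnormal_device_list(ERROR_CLUSTERS, code_is_abnormal=True))
    print(abnormal_device_list([NORMAL_CLUSTER], code_is_abnormal=False))
```

With an abnormal response code every cluster contributes exactly one representative device, while with a normal response code a cluster contributes only the devices above its own threshold, which may be none.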

The impact analysis module 125 may generate an abnormal device topology from the abnormal device list and output the abnormal device topology through the transceiver 130 for the user's reference. FIG. 6 is a schematic diagram of an abnormal device topology according to an embodiment of the present invention. In one embodiment, in response to a first device corresponding to a first time point in the device list matching a second device corresponding to a second time point, the impact analysis module 125 may generate an abnormal device topology graph according to the first time point and the second time point, where the abnormal device topology graph may indicate the timeline along which the first device became abnormal.

Taking device 601 and device 602 of FIG. 6 as an example, assume that the abnormal device list contains device 601 and device 602. The impact analysis module 125 may obtain, from the signaling set and according to the abnormal device list, the signaling corresponding to device 601, where the signaling may contain the timestamp "t-2" and the source device IP address "192.168.100.1". The impact analysis module 125 may also obtain, from the signaling set and according to the abnormal device list, the signaling corresponding to device 602, where the signaling may contain the timestamp "t-1" and the source device IP address "192.168.100.1". Because device 601 and device 602 correspond to the same source device IP address "192.168.100.1", the impact analysis module 125 may determine that device 601 matches device 602. In response to device 601 matching device 602, the impact analysis module 125 may generate the abnormal device topology graph 600 according to the timestamp "t-1" and the timestamp "t-2", where the abnormal device topology graph 600 may indicate the timeline along which device 601 (or device 602) became abnormal, as shown in FIG. 6.

Taking device 602 and device 603 of FIG. 6 as an example, assume that the abnormal device list contains device 602 and device 603. The impact analysis module 125 may obtain, from the signaling set and according to the abnormal device list, the signaling corresponding to device 602, where the signaling may contain the timestamp "t-1" and the source device IP address "192.168.100.1". The impact analysis module 125 may also obtain, from the signaling set and according to the abnormal device list, the signaling corresponding to device 603, where the signaling may contain the timestamp "t" and the source device IP address "192.168.100.1". Because device 602 and device 603 correspond to the same source device IP address "192.168.100.1", the impact analysis module 125 may determine that device 602 matches device 603. In response to device 602 matching device 603, the impact analysis module 125 may generate the abnormal device topology graph 600 according to the timestamp "t" and the timestamp "t-1", where the abnormal device topology graph 600 may indicate the timeline along which device 602 (or device 603) became abnormal, as shown in FIG. 6.

In one embodiment, the impact analysis module 125 may receive a device connection configuration through the transceiver 130. In response to the abnormal device list containing a first device and the device connection configuration indicating that the first device is coupled to a second device, the impact analysis module 125 may generate an abnormal device topology graph according to the first device and the second device, where the abnormal device topology graph may indicate that the second device and the first device are coupled to each other.

Taking device 602 and device 604 of FIG. 6 as an example, the impact analysis module 125 may receive the device connection configuration through the transceiver 130. Assume that the abnormal device list contains device 602 and that the device connection configuration indicates that device 602 is coupled to device 604. The impact analysis module 125 may obtain the signaling corresponding to device 602 from the signaling set and obtain the source device IP address "192.168.100.1" from that signaling. The impact analysis module 125 may also obtain the signaling corresponding to device 604 from the signaling set and obtain the source device IP address "192.168.100.2" from that signaling. In response to the IP addresses of device 602 and device 604 matching, the impact analysis module 125 may generate the abnormal device topology graph 600 according to device 602 and device 604, where the abnormal device topology graph 600 may indicate that device 602 and device 604 are coupled to each other.

Taking device 603 and device 605 of FIG. 6 as an example, the impact analysis module 125 may receive the device connection configuration through the transceiver 130. Assume that the abnormal device list contains device 603 and that the device connection configuration indicates that device 603 is coupled to device 605. The impact analysis module 125 may obtain the signaling corresponding to device 603 from the signaling set and obtain the source device IP address "192.168.100.1" from that signaling. The impact analysis module 125 may also obtain the signaling corresponding to device 605 from the signaling set and obtain the source device IP address "192.168.100.2" from that signaling. In response to the IP addresses of device 603 and device 605 matching, the impact analysis module 125 may generate the abnormal device topology graph 600 according to device 603 and device 605, where the abnormal device topology graph 600 may indicate that device 603 and device 605 are coupled to each other.
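The two linking rules described above (same source IP across time points, and coupling taken from the device connection configuration) can be combined into one graph builder. This is an added example, not code from the patent; the function names, the `(ip, timestamp)` node format, the IP-keyed configuration format and the sample values are assumptions made for illustration.

```python
from collections import defaultdict


def build_topology(abnormal_entries, connections):
    """Return (timeline_edges, coupling_edges) over (ip, timestamp) nodes.

    abnormal_entries: (timestamp, source_ip) pairs from the abnormal device list.
    connections: assumed config format, source_ip -> set of coupled device IPs.
    """
    seen = defaultdict(set)
    for ts, ip in abnormal_entries:
        seen[ip].add(ts)

    # Entries with the same source IP match; consecutive sightings are linked
    # so the chain shows when the anomaly started and how long it lasted.
    timeline = []
    for ip in sorted(seen):
        stamps = sorted(seen[ip])
        timeline += [((ip, a), (ip, b)) for a, b in zip(stamps, stamps[1:])]

    # Each abnormal node is linked to the devices the configuration says it is
    # coupled to, which marks the equipment that may be affected at that time.
    coupling = []
    for ip in sorted(seen):
        peers = sorted(connections.get(ip, ()))
        for ts in sorted(seen[ip]):
            coupling += [((ip, ts), (peer, ts)) for peer in peers]
    return timeline, coupling


def impact_summary(abnormal_entries, connections):
    """Per abnormal device: first seen, last seen, and coupled devices."""
    seen = defaultdict(list)
    for ts, ip in abnormal_entries:
        seen[ip].append(ts)
    return {ip: {"first": min(stamps), "last": max(stamps),
                 "coupled": sorted(connections.get(ip, ()))}
            for ip, stamps in seen.items()}


# Constructed sample: integer timestamps 0, 1, 2 stand in for t-2, t-1 and t.
ENTRIES = [(2, "192.0.2.1"), (0, "192.0.2.1"), (1, "192.0.2.1"), (1, "192.0.2.7")]
CONNECTIONS = {"192.0.2.1": {"192.0.2.2"}}

if __name__ == "__main__":
    timeline_edges, coupling_edges = build_topology(ENTRIES, CONNECTIONS)
    print(timeline_edges)
    print(coupling_edges)
    print(impact_summary(ENTRIES, CONNECTIONS))
```

A device that appears only once in the list, such as the constructed `192.0.2.7`, produces no timeline edge, which separates a one-off anomaly from a persisting one.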

FIG. 7 is a flowchart of a method for detecting abnormal communication equipment in a telecommunication network according to an embodiment of the present invention, where the method may be implemented by the electronic device shown in FIG. 1. In step S701, a data stream is received from the telecommunication network, and a signaling set is obtained from the data stream, where each signaling in the signaling set corresponds to the same response code and device type. In step S702, at least one feature is determined according to the response code and the device type, and at least one feature vector corresponding to the at least one feature is obtained according to the signaling set. In step S703, the signaling set is divided into a plurality of clusters according to the at least one feature vector, where the plurality of clusters includes a first cluster. In step S704, in response to determining that the response code corresponds to an abnormal response code, a first abnormal device corresponding to the first cluster is obtained, the first abnormal device is added to an abnormal device list, and the abnormal device list is output.

In summary, by capturing packets or signaling of a telecommunication network and analyzing them through data processing and clustering, the present invention provides fault detection for communication equipment (for example, voice equipment) and analysis of the scope and duration of the impact, helping network operations personnel find the root cause of a fault. Compared with conventional techniques, the invention offers the following benefits and advantages. The invention may use a signaling feature extraction method based on principal component analysis, which is compatible with multiple voice communication protocols; compared with traditional expert rules, the judgment conditions do not need to be adjusted individually for different network elements, which makes the fault detection system general-purpose and reduces the burden on operations personnel. After an abnormal state occurs, the invention can provide tracking of the fault event, including the scope of impact caused by the fault and its time course, improving the accuracy of fault diagnosis by operations personnel and shortening the time needed to clear the fault.

S701, S702, S703, S704: steps

Claims (10)

1. An electronic device for detecting abnormal communication equipment in a telecommunication network, comprising:
a transceiver;
a storage medium storing a plurality of modules; and
a processor coupled to the storage medium and the transceiver, the processor accessing and executing the plurality of modules, wherein the plurality of modules comprises:
a signaling capture module that receives a data stream from the telecommunication network through the transceiver and obtains a signaling set from the data stream, wherein each signaling in the signaling set corresponds to the same response code and device type;
a feature extraction module that determines at least one feature according to the response code and the device type, and obtains at least one feature vector corresponding to the at least one feature according to the signaling set;
a clustering module that divides the signaling set into a plurality of clusters according to the at least one feature vector, wherein the plurality of clusters includes a first cluster; and
a cluster aggregation module that, in response to determining that the response code corresponds to an abnormal response code, obtains a first abnormal device corresponding to the first cluster and adds the first abnormal device to an abnormal device list, wherein the cluster aggregation module outputs the abnormal device list through the transceiver.

2. The electronic device of claim 1, wherein the cluster aggregation module, in response to determining that the response code corresponds to a normal response code, obtains a second abnormal device corresponding to an outlier of the plurality of clusters and adds the second abnormal device to the abnormal device list.

3. The electronic device of claim 1, wherein the first abnormal device corresponds to a first abnormal signaling in the first cluster, and the first abnormal signaling is, among a plurality of abnormal signalings of the first cluster, the abnormal signaling closest to the cluster center of the first cluster.

4. The electronic device of claim 2, wherein the cluster aggregation module determines that the second abnormal device corresponds to the outlier according to the interquartile range of one of the plurality of clusters and a feature value corresponding to the second abnormal device.

5. The electronic device of claim 1, wherein the feature extraction module standardizes the feature values of the signaling in the signaling set and applies principal component analysis to the signaling set to generate the at least one feature vector.

6. The electronic device of claim 1, wherein the clustering module determines the number of the plurality of clusters according to one of the following: the silhouette method and the elbow method.

7. The electronic device of claim 1, wherein the clustering module divides the signaling set into the plurality of clusters according to one of the following: the K-means method, the K-medoids method, hierarchical clustering, and density-based clustering.

8. The electronic device of claim 1, wherein the plurality of modules further comprises:
an impact analysis module that, in response to a first device corresponding to a first time point in the abnormal device list matching a second device corresponding to a second time point, generates an abnormal device topology graph according to the first time point and the second time point, wherein the abnormal device topology graph indicates the timeline along which the first device became abnormal.

9. The electronic device of claim 1, wherein the plurality of modules further comprises:
an impact analysis module that receives a device connection configuration through the transceiver, wherein
the impact analysis module, in response to the abnormal device list containing a first device and the device connection configuration indicating that the first device is coupled to a second device, generates an abnormal device topology graph according to the first device and the second device, wherein the abnormal device topology graph indicates that the second device and the first device are coupled to each other.

10. A method for detecting abnormal communication equipment in a telecommunication network, comprising:
receiving a data stream from the telecommunication network and obtaining a signaling set from the data stream, wherein each signaling in the signaling set corresponds to the same response code and device type;
determining at least one feature according to the response code and the device type, and obtaining at least one feature vector corresponding to the at least one feature according to the signaling set;
dividing the signaling set into a plurality of clusters according to the at least one feature vector, wherein the plurality of clusters includes a first cluster; and
in response to determining that the response code corresponds to an abnormal response code, obtaining a first abnormal device corresponding to the first cluster, adding the first abnormal device to an abnormal device list, and outputting the abnormal device list.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW111118367A TWI802413B (en) 2022-05-17 2022-05-17 Electronic device and method of detecting abnormal equipment in telecommunication network

Publications (2)

Publication Number Publication Date
TWI802413B true TWI802413B (en) 2023-05-11
TW202347995A TW202347995A (en) 2023-12-01

Family

ID=87424346

Country Status (1)

Country Link
TW (1) TWI802413B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI892433B (en) * 2024-01-29 2025-08-01 中華電信股份有限公司 Data collection device and data collection method for open radio access network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI478530B (en) * 2012-08-13 2015-03-21 Chunghwa Telecom Co Ltd The method and system for ngn traffic monitoring
TWI721693B (en) * 2019-12-09 2021-03-11 中華電信股份有限公司 Network behavior anomaly detection system and method based on mobile internet of things
US20210194910A1 (en) * 2017-04-26 2021-06-24 Elasticsearch B.V. Anomaly and Causation Detection in Computing Environments Using Counterfactual Processing
TWI760887B (en) * 2020-10-13 2022-04-11 中華電信股份有限公司 Method and server for abnormal status detection of voice signaling

CN119652559B (en) A train communication network intrusion detection method based on multi-scale residual networks