Method for realizing network sampling

Abstract

The method comprises;for a certain king of data messages, according to a preset separating strategy the network device separates the data message in a accord with the separating strategy from said data messages; making the collection for the separated data message; the collected data message is packaged and then sends to the collector. The invention only makes processing for a certain data stream so as to avoid the processing inability of the collector due to the over massive data.

Description

technical field [0001] The invention relates to a network sampling technology, in particular to a method for network sampling. Background technique [0002] In the current data network, IP technology plays a central role. With the large number of applications of IP data networks, the management of network security and performance is becoming more and more important. [0003] With the development of the Internet (Internet), there are more and more network destructive behaviors such as hackers and attacks on the network. At present, there are relatively few means to discover such behaviors. The technology of sampling data packets transmitted on the network is a kind of the means employed. When data packets flow through network equipment, such as routers, the network equipment counts the abnormal data packets and forwards the statistical results to the network management equipment. The relevant software in the network management equipment analyzes the statistical results and ...

AI Technical Summary

Problems solved by technology

Among them, the aggregation rules can be autonomous system aggregation, protocol-port aggregation, source prefix aggregation, destination prefix aggregation, and prefix aggregation. The aggregated statistical results are sent to the collector, so that the amount of data will be greatly reduced, but it may cause information loss

For example, in the unaggregated statistical results, there are 100 data packets with different source IP addresses, but the port number is 500, and the seven-tuple and statistical number of these 100 data packets with different source IP addresses will be sent to the collection and stored in the database. After the analyzer reads the above data from the database, if the port number is 500, which is the port used by some network attack, it can immediately locate which source IP addresses sent the attack packets. After protocol-port aggregation, the count of these 100 data packets will become a record, and the source IP address information in the sending record will be gone, only the statistical number and port number information of data packets with port number 500 will be stored In the database, due to the reduction of the amount of information, the analyzer can only analyze the existence of network attacks with port number 500 on the network, but cannot analyze which specific source IP addresses send out the attacks

[0009] It can be seen from the above method of statistics based on NetFlow that the statistics are performed on all types of data flows, and the amount of data is so large that the collector cannot continue to process normally. Although this problem can be solved by aggregation of version 9, the aggregated data flow , the information is even less, and it is more difficult to accurately locate dangerous network behaviors such as attacks, which increases the inaccuracy of the analysis results; moreover, the data obtained by the collector has been counted, and the original data has been lost. For the analyzer, at this time Can only do some simple analysis

Images