CN-122027522-A - Visual monitoring method and system for network session data based on big data analysis

Abstract

The application provides a network session data visual monitoring method and system based on big data analysis, and relates to the technical field of electric digital data processing. The method comprises: obtaining atomic session logs containing a destination IP and a connection response delay; comparing the destination IP with a multi-level geospatial mapping index library and marking geographic attribution labels; aggregating by geographic node and calculating the average connection response time within a statistical time window; when the average time of a target geographic node exceeds a health baseline threshold, triggering a second traversal and determining the performance outlier IP; filling a display interface with heat color levels according to the average time of each geographic node; and, in response to a user query, retrieving and displaying the historical delay fluctuation curve of the outlier IP together with the average time curve of the corresponding region, generating visual evidence of the network fault source. Operation and maintenance personnel can thus accurately restore the real network performance of the region at that moment, which fills the technical gap that historical performance complaints cannot be verified.

Inventors

  • LIN SHENGFENG
  • SHI HONGLIANG

Assignees

  • 岭博科技(北京)有限公司

Dates

Publication Date
20260512
Application Date
20260205

Claims (10)

  1. A visual monitoring method for network session data based on big data analysis, applied to a network operation and maintenance monitoring system, characterized by comprising the following steps: acquiring a set of atomic session logs that flow through a gateway and contain a destination IP and a connection response delay; comparing the destination IP of each atomic session log with a preset multi-level geospatial mapping index library and marking a unique geographic attribution label according to the comparison result, the multi-level geospatial mapping index library pre-storing the hierarchical attribution relation between global public network IP address segments and the three-level geographic nodes of country, province and city; calculating, according to the geographic attribution labels, the connection response delay data of all associated logs under each geographic node within a statistical time window, and generating the average connection response time of each region; when the average connection response time of a target geographic node exceeds a network health baseline threshold, triggering a second traversal of all atomic session logs under the target geographic node, and determining a performance outlier IP based on a preset outlier screening rule according to the connection response delay data within the statistical time window; loading a regional map on a display interface, and filling the map with heat color levels according to the average connection response time of each geographic node; and, after receiving a query instruction from a user, retrieving and displaying the historical delay fluctuation curve of the performance outlier IP within the statistical time window and the average connection response time curve of the corresponding region, so as to generate visual evidence of the network fault source.
  2. The method according to claim 1, wherein the step of determining the performance outlier IP based on a preset outlier screening rule according to the connection response delay data within the statistical time window specifically comprises: calculating, based on the hierarchical structure of the target geographic area and taking the minimum geographic granularity as the aggregation unit, the average connection response time of all city-level nodes; comparing the calculated average connection response time of each city-level node with the network health baseline threshold, and screening out abnormal city-level nodes; and, for each abnormal city-level node, retrieving in the multi-level geospatial mapping index library the performance outlier IP belonging to it.
  3. The method according to claim 2, wherein the step of retrieving, for each abnormal city-level node, in the multi-level geospatial mapping index library, the performance outlier IP belonging to it specifically comprises: grouping all atomic session logs under the target geographic node by destination IP address to obtain a plurality of IP groups; calculating, for each IP group, the average connection response time within the group and the weight proportion of the group's log count to the total log count under the target geographic node; determining a delay weight for each IP group based on the product of the average connection response time and the weight proportion; and selecting a preset number n of destination IP addresses with the largest delay weight as the performance outlier IPs.
  4. The method of claim 3, wherein after the step of selecting the n destination IP addresses with the largest delay weight as the performance outlier IPs, the method further comprises: backtracking the atomic session log set within the statistical time window, searching for all internal source IP addresses that initiated connection requests to the performance outlier IP, and constructing a source mapping set; calculating the delay discrete variance of the different internal source IP addresses in the source mapping set when accessing the performance outlier IP; if the delay discrete variance is smaller than a preset congestion judging threshold, judging that the external network is abnormal, and marking the performance outlier IP as a common fault node on the display interface; and if the delay discrete variance is greater than or equal to the congestion judging threshold, judging that the local area network is abnormal, and marking the internal source IP address with the highest delay contribution as a personal fault node on the display interface.
  5. The method of claim 4, further comprising, after the step of marking the internal source IP address with the highest delay contribution as a personal fault node on the display interface: generating, based on the source mapping set, a visual fault logic topology graph on the display interface, wherein the fault logic topology graph takes the performance outlier IP as the core node and the internal source IP addresses as divergent nodes; when the external network is judged abnormal, highlighting the connection lines from all internal source IP addresses in the source mapping set to the performance outlier IP, and synchronously displaying the delay rise amplitude of the performance outlier IP as an evidence label; when the local area network is judged abnormal, locating a target subnet group with abnormal delay from the source mapping set; and highlighting the internal source IP addresses in the target subnet group as an early warning.
  6. The method of claim 5, wherein, when the local area network is judged abnormal, after the step of locating the target subnet group with abnormal delay from the source mapping set, the method further comprises: acquiring the network bandwidth utilization curve of the target subnet group within the statistical time window and its connection response delay curve for accessing the performance outlier IP; extracting the high-delay time segments in which the connection response delay curve exceeds the network health baseline threshold; detecting, for each high-delay time segment, whether the network bandwidth utilization curve is in a high-load saturated state; calculating the overlap ratio of the time segments in the high-load saturated state to all high-delay time segments; if the overlap ratio is higher than a preset trend synchronization threshold, judging that the target subnet group has a bandwidth-occupation type abnormality and displaying it; and if the overlap ratio is lower than the trend synchronization threshold, judging that the target subnet group has a link-quality type abnormality and displaying it.
  7. The method according to claim 1, wherein after the step of retrieving and displaying, after receiving the query instruction of the user, the historical delay fluctuation curve of the performance outlier IP within the statistical time window and the average connection response time curve of the corresponding region, the method further comprises: receiving a click command from the user on a set time point in the historical delay fluctuation curve; and retrieving the session attribute information related to the set time point from the atomic session log set, and displaying the session attribute information of the initiated connections in a window.
  8. A network operation and maintenance monitoring system, characterized in that it comprises one or more processors and a memory, said memory being coupled to said one or more processors, said memory being for storing computer program code comprising computer instructions, said one or more processors invoking said computer instructions to cause said network operation and maintenance monitoring system to perform the method according to any of claims 1-7.
  9. A computer readable storage medium comprising instructions which, when run on a network operation and maintenance monitoring system, cause the network operation and maintenance monitoring system to perform the method of any of claims 1-7.
  10. A computer program product, characterized in that the computer program product, when run on a network operation and maintenance monitoring system, causes the network operation and maintenance monitoring system to perform the method according to any of claims 1-7.
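
The screening in claims 3 and 4, as an added Python sketch that is not part of the patent text. The log rows and the congestion threshold are constructed, and two readings are assumptions: the "delay discrete variance" is taken over each internal source's mean delay, and "delay contribution" is a source's summed delay.

```python
from collections import defaultdict
from statistics import mean, pvariance

# Constructed atomic session logs for one geographic node:
# (internal source IP, destination IP, connection response delay in ms).
EXTERNAL_CASE = [
    ("10.0.0.1", "203.0.113.10", 900), ("10.0.0.2", "203.0.113.10", 920),
    ("10.0.0.3", "203.0.113.10", 880), ("10.0.0.1", "198.51.100.7", 40),
    ("10.0.0.2", "198.51.100.7", 50), ("10.0.0.3", "198.51.100.7", 45),
]
LAN_CASE = [
    ("10.0.0.1", "203.0.113.10", 50), ("10.0.0.2", "203.0.113.10", 60),
    ("10.0.0.3", "203.0.113.10", 1500), ("10.0.0.1", "198.51.100.7", 40),
]
CONGESTION_THRESHOLD = 10_000  # ms^2, constructed value


def top_outlier_ips(logs, n):
    """Claim 3: delay weight = group mean delay * group share of all logs."""
    groups = defaultdict(list)
    for _src, dst, delay in logs:
        groups[dst].append(delay)
    weights = {dst: mean(d) * len(d) / len(logs) for dst, d in groups.items()}
    ranked = sorted(weights, key=weights.get, reverse=True)
    return ranked[:n], weights


def classify(logs, outlier_ip, threshold=CONGESTION_THRESHOLD):
    """Claim 4: compare the variance across internal sources to the threshold."""
    per_src = defaultdict(list)  # source mapping set for the outlier IP
    for src, dst, delay in logs:
        if dst == outlier_ip:
            per_src[src].append(delay)
    if not per_src:
        raise ValueError(f"no sessions towards {outlier_ip}")
    # Assumption: variance is taken over each source's mean delay.
    variance = pvariance([mean(d) for d in per_src.values()])
    if variance < threshold:
        return "external", outlier_ip, variance  # common fault node
    # Assumption: "contribution" is the source's summed delay.
    worst = max(per_src, key=lambda s: sum(per_src[s]))
    return "lan", worst, variance  # personal fault node


if __name__ == "__main__":
    for case in (EXTERNAL_CASE, LAN_CASE):
        (ip,), _ = top_outlier_ips(case, 1)
        print(ip, classify(case, ip))
```

Weighting by log share means a rarely contacted slow destination ranks below a frequently contacted one with the same mean delay, so the choice of n and the window length decide whether low-volume destinations are ever examined.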

Description

Visual monitoring method and system for network session data based on big data analysis

Technical Field

The application relates to the technical field of electric digital data processing, in particular to a network session data visual monitoring method and system based on big data analysis.

Background

With the rapid development of mobile internet and big data technology, network access service has become core infrastructure in hotels, large campuses and enterprise office environments. In these high-density user access scenarios, a network administrator needs not only to monitor the up/down state of core links, but also to analyze end users' internet usage and service quality in depth, so as to quickly locate the root cause when a user complains of network stalls or slow access.

To address the difficulty of investigating reports of slow network speed from users in a local area network, the mainstream existing solution is generally a network monitoring system based on NetFlow/sFlow flow analysis. In this scheme, network devices (such as routers and switches) periodically count port traffic or generate flow records and send the data to a central network operation and maintenance monitoring system; after receiving the data, the system aggregates the traffic and generates time-series charts (such as a port traffic trend chart) reflecting network bandwidth utilization.

When operation and maintenance personnel need to investigate a problem, they can view these charts to see intuitively whether the total bandwidth of the network egress reached saturation at a given moment, or query the network address translation log files generated by the firewall to check the cumulative traffic of a specific IP address over a period of time, and so judge whether abnormal traffic is occupying bandwidth.

However, the bandwidth utilization value is not equal to the actual internet speed perceived by the user, so in the prior art it is difficult for users or staff to know the root cause of an internet speed problem. In particular, existing log records, while retaining session records of source IP and destination IP, essentially focus on recording "whether a connection exists" and "how much data was transferred", and often ignore quantitative recording of the key performance indicator "session connection time consumption". When a user complains that a website is slow to access but the total network bandwidth is not saturated, operation and maintenance personnel face massive log entries with no geographic location marking, and it is difficult to separate the user's connection time data for a specific region (such as a specific province or country) from pure traffic values. This "whether there is traffic, whether there is a record" style of data presentation means that, when handling historical speed complaints, the real network performance of a user accessing targets in a specific region at that moment cannot be restored, leaving a large troubleshooting blind spot.
Disclosure of Invention

The application provides a visual monitoring method and system for network session data based on big data analysis, which are used to solve the technical problems that network performance complaints cannot be traced back to the historical scene and that the geographic location of a fault cannot be located.

In a first aspect, the application provides a visual monitoring method for network session data based on big data analysis, applied to a network operation and maintenance monitoring system, comprising the steps of: obtaining a set of atomic session logs that flow through a gateway and contain a destination IP and a connection response delay; comparing the destination IP of each atomic session log with a preset multi-level geospatial mapping index library and marking a unique geographic attribution label according to the comparison result, the multi-level geospatial mapping index library pre-storing the hierarchical attribution relation between global public network IP address segments and the three-level geographic nodes of country, province and city; calculating, according to the geographic attribution labels, the connection response delay data of all associated logs under each geographic node within a statistical time window, and generating the average connection response time of each region; when the average connection response time of a target geographic node exceeds a network health baseline threshold, triggering a second traversal of all atomic session logs under the target geographic node, and determining a performance outlier IP based on a preset abnormal screening