CN117880126B - Virtual reality-based interactive network flow visualization equipment identification method - Google Patents
- Publication number
- CN117880126B (application CN202410125674.8A)
- Authority
- CN
- China
- Prior art keywords
- network
- data
- cluster
- feature
- time window
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/04—Processing captured monitoring data, e.g. for logfile generation
- H04L43/045—Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/12—Discovery or management of network topologies
- H04L41/122—Discovery or management of network topologies of virtualised topologies, e.g. software-defined networks [SDN] or network function virtualisation [NFV]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/131—Protocols for games, networked simulations or virtual reality
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Mining & Analysis (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a virtual reality-based interactive network traffic visualization and device identification method, comprising the following steps: S1, extracting key features of network traffic packets and integrating them into a network traffic data set; S2, preprocessing the collected network traffic data set by data cleaning and standardization; S3, analyzing the preprocessed network traffic data set, determining key features of the data flows, and performing dynamic cluster analysis; S4, identifying the device types in the network based on the traffic data, labeling each dynamic cluster analysis result, and inferring the possible device types; S5, creating a three-dimensional network topology model of three-dimensional representations of network devices and connections, wherein each network device and connection is represented by a corresponding three-dimensional object; and S6, binding real-time network traffic data to the three-dimensional network topology model for interactive network traffic visualization. The invention visualizes network traffic data and device status in a three-dimensional network topology model.
Description
Technical Field
The invention relates to the technical field of network security and monitoring, and in particular to a virtual reality-based interactive network traffic visualization and device identification method.
Background
With the rapid development of network technology and its widening range of applications, network environments are becoming more and more complex. Conventional network monitoring and security analysis methods rely primarily on two-dimensional graphs and data tables, which can provide an overview of network status to some extent but struggle with large-scale, dynamically changing network data. The prior art has significant shortcomings in data processing efficiency, real-time performance and user interaction experience, particularly in the analysis of massive network data and the identification of complex network threats.
Conventional network monitoring systems often rely on static data reports and charts, which are relatively limited in data presentation and user interaction. These systems are inefficient at processing and presenting large amounts of real-time data and struggle to provide an intuitive representation of network status, especially for non-technical staff. The complexity and dynamics of the network state make it difficult for conventional methods to reflect the actual operation of the network in real time, which limits the efficiency and accuracy of network management and security analysis. Second, existing network monitoring and security analysis tools also fall short in identifying increasingly complex network threats. As network attack techniques continue to evolve, traditional detection methods based on rules and signatures have difficulty adapting to new threat patterns in time. In addition, the prior art often lacks flexibility and accuracy in identifying network device types, and cannot effectively adapt to diverse and rapidly changing network environments. Therefore, how to provide a virtual reality-based interactive network traffic visualization and device identification method is a problem to be solved by those skilled in the art.
Disclosure of Invention
The invention aims to provide a virtual reality-based interactive network traffic visualization and device identification method that visualizes network traffic data and device states in a three-dimensional network topology model. This gives an intuitive, multidimensional view of the network state that is easier to understand and analyze than traditional two-dimensional charts and data tables, and in particular lets non-technical staff grasp the state and dynamics of the whole network more intuitively.
According to the embodiment of the invention, the method for identifying the interactive network traffic visualization equipment based on virtual reality is characterized by comprising the following steps of:
S1, capturing incoming and outgoing network traffic packets at network nodes with a network monitoring tool, extracting key features of the packets, and integrating the key features into a network traffic data set;
S2, preprocessing the collected network traffic data set by data cleaning and standardization;
S3, analyzing the preprocessed network traffic data set, determining key features of the data flows, and performing dynamic cluster analysis on the data features in each time window using a time-window dynamic adaptive clustering algorithm;
S4, identifying the device types in the network based on the traffic data, labeling each dynamic cluster analysis result, and inferring the possible device types;
S5, creating a three-dimensional network topology model of three-dimensional representations of network devices and connections, wherein each network device and connection is represented by a corresponding three-dimensional object;
S6, binding real-time network traffic data to the three-dimensional network topology model for interactive network traffic visualization, and dynamically displaying different network traffic and state information on the model through different visualization effects.
Optionally, the S1 specifically includes:
S11, capturing incoming and outgoing network traffic packets on each node of the network using a network monitoring tool;
S12, extracting from the captured packets the key data point features, comprising the source IP address src_ip, destination IP address dst_ip, source port number src_port, destination port number dst_port, protocol type protocol, packet size packet_size and timestamp, and integrating the key features captured for the data points into a network traffic data set D:
$D = \{d_1, d_2, \ldots, d_n\}$;
$d_i \in \{\text{src\_ip}_i, \text{dst\_ip}_i, \text{src\_port}_i, \text{dst\_port}_i, \text{protocol}_i, \text{packet\_size}_i, \text{timestamp}_i\}$;
S13, filtering the network traffic data set according to the network monitoring requirement, wherein the requirement is expressed as a filtering rule F over a specific IP address range, port numbers and protocol types:
$F = \{\text{src\_ip} \in \text{IP\_Range},\ \text{dst\_ip} \in \text{IP\_Range},\ \text{src\_port} \in \text{Port\_Set},\ \text{dst\_port} \in \text{Port\_Set},\ \text{protocol} \in \text{Protocol\_Set}\}$;
where IP_Range is the allowed IP address range, Port_Set is the designated set of port numbers, and Protocol_Set is the set of specific protocol types;
The filtered data set is denoted $D' = \{d_i \in D \mid F(d_i)\}$, i.e., the data points $d_i$ satisfying the filtering rule F are selected from the original data set D to form a new network traffic data set D';
S14, integrating the filtered network traffic data set into a final network traffic data set D'.
Optionally, the S2 specifically includes:
S21, checking each data point $d_i$ in the network traffic data set D' using the outlier determination function $f_{outlier}(d_i)$:
$f_{outlier}(d_i) = \left(\left|d_{i,feature} - \mu\right| > k \times \sigma\right)$;
where $d_{i,feature}$ is the value of a given feature of data point $d_i$, $\mu$ and $\sigma$ are the mean and standard deviation of that feature, and k is a preset threshold that determines how large a deviation is considered abnormal; k is set to 2 or 3, so a data point is considered abnormal when its feature value deviates from the mean by more than 2 or 3 standard deviations;
For a data point $d_i$ judged abnormal by $f_{outlier}(d_i)$, the interpolation function $f_{interp}$ is applied for correction:
where $f_{interp}(d_i)$ is the new, corrected feature value, and $d_{i-1,feature}$ and $d_{i+1,feature}$ are the feature values of the data points immediately before and after $d_i$;
All interpolation-corrected data points $d_i$ are then re-integrated into the network traffic data set D', and consistency and integrity checks are performed.
S22, processing the feature $feature_i$ of each data point $d_i$ in the network traffic data set D'' by applying the normalization function $f_{norm}$:
where $feature_i$ is the raw feature value of data point $d_i$, and min(feature) and max(feature) are the minimum and maximum values of that feature over the entire data set;
S23, selecting features of each data point $d_i$ in the network traffic data set D' by information gain, keeping the features most valuable for identifying network devices, wherein the information gain is calculated as:
$IG(T, f) = H(T) - H(T \mid f)$;
where T is the target variable, f is a particular feature, $H(T)$ is the entropy of the target variable, and $H(T \mid f)$ is the conditional entropy of the target variable given feature f.
Optionally, the step S3 specifically includes:
S31, for the network traffic data set D'', defining an initial time window length $\Delta t$ based on the average intensity and volatility of the network traffic:
where $\gamma$ and $\alpha$ are adjustment coefficients; K is the number of clusters in a specific time window, determined according to the actual network environment and requirements and taken from the cluster analysis of the previous step; $w_k$ is the weight of cluster k, representing the importance of the cluster in the network traffic; and $Var(k)$ is the variance of the traffic data in cluster k, reflecting the degree of traffic fluctuation within the cluster;
During data analysis, the time window length $\Delta t$ is dynamically adjusted according to changes in real-time network traffic; the adjustment takes into account changes in the degree of traffic fluctuation and in the clustering characteristics within the time window: when network traffic fluctuation increases, the time window is shortened, and when it decreases, the time window is lengthened:
where $\Delta t$ is the current time window length, $K_{new}$ and $Var_{new}(k)$ are the number of clusters in the new time window and the variance of each cluster, respectively, and $\beta$ is an adjustment exponent that controls how strongly the time window size changes;
Each time point $t_i$ corresponds to one data point, or to the data within a period of time, in the network traffic data set D''. The time window $W_t$ is a set of consecutive time points $\{t_i, t_{i+1}, \ldots, t_{i+n}\}$, where the value of n is calculated from $\Delta t_{new}$ in the dynamic adjustment formula, and the number of new time points $n_{new}$ is:
S32, clustering the data in each time window $W_t$ by applying a dynamic adaptive clustering algorithm, wherein the number of clusters $K_t$ and the clustering mode are dynamically adjusted according to the data characteristics in the time window, and the number of clusters is determined from the change in the time window length $\Delta t_{new}$ and the fluctuation of the traffic data:
where rounding up is applied; a and b are constants that adjust the number of clusters and are determined by the characteristics and requirements of the network; the exponential decay term adjusts the number of clusters according to the time window length $\Delta t_{new}$; $\gamma$ is an adjustment coefficient that dynamically adjusts the number of clusters when the time window changes, adapting to changes in network traffic; $Var(D'', W_t)$ is the variance of the network traffic data set D'' in the time window $W_t$, reflecting the fluctuation of network traffic in that window; and $\sigma^2$ is a baseline value of the network traffic variance, used to normalize the influence of the variance on the number of clusters;
S33, performing feature analysis on the clustering result of each time window $W_t$ to identify the characteristics and patterns of each cluster, wherein the feature analysis comprises calculating the cluster feature mean, the intra-cluster variance and the cluster feature importance evaluation for the data points in each cluster;
S34, analyzing the changes and trends among clusters according to the clustering results of the consecutive time windows $W_{t-1}$ and $W_t$, and dynamically adjusting the clustering strategy and parameters of the subsequent time window $W_{t+1}$ based on the degree of traffic fluctuation in the current time window $W_t$, the change in clustering characteristics, and the dynamically adjusted time window length $\Delta t_{new}$.
Optionally, the cluster feature mean comprises, for each cluster $C_k$, $k = 1, 2, \ldots, K_t$, in the time window $W_t$, calculating the mean over all data points within the cluster on each feature, the cluster feature mean representing the typical behavior of the cluster on that feature:
where $\mu_{k,f}$ is the mean of feature f in cluster $C_k$;
The intra-cluster variance evaluates how consistent the data points inside each cluster are on each feature: the variance of each feature inside the cluster is calculated, and the smaller the variance, the more consistent the data points inside the cluster are on that feature:
where the result is the variance of feature f within cluster $C_k$.
The cluster feature importance evaluation assesses how important each feature is for distinguishing between different clusters:
$IG(C_k, f) = H(C_k) - H(C_k \mid f)$;
where $H(C_k)$ is the entropy of cluster $C_k$ and $H(C_k \mid f)$ is the conditional entropy of cluster $C_k$ given feature f.
Optionally, the step S4 specifically includes:
S41, labeling each cluster by applying a labeling function $f_{label}$ to the clusters $C_k$ in each time window $W_t$, wherein the labeling function generates descriptive labels based on the following formula:
where F is the feature set considered in cluster $C_k$; $\mu_{k,f}$ and the intra-cluster variance are the mean and variance of feature f in cluster $C_k$, respectively; $IG(C_k, f)$ is the information gain of feature f; and each $Label_f$ is generated from the statistical properties and information gain of a particular feature f, reflecting the salient behavior or characteristics of cluster $C_k$ on that feature;
S42, based on the labeling information of the clustering result, applying a device type inference function $f_{device}$ to identify and infer the device types in the network, the device type inference function $f_{device}(C_k)$ determining the possible device types represented by each cluster using the labeling result and feature analysis of cluster $C_k$:
where $T_1$ is the set of possible device types, $f_{device}(C_k)$ is a labeling result of cluster $C_k$, $L_{ki}$ is a label of cluster $C_k$, and $Score(L_{ki}, T)$ is a scoring function measuring the relevance of label $L_{ki}$ to device type T; the scoring function considers the accuracy and information content of label $L_{ki}$ in describing device type T;
S43, constructing a mapping function MapDeviceType that maps a specific cluster pattern to a specific network device type: for each cluster $C_k$, taking into account the descriptive label set generated by the labeling function $f_{label}$ and the device type inference result obtained from the device type inference function $f_{device}$, cluster $C_k$ is mapped to one or more network device types:
$MapDeviceType(C_k) = \{(t, relevance(C_k, t)) \mid t \in T\}$;
where t is one potential device type and $relevance(C_k, t)$ is a function computing the correlation between cluster $C_k$ and device type t; it is determined from the results of the labeling function $f_{label}(C_k)$ and the device type inference function $f_{device}(C_k)$, and quantifies how well each cluster matches a particular device type.
Optionally, step S43 further comprises evaluating the correlation between cluster $C_k$ and each possible device type t by calculating $relevance(C_k, t)$, the correlation being based on the labeling information of cluster $C_k$ and an inference of the device type that the cluster may represent:
where $f_{label}(C_k)$ is the labeling result of cluster $C_k$, i.e., a set of descriptive labels; $L_{ki}$ is a label of cluster $C_k$; $Score(L_{ki}, t)$ is a scoring function measuring the relevance of label $L_{ki}$ to device type t, set according to the degree of matching between the label content and the device type features; and the weight indicates the importance or reliability of label $L_{ki}$ and is based on the label's information gain $IG(C_k, L_{ki})$.
Optionally, the step S5 specifically includes:
S51, using three-dimensional modeling software to create, from the network topology data, a three-dimensional network topology model of three-dimensional representations of the corresponding network devices and connections, and selecting suitable geometric shapes, textures and colors to represent different types of network devices and connection states, wherein each network device and connection is represented by a three-dimensional object;
S52, mapping the device types into the three-dimensional network topology model, which comprises creating, for each identified device type, a corresponding visual element (an icon or model with a specific color or shape) in the model, and placing the visual elements at the corresponding positions in the model;
S53, dynamically displaying network traffic and state information on the three-dimensional network topology model through the visual elements, using colors, sizes or animations to represent different types of network traffic, device states or warnings; links with higher traffic are displayed in brighter colors, and devices under threat are displayed as flashing or specially colored icons;
S54, designing and implementing an interactive user interface that allows a user to interact with the three-dimensional network topology model through virtual reality equipment, providing zooming, rotating, selecting, and viewing detailed information about a specific network device or connection, wherein user interaction is based on gestures, head tracking or controller input;
S55, periodically acquiring the latest network traffic data, device states and warning information from the network monitoring system, and updating the visual representation of the corresponding elements in the three-dimensional network topology model, so that the model receives and displays real-time data from the network monitoring system.
Optionally, mapping the device types into the three-dimensional network topology model specifically comprises:
Defining a mapping function VisualMapping that maps each device type to a visual element, namely an icon or model with a particular color or shape:
$VisualMapping(t) = v$;
where t is the device type derived from $MapDeviceType(C_k)$, and v is the visual element corresponding to device type t;
Defining a spatial location mapping function SpatialMapping that, based on the actual physical layout or logical relationships of the network, places each device type at the appropriate location in the three-dimensional network topology model:
$SpatialMapping(C_k) = p$;
where p is the spatial position in the three-dimensional network topology model, decided from network characteristics of cluster $C_k$ such as its connection density and traffic pattern;
Combining the results of VisualMapping and SpatialMapping, visual elements are created and placed in the three-dimensional network topology model; each device type derived from $MapDeviceType(C_k)$ is represented by a corresponding visual element v at a corresponding location p:
$IntegrateVisuals(C_k) = \{(v, p) \mid v = VisualMapping(t),\ p = SpatialMapping(C_k)\}$;
where t is the device type mapped from cluster $C_k$, and v and p are the corresponding visual element and position, respectively.
Optionally, the step S6 specifically includes:
S61, establishing a real-time data stream connected to the network monitoring system, continuously acquiring network traffic data, device states and security warnings, and extracting from the network monitoring system, periodically or in real time, the key data indicators: the number of network traffic packets transmitted per second, the activity state of each device, and the security warning level;
S62, binding the data in the real-time data stream to the corresponding elements of the three-dimensional network topology model: network traffic data is mapped to the connection lines in the model, device state data to the corresponding device representations, and security warning data to specific warning markers;
S63, implementing dynamic visual updating based on real-time data in the three-dimensional network topology model: the color, size or animation effect of elements in the model is adjusted automatically as the real-time data changes, the brightness or color of connection lines is adjusted as traffic increases or decreases, and the color or flashing frequency of a device representation is changed according to the device state;
S64, periodically evaluating and optimizing the real-time data stream processing mechanism and the way data is bound to the three-dimensional network topology model, and adjusting the data acquisition frequency, data processing logic and visual display strategy according to changes in network conditions and user feedback.
The beneficial effects of the invention are as follows:
(1) According to the invention, through real-time data collection and preprocessing and combining a dynamic self-adaptive clustering algorithm and feature analysis, massive network data can be efficiently processed, and the change of the network state can be captured and reflected in real time, so that the method can adapt to the dynamic change of the network environment more quickly than the traditional method, and the data processing efficiency and instantaneity are improved.
(2) The invention visualizes the network flow data and the equipment state in the network topology three-dimensional model, provides an intuitive and multidimensional network state display mode, is easier to understand and analyze than the traditional two-dimensional chart and data table, and can grasp the state and the dynamics of the whole network more intuitively especially for non-technicians.
(3) The invention utilizes virtual reality technology, and the user can directly interact with the network model, such as zooming and rotating to view different parts of the network, or select specific equipment and connection to acquire more detailed information, thereby providing higher-level user participation and experience.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention. In the drawings:
Fig. 1 is an overall framework diagram of the virtual reality-based interactive network traffic visualization and device identification method.
Detailed Description
The invention will now be described in further detail with reference to the accompanying drawings. The drawings are simplified schematic representations which merely illustrate the basic structure of the invention and therefore show only the structures which are relevant to the invention.
Referring to Fig. 1, a virtual reality-based interactive network traffic visualization and device identification method is characterized by comprising the following steps:
S1, capturing incoming and outgoing network traffic packets at network nodes with a network monitoring tool, extracting key features of the packets, and integrating the key features into a network traffic data set;
In this embodiment, S1 specifically includes:
S11, capturing incoming and outgoing network traffic packets on each node of the network using a network monitoring tool;
S12, extracting from the captured packets the key data point features, comprising the source IP address src_ip, destination IP address dst_ip, source port number src_port, destination port number dst_port, protocol type protocol, packet size packet_size and timestamp, and integrating the key features captured for the data points into a network traffic data set D:
$D = \{d_1, d_2, \ldots, d_n\}$;
$d_i \in \{\text{src\_ip}_i, \text{dst\_ip}_i, \text{src\_port}_i, \text{dst\_port}_i, \text{protocol}_i, \text{packet\_size}_i, \text{timestamp}_i\}$;
S13, filtering the network traffic data set according to the network monitoring requirement, wherein the requirement is expressed as a filtering rule F over a specific IP address range, port numbers and protocol types:
$F = \{\text{src\_ip} \in \text{IP\_Range},\ \text{dst\_ip} \in \text{IP\_Range},\ \text{src\_port} \in \text{Port\_Set},\ \text{dst\_port} \in \text{Port\_Set},\ \text{protocol} \in \text{Protocol\_Set}\}$;
where IP_Range is the allowed IP address range, Port_Set is the designated set of port numbers, and Protocol_Set is the set of specific protocol types;
The filtered data set is denoted $D' = \{d_i \in D \mid F(d_i)\}$, i.e., the data points $d_i$ satisfying the filtering rule F are selected from the original data set D to form a new network traffic data set D';
S14, integrating the filtered network traffic data set into a final network traffic data set D'.
Through steps S11-S14, the network traffic data is effectively screened, ensuring that the analysis is targeted and valid.
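The filtering rule F of step S13 can be exercised on a few records to see what it keeps. The following Python sketch is an added example, not code from the patent; the class names, the sample records and the ephemeral port range are assumptions made for illustration. It applies F exactly as written, where both src_port and dst_port must be in Port_Set, and shows that client flows with an ephemeral source port are dropped unless Port_Set is widened.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One data point d_i carrying the seven features listed in S12."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    packet_size: int
    timestamp: float


@dataclass(frozen=True)
class FilterRule:
    """Filtering rule F: every condition must hold for a record to be kept."""
    ip_range: tuple          # ipaddress networks that make up IP_Range
    port_set: frozenset      # Port_Set
    protocol_set: frozenset  # Protocol_Set

    def _in_range(self, text):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:   # malformed address, e.g. from a damaged capture
            return False
        return any(addr in net for net in self.ip_range)

    def matches(self, d):
        return (self._in_range(d.src_ip) and self._in_range(d.dst_ip)
                and d.src_port in self.port_set
                and d.dst_port in self.port_set
                and d.protocol.upper() in self.protocol_set)


def apply_filter(dataset, rule):
    """D' = {d_i in D | F(d_i)}."""
    return [d for d in dataset if rule.matches(d)]


# Constructed sample data set D; all addresses and ports are illustrative.
D = [
    FlowRecord("10.0.1.20", "10.0.0.9", 51514, 443, "TCP", 517, 1700000000.10),
    FlowRecord("10.0.1.21", "10.0.0.7", 8883, 8883, "TCP", 96, 1700000000.25),
    FlowRecord("10.0.1.22", "10.0.0.2", 53, 53, "UDP", 74, 1700000000.31),
    FlowRecord("203.0.113.4", "10.0.0.9", 443, 443, "TCP", 1400, 1700000000.40),
    FlowRecord("10.0.1.300", "10.0.0.9", 443, 443, "TCP", 60, 1700000000.52),
    FlowRecord("10.0.1.23", "10.0.0.2", 53, 53, "ICMP", 84, 1700000000.60),
]

INTERNAL = (ipaddress.ip_network("10.0.0.0/16"),)

# F taken literally: only service ports are listed in Port_Set.
STRICT = FilterRule(INTERNAL, frozenset({53, 443, 8883}),
                    frozenset({"TCP", "UDP"}))

# Same rule with Port_Set widened by an assumed ephemeral range, so that
# ordinary client-to-server flows survive the filter.
RELAXED = FilterRule(INTERNAL,
                     STRICT.port_set | frozenset(range(49152, 65536)),
                     STRICT.protocol_set)

if __name__ == "__main__":
    for name, rule in (("strict", STRICT), ("relaxed", RELAXED)):
        kept = apply_filter(D, rule)
        print(name, [(d.src_ip, d.src_port, d.dst_port) for d in kept])
```
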
S2, preprocessing the collected network traffic data set by data cleaning and standardization;
In this embodiment, S2 specifically includes:
S21, checking each data point $d_i$ in the network traffic data set D' using the outlier determination function $f_{outlier}(d_i)$:
$f_{outlier}(d_i) = \left(\left|d_{i,feature} - \mu\right| > k \times \sigma\right)$;
where $d_{i,feature}$ is the value of a given feature of data point $d_i$, $\mu$ and $\sigma$ are the mean and standard deviation of that feature, and k is a preset threshold that determines how large a deviation is considered abnormal; k is set to 2 or 3, so a data point is considered abnormal when its feature value deviates from the mean by more than 2 or 3 standard deviations;
For a data point $d_i$ judged abnormal by $f_{outlier}(d_i)$, the interpolation function $f_{interp}$ is applied for correction:
where $f_{interp}(d_i)$ is the new, corrected feature value, and $d_{i-1,feature}$ and $d_{i+1,feature}$ are the feature values of the data points immediately before and after $d_i$;
All interpolation-corrected data points $d_i$ are then re-integrated into the network traffic data set D', and consistency and integrity checks are performed.
Compared with traditional outlier identification, which usually relies on a fixed threshold or a simple statistical method, this approach combines a statistical method with a dynamically adjusted threshold (based on a multiple of the standard deviation), making it more flexible and adaptable to network traffic data of different types and scales.
S22, processing the feature $feature_i$ of each data point $d_i$ in the network traffic data set D'' by applying the normalization function $f_{norm}$:
where $feature_i$ is the raw feature value of data point $d_i$, and min(feature) and max(feature) are the minimum and maximum values of that feature over the entire data set. The normalization formula above may be adapted to the characteristics of network traffic data, since some features may be more important or more discriminative than others; for example, certain key features (e.g., packet size) may be given different weights to reflect their importance in network traffic analysis.
S23, selecting features of each data point $d_i$ in the network traffic data set D' by information gain, keeping the features most valuable for identifying network devices, wherein the information gain is calculated as:
$IG(T, f) = H(T) - H(T \mid f)$;
where T is the target variable, f is a particular feature, $H(T)$ is the entropy of the target variable, and $H(T \mid f)$ is the conditional entropy of the target variable given feature f.
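Steps S21 to S23 can be followed end to end on a small series. The Python sketch below is an added example and not code from the patent; the formulas for $f_{interp}$ and $f_{norm}$ are not reproduced on this page, so it assumes the mean of the nearest unflagged neighbours for interpolation and the usual min-max form $(x - \min)/(\max - \min)$ for normalization. The packet sizes, device labels and feature columns are constructed sample data.

```python
import math
import statistics
from collections import Counter, defaultdict


def flag_outliers(values, k=2.0):
    """f_outlier of S21: True where |x - mu| > k * sigma.

    Uses the population standard deviation. No sample can then lie more than
    sqrt(n - 1) sigma from the mean, so k = 3 flags nothing in a window of
    10 or fewer records.
    """
    mu = statistics.fmean(values)
    sigma = statistics.pstdev(values)
    return [abs(x - mu) > k * sigma for x in values]


def interpolate(values, flags):
    """Correct flagged points from their neighbours (assumed form of f_interp).

    A flagged point becomes the mean of the nearest unflagged value before it
    and after it; at either end of the series it copies its one neighbour.
    """
    clean = list(values)
    for i, bad in enumerate(flags):
        if not bad:
            continue
        prev = next((values[j] for j in range(i - 1, -1, -1) if not flags[j]), None)
        nxt = next((values[j] for j in range(i + 1, len(values)) if not flags[j]), None)
        neighbours = [v for v in (prev, nxt) if v is not None]
        if neighbours:
            clean[i] = sum(neighbours) / len(neighbours)
    return clean


def min_max(values):
    """Assumed form of f_norm: scale to [0, 1]; a constant feature maps to 0."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0] * len(values)
    return [(x - lo) / (hi - lo) for x in values]


def entropy(labels):
    """H(T) in bits."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(target, feature):
    """IG(T, f) = H(T) - H(T | f) for a discrete feature.

    Continuous features such as packet size have to be binned first.
    """
    groups = defaultdict(list)
    for t, f in zip(target, feature):
        groups[f].append(t)
    conditional = sum(len(g) / len(target) * entropy(g) for g in groups.values())
    return entropy(target) - conditional


# Constructed sample: packet sizes of one flow with a single 1500-byte spike.
PACKET_SIZES = [60, 64, 62, 1500, 61, 63, 60, 65, 62, 64]

# Constructed sample: device labels (target T) and two candidate features.
DEVICE_LABELS = ["camera"] * 4 + ["printer"] * 2 + ["sensor"] * 2
DST_PORT = [554, 554, 554, 554, 9100, 9100, 8883, 8883]
PROTOCOL = ["TCP", "UDP", "TCP", "UDP", "TCP", "TCP", "TCP", "TCP"]

if __name__ == "__main__":
    flags = flag_outliers(PACKET_SIZES, k=2)
    cleaned = interpolate(PACKET_SIZES, flags)
    print("flagged index:", flags.index(True), "corrected to", cleaned[3])
    print("normalized:", [round(x, 2) for x in min_max(cleaned)])
    print("IG(dst_port):", round(information_gain(DEVICE_LABELS, DST_PORT), 3))
    print("IG(protocol):", round(information_gain(DEVICE_LABELS, PROTOCOL), 3))
```
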
In this embodiment, feature transformation may be performed: the selected features are transformed to enhance the recognition effect of the model. For example, normalization or standardization may be performed on numerical features; one-hot encoding may be performed on categorical features; and, considering the time-series nature of network traffic data, the timestamp may be converted to a relative time or a session duration to capture the timing characteristics of the traffic.
Feature fusion: to further enhance the expressive power of the data, different features may be fused. For example, a new network path feature is generated by combining the source IP address src_ip and the destination IP address dst_ip, or the source port number src_port and the destination port number dst_port are considered jointly to identify a specific service or application.
Feature fusion is applied to the seven key features of the network traffic data set D″ (the source IP address src_ip, the destination IP address dst_ip, the source port number src_port, the destination port number dst_port, the protocol type protocol, the packet size packet_size and the timestamp), and the following feature fusion methods are defined:
Network path feature fusion: feature_path=hash(src_ip||dst_ip). The source and destination IP addresses are fused to represent the network path of a network traffic packet, so that the transmission path of the packet in the network can be clearly identified, which facilitates tracking the source and destination of traffic.
Port communication feature fusion: feature_port=hash(src_port||dst_port). The source and destination ports are fused to identify a particular service or application; this helps identify particular network services and applications because many applications and services use specific port numbers.
Protocol-port fusion feature: feature_pro_port=hash(protocol||src_port||dst_port). The protocol type and the port numbers are combined to identify a specific type of network communication; with both the protocol type and the port information, the specific type of network communication can be located more accurately, for example to distinguish HTTP traffic from FTP traffic.
Network traffic packet size-timestamp fusion feature: feature_size_time=hash(packet_size||timestamp). The packet size and the timestamp are fused to identify traffic patterns and trends at a specific point in time or within a time period, with the aim of analyzing time-sensitive behavior of network traffic (e.g., DDoS attacks).
Source IP-port fusion feature: feature_src_ip_port=hash(src_ip||src_port). By fusing the source IP address and the source port, the specific device or application sending the traffic can be better identified; this strengthens the identification of traffic initiated by a specific device or application and facilitates analysis of internal network behavior and external threats.
Destination IP-port fusion feature: feature_dst_ip_port=hash(dst_ip||dst_port). The destination IP address and the destination port are fused, which helps to accurately identify the target device or application of the traffic and to monitor the target direction and intent of the network traffic.
Protocol-IP fusion feature: feature_proco_ip=hash(protocol||src_ip||dst_ip). The protocol type and the IP addresses are combined to identify the network traffic pattern under a specific protocol, so that this pattern is reflected more comprehensively, which facilitates effective traffic classification and analysis in a complex network environment.
Through these feature fusion methods, richer and more informative new features can be extracted from the original seven key features; the new features reflect the characteristics of network traffic more comprehensively and provide data support for the subsequent steps.
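The seven fusions above can be computed as follows. This Python is an added example, not code from the patent. The page does not name the hash function or say how the fields are joined, so truncated SHA-256, a per-feature prefix and a 2-byte length prefix per field are assumptions, and both flow records are constructed. It also shows why "||" needs an unambiguous encoding: with plain string concatenation, ports 80/443 and 804/43 produce the same feature_port.

```python
import hashlib

# The seven fusions defined above; field order follows the page.
FUSIONS = {
    "feature_path": ("src_ip", "dst_ip"),
    "feature_port": ("src_port", "dst_port"),
    "feature_pro_port": ("protocol", "src_port", "dst_port"),
    "feature_size_time": ("packet_size", "timestamp"),
    "feature_src_ip_port": ("src_ip", "src_port"),
    "feature_dst_ip_port": ("dst_ip", "dst_port"),
    "feature_proco_ip": ("protocol", "src_ip", "dst_ip"),
}


def naive_concat(values):
    """a||b as plain string concatenation: field boundaries are lost."""
    return "".join(str(v) for v in values).encode("utf-8")


def length_prefixed(values):
    """a||b with a 2-byte length before each field, so boundaries survive."""
    out = bytearray()
    for v in values:
        raw = str(v).encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return bytes(out)


def fuse(record, encoder=length_prefixed):
    """Return the seven fused features of one flow record as short hex digests.

    The feature name is hashed in as a prefix so that two fusions over the
    same bytes can never produce the same value (assumed design choice).
    """
    fused = {}
    for name, fields in FUSIONS.items():
        payload = name.encode("utf-8") + b"\x00" + encoder([record[f] for f in fields])
        fused[name] = hashlib.sha256(payload).hexdigest()[:16]
    return fused


def matching_features(a, b, encoder):
    """Names of the fused features on which two flow records agree."""
    fa, fb = fuse(a, encoder), fuse(b, encoder)
    return {name for name in FUSIONS if fa[name] == fb[name]}


# Constructed flow records (documentation address ranges, not real traffic).
FLOW_A = {
    "src_ip": "192.0.2.10", "dst_ip": "198.51.100.7",
    "src_port": 80, "dst_port": 443, "protocol": "TCP",
    "packet_size": 1200, "timestamp": 1700000000,
}
FLOW_B = dict(FLOW_A, src_port=804, dst_port=43)  # different ports, same digits

if __name__ == "__main__":
    for name, value in fuse(FLOW_A).items():
        print(f"{name:<20} {value}")
    print("naive matches   :", sorted(matching_features(FLOW_A, FLOW_B, naive_concat)))
    print("prefixed matches:", sorted(matching_features(FLOW_A, FLOW_B, length_prefixed)))
```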
S3, preprocessing and analyzing the preprocessed network flow data set, determining key characteristics of the data flow, and performing dynamic cluster analysis on data characteristics in each time window by using a time window dynamic self-adaptive clustering algorithm;
In this embodiment, S3 specifically includes:
S31, for the network traffic data set D″, defining an initial time window length Δt based on the average intensity and volatility of the network traffic:
Where γ and α are adjustment coefficients; K is the number of clusters in a specific time window, set according to the actual network environment and requirements and taken from the cluster analysis of the previous step; w_k is the weight of cluster k, representing the importance of the cluster in the network traffic; and Var(K) is the variance of the traffic data in cluster K, reflecting the degree of traffic fluctuation within the cluster;
During data analysis, the time window length Δt is dynamically adjusted according to changes in the real-time network traffic; the adjustment takes into account changes in the degree of traffic fluctuation and in the clustering characteristics within the time window: when the fluctuation of the network traffic increases, the time window is shortened, and when the fluctuation decreases, the time window is lengthened:
Where Δt is the current time window length, K_new and Var_new(K) respectively represent the number of clusters in the new time window and the variance of each cluster, and β is an adjustment exponent that controls the magnitude of the change in time window size;
Each time point t_i corresponds to one data point, or to the data within a period of time, in the network traffic data set D″. The time window W_t is a set of consecutive time points {t_i, t_{i+1}, ..., t_{i+n}}, where the value of n is calculated from Δt_new in the dynamic adjustment formula, and the number of new time points n_new is:
S32, applying the dynamic adaptive clustering algorithm to cluster the data in each time window W_t, where the number of clusters K_t and the clustering mode are dynamically adjusted according to the data characteristics within the time window; the number of clusters is determined from the change in the time window length Δt_new and the fluctuation of the traffic data:
Where the value is rounded up; a and b are constants that adjust the number of clusters, determined by the characteristics and requirements of the network; an exponential decay term is used to adjust the number of clusters according to the time window length Δt_new; γ is an adjustment coefficient that dynamically adjusts the number of clusters when the time window changes, adapting to changes in network traffic; Var(D″, W_t) is the variance of the network traffic data set D″ in the time window W_t, reflecting the fluctuation of the network traffic within the time window; and σ² is a baseline value of the network traffic variance, used to normalize the influence of the variance on the number of clusters;
S33, performing feature analysis on the clustering result of each time window W_t to identify the characteristics and patterns of each cluster, the feature analysis comprising calculating the cluster feature mean, the intra-cluster variance and the cluster feature importance evaluation of the data points in each cluster;
S34, according to the clustering results of the consecutive time windows W_{t-1} and W_t, analyzing the changes and trends among clusters, and dynamically adjusting the clustering strategy and parameters of the subsequent time window W_{t+1} based on the degree of traffic fluctuation in the current time window W_t, the change in clustering characteristics, and the dynamic adjustment of the time window length Δt_new.
In this embodiment, the cluster feature mean is obtained as follows: for each cluster C_k, k=1,2,...,K_t, in the time window W_t, the mean over all data points within the cluster is calculated for each feature; the cluster feature mean represents the typical behavior of the cluster on that feature:
Where μ_k,f represents the mean of feature f in cluster C_k;
Intra-cluster variance: to evaluate how consistent the data points inside each cluster are on a feature, the variance of the feature inside the cluster is calculated; the smaller the variance, the more consistent the data points inside the cluster are on that feature:
Wherein, Is the variance of feature f within cluster C k.
Cluster feature importance evaluation: assessing the importance of each feature for distinguishing between different clusters:
IG(C_k,f)=H(C_k)-H(C_k|f);
Where H(C_k) is the entropy of cluster C_k and H(C_k|f) is the conditional entropy of cluster C_k given feature f.
S4, identifying various equipment types in the network based on the flow data, labeling each dynamic cluster analysis result, and deducing possible equipment types;
In this embodiment, S4 specifically includes:
S41, labeling each cluster by applying a labeling function f_label to the clusters C_k in each time window W_t, wherein the labeling function generates descriptive labels based on the following formula:
Where F represents the feature set considered in cluster C_k; μ_k,f and the variance term represent the mean and variance of feature f in cluster C_k, respectively; IG(C_k, f) represents the information gain of feature f; and each Label_f is generated from the statistical properties and information gain of a particular feature f, reflecting the salient behavior or characteristics of cluster C_k on that feature;
S42, based on the labeling information of the clustering result, applying a device type inference function f_device to identify and infer the various device types in the network; the device type inference function f_device(C_k) uses the labeling result and feature analysis of cluster C_k to determine the possible device types represented by each cluster:
Where T_1 represents a possible set of device types, f_device(C_k) is a labeling result of cluster C_k, L_ki is a label of cluster C_k, and Score(L_ki, T) is a scoring function that measures the relevance of label L_ki to device type T; the scoring function considers the accuracy and the amount of information of label L_ki in describing device type T;
S41 and S43, namely the labeling of the clustering result and the construction of the mapping function, respectively provide the necessary input and the subsequent application scenario for the device type inference function, which determines the most probable device type using a scoring mechanism, thereby improving the accuracy and interpretability of network device identification.
S43, constructing a mapping function MapDeviceType that maps a specific cluster pattern to a specific network device type: for each cluster C_k, taking into account the descriptive label set generated by the labeling function f_label and the device type inference result obtained by the device type inference function f_device, cluster C_k is mapped to one or more network device types:
MapDeviceType(C_k)={(t,relevance(C_k,t))|t∈T};
Where t is one potential device type, and relevance(C_k, t) is a function that computes the correlation between cluster C_k and device type t; it is determined from the labeling result f_label(C_k) of cluster C_k and the result of the device type inference function f_device(C_k), and quantifies the degree to which each cluster matches a particular device type.
In this embodiment, S43 further comprises evaluating, by calculating relevance(C_k, t), the correlation between cluster C_k and each possible device type t, the correlation being based on the labeling information of cluster C_k and the inference of the device type that the cluster is likely to represent:
Where f_label(C_k) represents the labeling result of cluster C_k, i.e., a set of descriptive labels; L_ki is a label of cluster C_k; Score(L_ki, t) is a scoring function that measures the relevance of label L_ki to device type t, set according to the degree of matching between the label content and the device type features; and the weight is a measure of the importance or reliability of the label L_ki, based on the label's information gain IG(C_k, L_ki).
S41 and S42, namely the labeling of the clustering result and the device type inference, provide the input and the basis of judgment for the mapping function; because the mapping function builds on the clustering result, the inferred device type and the correlation between cluster and device type, the mapping result is more accurate and targeted.
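The scoring and mapping of S42 and S43 can be illustrated with a small example. This Python is an added example, not code from the patent. The relevance formula is not reproduced on this page, so it is assumed here to be the information-gain-weighted sum of Score(L_ki, t) with weights normalized to sum to 1. The device profiles, the labels, the 0/1 Score function and the "unknown" cut-off are hypothetical, and all sample values are constructed.

```python
# Hypothetical device profiles: the labels each device type is expected to show.
DEVICE_PROFILES = {
    "camera": {"dst_port=554", "protocol=UDP", "packet_size=large"},
    "server": {"dst_port=443", "protocol=TCP", "packet_size=large"},
    "printer": {"dst_port=9100", "protocol=TCP", "packet_size=small"},
}

# Constructed clusters: each label L_ki is paired with its information gain,
# which serves as the label's weight.
CLUSTERS = {
    "C1": [("dst_port=554", 0.5), ("protocol=UDP", 0.25), ("packet_size=large", 0.25)],
    "C2": [("dst_port=443", 0.5), ("protocol=TCP", 0.25), ("packet_size=small", 0.25)],
    "C3": [("dst_port=50000", 0.5), ("protocol=TCP", 0.25), ("packet_size=small", 0.25)],
}


def score(label, device_type):
    """Assumed Score(L_ki, t): 1 if the label is in the type's profile, else 0."""
    return 1.0 if label in DEVICE_PROFILES[device_type] else 0.0


def relevance(cluster_labels, device_type):
    """Assumed relevance(C_k, t): weighted sum of scores, weights normalized."""
    total = sum(gain for _, gain in cluster_labels)
    if total == 0:
        return 0.0
    return sum(gain / total * score(label, device_type)
               for label, gain in cluster_labels)


def map_device_type(cluster_labels):
    """MapDeviceType(C_k) = {(t, relevance(C_k, t)) | t in T}, as a dict."""
    return {t: relevance(cluster_labels, t) for t in DEVICE_PROFILES}


def infer_device(cluster_labels, min_relevance=0.6):
    """Most relevant device type, or "unknown" if nothing matches well enough.

    Without the cut-off, a cluster from a device that fits no profile would
    still be given the closest known type.
    """
    mapping = map_device_type(cluster_labels)
    best = max(sorted(mapping), key=mapping.get)
    return best if mapping[best] >= min_relevance else "unknown"


if __name__ == "__main__":
    for name, labels in CLUSTERS.items():
        print(name, map_device_type(labels), "->", infer_device(labels))
```

In this constructed data, cluster C3 matches the printer profile on two low-weight labels only, so its best relevance is 0.5 and it is reported as unknown instead of being drawn as a printer.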
S5, creating a network topology three-dimensional model of three-dimensional representations of network equipment and connections, wherein each network equipment and connection is represented by a corresponding three-dimensional object;
In this embodiment, S5 specifically includes:
S51, creating a network topology three-dimensional model of a three-dimensional representation of corresponding network equipment and connection according to network topology data by utilizing three-dimensional modeling software, and selecting proper geometric shapes, textures and colors to represent different types of network equipment and connection states, wherein each network equipment and connection is represented by a three-dimensional object;
S52, mapping the device types into the network topology three-dimensional model, wherein the process comprises the steps of creating visual elements corresponding to icons or models related to specific colors or shapes in the network topology three-dimensional model for each identified device type, and placing the visual elements at corresponding positions in the network topology three-dimensional model;
S53, dynamically displaying network traffic and state information on a network topology three-dimensional model through a visualization element, using colors, sizes or animations to represent different types of network traffic, device states or warnings, displaying links with higher traffic in brighter colors, and displaying threatening devices as flickering or special-color icons;
S54, designing and implementing an interactive user interface that allows a user to interact with the network topology three-dimensional model through virtual reality equipment, providing the functions of zooming, rotating, selecting, and viewing detailed information of specific network equipment or connections, wherein the user interaction is based on gestures, head tracking or controller input;
S55, periodically acquiring the latest network flow data, equipment states and warning information from the network monitoring system, and updating the visual representation of the corresponding elements in the network topology three-dimensional model so that the network topology three-dimensional model receives and displays real-time data from the network monitoring system.
In this embodiment, mapping the device type to the network topology three-dimensional model specifically includes:
Defining a mapping function VisualMapping that maps each device type to a visual element, i.e., an icon or model with a particular color or shape:
VisualMapping(t)=v;
Where t represents the device type derived from MapDeviceType(C_k), and v represents the visual element corresponding to device type t;
Defining a spatial location mapping function SpatialMapping that, based on the actual physical layout or logical relationships of the network, positions each device type at the appropriate location in the network topology three-dimensional model:
SpatialMapping(C_k)=p;
Where p represents the spatial position in the network topology three-dimensional model; the spatial position is decided based on the network characteristics of cluster C_k, namely its connection density and traffic pattern;
Combining the results of VisualMapping and SpatialMapping, visual elements are created and placed in the network topology three-dimensional model; each device type derived from MapDeviceType(C_k) is represented by a corresponding visual element v at a corresponding location p:
IntegrateVisuals(C_k)={(v,p)|v=VisualMapping(t),p=SpatialMapping(C_k)};
Where t is the device type mapped from cluster C_k, and v and p are the corresponding visual element and position, respectively.
S6, binding the real-time network traffic data to the network topology three-dimensional model for interactive network traffic visualization, and dynamically displaying different network traffic and state information on the network topology three-dimensional model through different visualization effects.
In this embodiment, S6 specifically includes:
S61, establishing a real-time data stream connected to the network monitoring system, continuously acquiring network traffic data, equipment states and security warnings, and periodically or in real time extracting from the network monitoring system the key data indicators: the number of network traffic data packets transmitted per second, the activity state of the equipment, and the security warning level;
S62, binding the data in the real-time data stream to the corresponding elements of the network topology three-dimensional model, mapping network traffic data to the connecting lines in the model, mapping equipment state data to the corresponding equipment representations, and mapping security warning data to specific warning identifiers;
S63, implementing dynamic visual updating based on real-time data in the network topology three-dimensional model: automatically adjusting the color, size or animation effect of elements in the model as the real-time data changes, adjusting the brightness or color of connecting lines as traffic increases or decreases, and changing the color or flicker frequency of an equipment representation according to the equipment state.
S64, periodically evaluating and optimizing a real-time data stream processing mechanism and a binding mode of data and a network topology three-dimensional model, and adjusting data acquisition frequency, data processing logic and a visual display strategy according to changes of network conditions and user feedback.
Example 1:
To verify the feasibility of the virtual reality-based interactive network traffic visualization and device identification method provided by the invention, consider the network environment of a large enterprise A, where network traffic often increases significantly and shows diversity, especially during the morning peak hours of working days (e.g., 8 to 9 am).
First, the system begins to collect network traffic data in real time during the morning peak, including packets transmitted by various network devices (e.g., routers, servers). With network monitoring tools, data is captured on multiple network nodes, and key features such as source and destination IP addresses, port numbers and protocol types are extracted from these data packets. The data is then cleaned and normalized, ready for subsequent analysis.
During this period, because of the complexity of the network behavior, the K value of the dynamic adaptive clustering algorithm is set higher (10) to capture that complexity. The system analyzes the data, identifies different traffic patterns, and clusters them into different types. Each cluster is labeled as a network device type, such as a router or server, based on its traffic characteristics, packet types, etc.
To make network monitoring more intuitive, the system creates a virtual reality environment that includes a three-dimensional model of the network topology of the entire enterprise. In this network topology three-dimensional model, different types of network devices have different appearances and colors; in Example 1, routers are represented in green and servers in blue. This design makes it intuitive and easy to identify and distinguish between different network devices.
The real-time network traffic and status data is then bound to the network topology three-dimensional model. In Example 1, the volume of traffic is represented by brightness or color intensity in the network topology three-dimensional model: as the network traffic increases, the color of the corresponding connection becomes brighter. Meanwhile, network states such as normal, congested and disconnected are displayed through different color codes, so that a network manager can identify the network state at a glance. Two scenes captured during the implementation are described below:
Table 1: morning peak network traffic and status
Network traffic analysis for a morning peak period is described with reference to Table 1 above:
In the morning peak period, network activity increases significantly and the traffic shows diversity and complexity; in this period, the K value of the dynamic adaptive clustering algorithm is set to 10 to capture the complex network behavior. The following key data are collected by the network monitoring tool:
The average number of packets per second on the marketing department's server increased from the conventional 326 to 864 during the morning peak. The traffic load of a critical router increased from an average of 5246 packets per second to 16541 packets. An abnormal traffic pattern is detected: an unknown IP address continues to send a number of requests to the financial department's server.
In the virtual reality environment, the marketing department's servers are represented in blue, with brightness increasing as the number of packets increases, while the key routers are represented in green, with brightness and color intensity also changing as traffic increases. Abnormal traffic caused by the unknown IP address is represented in the network topology three-dimensional model by a red flashing warning, so that a network administrator can notice the potential security threat in time.
Table 2: network traffic and status during late night hours
Network status monitoring for a late-night period is described with reference to Table 2 above:
Compared with the morning peak, network traffic in the late-night period is relatively stable, and the K value is adjusted to 3. During this period, the monitoring of the system shows: the average traffic load across the network drops by 79.44%, and most of the network connections appear in the conventional cyan, indicating that the network is operating properly. A backup server starts a large-scale data backup at this point, resulting in a temporary increase in its traffic, which is represented in the network topology three-dimensional model by the color of the server model changing from blue to yellow.
During the whole monitoring process, a large amount of real-time data is recorded and analyzed. Comparing the data of the morning peak and the late-night period shows that the total network traffic in the morning peak is more than 4 times the total traffic in the late-night period, and that the network behaviors and traffic patterns of different time periods can be identified and distinguished more effectively by dynamically adjusting the K value of the clustering algorithm. Visual effects (e.g., color changes, brightness adjustments, warning blinks) in the network topology three-dimensional model give network administrators visual cues of the network status that help them quickly locate and focus on important or abnormal network activities.
Embodiment 1 shows the application effect of the method in the actual network environment, and effectively solves the defects of the traditional network monitoring method in terms of data processing efficiency, real-time performance and user interaction experience. By the method, the network manager can monitor the network state in real time, and can analyze the network flow and identify the potential network threat more effectively through the visual three-dimensional visual interface, so that the network management and the security analysis are improved.
According to the invention, through real-time data collection and preprocessing and combining a dynamic self-adaptive clustering algorithm and feature analysis, massive network data can be efficiently processed, and the change of the network state can be captured and reflected in real time, so that the method can adapt to the dynamic change of the network environment more quickly than the traditional method, and the data processing efficiency and instantaneity are improved.
The invention visualizes the network flow data and the equipment state in the network topology three-dimensional model, provides an intuitive and multidimensional network state display mode, is easier to understand and analyze than the traditional two-dimensional chart and data table, and can grasp the state and the dynamics of the whole network more intuitively especially for non-technicians.
The invention utilizes virtual reality technology, and the user can directly interact with the network model, such as zooming and rotating to view different parts of the network, or select specific equipment and connection to acquire more detailed information, thereby providing higher-level user participation and experience.
The foregoing is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any equivalent substitution or modification made by a person skilled in the art, within the technical scope disclosed by the present invention, according to the technical scheme of the present invention and its inventive concept, shall be covered by the scope of protection of the present invention.
Claims (8)
1. The virtual reality-based interactive network traffic visualization equipment identification method is characterized by comprising the following steps of:
S1, capturing incoming and outgoing network traffic data packets at a network node through a network monitoring tool, extracting key features of the network traffic data packets, and integrating the key features into a network traffic data set;
S2, performing data cleaning and normalization preprocessing on the collected network traffic data set;
S3, preprocessing and analyzing the preprocessed network flow data set, determining key characteristics of the data flow, and performing dynamic cluster analysis on data characteristics in each time window by using a time window dynamic self-adaptive clustering algorithm;
S4, identifying various equipment types in the network based on the flow data, labeling each dynamic cluster analysis result, and deducing possible equipment types;
S5, creating a network topology three-dimensional model of three-dimensional representations of network equipment and connections, wherein each network equipment and connection is represented by a corresponding three-dimensional object;
S6, binding the real-time network traffic data to the network topology three-dimensional model for interactive network traffic visualization, and dynamically displaying different network traffic and state information on the network topology three-dimensional model through different visualization effects.
2. The method for identifying an interactive network traffic visualization device based on virtual reality according to claim 1, wherein the S1 specifically comprises:
S11, capturing incoming and outgoing network traffic data packets on each node of the network by using a network monitoring tool;
S12, extracting key data point features comprising a source IP address src_ip, a destination IP address dst_ip, a source port number src_port, a destination port number dst_port, a protocol type protocol, a packet size packet_size and a timestamp from the captured network traffic data packets, and integrating the key features captured from the data points into a network traffic data set D:
D={d_1,d_2,…,d_n};
d_i∈src_ip_i,dst_ip_i,src_port_i,dst_port_i,protocol_i,packet_size_i,timestamp_i;
S13, carrying out data filtering on the network traffic data set according to the network monitoring requirement, wherein the network monitoring requirement is represented by a filtering rule F of a specific IP address range, port number and protocol type:
F={src_ip∈IP_Range,dst_ip∈IP_Range,src_port∈Port_Set,dst_port∈Port_Set,protocol∈Protocol_Set};
Where IP_Range is an allowed IP address range, Port_Set is a designated set of port numbers, and Protocol_Set is a specific set of protocol types;
The filtered network traffic data set is denoted as D'={d_i∈D|F(d_i)}, i.e., the data points d_i satisfying the filtering rule F are screened out of the network traffic data set D to form a new network traffic data set D';
S14, integrating the filtered network traffic data set into a final network traffic data set D'.
3. The method for identifying an interactive network traffic visualization device based on virtual reality according to claim 2, wherein the step S2 specifically comprises:
S21, checking each data point d_i in the network traffic data set D' using the outlier determination function f_outlier(d_i):
f_outlier(d_i)=(abs(d_i,feature-μ)>k×σ);
Where d_i,feature represents a certain feature value of the data point d_i; μ and σ are the mean and standard deviation of the feature, respectively; k is a preset threshold that determines the severity of the outlier, i.e., what degree of deviation is considered abnormal; k is set to 2 or 3, so that when the feature value of the data point d_i deviates from the mean by more than 2 or 3 times the standard deviation, the data point is considered abnormal;
For a data point d_i judged to be abnormal by f_outlier(d_i), the interpolation function f_interp is applied for correction:
Where f_interp(d_i) represents the new corrected feature value, and d_i-1,feature and d_i+1,feature are the feature values of the adjacent data points before and after the data point d_i, respectively;
reintegrating all the data points d_i after interpolation correction into the network traffic data set D', and carrying out consistency and integrity verification;
S22, applying a normalization function f_norm to the feature feature_i of each data point d_i in the network traffic data set D″:
Where feature_i represents the raw feature value of data point d_i, and min(feature) and max(feature) are the minimum and maximum values, respectively, of the feature in the entire data set;
S23, selecting the features of each data point d_i in the network traffic data set D' by information gain, screening out the features that are most valuable for identifying network devices; the information gain is calculated as:
IG(T,f)=H(T)-H(T|f);
Where T represents the target variable, f represents a particular feature, H(T) is the entropy of the target variable, and H(T|f) is the conditional entropy of the target variable given the feature f.
4. The method for identifying an interactive network traffic visualization device based on virtual reality according to claim 3, wherein the step S3 specifically comprises:
S31, for the network traffic data set D″, defining an initial time window length Δt based on the average intensity and volatility of the network traffic:
wherein γ and α are adjustment coefficients; K is the number of clusters in a specific time window, determined according to the actual network environment and requirements and taken from the cluster analysis of the previous step; w_k is the weight of cluster k, representing the importance of the cluster in the network traffic; Var(k) is the variance of the traffic data in cluster k, reflecting the degree of traffic fluctuation within the cluster;
during data analysis, the time window length Δt is dynamically adjusted according to changes in the real-time network traffic, taking into account changes in the degree of traffic fluctuation and in the clustering characteristics within the time window: when the fluctuation of the network traffic increases, the time window is shortened, and when the fluctuation decreases, the time window is lengthened:
Wherein Δt is the current time window length, K_new and Var_new(k) respectively represent the number of clusters in the new time window and the variance of each cluster, and β is an adjustment index that controls the magnitude of the change in the time window size;
Each time point t_i corresponds to one data point, or to the data within a period of time, in the network traffic data set D″; the time window W_t is a set of consecutive time points {t_i, t_{i+1}, …, t_{i+n}}, where the value of n is calculated from Δt_new in the dynamic adjustment formula, and the number of new time points n_new is:
S32, clustering the data in each time window W_t with a dynamic adaptive clustering algorithm, wherein the number of clusters K_t and the clustering mode are dynamically adjusted according to the data characteristics within the time window, and the number of clusters is determined from the change in the time window length Δt_new and the fluctuation of the traffic data:
Wherein, The representation is rounded up, a and b are constants that adjust the number of clusters, determined by the characteristics and requirements of the network, An exponential decay term, used to adjust the number of clusters according to the time window length Δt_new; γ is an adjustment coefficient that dynamically adjusts the number of clusters as the time window changes, adapting to changes in network traffic; Var(D″, W_t) is the variance of the network traffic data set D″ in the time window W_t, reflecting the fluctuation of the network traffic within the time window; σ² is a baseline value of the network traffic variance, used to normalize the influence of the variance on the number of clusters;
S33, performing feature analysis on the clustering result of each time window W_t to identify the characteristics and patterns of each cluster, wherein the feature analysis comprises calculating, for the data points in each cluster, the cluster feature mean, the intra-cluster variance, and the cluster feature importance evaluation;
S34, analyzing the changes and trends among clusters according to the clustering results of the consecutive time windows W_{t-1} and W_t, and dynamically adjusting the clustering strategy and parameters of the subsequent time window W_{t+1} based on the degree of traffic fluctuation in the current time window W_t, the change in the clustering characteristics, and the dynamically adjusted time window length Δt_new.
5. The virtual reality-based interactive network traffic visualization device identification method of claim 4, wherein calculating the cluster feature mean comprises, for each cluster C_k, k=1,2,…,K_t in the time window W_t, calculating the mean of all data points within the cluster over each feature, the cluster feature mean representing the typical behavior of the cluster on that feature:
Wherein μ_{k,f} represents the mean of feature f in cluster C_k;
the intra-cluster variance evaluates the consistency of the data points inside each cluster in terms of features: the variance of each feature within the cluster is calculated, and the smaller the variance, the more consistent the data points inside the cluster are on that feature:
Wherein, Is the variance of feature f within cluster C_k;
The cluster feature importance evaluation assesses how important each feature is for distinguishing between different clusters:
IG(C_k,f)=H(C_k)-H(C_k|f);
Where H(C_k) is the entropy of cluster C_k, H(C_k|f) is the conditional entropy of cluster C_k given feature f, and IG(C_k,f) represents the information gain of feature f.
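Step S23 and claim 5 both score features by information gain, IG(T,f)=H(T)-H(T|f) and IG(C_k,f)=H(C_k)-H(C_k|f). The following Python sketch is an added example, not part of the patent, that computes both on constructed flow records. Min-max scaling is assumed from the min(feature)/max(feature) definitions in S22; the equal-width binning, the feature names, and the use of the device label as the cluster assignment are assumptions of the example.

```python
import math
from collections import Counter, defaultdict

def min_max(values):
    """Scale to [0, 1]; a constant feature maps to 0.0 (avoids divide-by-zero)."""
    lo, hi = min(values), max(values)
    return [0.0 if hi == lo else (v - lo) / (hi - lo) for v in values]

def entropy(labels):
    """Shannon entropy H(T) in bits."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def info_gain(labels, feature, bins=4):
    """IG(T,f) = H(T) - H(T|f), with f split into equal-width bins (assumption)."""
    groups = defaultdict(list)
    for x, y in zip(min_max(feature), labels):
        groups[min(int(x * bins), bins - 1)].append(y)
    cond = sum(len(g) / len(labels) * entropy(g) for g in groups.values())
    return entropy(labels) - cond

def cluster_stats(values, clusters, k):
    """Mean and population variance of one feature inside cluster k."""
    xs = [v for v, c in zip(values, clusters) if c == k]
    mu = sum(xs) / len(xs)
    return mu, sum((x - mu) ** 2 for x in xs) / len(xs)

# Constructed sample flows: (mean packet size in bytes, packets/s, TTL, label)
FLOWS = [
    (1400, 900, 64, "camera"), (1380, 950, 64, "camera"), (1420, 870, 64, "camera"),
    (120, 2, 64, "sensor"), (110, 3, 64, "sensor"), (130, 1, 64, "sensor"),
    (600, 40, 64, "printer"), (640, 35, 64, "printer"), (580, 45, 64, "printer"),
]
NAMES = ["pkt_size", "pkt_rate", "ttl"]  # hypothetical feature names
LABELS = [row[3] for row in FLOWS]
COLS = {n: [row[i] for row in FLOWS] for i, n in enumerate(NAMES)}

def rank_features():
    """Features ordered by information gain against the device label."""
    return sorted(((info_gain(LABELS, COLS[n]), n) for n in NAMES), reverse=True)

def cluster_gain(k, name):
    """IG(C_k, f): gain of feature f for membership in cluster k versus the rest."""
    return info_gain([lab == k for lab in LABELS], COLS[name])

if __name__ == "__main__":
    for gain, name in rank_features():
        print(f"{name:9s} IG={gain:.3f}")
```

On this sample the constant `ttl` feature scores zero gain, and `pkt_rate` loses gain because equal-width bins after min-max scaling place the sensor and printer flows in the same bin.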
6. The virtual reality-based interactive network traffic visualization device identification method according to claim 5, wherein the S5 specifically comprises:
S51, using three-dimensional modeling software to create, from the network topology data, a network topology three-dimensional model that represents the corresponding network devices and connections in three dimensions, and selecting appropriate geometric shapes, textures and colors to represent different types of network devices and connection states, wherein each network device and connection is represented by a three-dimensional object;
S52, mapping the device types into the network topology three-dimensional model, which comprises creating, for each identified device type, a corresponding visual element (an icon or model with a specific color or shape) in the network topology three-dimensional model, and placing the visual element at the corresponding position in the model;
S53, dynamically displaying network traffic and state information on a network topology three-dimensional model through a visualization element, using colors, sizes or animations to represent different types of network traffic, device states or warnings, displaying links with higher traffic in brighter colors, and displaying threatening devices as flickering or special-color icons;
S54, designing and implementing an interactive user interface that allows a user to interact with the network topology three-dimensional model through the virtual reality equipment, providing zooming, rotating, selecting, and viewing of detailed information about a specific network device or connection, wherein the user interaction is based on gestures, head tracking or controller input;
S55, periodically acquiring the latest network flow data, equipment states and warning information from the network monitoring system, and updating the visual representation of the corresponding elements in the network topology three-dimensional model so that the network topology three-dimensional model receives and displays real-time data from the network monitoring system.
7. The method for identifying an interactive network traffic visualization device based on virtual reality according to claim 6, wherein the mapping of the device type to the network topology three-dimensional model specifically comprises:
Defining a mapping function VisualMapping that maps each device type to a visual element, namely an icon or model of a particular color or shape:
VisualMapping(t)=v;
Where t represents the device type derived from MAPDEVICETYPE(C_k), and v represents the visual element corresponding to device type t;
Defining a spatial location mapping function SpatialMapping that, based on the actual physical layout or logical relationships of the network, locates each device type at the appropriate position in the network topology three-dimensional model:
SpatialMapping(C_k)=p;
Wherein p represents the spatial position in the network topology three-dimensional model, and the spatial position is determined based on the network characteristics of cluster C_k, namely its connection density and traffic pattern;
Combining the results of VisualMapping and SpatialMapping, visual elements are created and placed in the network topology three-dimensional model, so that each device type derived from MAPDEVICETYPE(C_k) is represented by the corresponding visual element v at the corresponding position p:
IntegrateVisuals(C_k)={(v,p)|v=VisualMapping(t),p=SpatialMapping(C_k)};
Where t is the device type mapped from cluster C_k, and v and p are the corresponding visual element and position, respectively.
8. The method for identifying an interactive network traffic visualization device based on virtual reality according to claim 1, wherein the step S6 specifically comprises:
S61, establishing a real-time data stream connected to the network monitoring system, continuously acquiring network traffic data, device states and security warnings, and periodically or in real time extracting from the network monitoring system the key data indicators: the number of network traffic data packets transmitted per second, the activity state of the devices, and the security warning level;
S62, binding data in the real-time data stream to corresponding elements of a network topology three-dimensional model, mapping network flow data to connecting lines in the model, mapping equipment state data to corresponding equipment representations, and mapping safety warning data to specific warning identifications;
S63, implementing dynamic visual updating based on real-time data in the network topology three-dimensional model: automatically adjusting the color, size or animation effect of elements in the model according to real-time data changes, adjusting the brightness or color of the connecting lines as traffic increases or decreases, and changing the color or flicker frequency of a device representation according to the device state;
S64, periodically evaluating and optimizing a real-time data stream processing mechanism and a binding mode of data and a network topology three-dimensional model, and adjusting data acquisition frequency, data processing logic and a visual display strategy according to changes of network conditions and user feedback.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410125674.8A CN117880126B (en) | 2024-01-30 | 2024-01-30 | Virtual reality-based interactive network flow visualization equipment identification method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117880126A CN117880126A (en) | 2024-04-12 |
CN117880126B CN117880126B (en) | 2024-07-05 |
Family
ID=90593258
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410125674.8A Active CN117880126B (en) | 2024-01-30 | 2024-01-30 | Virtual reality-based interactive network flow visualization equipment identification method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117880126B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114818933A (en) * | 2021-12-23 | 2022-07-29 | 金数信息科技(苏州)有限公司 | Method and device for monitoring artificial flow cheating based on Epsilon greedy algorithm |
CN116486489A (en) * | 2023-06-26 | 2023-07-25 | 江西农业大学 | 3D Hand Pose Estimation Method and System Based on Semantic-Aware Graph Convolution |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101893475B1 (en) * | 2018-03-14 | 2018-10-04 | 마인드서프 주식회사 | method of providing network status monitor based on artificial intelligence for multi-layer representation |
CN117439911A (en) * | 2023-09-20 | 2024-01-23 | 中建材信息技术股份有限公司 | State monitoring method of edge equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||