阅读说明：本技术 一种数据中心网络故障节点诊断方法及系统 (Data center network fault node diagnosis method and system ) 是由 王小平 马名磊 于 2021-09-29 设计创作，主要内容包括：本发明公开了一种数据中心网络故障节点诊断方法及系统,涉及监督监控技术领域；本发明设置了数据采集模块,该设置通过动态生成树选取测试节点,并获取测试节点与待检测节点之间的时间差值,避免选择故障节点作为测试节点,有助于提高故障节点的检测精度；本发明设置了初步判定模块,该设置根据时间差值对待检测节点进行初步分析,并生成正常节点集、故障节点集和嫌疑节点集,提高了故障节点的检测效率,为分类检测模块的分类奠定基础；本发明设置了分类检测模块,该设置根据分类模型对嫌疑节点进行分类,并对正常节点集和故障节点集进行更新,有助于提高网络节点的故障判断精度和判断效率。(The invention discloses a data center network fault node diagnosis method and a system, relating to the technical field of supervision and monitoring; the data acquisition module is arranged, test nodes are selected through the dynamic spanning tree, the time difference between the test nodes and the nodes to be detected is obtained, the selection of fault nodes as the test nodes is avoided, and the detection precision of the fault nodes is improved; the invention is provided with a preliminary judgment module which preliminarily analyzes the nodes to be detected according to the time difference value and generates a normal node set, a fault node set and a suspect node set, thereby improving the detection efficiency of the fault nodes and laying a foundation for classification of a classification detection module; the classification detection module is arranged, and the classification detection module classifies suspected nodes according to the classification model and updates the normal node set and the fault node set, so that the fault judgment precision and the fault judgment efficiency of the network nodes are improved.)

1. A data center network fault node diagnosis system is characterized by comprising a processor, a data acquisition module, a preliminary judgment module, a classification detection module, an attack monitoring module, an early warning maintenance module and a data storage module;

the preliminary judgment module is used for carrying out preliminary analysis on the fault of the network node, and comprises the following steps:

after the initial judgment module receives the time difference value Sij, the formula is used Acquiring a fault evaluation coefficient GPXi; when the fault evaluation coefficient GPxi meets the condition that GPxi is equal to N +1, judging that the corresponding node i to be detected is normal, and marking the corresponding node i to be detected as a normal node; when the fault evaluation coefficient GPxi meets the condition that GPxi is 0, judging that the corresponding node i to be detected is abnormal, and marking the corresponding node i to be detected as a fault node; otherwise, marking the corresponding node i to be detected as a suspect node;

integrating normal nodes to generate a normal node set, integrating fault nodes to generate a fault node set, and integrating suspected nodes to generate a suspected node set; sending the normal node set, the fault node set and the suspected node set to a data storage module for storage through a processor, and sending the suspected node set to a classification detection module;

the classification detection module is used for carrying out deep analysis on suspected nodes and comprises the following steps:

when the classification detection module receives the suspected node set, a classification model is obtained through the data storage module;

acquiring a time matrix of a suspected node;

inputting the time matrix of the suspect node after data preprocessing into a classification model to obtain an output result, and marking the output result as a suspect label; the suspected label is a node label corresponding to the suspected node;

when the suspected label is 1, judging that the suspected node is a normal node; when the suspected label is 0, judging that the suspected node is a fault node;

updating the normal node set and the fault node set;

acquiring the position of the fault node in the fault node set, marking the position as a target position, and generating a target position schematic diagram through a third-party map platform; the third-party map platform comprises a Baidu map, an Tencent map and a Gagde map;

and the processor sends the target position schematic diagram to the early warning maintenance module, and simultaneously sends the target position schematic diagram, the normal node set and the fault node set to the data storage module for storage.

2. The data center network fault node diagnosis system according to claim 1, wherein the specific obtaining step of the classification model comprises:

acquiring a time matrix of a normal node and acquiring a time matrix of a fault node; the time matrix comprises a time difference value Sij and the total number of nodes between a node i to be detected and a test node j corresponding to the time difference value Sij;

setting node labels for normal nodes and fault nodes; wherein the node label of the normal node is 1, and the node label of the fault node is 0;

dividing the time matrix of the normal node, the time matrix of the fault node and the corresponding node label into a training set and a test set according to a set proportion; the set ratio comprises 4:1, 3:2 and 2: 1;

constructing a fusion model; the fusion model is constructed by combining three baseline models of SVM, LR and GBDT with a fusion mode, wherein the fusion mode comprises a linear weighted fusion method, a cross fusion method, a waterfall fusion method, a characteristic fusion method and a prediction fusion method;

training, verifying and testing the fusion model by using the training set and the testing set after data preprocessing, judging that the training of the fusion model is finished when the precision of the fusion model meets the target precision requirement, and marking the trained fusion model as a classification model;

and sending the classification model to a data storage module for storage through the processor.

3. The data center network fault node diagnosis system of claim 1, wherein the data collection module is configured to collect time difference values between network nodes, and comprises:

marking nodes to be detected of the network nodes as i, selecting N network nodes as test nodes, and marking the test nodes as j, j being 1, 2, … … and N, wherein N is more than 5; the test node is obtained according to the search result of the dynamic spanning tree;

sending a first state signal to a node i to be detected through a test node j, and immediately sending a second state signal to the test node j after the node i to be detected receives the first state signal; the first state signal selects the path with the least network nodes in the communication paths between the node i to be detected and the test node j to be sent;

when the test node j receives the second state signal, the time difference value between the received time of the second state signal and the sending time of the first state signal is immediately obtained, and the time difference value is marked as Sij; the value of the time difference value Sij is 0 and 1, when the time difference value Sij is 0, the time difference value is larger than a time threshold value, namely the node to be detected is marked as a fault node by the test node j; when the time difference value Sij is 1, the time difference value is smaller than or equal to a time threshold value, namely the node to be detected is marked as a normal node by the test node j;

and sending the node i to be detected, the test node j and the time difference value Sij to a data storage module for storage through a processor, and sending the time difference value Sij to a preliminary judgment module.

4. The system according to claim 1, wherein the early warning maintenance module is configured to schedule maintenance personnel to maintain the fault node corresponding to the target location, and includes:

when the early warning maintenance module receives the target position schematic diagram, acquiring the position of a maintainer and marking the position as an initial position;

planning a path between the target position and the initial position through a third-party map platform, and selecting the path with the shortest distance as a target path;

sending the target path to an intelligent terminal of a maintainer through an early warning maintenance module, and simultaneously displaying the real-time position of the maintainer in a target position schematic diagram; the intelligent terminal is in communication connection with the early warning maintenance module and comprises an intelligent mobile phone, a tablet personal computer and a notebook computer;

sending the scheduling record of the maintenance personnel to a data storage module for storage through a processor; the scheduling record comprises time, a target path, the name and the mobile phone number of a maintainer.

5. The data center network fault node diagnosis system of claim 1, wherein the attack monitoring module is configured to monitor attacks suffered by the data center network node, and includes:

establishing a hacker intrusion characteristic library by analyzing a hacker intrusion mode;

analyzing a data packet in the data center network to obtain an analysis result; comparing and matching the analysis result with the attack mode of the hacker invading the feature library, when the two are successfully matched, sending a hacker attack signal to the early warning maintenance module, and sending the corresponding hacker attack mode to the early warning maintenance module;

and sending the hacker intrusion feature library and the sending record of the hacker attack signal to a data storage module through a processor for storage.

6. A data center network fault node diagnosis method is characterized by comprising the following specific steps:

the method comprises the following steps: marking a node to be detected of the network nodes as i, selecting N network nodes as test nodes, and marking the test nodes as j; acquiring a time difference value and marking the time difference value as Sij; sending the time difference value Sij to a preliminary judgment module;

step two: after the initial judgment module receives the time difference value Sij, acquiring a fault evaluation coefficient GPxi; when the fault evaluation coefficient GPxi meets the condition that GPxi is equal to N +1, judging that the corresponding node i to be detected is normal, and marking the corresponding node i to be detected as a normal node; when the fault evaluation coefficient GPxi meets the condition that GPxi is 0, judging that the corresponding node i to be detected is abnormal, and marking the corresponding node i to be detected as a fault node; otherwise, marking the corresponding node i to be detected as a suspect node; generating a normal node set, a fault node set and a suspected node set; sending the suspected node set to a classification detection module;

step three: when the classification detection module receives the suspected node set, a classification model is obtained through the data storage module; acquiring a time matrix of a suspected node; inputting the time matrix of the suspected node into a classification model after data preprocessing to obtain an output result, marking the output result as a suspected label, and analyzing the suspected node according to the suspected label; updating the normal node set and the fault node set; acquiring the position of the fault node in the fault node set, marking the position as a target position, and generating a target position schematic diagram through a third-party map platform; and sending the target position schematic diagram to an early warning maintenance module through a processor.

Technical Field

The invention belongs to the technical field of supervision and monitoring, and particularly relates to a method and a system for diagnosing a data center network fault node.

Background

With the advent of the big data age, the increasing demand of cloud computing has enabled the scale of data center networks to be expanded. Today, data center networks contain hundreds of thousands of servers connected by network interface cards, switches, routers, cables, and light, which are mostly distributed and characterized by high traffic. In large systems, detecting and locating faults is important for network management systems to restore network communications through a fault recovery mechanism.

The invention patent with publication number CN108933694A discloses a data center network fault node diagnosis method and system based on dial-up test data, which generates a dynamic breadth-first spanning tree as a detection path between nodes according to the existing fault detection information; analyzing the dial-up test data based on the given prior probability P to preliminarily determine the fault probability of the network member; and selecting a reasonable threshold value through analyzing a probability distribution function to identify the fault node, and classifying the suspicious node set into a fault node set and a normal node set.

The scheme has better performance in the aspects of detection quantity and diagnosis precision, and can identify the fault nodes in the network under lower detection times in network topology structures with different scales; however, the above scheme is complicated in process, and the data processing process is loaded and has insufficient robustness; therefore, the above solution still needs further improvement.

Disclosure of Invention

In order to solve the problems existing in the scheme, the invention provides a method and a system for diagnosing a fault node of a data center network.

The purpose of the invention can be realized by the following technical scheme: a data center network fault node diagnosis system comprises a processor, a data acquisition module, a preliminary judgment module, a classification detection module, an attack monitoring module, an early warning maintenance module and a data storage module;

the preliminary judgment module is used for carrying out preliminary analysis on the fault of the network node, and comprises the following steps:

after the initial judgment module receives the time difference value Sij, the formula is usedAcquiring a fault evaluation coefficient GPXi; when the fault evaluation coefficient GPXi satisfies GPXi ═ N +1, the pair is determinedThe corresponding node i to be detected is normal, and the corresponding node i to be detected is marked as a normal node; when the fault evaluation coefficient GPxi meets the condition that GPxi is 0, judging that the corresponding node i to be detected is abnormal, and marking the corresponding node i to be detected as a fault node; otherwise, marking the corresponding node i to be detected as a suspect node;

integrating normal nodes to generate a normal node set, integrating fault nodes to generate a fault node set, and integrating suspected nodes to generate a suspected node set; sending the normal node set, the fault node set and the suspected node set to a data storage module for storage through a processor, and sending the suspected node set to a classification detection module;

the classification detection module is used for carrying out deep analysis on suspected nodes and comprises the following steps:

when the classification detection module receives the suspected node set, a classification model is obtained through the data storage module;

acquiring a time matrix of a suspected node;

inputting the time matrix of the suspect node after data preprocessing into a classification model to obtain an output result, and marking the output result as a suspect label; the suspected label is a node label corresponding to the suspected node;

when the suspected label is 1, judging that the suspected node is a normal node; when the suspected label is 0, judging that the suspected node is a fault node;

updating the normal node set and the fault node set;

acquiring the position of the fault node in the fault node set, marking the position as a target position, and generating a target position schematic diagram through a third-party map platform; the third-party map platform comprises a Baidu map, an Tencent map and a Gagde map;

and the processor sends the target position schematic diagram to the early warning maintenance module, and simultaneously sends the target position schematic diagram, the normal node set and the fault node set to the data storage module for storage.

Preferably, the specific obtaining step of the classification model includes:

acquiring a time matrix of a normal node and acquiring a time matrix of a fault node; the time matrix comprises a time difference value Sij and the total number of nodes between a node i to be detected and a test node j corresponding to the time difference value Sij;

setting node labels for normal nodes and fault nodes; wherein the node label of the normal node is 1, and the node label of the fault node is 0;

dividing the time matrix of the normal node, the time matrix of the fault node and the corresponding node label into a training set and a test set according to a set proportion; the set ratio comprises 4:1, 3:2 and 2: 1;

constructing a fusion model; the fusion model is constructed by combining three baseline models of SVM, LR and GBDT with a fusion mode, wherein the fusion mode comprises a linear weighted fusion method, a cross fusion method, a waterfall fusion method, a characteristic fusion method and a prediction fusion method;

training, verifying and testing the fusion model by using the training set and the testing set after data preprocessing, judging that the training of the fusion model is finished when the precision of the fusion model meets the target precision requirement, and marking the trained fusion model as a classification model;

and sending the classification model to a data storage module for storage through the processor.

Preferably, the data collection module is configured to collect a time difference between network nodes, and includes:

marking nodes to be detected of the network nodes as i, selecting N network nodes as test nodes, and marking the test nodes as j, j being 1, 2, … …, N, wherein N is more than 5; the test node is obtained according to the search result of the dynamic spanning tree;

sending a first state signal to a node i to be detected through a test node j, and immediately sending a second state signal to the test node j after the node i to be detected receives the first state signal; the first state signal selects the path with the least network nodes in the communication paths between the node i to be detected and the test node j to be sent;

when the test node j receives the second state signal, the time difference value between the received time of the second state signal and the sending time of the first state signal is immediately obtained, and the time difference value is marked as Sij; the value of the time difference value Sij is 0 and 1, when the time difference value Sij is 0, the time difference value is larger than a time threshold value, namely the node to be detected is marked as a fault node by the test node j; when the time difference value Sij is 1, the time difference value is smaller than or equal to a time threshold value, namely the node to be detected is marked as a normal node by the test node j;

and sending the node i to be detected, the test node j and the time difference value Sij to a data storage module for storage through a processor, and sending the time difference value Sij to a preliminary judgment module.

Preferably, the early warning maintenance module is configured to schedule maintenance staff to maintain the fault node corresponding to the target location, and includes:

when the early warning maintenance module receives the target position schematic diagram, acquiring the position of a maintainer and marking the position as an initial position;

planning a path between the target position and the initial position through a third-party map platform, and selecting the path with the shortest distance as a target path;

sending the target path to an intelligent terminal of a maintainer through an early warning maintenance module, and simultaneously displaying the real-time position of the maintainer in a target position schematic diagram; the intelligent terminal is in communication connection with the early warning maintenance module and comprises an intelligent mobile phone, a tablet personal computer and a notebook computer;

sending the scheduling record of the maintenance personnel to a data storage module for storage through a processor; the scheduling record comprises time, a target path, the name and the mobile phone number of a maintainer.

Preferably, the attack monitoring module is configured to monitor an attack suffered by a data center network node, and includes:

establishing a hacker intrusion characteristic library by analyzing a hacker intrusion mode;

analyzing a data packet in the data center network to obtain an analysis result; comparing and matching the analysis result with the attack mode of the hacker invading the feature library, when the two are successfully matched, sending a hacker attack signal to the early warning maintenance module, and sending the corresponding hacker attack mode to the early warning maintenance module;

and sending the hacker intrusion feature library and the sending record of the hacker attack signal to a data storage module through a processor for storage.

Preferably, the processor is respectively in communication connection with the data acquisition module, the preliminary judgment module, the classification detection module, the attack monitoring module, the early warning maintenance module and the data storage module; the early warning maintenance module is respectively in communication connection with the data storage module and the attack monitoring module, the preliminary judgment module is respectively in communication connection with the data acquisition module and the classification detection module, and the classification detection module is in communication connection with the attack monitoring module.

A data center network fault node diagnosis method comprises the following specific steps:

the method comprises the following steps: marking a node to be detected of the network nodes as i, selecting N network nodes as test nodes, and marking the test nodes as j; acquiring a time difference value and marking the time difference value as Sij; sending the time difference value Sij to a preliminary judgment module;

step two: after the initial judgment module receives the time difference value Sij, acquiring a fault evaluation coefficient GPxi; when the fault evaluation coefficient GPxi meets the condition that GPxi is equal to N +1, judging that the corresponding node i to be detected is normal, and marking the corresponding node i to be detected as a normal node; when the fault evaluation coefficient GPxi meets the condition that GPxi is 0, judging that the corresponding node i to be detected is abnormal, and marking the corresponding node i to be detected as a fault node; otherwise, marking the corresponding node i to be detected as a suspect node; generating a normal node set, a fault node set and a suspected node set; sending the suspected node set to a classification detection module;

step three: when the classification detection module receives the suspected node set, a classification model is obtained through the data storage module; acquiring a time matrix of a suspected node; inputting the time matrix of the suspected node into a classification model after data preprocessing to obtain an output result, marking the output result as a suspected label, and analyzing the suspected node according to the suspected label; updating the normal node set and the fault node set; acquiring the position of the fault node in the fault node set, marking the position as a target position, and generating a target position schematic diagram through a third-party map platform; and sending the target position schematic diagram to an early warning maintenance module through a processor.

Compared with the prior art, the invention has the beneficial effects that:

1. the invention is provided with a data acquisition module, which is used for acquiring the time difference between network nodes; the data acquisition module selects a test node through the dynamic spanning tree and acquires a time difference value between the test node and a node to be detected, so that a fault node is prevented from being selected as the test node, and the detection precision of the fault node is improved;

2. the invention is provided with a preliminary judgment module, which is used for preliminary analysis of the fault of the network node; the preliminary judgment module carries out preliminary analysis on the nodes to be detected according to the time difference value and generates a normal node set, a fault node set and a suspected node set, so that the detection efficiency of the fault nodes is improved, and a foundation is laid for classification of the classification detection module;

3. the invention is provided with a classification detection module, which is used for carrying out deep analysis on suspected nodes; the classification detection module classifies suspected nodes according to the classification model, updates the normal node set and the fault node set, and is beneficial to improving the fault judgment precision and the fault judgment efficiency of network nodes.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.

FIG. 1 is a schematic diagram of the principles of the present invention;

FIG. 2 is a schematic diagram of the steps of the present invention.

Detailed Description

The technical solutions of the present invention will be described clearly and completely with reference to the following embodiments, and it should be understood that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

Referring to fig. 1-2, a data center network fault node diagnosis system includes a processor, a data acquisition module, a preliminary determination module, a classification detection module, an attack monitoring module, an early warning maintenance module, and a data storage module;

the preliminary judgment module is used for carrying out preliminary analysis on the faults of the network nodes and comprises the following steps:

after the initial judgment module receives the time difference value Sij, the formula is usedAcquiring a fault evaluation coefficient GPXi; when the fault evaluation coefficient GPxi meets the condition that GPxi is equal to N +1, judging that the corresponding node i to be detected is normal, and marking the corresponding node i to be detected as a normal node; when the fault evaluation coefficient GPxi meets the condition that GPxi is 0, judging that the corresponding node i to be detected is abnormal, and marking the corresponding node i to be detected as a fault node; otherwise, marking the corresponding node i to be detected as a suspect node;

integrating normal nodes to generate a normal node set, integrating fault nodes to generate a fault node set, and integrating suspected nodes to generate a suspected node set; sending the normal node set, the fault node set and the suspected node set to a data storage module for storage through a processor, and sending the suspected node set to a classification detection module;

the classification detection module is used for carrying out deep analysis on suspected nodes and comprises the following steps:

when the classification detection module receives the suspected node set, a classification model is obtained through the data storage module;

acquiring a time matrix of a suspected node;

inputting the time matrix of the suspect node after data preprocessing into a classification model to obtain an output result, and marking the output result as a suspect label; the suspected label is a node label corresponding to the suspected node;

when the suspected label is 1, judging that the suspected node is a normal node; when the suspected label is 0, judging that the suspected node is a fault node;

updating the normal node set and the fault node set;

acquiring the position of the fault node in the fault node set, marking the position as a target position, and generating a target position schematic diagram through a third-party map platform; the third-party map platform comprises a Baidu map, an Tencent map and a Gagde map;

and the processor sends the target position schematic diagram to the early warning maintenance module, and simultaneously sends the target position schematic diagram, the normal node set and the fault node set to the data storage module for storage.

Further, the specific obtaining step of the classification model comprises:

acquiring a time matrix of a normal node and acquiring a time matrix of a fault node; the time matrix comprises a time difference value Sij and the total number of nodes between the node i to be detected and the test node j corresponding to the time difference value Sij;

setting node labels for normal nodes and fault nodes; wherein the node label of the normal node is 1, and the node label of the fault node is 0;

dividing the time matrix of the normal node, the time matrix of the fault node and the corresponding node label into a training set and a test set according to a set proportion; the set ratios include 4:1, 3:2 and 2: 1;

constructing a fusion model; the fusion model is constructed by combining three baseline models of SVM, LR and GBDT with a fusion mode, wherein the fusion mode comprises a linear weighted fusion method, a cross fusion method, a waterfall fusion method, a characteristic fusion method and a prediction fusion method;

training, verifying and testing the fusion model by using the training set and the testing set after data preprocessing, judging that the training of the fusion model is finished when the precision of the fusion model meets the target precision requirement, and marking the trained fusion model as a classification model;

and sending the classification model to a data storage module for storage through the processor.

Further, the data collection module is used for collecting time difference values between network nodes, and comprises:

marking nodes to be detected of the network nodes as i, selecting N network nodes as test nodes, and marking the test nodes as j, j being 1, 2, … …, N, wherein N is more than 5; the test node is obtained according to the search result of the dynamic spanning tree;

sending a first state signal to a node i to be detected through a test node j, and immediately sending a second state signal to the test node j after the node i to be detected receives the first state signal; the first state signal selects the path with the least network nodes in the communication paths between the node i to be detected and the test node j to be sent;

when the test node j receives the second state signal, the time difference value between the received time of the second state signal and the sending time of the first state signal is immediately obtained, and the time difference value is marked as Sij; the value of the time difference value Sij is 0 and 1, when the time difference value Sij is 0, the time difference value is larger than a time threshold value, namely the node to be detected is marked as a fault node by the test node j; when the time difference value Sij is 1, the time difference value is smaller than or equal to a time threshold value, namely the node to be detected is marked as a normal node by the test node j;

and sending the node i to be detected, the test node j and the time difference value Sij to a data storage module for storage through a processor, and sending the time difference value Sij to a preliminary judgment module.

Further, the early warning maintenance module is used for scheduling maintenance personnel to maintain the fault node corresponding to the target position, and comprises:

when the early warning maintenance module receives the target position schematic diagram, acquiring the position of a maintainer and marking the position as an initial position;

planning a path between the target position and the initial position through a third-party map platform, and selecting the path with the shortest distance as a target path;

sending the target path to an intelligent terminal of a maintainer through an early warning maintenance module, and simultaneously displaying the real-time position of the maintainer in a target position schematic diagram; the intelligent terminal is in communication connection with the early warning maintenance module and comprises an intelligent mobile phone, a tablet personal computer and a notebook computer;

sending the scheduling record of the maintenance personnel to a data storage module for storage through a processor; the scheduling record includes time, target path, name and phone number of the maintainer.

Further, the attack monitoring module is used for monitoring attacks suffered by the data center network node, and includes:

establishing a hacker intrusion characteristic library by analyzing a hacker intrusion mode;

analyzing a data packet in the data center network to obtain an analysis result; comparing and matching the analysis result with the attack mode of the hacker invading the feature library, when the two are successfully matched, sending a hacker attack signal to the early warning maintenance module, and sending the corresponding hacker attack mode to the early warning maintenance module;

and sending the hacker intrusion feature library and the sending record of the hacker attack signal to a data storage module through a processor for storage.

Further, the hacker intrusion mode includes Land attack, TCP SYN attack, Ping Of Death attack, WinNuke attack, Teardrop attack, and TCP/UDP port scanning attack, and the specific determination step Of the hacker intrusion mode is:

when the source address and the target address of the data packet are the same, judging that the attack mode is Land attack and marking as L;

when SYN connection received in unit time exceeds a threshold value set by a system, judging that the attack mode is TCP SYN attack and marking as S;

when the size Of the data packet is larger than 65535 bytes, judging that the attack mode is Ping Of Death attack and marking as D;

when the target port of the data packet is 137, 138 or 139 and the URG bit is 1, judging that the mode is WinNuke attack and marking as W;

when the slice offset of the sliced data in the data packet is wrong, judging that the attack mode is a Teardrop attack and marking the Teardrop attack as T;

when the data packet sends a connection request to the non-use port, the attack mode is judged to be TCP/UDP port scanning attack and marked as U.

Further, the processor is respectively in communication connection with the data acquisition module, the preliminary judgment module, the classification detection module, the attack monitoring module, the early warning maintenance module and the data storage module; the early warning maintenance module is respectively in communication connection with the data storage module and the attack monitoring module, the preliminary judgment module is respectively in communication connection with the data acquisition module and the classification detection module, and the classification detection module is in communication connection with the attack monitoring module.

A data center network fault node diagnosis method comprises the following specific steps:

the method comprises the following steps: marking a node to be detected of the network nodes as i, selecting N network nodes as test nodes, and marking the test nodes as j; acquiring a time difference value and marking the time difference value as Sij; sending the time difference value Sij to a preliminary judgment module;

step two: after the initial judgment module receives the time difference value Sij, acquiring a fault evaluation coefficient GPxi; when the fault evaluation coefficient GPxi meets the condition that GPxi is equal to N +1, judging that the corresponding node i to be detected is normal, and marking the corresponding node i to be detected as a normal node; when the fault evaluation coefficient GPxi meets the condition that GPxi is 0, judging that the corresponding node i to be detected is abnormal, and marking the corresponding node i to be detected as a fault node; otherwise, marking the corresponding node i to be detected as a suspect node; generating a normal node set, a fault node set and a suspected node set; sending the suspected node set to a classification detection module;

step three: when the classification detection module receives the suspected node set, a classification model is obtained through the data storage module; acquiring a time matrix of a suspected node; inputting the time matrix of the suspected node into a classification model after data preprocessing to obtain an output result, marking the output result as a suspected label, and analyzing the suspected node according to the suspected label; updating the normal node set and the fault node set; acquiring the position of the fault node in the fault node set, marking the position as a target position, and generating a target position schematic diagram through a third-party map platform; and sending the target position schematic diagram to an early warning maintenance module through a processor.

The above formulas are all calculated by removing dimensions and taking numerical values thereof, the formula is a formula which is obtained by acquiring a large amount of data and performing software simulation to obtain the closest real situation, and the preset parameters and the preset threshold value in the formula are set by the technical personnel in the field according to the actual situation or obtained by simulating a large amount of data.

The working principle of the invention is as follows:

marking a node to be detected of the network nodes as i, selecting N network nodes as test nodes, and marking the test nodes as j; sending a first state signal to a node i to be detected through a test node j, and immediately sending a second state signal to the test node j after the node i to be detected receives the first state signal; when the test node j receives the second state signal, the time difference value between the received time of the second state signal and the sending time of the first state signal is immediately obtained, and the time difference value is marked as Sij; sending the node i to be detected, the test node j and the time difference value Sij to a data storage module for storage through a processor, and sending the time difference value Sij to a preliminary judgment module;

after the initial judgment module receives the time difference value Sij, acquiring a fault evaluation coefficient GPxi; when the fault evaluation coefficient GPxi meets the condition that GPxi is equal to N +1, judging that the corresponding node i to be detected is normal, and marking the corresponding node i to be detected as a normal node; when the fault evaluation coefficient GPxi meets the condition that GPxi is 0, judging that the corresponding node i to be detected is abnormal, and marking the corresponding node i to be detected as a fault node; otherwise, marking the corresponding node i to be detected as a suspect node; integrating normal nodes to generate a normal node set, integrating fault nodes to generate a fault node set, and integrating suspected nodes to generate a suspected node set; sending the normal node set, the fault node set and the suspected node set to a data storage module for storage through a processor, and sending the suspected node set to a classification detection module;

when the classification detection module receives the suspected node set, a classification model is obtained through the data storage module; acquiring a time matrix of a suspected node; inputting the time matrix of the suspect node after data preprocessing into a classification model to obtain an output result, and marking the output result as a suspect label; the suspected label is a node label corresponding to the suspected node; when the suspected label is 1, judging that the suspected node is a normal node; when the suspected label is 0, judging that the suspected node is a fault node; updating the normal node set and the fault node set; acquiring the position of the fault node in the fault node set, marking the position as a target position, and generating a target position schematic diagram through a third-party map platform; and the processor sends the target position schematic diagram to the early warning maintenance module, and simultaneously sends the target position schematic diagram, the normal node set and the fault node set to the data storage module for storage.

In the description herein, references to the description of "one embodiment," "an example," "a specific example" or the like are intended to mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

The foregoing is merely exemplary and illustrative of the present invention and various modifications, additions and substitutions may be made by those skilled in the art to the specific embodiments described without departing from the scope of the invention as defined in the following claims.