As traffic volume and communication bandwidth increase, monitoring a large-scale network becomes difficult. When the whole network is treated as the monitoring object, it is necessary to monitor traffic at a plurality of monitoring sites, to compare the relations among a plurality of events so as to aggregate the events of each kind, and to aggregate events of different kinds into one event. A large amount of traffic in particular brings about a scalability problem. For example, in order to provide a highly reliable service to users, a large-scale ISP (Internet Service Provider) monitors important events (fault, error in configuration, attack, and signaling setting (assuming charge)). It is extremely important for the ISP to take measures quickly once such an event is detected. Therefore, a highly efficient and highly scalable distributed monitoring system is demanded which can monitor a large amount of traffic in a large-scale network.
As distributed monitoring systems for large-scale networks, a centralized system and a hierarchical centralized system have been proposed. In these systems, all monitoring data are either transmitted directly to a central node, or first collected and arbitrated by intermediate nodes before being transmitted to the central node. However, the centralized system and the hierarchical centralized system have problems in scalability and reliability. Therefore, these systems are not suitable for many monitoring applications.
In order to solve these problems, “WormShield: Fast Worm Signature Generation with Distributed Fingerprint Aggregation” (Non-Patent Literature 1) (IEEE Transactions on Dependable and Secure Computing, Vol. 4, No. 2, pp. 88-104, April-June, 2007) has been proposed by Min Cai, Kai Hwang, Jianping Pan, and Christos Papadopoulos.
Also, “Distributed Aggregation Algorithms with Load-Balancing for Scalable Grid Resource Monitoring” (Parallel and Distributed Processing Symposium, 2007. IPDPS 2007. IEEE International Volume, Issue, 26-30, March 2007 pp. 1-10) (Non-Patent Literature 2) has been proposed by Cai, M. and Hwang, K.
In Non-Patent Literature 1, the monitoring application calculates a total of events for a worm in order to generate a signature. In Non-Patent Literature 2, the monitoring application monitors an average CPU use rate over multiple nodes. Non-Patent Literature 1 and Non-Patent Literature 2 propose a DAT (Distributed Aggregation Tree), which takes load distribution, scalability and fault tolerance into consideration by using a P2P (Peer to Peer) network technique, and over which the monitoring data are transferred and aggregated.
The DAT has a tree structure and operates on Chord, which is one of the algorithms of DHT (Distributed Hash Table). The data are aggregated as they pass from node to node, and the aggregation result is finally transmitted to the root node of the DAT. It should be noted that the DHT is one kind of structured P2P network. A structured P2P network is one in which the network configuration (search request, route) can be described by an equation. Well-known DHT algorithms include Chord, Pastry, CAN (Content Addressable Network) and so on. Because these DHT algorithms are designed with high scalability and fault tolerance in mind, data can be stored and searched with high reliability when they are used.
The data are not transmitted directly to the root node; instead, they reach the root node through repeated transmission from one node to the next. Therefore, the network bandwidth and the processing load at the root node can be reduced, compared with a case in which the data are transmitted directly to the root node. Moreover, the load is distributed by arranging the nodes at as uniform a depth as possible.
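The following sketch is an added illustration of the node-to-node aggregation described above; it is not taken from this document or from the cited papers. It assumes a simplified tree in which each node's parent is its greedy Chord finger-table next hop toward the root, and the names M, LOCAL, successor, dist, parent and aggregate, the ring size and the event counts are all constructed for the example.

```python
from bisect import bisect_left
from collections import Counter

M = 6                                   # identifier bits; ring size 2**M (constructed)
LOCAL = {n: n // 4 + 1 for n in range(0, 2**M, 4)}   # constructed per-node event counts

def successor(nodes, ident):
    """First node at or clockwise after ident (nodes is a sorted list of IDs)."""
    return nodes[bisect_left(nodes, ident % 2**M) % len(nodes)]

def dist(a, b):
    """Clockwise distance from a to b on the ring."""
    return (b - a) % 2**M

def parent(nodes, n, root):
    """Next hop from n toward root: the farthest finger that does not overshoot root."""
    fingers = {successor(nodes, n + 2**i) for i in range(M)}
    reachable = [f for f in fingers if f != n and dist(n, f) <= dist(n, root)]
    return max(reachable, key=lambda f: dist(n, f))

def aggregate(local, root):
    """Sum local counts up the tree; return (total at root, inbound messages per node)."""
    nodes = sorted(local)
    partial, inbound = dict(local), Counter()
    # Farthest nodes first, so every child reports before its parent forwards.
    for n in sorted(nodes, key=lambda x: dist(x, root), reverse=True):
        if n == root:
            continue
        p = parent(nodes, n, root)
        partial[p] += partial[n]        # parent merges the child's partial result
        inbound[p] += 1                 # one aggregate message per tree edge
    return partial[root], inbound

if __name__ == "__main__":
    total, inbound = aggregate(LOCAL, root=0)
    print("total at root:", total)
    print("messages into root:", inbound[0], "vs", len(LOCAL) - 1, "if sent directly")
```

With the 16 constructed nodes, the root receives 4 aggregate messages instead of the 15 it would receive if every node reported to it directly, while the total it computes is the same.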
However, the techniques shown in Non-Patent Literature 1 and Non-Patent Literature 2 provide only simple monitoring functions that count events and lack flexibility, so that the monitoring objects to which these techniques can be applied are limited.
For example, Internet applications such as VoIP (Voice over IP), IPTV, and VOD (Video On Demand) are composed of a control plane (signaling plane) and a data plane (user plane). Thus, VoIP uses SIP (Session Initiation Protocol) as the protocol for signaling and RTP (Real-time Transport Protocol) as the protocol for transmitting the audio signal. SIP and RTP traffic sometimes take different routes through the network. Therefore, the techniques proposed in Non-Patent Literature 1 and Non-Patent Literature 2 cannot efficiently relate the events to each other.
Therefore, a technique is demanded which efficiently relates events generated in the control plane and in the data plane.
In conjunction with the above description, a traffic data collecting apparatus is disclosed in JP 2003-158549A (Patent Literature 1). In a request receiving node of this technique, when a request for traffic data collection between two specific points in an IP communication network is received from a user terminal or a network management terminal, a data request packet containing the request is transmitted to a neighbor communication unit in response to the received request. A data reply packet, in which traffic data of a plurality of communication units other than its own unit are written, is received from the neighbor communication unit, and the traffic data of its own unit and the received traffic data are aggregated. A data reply packet which contains the aggregated traffic data is transmitted to the terminal which requested the traffic data collection. In a request relay node, the data request packet is received, a data reply packet is generated based on the traffic data in its own unit in response to the request contained in the received data request packet, and the generated data reply packet is transmitted to the request receiving node. The data request packet containing the request is also transmitted to the communication units other than the transmission source of the data request packet. In a request termination node, the data request packet is received, and a data reply packet is generated based on the traffic data in its own unit in response to the request contained in the received data request packet and is transmitted to the request receiving node. The received data request packet is then discarded.
In JP 2007-013590A (Patent Literature 2), a network monitoring system is disclosed. In this technique, communication data of the communication signals which flow through each monitored line are always collected, and packet data and flow statistic data, which relate a transmission source and a transmission destination to each other, are determined based on header data of the communication signals. The traffic data are aggregated by grouping the collected data for every preset physical aggregation object.
Also, as a mechanism which provides a monitoring function in which the event attribute to be collected is specified, “A Scalable Distributed Information Management System” (ACM SIGCOMM Computer Communication Review Vol. 34, Issue 4 (October 2004) pp. 379-390, Year of Publication: 2004) has been proposed by Praveen Yalagandula and Mike Dahlin (Non-Patent Literature 3).
However, in the method shown in Non-Patent Literature 3, load distribution is not considered in the tree structure of the nodes.
In wide area network monitoring, a manager collects data from the network, and there are cases in which more detailed data are then requested, depending on the contents of the collected data. For example, when an event indicating that a worm has been generated occurs, there are cases in which the data of the actual packets are referred to.
In order to realize such an operation, a function of acquiring the detailed data related to an event (to be referred to as a “back tracking function”, hereinafter) is necessary as a mechanism for wide area monitoring, in addition to the collection of events from the whole network.
However, in Non-Patent Literature 1, Non-Patent Literature 2, and Non-Patent Literature 3, it is difficult for a manager to refer afterwards to the details of the collected data, because there is no back tracking function.