Научная статья на тему 'Diagnostic expert systems of computer networks'

Diagnostic expert systems of computer networks Текст научной статьи по специальности «Компьютерные и информационные науки»

CC BY
151
49
i Надоели баннеры? Вы всегда можете отключить рекламу.

Аннотация научной статьи по компьютерным и информационным наукам, автор научной работы — Soloviev V.M., Koldobanov J.V.

In article questions of reception of the information on a technical status of the heterogeneous computer network and its use are considered at construction of diagnostic expert systems (DES). Results of article can be used at construction of network diagnostic systems.

i Надоели баннеры? Вы всегда можете отключить рекламу.
iНе можете найти то, что вам нужно? Попробуйте сервис подбора литературы.
i Надоели баннеры? Вы всегда можете отключить рекламу.

Текст научной работы на тему «Diagnostic expert systems of computer networks»

Приведена методика определения номинальной пропускной способности ЛВС реального времени, при которой заявки обслуживаются за время, не большее директивного времени, с заданной вероятностью.

Результаты имеют практическую ценность, так как используются при проектировании КСО ИВС и СВРК нового поколения.

Представляется перспективным применение полученных результатов при разработке вычислительных систем реального времени, подобных рассмотренной.

Литература: 1. Горелик А.Х., Елисеев В.В., Орловский В. А. Опыт разработки новых и поэтапной реконструкции действующих информационно-вычислительных систем энергоблоков с реактором ВВЭР-1000 // Ядерная и радиационная безопасность. 2005. №1. С. 91-96. 2. Елисеев В.В., Ларгин В.А., Пивоваров Г.Ю. Программно-технические комплексы АСУ ТП. К.: Издательско-полиграфический

UDC519.713: 681.326

DIAGNOSTIC EXPERT SYSTEMS OF COMPUTER NETWORKS

SOLOVIEV V.M., KOLDOBANOV J.V._______________

In article questions of reception of the information on a technical status of the heterogeneous computer network and its use are considered at construction of diagnostic expert systems (DES). Results of article can be used at construction of network diagnostic systems.

Technical state of the computer network

One of the major characteristics of the computer network is reliability - ability of the computer network to save working capacity during the certain period of time. Reliability of complex technical systems and computer networks in particular is determined by their non-failure operation, durability and maintainability. As a quantitative measure of reliability time of non-failure operation (average time of a time between failures), probability of refusals (failure rate) and factor of readiness (time of restoration) more often act. A source of unreliability of the distributed systems are refusals of the environment of data transmission (more often cable systems), the switching equipment, the active network equipment and the software providing actually electric, radio or optical connectivity of separate net points among themselves. In the computer network refusals gradual, sudden and withdrawing failures are distinguished. On increase of reliability of computer networks due to application the whole complex of measures of prevention of refusals and failures is directed to them of self-tested electronic components with a high degree of integration, decrease in a level of in networks, simplification of operating modes of electronic handicaps schemes and a channelizing of the equipment, maintenance of optimum thermal modes of their job, and also due to perfection of the software and methods of installation of a network.

центр «Киевский университет», 2003. 429 с.. 3. ШварцМ. Сети связи: протоколы, моделирование и анализ. Ч.2. М.: Наука, 1992. 272 с. 4. Елисеев В. В. Оценка характеристик ЛВС нижнего уровня ИВС энергоблока ВВЭР-Ю00 // Радиоэлектроника и информатика. 2004. № 4. С. 88-93. 5. Основы теории вычислительных систем / Под ред. С.А. Майорова. М.: Высш. шк., 1978. 408 с. 6. Клейнрок Л. Вычислительные системы с очередями. М.: Мир, 1979. 600 с. 7. Кельтон В., Лоу А. Имитационное моделирование. 3-е изд. Киев: Издательская группа BnV, 2004. 847с.

Поступила в редколлегию 20.10.2005

Рецензент: д-р техн. наук, проф. Хаханов В.И.

Елисеев Владимир Васильевич, канд. техн. наук, доцент Северодонецкого технологического института Восточноукраинского национального университета. Научные интересы: компьютерная инженерия, программно-технические комплексы систем контроля и управления. Адрес: Украина, 93405, г. Северодонецк Луганской обл., пл. Победы, 2, тел. (06452) 2-95-87.

The basic operational measure of increase of reliability of the computer network is its maintainability increasing. Maintainability of the computer network assumes suppression of influence of refusals and failures on the network functioning by means of monitoring of a network, control and correction of errors, diagnosing and automatic restoration of circulation of the information in a network after detection and elimination of refusals. And monitoring tools more often are focused on gradual and withdrawing refusals, and the control and diagnosing tools - on sudden refusals. Increase of maintainability assumes decrease in an idle time (restoration) of the computer network. The distributed computing systems with a high maintainability concern to failure-safe systems. The failure-safe distributed computing systems to which computer networks concern also share on three categories. Computing systems of high readiness (high availability) are the systems executed on usual information technology, using superfluous equipment rooms and software and supposing time of restoration in an interval from 2 till 20 minutes. Computing systems steady against refusals (fault tolerance) - such systems which have in a hot reserve the superfluous equipment and software for all functional blocks: processors, operative memory, power supplies, subsystems of input-output, subsystems of disk memory, and time of restoration at refusal does not exceed one second. Computing systems of continuous readiness (continuous availability) - systems which also provide time of restoration within the limits of one second, but unlike systems steady against refusals, eliminate systems of continuous readiness not only the idle times which have resulted refusals, but also the scheduled downtimes connected with upgrade or service of system. The additional requirement to systems of continuous readiness is the support of a constant level of functionalities and productivity irrespective of occurrence of refusals. There is a close relationship between parameters of productivity and reliability of a network. Unreliable job of a network very often leads to essential decrease in its productivity, one of the basic parameters of quality of the computer

7 8

BE, 2005, 1 4

network. It happens because that failures, and refusals in a network lead to loss or distortion of some part of packages passed on a network therefore communication reports are compelled{forced} to organize repeated transfer of the lost data. In the majority of local area networks restoration of the lost data carries out the report of a transport or applied level.

The basic way of maintainability increase of the networks is its redundancy on the basis of which various variants of failure-safe network architecture are realized. Computer networks include various structural elements and redundancy is necessary for maintenance of reliability on each of key elements. If we consider a network as transport system redundancy should exist for all main routes of a network, that is the shared routes for the majority of clients of a network. Such routes in local computer networks usually are routes to corporate servers: to servers of databases, Web-servers, mail servers, a print-servers, etc. Therefore for the organization of failure-safe architecture all elements of a network through which such routes pass, should be reserved - there should be reserve channels with which can use at refusal of one of the basic channels. Reserve channels are realized through reserve cable segments, or through reserve routes with detour of the given up structural elements. Routing can be carried out in static, or in a dynamic mode on the basis of the analysis of data about a technical status of the computer network. All communication devices on the main ways should or to be realized under the failure-safe scheme with reservation of all basic functions, or for each communication device there should be a reserve similar device. Transition from the basic channel on reserve or from the basic device on reserve occurs as in an automatic mode, and manually, at participation of the manager of a network. Automatic transition increases the factor of readiness of the distributed system as the idle time of a network in this case will be essential less, than at intervention of the person. As computer networks are focused on service simultaneously big numbers of clients at definition of factor of readiness it is necessary to consider this circumstance. The factor of readiness of the computer network should correspond the performance of function for all clients. It is obvious, that in greater networks it is difficult to provide values of factor of the readiness, close to unit without automatic transition.

For network’s reconfiguring monitoring, diagnosing and the intellectual tools that distinguishing refusals in a network are required. Intellectual tools of the control and diagnosing prepare data for decision-making by the manager of a network, or automatically reconfigure a network, realizing the computing system of continuous readiness - « a self-recovering network » when clients of a network at all do not suspect about problems of her. Now three basic quality monitoring and diagnostics ofthe computer network are used: listening of the network traffic and decoding of reports, gathering of statistics about working of a network (it is usual under reports SNMP, ICMP or by means of special network probes),

loading or stressful testing. Practice of operation of computer networks shows, that it is possible to provide high factor of readiness of a network in that case when automatic transition to reserve elements is used, and procedures of the control of a technical status and diagnosing are built in communication reports. As an example of such network FDDI in which physical communications between sites and concentrators of a network are constantly tested can serve, and in case of their refusal automatic reconfiguration communications is carried out due to a secondary reserve ring.

Diagnostics of the computer network

The diagnostic information on a state of the computer network can be received by means of set of the tools applied to monitoring and the analysis of computer networks. First of all it is control systems of a network (Network Management Systems) - the centralized systems which are collected data about a state of sites and communication devices of a network, and also data about the traffic circulating in a network. These systems not only carry out monitoring and the control of a technical state of a network, but also carry out some actions on reconfiguring networks in an automatic or semi-automatic mode switching of ports of the active network equipment, change of parameters of bridges and address tables of bridges, switchboards and routers. They can carry out the elementary analysis of the network traffic. The built-in monitoring and diagnostics systems (Embedded Systems) - carried out in the form of the hardware-software modules installed in the communication network equipment, and also in the form of the program modules which have been built in network operational systems. They accumulate the diagnostic information and carry out the control of a technical status of one device, and this is their basic difference from the centralized control systems of a network. An example of such tool may be the module of management of the active concentrator, realizing function of auto-segmentation of ports on detection of defects of a network. As a rule, such modules also play a role of the SNMP-agents, delivering data about a technical state ofthe device for the centralized control systems of a network still carry out. Protocol Analyzers are program or hardware-software systems which carry out unlike the centralized control systems only functions of monitoring and the analysis of the traffic in networks. They can grasp and decode packets of many protocols applied in networks. Protocol analyzers, as well as the logic analyzers applied to diagnosing of discrete devices, can determine logic conditions of capture of separate packets and carry out full decoding and record of the grasped packets. They display written down in the form convenient for the manager an enclosure of packets of protocols of different layers with decoding the contents of separate fields of each packet. Besides their records can be used in intellectual tools of the analysis of a technical state of the computer network. Network monitors (network analyzers) - the devices intended for testing of cable systems. Unlike protocol analyzers, network monitors collect the diagnostic

7 9

BE, 2005, 1 4

information only about statistics of the traffic - average intensity of the common traffic of a network, average intensity of a stream of packets with the certain type of an error, etc. Cable scanners (cable testers) - the devices used for definition of key parameters and diagnosing of cable systems. Network monitors and cable scanners if necessary also can represent itself as SNMP-agents.

The centralized control systems of a network contain the big stock of the diagnostic information stored a special database of network devices, named MIB (Management Information Base). This system should not be confused to controlfacilities computers (SystemManagement) and their operational systems (OS) also having an internal database like the Registry in OS Windows which at desire can be used for the purposes of diagnostics. Modern control systems of networks are focused on the certain standards as the network software and the equipment develop set of the companies. Standardization concerns, first of all, management protocols. The most widespread management protocol is SNMP (Simple Network Management Protocol), it is supported by hundreds vendors. The main advantages of SNMP - simplicity, availability, independence of manufacturers, therefore he became the standard “de facto”. SNMP is used for reception from network devices of the information on their status, productivity and the characteristics stored a database ofnetwork devices MIB. The standard determines MIB structure, including a set of types of variables, their names and admissible operations above these variables. In MIB, alongside with the specified information, values of counters of the processed packets and errors, numbers, priorities and the information on a status of ports and many other things can be stored. Treelike structure MIB contains standard subtrees and private subtrees, allowing intellectual devices to realize functions of the control and diagnosing on the basis of the analysis of the chosen variables. The agent in SNMP is a processing element which provides to the managers placed at operating stations of a network, access to values of variables MIB and by that enables them to realize functions on management and supervision for the device. The example of simple structure of a control system is represented by a network on fig. 1.

Control

Fig. 1. A fragment of the computer network

8 0

Management of a network is usual carried out by operating station through the manager of a control system. It can be special allocated computer or one of workstations of a network. It is necessary to remember, that management uses all resource of a computer for performance of the basic functions; besides on this workstation intellectual tools of diagnostics of a network can be installed also. The agent collects statistics in a network, values of variables of a status of devices and passes all this information to the manager of a control system by means of SNMP. SNMP is a protocol of “request-answer” type, where each request of the manager is answered by the agent. Nowadays there are standards on required and passed objects and on their organization in the form of a database of the operating information. The basic standards are MIB-I and MIB-II, and also the version of remote management RMONMIB. Besides there are standards for special MIB devices of concrete type: MIB routers, MIB switches, MIB concentrators, MIB modems, etc. Also there are private MIB of particular vendors of the network equipment. According to the accepted standards (RFC 1213) MIB-II supposes up to 185 standard objects - 185 network parameters. Expansion of functionalities of SNMP is specification RMON (Remote Monitoring) which provides the remote interaction with base MIB. RMONMIB database contains the aggregated information on devices of a network and does not demand transfer on a network of great volumes of data. RMONMIB database consist of a set of statistical, analytical and diagnostic data. Difference between RMON and SNMP consists in character of the collected information. If in MIB-II this information characterizes only the events occurring on the site where the agent installed, RMON database characterize the traffic of any network structures. The key moment in efficiency of monitoring RMON is the opportunity to save statistical samples of data during the different moments of time in the probe or in database. Objects of RMONMIB database can include in addition counters of errors in packets, tools for analysis of graphic trends and statistics, tools of a filtration of capture and the analysis of separate packets, and also complex logic conditions of capture. RMON agents unlike SNMP ones carry out preliminary selection and processing of the information on the device or a segment of a network. These agents can settle down inside of various communication devices, and also can be executed in the form of hardware RMON-probes and the separate program RMON-modules working on universal computers and diagnostic notebook. By the standard (RFC 1271 for Ethernet, RFC 1513 for Token Ring) on RMONMIB about 200 objects are defined . Distinctive feature of RMON is it’s working in segments of a network with support of a plenty of network protocols (more than 20). Therefore it is convenient in the network heterogeneous environments using various protocols of network layer. Development of RMON technology is standard RMON2 (RFC 2021, RFC 2074), expanding opportunities of the analysis of the traffic in a network and applications used by users.

BE, 2005, 1 4

Thus for diagnosing a network different tools and, first of all - monitoring tools in control systems of a network can be used. Some measurements in a network can be executed by the software of type built in operational system components like Performance Monitor in OS Windows NT/2000. Modern cable testers also are capable to grasp and analyze packages and their contents. In a network where RMON/RMON2 and SNMP-agents are not supported, protocol analyzers are used for diagnostics. Protocol analyzers grasp the packets circulating in a network realizing this or that network protocol, and “study” their contents. For maintenance of high reliability of a network, being based on results of the analysis, intellectual tools or the manager of a network, carry out the proved and weighed change (configuration) of network structures, optimization of its productivity, search and elimination of defects of a network. Protocol analyzers represent or independent specialized devices, or the diagnostic computer (maybe notebook) equipped by the special communication equipment and the corresponding software. And the applied equipment should correspond the topology of a network in a point of connection. Modern analyzers are connected to a network the same way as usual network elements (workstations). They differ from workstations only by ability of accepting packets of data and analyzing them, and passing or obtaining data for the analysis from MIB database of network devices. The software of the analyzer consists of a kernel which supports working in a network and responsible for reception and decoding of data. The additional software delivered complete with the analyzer, can include library of procedures of decoding of data in different networks and agents of interaction with MIB database. It depends on topology of an investigated network and functions of the analyzer. The structure of the software of some analyzers also includes intellectual tools of the preliminary analysis of data which can give out recommendations for what diagnostic experiments should be spent in this or that situation, that mean those or other results of measurements how to eliminate some kinds of defects of a network, etc. Recently protocol analyzers are applied in so-called methods of loading or stressful testing when the special tests creating high loading on a network - very intensive traffic - are carried out. Such traffic provides the special software not a part of the protocol analyzer. And the network thus is not used only is tested. A task of the protocol analyzer - the analysis of packets at such it is artificial the created traffic. Practice shows, that stressful diagnosing has the highest reliability of the control of a technical status of a network. Inherently stressful testing is similar to check in extreme conditions of complex technical devices after assembly. The network is tested at absence of the user applications. At this time on all workstations the special test programs creating operated dosed out loading on a network synchronously work. Analyzers of reports or agents only carry out the functions on fixing parameters of the computer network.

Network monitors work in many aspects similar with RMON. They collect statistics about the traffic and packets, about broadcasting, group and single-address

BE, 2005, 1 4

transfer, about special situations (for example, about discrepancy of the control sums). Monitors give the information on the traffic in each of the listed categories and for each of reports separately. On these data they can make diagrams about distribution of packets in segments of a network, but do not make decoding these packets, as protocol analyzers. Network monitors are capable to define the most loaded segments of a network, to analyze distribution of broadcasting messages on sources, etc. Historically monitors have appeared before other network diagnostic tools in the form of non-standard utilities for monitoring a network. Program modules (utilities) of network monitors for gathering information can be carried out on servers (usually NetWare) as loaded modules or on a usual workstation (even on one used for monitoring a network), display of statistics and preparation of reports. As well as systems on the basis of RMON, network monitors are capable to conduct supervision and to prepare for reports on a technical status of a network and its productivity, to submit warning signals at excess of the set thresholds of normal functioning, for example, on number of errors in packets or on number of broadcasting packets. The network program monitor itself costs cheaply but if to consider, that is usual under the purposes of monitoring the separate computer (monitoring at the loaded traffic demands all resources of a computer) the total price appears compared with RMON probe. However some RMON probes for networks (IPX, AppleTalk, and FDDI) can be nonexistent, and then network monitors are the decision of a problem. Equipment ofnetworks by sufficient toolkit for diagnosing is rather expensive action, let alone creation to the most effective parallel diagnostic infrastructure SNMP, RMON, protocol analyzers, network monitors and intellectual tools of the control and diagnostics.

In modern heterogeneous computer networks the share of obvious sudden refusals constantly decreases, and the share failure and the latent gradual refusals [1] increase. Unlike hidden, obvious defects of a network simply enough to find out, having on one active SNMP-agent on each segment and analyzing, for example the traffic on number of the accepted tcp-segments (MIB variable -tcp.tcpinsegs) or on number accepted udp-datagrams (MIB variable - udp.udpindatagrams), fig. 2.

Fig. 2. A variation of variables tcpinsegs and udpindatagrams in an interval of time

8 1

For this purpose all traffic passing on a network needs to be checked up in real time on number of the accepted and deformed packets.

Principal cause of distortion of packets in a network are defects of the passive network equipment and some defects of receiving-transferring modules of the active network equipment. By different estimations this share of defects made from 65 up to 85 % [2]. Prevalence of defects of the passive network equipment over other defects of a network long time was one of the reasons of that rather simple means of diagnosing appeared the basic tool for localization of defects of a network. With development of network technologies and transition from a coaxial cable to twisted pair and optics the situation has changed. On the one hand, it has increased reliability (noise stability) of channels of transfer of the information and the passive network equipment. On the other hand, the active network equipment became more complex and intellectual, that has reduced in him a share of obvious sudden refusals and to prevail there were failures and the latent gradual refusals. Besides today the approach to an estimation of quality of work of the distributed computing systems undergoes serious changes. If earlier parameters of work of the network equipment - recycling (loading of a network) and number of the corrupted packets in a network now the greatest attention is given quality of work of the user applications and quality of services were considered as the basic criteria of quality. Criteria of quality of work of the user application or rendered service is the set of characteristics (time of reaction of the application and its productivity, availability of the application, time for the sanction of a problem) which are formulated in the form of a certain agreement. These characteristics also can be certain by means of network diagnostic tools by measuring of time user transactions and system transactions [3]. Hence, additional loading lays down on diagnostic system.

Nowadays definition of a technical status of the distributed computing system with high reliability and depth on one let even is impossible for very informative parameter. It is necessary to see work of all its numerous structural a component in interrelation: servers, workstations, passive and active network equipment, the system and application software. The information of work of these can be received a component, only using all diagnostic infrastructure of the computer network. So, for example, the information of work of servers Windows NT/2000 can be received by means of program Performance Monitor or SNMP-agents, the information of work of workstations by means of network probes or protocol analyzers, the information of work of the network equipment and separate segments of a network by means of package Observer Network Instruments, the information of work of the user applications by means of agents of agreements on a degree of service (Service Level Agreement), fig. 3.

Fig. 3. Trends of parameters of components of the computer network

To see work of all a component in interrelation, all volume of the collected diagnostic information needs to be distributed in time, on the basis of received given to construct trends, further trends it is necessary to synchronize, adhere them to a uniform time scale, and parameters to normalize, to smooth and identical image to average, adhere them to concrete network structure. For this purpose preprocessing of the received diagnostic information is carried out. Thus, at the analysis of a technical state of the modern computer network it is necessary to deal with greater files of diverse diagnostic data. It’s very difficult to analyze such data manually. For this purpose in modern computer networks expert systems, systems ofthe likelihood and correlation analysis are used. The diagnostic expert system (DES) usually operates with two basic concepts - symptoms (less critical problems) and diagnoses (critical problems or expert events). So, for example, the increased delay between inquiry and the answer of a server can concern to symptoms, and an overload of a segment of a network above the set threshold - to diagnoses. The revealed symptoms and diagnoses DES places at corresponding layers of model of network interaction (usually model OSI). To this model the graphic interface of expert system also corresponds. Summary data usually display a current status which for each level includes diagnoses and symptoms, all the found out network objects and a various sort flags. Despite of all opportunities of expert systems, refinement of tools of representation of the diagnostic information and perfection of tools of data gathering, a difference between reading and interpretation of hundreds and thousand symptoms and the correct diagnosis in network diagnostic systems leaves much to be desired [3]. Last 10 years works on expert systems of new generation with the algorithms of intellectual calculation working at substantial growth of number of rules and conclusions are conducted. Now the number of software products on the basis of these technologies promptly grows. They use elements of automatic processing and the analysis of data (Data Mining) and become an integral part of the concept of intellectual calculations (the intellectual analysis of data) in computer networks. Simple gathering and preprocessing of

8 2

BE, 2005, 1 4

diagnostic data provides at the best reception of answers on symptoms while Data Mining technology allows seeing and finding the latent rules and laws in files of diagnostic data which cannot be expected, and knowledge which can promote increase of efficiency of diagnosing of computer networks.

Human mind, even at the most good manager of a network, in itself is not adapted for recognition of greater files of the diverse information on a status of a network. Besides he is not capable to catch more than two-three interrelations even in small samples. It was helped always by traditional expert systems which were based on methods of mathematical statistics and long time applied for a role of the basic tool of the analysis of diagnostic data in computer networks. They operated with the average characteristics of sample which often appeared in fictitious sizes. Therefore methods of mathematical statistics appeared useful, mainly, for check of in advance formulated statistical hypotheses. At diagnostics of a modern network huge volumes of data collect. As it is possible to learn from these data how the network works and how will work in the further? New technologies of the intellectual analysis also are intended for the answer to these questions. They are used for a finding of diagnostic models and the relations hidden in databases, not accessible to usual methods. Data Mining technology helps with finding of models and relations in diagnostic data, but it tells nothing about value of these models. Each model should be checked in the concrete network environment, adapt for her. The intellectual analysis can release the manager of a network from possible complexities at the analysis of data. It demands from him understanding of work of tools and algorithms on which is based. Besides the, technology of a finding of new knowledge in a database cannot give the answer to not asked questions. Modern technologies of the intellectual analysis process the diagnostic information with the purpose of automatic search of patterns, characteristic for diverse fragments of non-uniform multivariate diagnostic data. Weight of a formulation of hypotheses and revealing of the necessary patterns is given DES. For successful carrying out of process of a finding of new knowledge by diagnostic expert system presence of storehouse of diagnostic data is necessary. The storehouse of diagnostic data is object-oriented, integrated, adhered by time, continuous and constant gathering of diagnostic data. As the key moment of successful application of Data Mining methods the choice of algorithm and skill of the person creating DES model and opportunities of diagnostic models serves not simply. The success in extraction of knowledge is provided with two reasons. First, a precise and clear formulation of the diagnostic problem which are a subject the decision. Secondly, use of correct diagnostic data.

The purpose of intellectual technologies is the finding of new knowledge which can be used in the further for improvement of work of a network and the resolving of network problems. The result of application of Data Mining technologies, for creation of perspective network

diagnostic systems is a revealing relation in data by modeling. The basic kinds of models which can be used for a finding of new knowledge on the basis of data in information storehouse, it is possible to receive in following methods of revealing and the analysis of knowledge: regresses, forecasting of time sequences, trend forecasts, classification, clusterization, associations, and sequences. First three can be used mainly for forecasting a technical state of the computer network while the last are convenient for definition of a current technical state of a network.

Regression analysis is used, when relations between the variables describing parameters of the computer network, can be expressed quantitatively in the form of some combination of these variables. The received combination is used for forecasting values of target (dependent) parameters of the computer network calculated on the set of values of entrance (independent) parameters. Forecasting of time sequences is based on the historical information of states of a network, stored in information storehouses in the form of timelines. A special case of such forecasting is trendforecast (forecasting of similar behavior in time). If it is possible to construct mathematical model and to find the patterns adequately displaying dynamics of changes of a technical state of a network, there is a probability, that with their help it is possible to forecast and behavior of the computer network in the future. Forecasting of time sequences allows estimating the future values of predicted parameters of a network on the basis of the analysis of behavior of timelines. These models should include attributes of time: hierarchy of the periods, special intervals of time, seasonal prevalence of work of a network, celebratory and the days off, preventive works, etc.

Classification - the most widespread model of the intellectual analysis of the data recommended for diagnosing of a network. With its help the diagnostic attributes describing group to which this or that technical state of the computer network belongs are found out. It is done by means of the analysis of already classified technical states of the computer network and a formulation of some set of rules. Clusterization differs from classification by that classes of technical states of a network in advance are not set and by means of clusterization model tools of intellectual calculations independently create homogeneous groups of diagnostic parameters. The association concerns to the analysis of structure of the computer network and is applied, when some events in her are connected among themselves. The classical example of the analysis of structure of a network concerns to supervision of some behavior of a network (reaction) in its various segments by carrying out of single diagnostic experiment (transaction ofmeasurements by means of the protocol analyzer). The purpose of such approach is the finding of trends (identical sites) among the big number of transactions (diagnostic experiments) which can be used for an explanation of behavior of the computer network. The sequence takes place, if there is a chain of the events connected in time occurring in a network (relationships of cause and effect). In such

8 3

BE, 2005, 1 4

situation it is important not only coexistence of data inside of one transaction, but also the order in which these data appear in other transactions and time between these transactions. The rules establishing these relations can be used for definition of a typical set of the previous reasons which can lead behind itself the subsequent problems in the computer network. The basic method (tool) of Data Mining technology applied to diagnosing of the computer network is neural networks (NN).

Neural networks and classical DES have the essential distinctions causing them traditionally developed sphere of application. Expert systems are traditionally applied to the decision of narrow tasks with well structured knowledge, for example in classification of defects of concrete type of the complex equipment. Neural networks are applied with a different degree of efficiency in problems with badly structured information. It is important to note and distinction in character of the implicit knowledge received in artificial NN, and the obvious, formal knowledge incorporated in expert systems. Such distinctions are presented in table.

Expert system (ES) Neural networks (NN)

Source of knowledge The formalized experience of the expert expressed in the form of logic statements - rules and the facts certainly accepted by system Cumulative experience of the expert-teacher, selecting examples for training plus individual experience of a neural network trained on these examples

Character of knowledge Is formal-logic ‘left-hemisphere’ knowledge in the form of rules Associative "right-hemisphere" knowledge in the form of connections in NN between neurons

Development of knowledge In the form of expansion of set of rules and the facts (knowledge base) In the form of aftereducation on additional sequence of examples, with specification of borders of categories and formation of new categories

The role of the expert Sets on the basis of rules full volume of knowledge of expert system Selects characteristic examples, not formulating a special substantiation of the choice

Role of system Search of a chain of the facts and rules for the proof of judgment Formation of individual experience in the form of the categories received on the basis of examples and clusterization of images

The common problem of DES creation consists in development of methods of construction of systems of an artificial intellect (AI) with the set functional behavior. In a context of NN it is a problem of synthesis of a demanded artificial network, a choice of essential diagnostic attributes from a set of parameters and formation featured spaces, a choice or development of architecture of a neural network and rules of its activation to an adequate solved problem, reception of training sample of the most representative vectors of featured spaces, training of a neural network on training sample. As sets of diagnostic parameters it is offered to use the databases received by all diagnostic infrastructure of the modern computer network. And, training sample can have the minimal final length as in advance diagnostic properties of a file of the chosen parameters are not known. Their structure not necessarily corresponds{meets} to the future technical statuses of the computer network as there is no precise border in featured space of diagnostic parameters (is not certain precisely the category of a technical status of the computer network).

References: 1. Kyas Othmar. Network Troubleshooting. Agilent Technologies Publication. 2003. 2. Юдицкий С., БорисенковВ., Адаскин П. Лучше один раз измерить, чем сто раз гадать // Журнал сетевых решений / LAN. 1999. № 7-8. 3. Юдицкий С.С., Швецов В.И., Кузубов С.И. Увидеть слона целиком // Сети и Системы Связи. 2000. №9-10.

Soloviev V.M. The Saratov State University, street Astrakhan, 83, Saratov, Russia, phone: (8452) 511529, e-mail: [email protected].

Koldobanov J.V. The Saratov State University, street Astrakhan, 83, Saratov, Russia, phone: (8452) 511529, e-mail: [email protected].

8 4

BE, 2005, 1 4

i Надоели баннеры? Вы всегда можете отключить рекламу.