CN110874674B - Abnormality detection method, device and equipment - Google Patents

Publication number
CN110874674B
Authority
CN
China
Legal status
Active
Application number
CN201810994706.2A
Other languages
Chinese (zh)
Other versions
CN110874674A (en
Inventor
冯阳
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management

Abstract

The application provides an abnormality detection method, device and equipment, wherein the method comprises the following steps: acquiring an initial monitoring threshold value, and carrying out anomaly detection on service data according to the initial monitoring threshold value; adjusting the initial monitoring threshold according to an abnormal detection result of the initial monitoring threshold to obtain a target monitoring threshold; and carrying out anomaly detection on the business data according to the target monitoring threshold. According to the technical scheme, operation and maintenance personnel are not required to manually set the monitoring threshold, the monitoring threshold is automatically adjusted, and the alarm accuracy is improved.

Description

Abnormality detection method, device and equipment
Technical Field
The application relates to the technical field of internet, in particular to an anomaly detection method, an anomaly detection device and anomaly detection equipment.
Background
Automatic anomaly detection aims to discover abnormal fluctuations in service data and is an important part of an intelligent monitoring system. Anomaly detection needs to monitor many kinds of service data, such as the number of requests, the number of rejections, response time, transaction volume and orders, and detecting abnormal fluctuations in service data is an important guarantee of service stability. For example, a monitoring threshold may be preset; when the service data is greater than the monitoring threshold (for example, the monitoring threshold is a request-number threshold and the service data is the number of requests generated per minute), an abnormality in the service data is detected, an alarm may be raised to operation and maintenance personnel, and the operation and maintenance personnel analyze the cause of the abnormality.
In the above approach, the monitoring threshold is usually set manually by operation and maintenance personnel, its accuracy is limited by their experience, and it cannot be adjusted automatically. Once the monitoring threshold is inaccurate, either the number of alarms for the service data may be high while the accuracy of anomaly detection is low, or the number of alarms may be low while anomaly detection misses many anomalies.
Disclosure of Invention
The application provides an anomaly detection method, which comprises the following steps:
acquiring an initial monitoring threshold value, and carrying out anomaly detection on service data according to the initial monitoring threshold value;
adjusting the initial monitoring threshold according to an abnormal detection result of the initial monitoring threshold to obtain a target monitoring threshold; and carrying out anomaly detection on the business data according to the target monitoring threshold.
The application provides an anomaly detection method, which comprises the following steps:
acquiring service data of a current time point;
generating a data set according to the service data of the current time point;
determining statistical features of the data set;
determining a feature value corresponding to the statistical feature;
and carrying out anomaly detection on the service data according to the characteristic value.
The application provides an anomaly detection method, which comprises the following steps:
acquiring service data of a current time point;
performing abnormal detection on the service data by adopting a plurality of detection strategies to obtain a detection result of each detection strategy; the detection result of each detection strategy is that the business data is abnormal or not abnormal;
if the detection results of at least two detection strategies are that the service data are abnormal, determining that the final detection result of the service data is that the service data are abnormal; if the detection result of one detection strategy is that the service data is abnormal, determining that the final detection result of the service data is that the service data is not abnormal.
The application provides an abnormality detection apparatus, the apparatus includes:
the acquisition module is used for acquiring an initial monitoring threshold value;
the detection module is used for carrying out abnormal detection on the service data according to the initial monitoring threshold value;
the acquisition module is further used for adjusting the initial monitoring threshold according to an abnormal detection result of the initial monitoring threshold to obtain a target monitoring threshold;
the detection module is further used for carrying out anomaly detection on the business data according to the target monitoring threshold.
The application provides an abnormality detection apparatus, the apparatus includes:
the acquisition module is used for acquiring service data of the current time point;
the generation module is used for generating a data set according to the service data of the current time point;
a determining module for determining statistical features of the data set;
the determining module is further used for determining a characteristic value corresponding to the statistical characteristic;
and the detection module is used for carrying out anomaly detection on the service data according to the characteristic value.
The application provides an abnormality detection apparatus, the apparatus includes:
the acquisition module is used for acquiring service data of the current time point;
the detection module is used for carrying out abnormal detection on the service data by adopting a plurality of detection strategies to obtain a detection result of each detection strategy; the detection result of each detection strategy is that the service data is abnormal or the service data is not abnormal;
the determining module is used for determining that the final detection result of the service data is abnormal if the detection results of the at least two detection strategies are abnormal;
if the detection result of one detection strategy is that the service data is abnormal, determining that the final detection result of the service data is that the service data is not abnormal.
The present application provides an abnormality detection apparatus including:
a processor and a machine-readable storage medium having stored thereon computer instructions that when executed by the processor perform the following:
acquiring an initial monitoring threshold value, and carrying out anomaly detection on service data according to the initial monitoring threshold value;
adjusting the initial monitoring threshold according to an abnormal detection result of the initial monitoring threshold to obtain a target monitoring threshold; and carrying out anomaly detection on the business data according to the target monitoring threshold.
The present application provides an abnormality detection apparatus including:
a processor and a machine-readable storage medium having stored thereon computer instructions that when executed by the processor perform the following:
acquiring service data of a current time point;
generating a data set according to the service data of the current time point;
determining statistical features of the data set;
determining a feature value corresponding to the statistical feature;
and carrying out anomaly detection on the service data according to the characteristic value.
The present application provides an abnormality detection apparatus including:
a processor and a machine-readable storage medium having stored thereon computer instructions that when executed by the processor perform the following:
acquiring service data of a current time point;
performing abnormal detection on the service data by adopting a plurality of detection strategies to obtain a detection result of each detection strategy; the detection result of each detection strategy is that the business data is abnormal or not abnormal;
if the detection results of at least two detection strategies are that the service data are abnormal, determining that the final detection result of the service data is that the service data are abnormal; if the detection result of one detection strategy is that the service data is abnormal, determining that the final detection result of the service data is that the service data is not abnormal.
Based on the above technical solution, in the embodiments of the application the monitoring threshold does not need to be set manually by operation and maintenance personnel and can be adjusted automatically, so the monitoring threshold is more accurate. This avoids both the problem of many alarms with low anomaly-detection accuracy and the problem of few alarms with serious under-reporting of anomalies. Anomaly detection can be performed according to the trend of the historical service data, abnormal service data can be detected automatically, and alarm accuracy is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the following description will briefly describe the drawings that are required to be used in the embodiments of the present application or the description in the prior art, and it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings may also be obtained according to these drawings of the embodiments of the present application for a person having ordinary skill in the art.
FIG. 1 is a flow chart of an anomaly detection method in one embodiment of the present application;
FIGS. 2A-2C are schematic diagrams of traffic data curves in one embodiment of the present application;
FIG. 3 is a flow chart of an anomaly detection method in another embodiment of the present application;
FIG. 4 is a flow chart of an anomaly detection method in another embodiment of the present application;
FIG. 5 is a block diagram of an abnormality detection device in one embodiment of the present application;
FIG. 6 is a block diagram of an abnormality detection device in another embodiment of the present application;
FIG. 7 is a block diagram of an abnormality detection device according to another embodiment of the present application.
Detailed Description
The terminology used in the embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to any or all possible combinations including one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in embodiments of the present application to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, a first message may also be referred to as a second message, and similarly, a second message may also be referred to as a first message, without departing from the scope of the present application. Furthermore, depending on the context, the word "if" as used herein may be interpreted as "at the time of ..." or "when ..." or "in response to a determination".
Embodiment one:
An embodiment of the present application proposes an anomaly detection method for detecting whether an anomaly occurs in service data (which may also be referred to as a service indicator). FIG. 1 is a flow chart of the method, which includes:
Step 101: an initial monitoring threshold is obtained, and anomaly detection is performed on the service data according to the initial monitoring threshold, that is, whether the service data is abnormal is detected according to the initial monitoring threshold.
The initial monitoring threshold may be configured empirically, may be determined based on a confidence interval, may be determined based on a specific parameter, and is not limited in the manner of acquiring the initial monitoring threshold.
In one example, taking the example of determining an initial monitoring threshold based on a confidence interval, the initial monitoring threshold may be obtained, which may include, but is not limited to: acquiring a confidence interval, wherein the confidence interval comprises a plurality of confidence values; a partial confidence value is selected from the plurality of confidence values for the confidence interval, and an initial monitoring threshold is determined based on the partial confidence value.
For example, a confidence interval may be empirically configured, and may include a plurality of confidence values, such as confidence value 5, confidence value 6 …, confidence value 24, confidence value 25, etc., without limitation.
All confidence values within the confidence interval may then be ranked, and a portion of the confidence values may be selected from all confidence values based on the ranking result. For example, all confidence values in the confidence interval are sorted using a normal distribution method (also called a Gaussian distribution method); the sorting method is not limited. Then, the N highest-ranked confidence values are selected; the value of N may be empirically configured, for example, 3, 4, 5% of the total number of confidence values in the confidence interval, and so on, which is not limited.
After a partial confidence value is selected from all confidence values, an initial monitoring threshold may be determined using the partial confidence value, e.g., the initial monitoring threshold may be a mean of the partial confidence values. For example, after the confidence value 10, the confidence value 11, and the confidence value 12 are selected from all the confidence values, the mean value 11 of the confidence value 10, the confidence value 11, and the confidence value 12 may be determined, and the mean value 11 may be determined as the initial monitoring threshold.
In one example, the initial monitoring threshold may be an upper limit monitoring threshold, a lower limit monitoring threshold, or a combination of a plurality of monitoring thresholds, and since the processing flow of each monitoring threshold is the same, in this embodiment, the initial monitoring threshold is exemplified as an upper limit monitoring threshold. For example, the initial monitoring threshold is 11, when the business data is greater than the initial monitoring threshold 11, the occurrence of the abnormality of the business data is detected, and an alarm can be generated to the operation and maintenance personnel, and the operation and maintenance personnel can analyze the reason of the abnormality.
In one example, different time intervals may correspond to different initial monitoring thresholds, because different time intervals tolerate anomalies to different degrees. For example, time interval A (e.g., 9 a.m. to 5 p.m.) corresponds to confidence interval A, and initial monitoring threshold A is determined based on confidence interval A; on this basis, for the service data in time interval A, if the service data is greater than initial monitoring threshold A, the service data is abnormal, and if the service data is not greater than initial monitoring threshold A, the service data is not abnormal. Time interval B (from 9 to 11) corresponds to confidence interval B, and initial monitoring threshold B is determined based on confidence interval B; on this basis, for the service data in time interval B, if the service data is greater than initial monitoring threshold B, the service data is abnormal, and if the service data is not greater than initial monitoring threshold B, the service data is not abnormal. Time interval C (from 11 p.m. to 9 a.m. the next day) corresponds to confidence interval C, and initial monitoring threshold C is determined based on confidence interval C; on this basis, for the service data in time interval C, if the service data is greater than initial monitoring threshold C, the service data is abnormal, and if the service data is not greater than initial monitoring threshold C, the service data is not abnormal.
Further, since the processing flow of the monitoring threshold value is the same for each time interval, in this embodiment, the initial monitoring threshold value is described as an example of the initial monitoring threshold value of one time interval.
In one example, after the initial monitoring threshold is obtained, the abnormal detection may be performed on the service data according to the initial monitoring threshold, for example, if the service data is greater than the initial monitoring threshold, it is indicated that the service data is abnormal, and an alarm may be generated to the operation and maintenance personnel, otherwise, it is indicated that the service data is not abnormal.
Step 102: the initial monitoring threshold is adjusted according to the anomaly detection result of the initial monitoring threshold to obtain a target monitoring threshold. Specifically, a feedback adjustment coefficient can be determined according to the anomaly detection result of the initial monitoring threshold, and the initial monitoring threshold is adjusted according to the feedback adjustment coefficient to obtain the target monitoring threshold.
In one example, determining the feedback adjustment factor based on the anomaly detection result for the initial monitoring threshold may include, but is not limited to: determining effective service data and ineffective service data according to an abnormality detection result of the initial monitoring threshold, selecting first service data from the effective service data, and selecting second service data from the ineffective service data; and determining a feedback adjustment coefficient according to the first service data and the second service data.
In one example, selecting the first service data from the valid service data may include, but is not limited to: sorting all the effective service data, and selecting the effective service data at the first position from the sorted effective service data as first service data; further, selecting the second service data from the invalid service data may include, but is not limited to: and sorting all the invalid service data, and selecting the invalid service data at the second position from the sorted invalid service data as second service data.
For example, when anomaly detection is performed on the service data according to the initial monitoring threshold, an alarm may be generated for the abnormal service data, such as service data A1 to service data A100, and the operation and maintenance personnel may analyze whether service data A1 to service data A100 are really abnormal service data; the analysis method is not limited. If the analysis result is that the data is abnormal service data, for example service data A1 to service data A60, then service data A1 to service data A60 are determined to be valid service data (i.e., valid alarms); if the analysis result is that the data is not abnormal service data, for example service data A61 to service data A100, then service data A61 to service data A100 are determined to be invalid service data (i.e., invalid alarms).
Service data A1 to service data A60 are sorted, for example in descending order (when service data A1 is greater than service data A2, service data A1 is placed first) or in ascending order (when service data A1 is greater than service data A2, service data A2 is placed first), and the M1-th valid service data (i.e., the valid service data at the first position) is selected from the sorted valid service data; this M1-th valid service data (e.g., service data A20) is taken as the first service data. The value of M1 may be empirically configured, for example 10, 11, 12, or M% (e.g., 40%, 45%) of the total amount of valid service data, and the value of M1 is not limited.
Service data A61 to service data A100 are sorted, for example in descending order (when service data A61 is greater than service data A62, service data A61 is placed first) or in ascending order (when service data A61 is greater than service data A62, service data A62 is placed first), and the M2-th invalid service data (i.e., the invalid service data at the second position) is selected from the sorted invalid service data; this M2-th invalid service data (e.g., service data A80) is taken as the second service data. The value of M2 may be empirically configured, for example 20, 21, 22, or N% (e.g., 50%, 55%) of the total amount of invalid service data, and the value of M2 is not limited.
Then, a feedback adjustment coefficient may be determined according to the first service data and the second service data. For example, when the first service data is x and the second service data is y, if x <= y, the feedback adjustment coefficient may be y * exp(y/x - 1), and if x > y, the feedback adjustment coefficient may be x / (1 + exp(-y/x)).
Of course, y * exp(y/x - 1) and x / (1 + exp(-y/x)) are just one example of the feedback adjustment coefficient, and the manner of determining the feedback adjustment coefficient is not limited as long as the coefficient is related to the first service data x and the second service data y; for example, the feedback adjustment coefficient may also be (x+y)/2, x/2+y, x/2+y/3, and the like.
When y * exp(y/x - 1) and x / (1 + exp(-y/x)) are used as feedback adjustment coefficients, they draw on ideas from logistic regression, which can guarantee that: when the values of the first service data x and the second service data y are relatively large, the change of the feedback adjustment coefficient is relatively small, and when the values of the first service data x and the second service data y are relatively small, the change of the feedback adjustment coefficient is relatively large. In this way, the feedback adjustment coefficient determined based on y * exp(y/x - 1) and x / (1 + exp(-y/x)) can reflect the change of the initial monitoring threshold, and when the initial monitoring threshold is adjusted using the feedback adjustment coefficient, the obtained target monitoring threshold is more accurate.
In one example, when the initial monitoring threshold is adjusted according to the feedback adjustment coefficient to obtain the target monitoring threshold, the sum of the feedback adjustment coefficient and the initial monitoring threshold may be determined as the target monitoring threshold.
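The adjustment in step 102, written out as an added example (this code is not from the patent): analyst-reviewed alerts are split into valid and invalid, the M1-th and M2-th values are selected, the coefficient is computed with the two formulas above, and the labelled alerts are replayed against the resulting target threshold. The function names, the sample alert values and the rounding of a percentage position are assumptions of this example; the initial threshold 11 is the value used in the text.

```python
import math

def feedback_coefficient(x, y):
    """Coefficient from the first (x) and second (y) service data, per the two formulas."""
    if x <= 0:
        raise ValueError("x must be positive: both formulas divide by x")
    if x <= y:
        return y * math.exp(y / x - 1)
    return x / (1 + math.exp(-y / x))

def select_at(values, position, descending=True):
    """Return the value at a 1-based position after sorting.

    position is an int (e.g. 10) or a fraction of the total (e.g. 0.40 for 40%).
    Rounding a fractional position up is an assumption of this example.
    """
    ordered = sorted(values, reverse=descending)
    if isinstance(position, float):
        index = math.ceil(position * len(ordered))
    else:
        index = position
    if not 1 <= index <= len(ordered):
        raise ValueError(f"position {position!r} is outside the {len(ordered)} values")
    return ordered[index - 1]

def adjust_threshold(initial, reviewed_alerts, m1, m2):
    """reviewed_alerts: (value, analyst_confirmed_anomaly) pairs raised by `initial`."""
    valid = [v for v, confirmed in reviewed_alerts if confirmed]
    invalid = [v for v, confirmed in reviewed_alerts if not confirmed]
    if not valid or not invalid:
        raise ValueError("need at least one valid and one invalid alert")
    x = select_at(valid, m1)      # first service data
    y = select_at(invalid, m2)    # second service data
    coefficient = feedback_coefficient(x, y)
    # Target threshold = initial threshold + feedback adjustment coefficient.
    return {"x": x, "y": y, "coefficient": coefficient, "target": initial + coefficient}

def replay(reviewed_alerts, threshold):
    """Count what an upper-limit threshold would do to already-labelled alerts."""
    counts = {"valid_still_alerting": 0, "valid_missed": 0,
              "invalid_still_alerting": 0, "invalid_suppressed": 0}
    for value, confirmed in reviewed_alerts:
        fires = value > threshold
        if confirmed:
            counts["valid_still_alerting" if fires else "valid_missed"] += 1
        else:
            counts["invalid_still_alerting" if fires else "invalid_suppressed"] += 1
    return counts

# Constructed sample: requests per minute that exceeded the initial threshold,
# each with the operator's verdict (True = real anomaly, False = false alarm).
INITIAL_THRESHOLD = 11
REVIEWED_ALERTS = [(30, True), (28, True), (25, True), (22, True), (20, True),
                   (18, False), (16, False), (14, False), (13, False), (12, False)]

if __name__ == "__main__":
    result = adjust_threshold(INITIAL_THRESHOLD, REVIEWED_ALERTS, m1=0.40, m2=0.50)
    print(result)
    print(replay(REVIEWED_ALERTS, result["target"]))
```

Replaying the labelled alerts against the target threshold before switching over shows how many confirmed anomalies the new value would stop reporting, alongside the false alarms it removes.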
Step 103: anomaly detection is performed on the service data according to the target monitoring threshold. That is, after the target monitoring threshold is obtained, whether the service data is abnormal is detected according to the target monitoring threshold, and anomaly detection is no longer performed on the service data according to the initial monitoring threshold.
In one example, anomaly detection of traffic data based on the target monitoring threshold may include, but is not limited to: if the business data is larger than the target monitoring threshold, the business data is abnormal, an alarm can be generated to operation and maintenance personnel, and if the business data is not larger than the target monitoring threshold, the business data is not abnormal. Alternatively, anomaly detection may be performed on the traffic data based on the traffic data residual and the target monitoring threshold. Of course, other manners of detecting the abnormality of the service data may be adopted, and the manner of detecting the abnormality is not limited, as long as the abnormality of the service data can be detected by using the target monitoring threshold.
In one example, taking the anomaly detection of the service data according to the service data residual error and the target monitoring threshold as an example, the anomaly detection process of the service data may include the following steps:
Step 1031: a data set is determined, the data set comprising predicted service data for a plurality of time points.
In one example, determining the data set may include, but is not limited to, the following: acquiring historical service data and predicting service data of a plurality of time points behind the current time point; then, processing the historical service data and the service data of the plurality of time points, and determining the processed service data as predicted service data; the predicted traffic data may then be added to the data set.
Of course, the above manner is merely one example of determining a data set, and is not limited in this regard. For example, after the historical business data is obtained, the historical business data may be determined as predicted business data and the predicted business data added to the data set. Alternatively, after predicting the service data of a plurality of time points subsequent to the current time point, the service data of the plurality of time points may be determined as predicted service data, and the predicted service data may be added to the data set. Or, after predicting the service data of a plurality of time points after the current time point, the service data of the plurality of time points may be further processed, the processed service data may be determined as predicted service data, and the predicted service data may be added to the data set.
The manner of determining the data set is described below in connection with a specific application scenario. In this application scenario, the data set is taken to be a baseline as an example, and the baseline may include predicted service data at a plurality of time points.
First, historical service data is acquired, such as all service data in the past 24 hours. Data preprocessing is performed on the historical service data to filter out invalid historical service data and keep the valid historical service data. The remaining historical service data is arranged in time order to form a curve whose abscissa is time and whose ordinate is the value of the historical service data; the curve of the service data is shown in FIG. 2A.
The data preprocessing of the historical service data may include, but is not limited to: filtering out abnormal data such as noise and stress-test data from the historical service data, for example by median filtering or box-plot denoising. The data preprocessing method is not limited.
Then, the traffic data at a plurality of time points subsequent to the current time point can be predicted. Specifically, a difference between the service data at the current time point and the average value of the service data at M (e.g., 50) time points before the current time point may be determined, and further, the difference may be mapped to N (e.g., 100) time points after the current time point, so as to obtain the service data at N time points after the current time point.
For example, after service data A at the current time point is obtained, the service data at the 50 time points before the current time point is determined, and the mean B of the service data at those 50 time points is determined. The difference C between service data A at the current time point and mean B is determined (i.e., difference C = service data A - mean B), and the service data at each of the 100 time points after the current time point is then determined to be service data A plus difference C.
Then, the service data of the 100 time points is formed into a straight line whose abscissa is time and whose ordinate is the service data of the 100 time points, and the curve of the historical service data (as shown in FIG. 2A) is combined with the service data of the 100 time points to obtain a new curve, as shown in FIG. 2B. Further, the curve shown in FIG. 2B is fitted, and the fitted curve is smoothed; the manner of fitting and smoothing is not limited. The curve shown in FIG. 2C is finally obtained.
In the above embodiment, when the curve is fitted and the fitted curve is smoothed, working days and holidays may be distinguished: for working-day service data, the curve may be fitted and then smoothed using the STL (Seasonal and Trend decomposition using Loess, a time series decomposition) algorithm; for holiday service data, the curve may be fitted and then smoothed using a smoothing algorithm.
Further, after the curve shown in FIG. 2C is obtained (this curve may also be referred to as a baseline), the service data at each time point in the curve may be taken as the predicted service data at that time point, and the predicted service data at each time point in the curve may be taken as the predicted service data in the data set.
Step 1032, determining a service data residual of the current time point according to the actual service data of the current time point and the predicted service data corresponding to the current time point in the data set, where the service data residual may be a difference between the actual service data of the current time point and the predicted service data of the current time point.
For example, assume that the current time point is time point A (which may not be the same as the current time point in step 1041; e.g., time point A is the 10th time point after the current time point in step 1041). After the service data of time point A is acquired, this service data may be referred to as actual service data for convenience of distinction. In addition, the predicted service data for time point A may be queried from the data set (e.g., service data A plus difference C). Then, the difference between the actual service data at time point A and the predicted service data at time point A may be determined, and this difference is determined as the service data residual at time point A.
Step 1033, performing anomaly detection on the actual service data according to the service data residual error and the target monitoring threshold, that is, performing anomaly detection on the actual service data at the current time point according to the service data residual error corresponding to the actual service data at the current time point and the target monitoring threshold.
In one example, performing anomaly detection on the actual service data based on the service data residual and the target monitoring threshold may include, but is not limited to: performing anomaly detection on the actual service data at the current time point according to the service data residual, the historical residual mean, the historical residual variance and the target monitoring threshold. Of course, the above is only one example of anomaly detection of the actual service data and is not limiting, as long as anomaly detection of the actual service data can be performed according to the service data residual and the target monitoring threshold.
Specifically, if the difference between the service data residual error and the historical residual error mean value is greater than the product of the historical residual error variance and the target monitoring threshold value, determining that the actual service data at the current time point is abnormal; or if the difference between the service data residual and the historical residual mean is not greater than the product of the historical residual variance and the target monitoring threshold, determining that the actual service data at the current time point is not abnormal.
Prior to the above steps, a historical residual mean and a historical residual variance may be determined. The historical residual mean may be the mean of the service data residuals at a plurality of time points (e.g., T time points) before the current time point, and the historical residual variance may be the variance of the service data residuals at the plurality of time points before the current time point.
For example, assuming that the current time point is time point A, for each of the T time points before time point A, the actual service data of the time point and the predicted service data corresponding to the time point in the data set may be determined, and the difference between the actual service data of the time point and the predicted service data of the time point is determined as the service data residual of the time point, so that service data residuals of T time points are obtained in total. Then, the average value of the service data residuals at the T time points is determined as the historical residual mean, and the variance of the service data residuals at the T time points is determined as the historical residual variance.
Through the above processing, the service data residual at the current time point, the historical residual mean and historical residual variance over a plurality of time points before the current time point, and the target monitoring threshold can be obtained. Further, if the difference between the service data residual and the historical residual mean is greater than the product of the historical residual variance and the target monitoring threshold, it is determined that the actual service data at the current time point is abnormal, and an alarm is generated for the operation and maintenance personnel; if the difference between the service data residual and the historical residual mean is not greater than the product of the historical residual variance and the target monitoring threshold, it is determined that the actual service data at the current time point is not abnormal.
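The baseline extension and the residual check of steps 1032 and 1033 can be sketched as follows. This is an added example, not code from the patent: the function names, the use of population variance, the optional two-sided comparison and the sample series are assumptions, and the fitting and smoothing step is left out.

```python
from statistics import fmean, pvariance


def extend_baseline(history, m, n):
    """Predict n future points as A + C, where A is the current value and
    C = A - B, with B the mean of the m points before the current one."""
    if len(history) < m + 1:
        raise ValueError("need the current point plus m earlier points")
    a = history[-1]
    b = fmean(history[-(m + 1):-1])
    c = a - b
    return [a + c] * n


def residual_series(actual, predicted):
    """Service data residual per time point: actual minus predicted."""
    if len(actual) != len(predicted):
        raise ValueError("actual and predicted must be aligned")
    return [x - p for x, p in zip(actual, predicted)]


def is_anomalous(residual, past_residuals, threshold, two_sided=False):
    """Rule as stated in the text: (residual - historical mean) greater than
    (historical variance * target monitoring threshold).

    The text compares a signed difference, so only upward deviations can
    trigger; two_sided=True (an assumption, not in the text) uses the
    absolute difference instead. Population variance is also an assumption.
    When the past residuals are constant the variance is 0 and any positive
    deviation is flagged.
    """
    mean = fmean(past_residuals)
    var = pvariance(past_residuals)
    deviation = residual - mean
    if two_sided:
        deviation = abs(deviation)
    return deviation > var * threshold


def detect_current(actual, predicted, t, threshold, two_sided=False):
    """Check the last point against the t residuals that precede it."""
    res = residual_series(actual, predicted)
    if len(res) < t + 1:
        raise ValueError("need the current point plus t earlier points")
    return is_anomalous(res[-1], res[-(t + 1):-1], threshold, two_sided)


# Constructed sample: a flat baseline of 100 and six observed values.
# Past residuals are [1, -1, 2, -2, 0]: mean 0, variance 2.
PREDICTED = [100] * 6
ACTUAL = [101, 99, 102, 98, 100, 107]

if __name__ == "__main__":
    print(extend_baseline([10, 10, 10, 10, 12], m=4, n=3))
    print(detect_current(ACTUAL, PREDICTED, t=5, threshold=3))
```

Because the rule multiplies the threshold by the variance rather than the standard deviation, the effective alarm band scales with the square of the residual spread, which matters when choosing the target monitoring threshold.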
In one example, the target monitoring threshold may also be adjusted while anomaly detection is being performed on the service data based on the target monitoring threshold. To adjust the target monitoring threshold, the target monitoring threshold may be taken as the initial monitoring threshold, and steps 101-104 are then executed again; the only difference is that the initial monitoring threshold in step 101 is the target monitoring threshold to be updated, and the other processes are the same and are not described again here.
In summary, at intervals the current target monitoring threshold can be taken as the initial monitoring threshold, the feedback adjustment coefficient is then redetermined, and the initial monitoring threshold is adjusted according to the feedback adjustment coefficient to obtain a new target monitoring threshold. In this way the target monitoring threshold is continuously adjusted and dynamically updated, which makes the target monitoring threshold and the anomaly detection result more accurate.
In one example, the above execution sequence is only given for convenience of description, and in practical application, the execution sequence between steps may be changed, which is not limited. In other embodiments, the steps of the corresponding methods are not necessarily performed in the order shown and described herein, and may include more or less steps than described herein. Furthermore, individual steps described in this specification, in other embodiments, may be described as being split into multiple steps; various steps described in this specification, in other embodiments, may be combined into a single step.
Based on the above technical scheme, in the embodiment of the application, the monitoring threshold does not need to be set manually by operation and maintenance personnel and can be adjusted automatically, so that the monitoring threshold is more accurate. This avoids both the problem of a large number of service data alarms with low anomaly detection accuracy and the problem of a small number of service data alarms with serious missed reports. Anomaly detection can be carried out according to the trend of the historical service data, abnormal service data can be detected automatically, and the alarm accuracy is improved.
Embodiment two:
An embodiment of the present application proposes an anomaly detection method for detecting whether service data (which may also be referred to as a service indicator) is abnormal. Fig. 3 is a flow chart of the method, and the method includes:
Step 301, acquiring service data of a current time point, namely actual service data of the current time point.
Step 302, a data set is generated according to the service data of the current time point. The data set may include service data at time points within the first time window (e.g., service data at all time points within the first time window), and the current time point is the last time point within the first time window.
The length of the first time window may be empirically configured; for example, a length of N indicates that the first time window includes N time points, where N is, for example, 5. Thus, the data set may comprise service data for the N time points within the first time window, the current time point being the last of the N time points and the other time points being the N-1 time points preceding the current time point.
For example, assuming that the first time window is 5 minutes in length, with one time point per minute, and the current time point is 2018.8.2-10:00, the data set may include, in order, service data 1 at time point 2018.8.2-09:56, service data 2 at time point 2018.8.2-09:57, service data 3 at time point 2018.8.2-09:58, service data 4 at time point 2018.8.2-09:59, and service data 5 at time point 2018.8.2-10:00.
Step 303, determining statistical features of the data set.
The statistical features may include, but are not limited to, one or any combination of the following: the mean of the service data at time points (e.g., all time points) within the first time window; the variance of the service data at time points (e.g., all time points) within the first time window; the service data of the current time point; the difference between the service data at the current time point and the service data at a specified time point (e.g., the time point preceding the current time point); which minute of the day the current time point is; which day of the month the current time point is; which day of the week the current time point is; which hour of the day the current time point is.
Of course, the foregoing is merely an example of a statistical feature, and the content of the statistical feature is not limited.
For example, the statistical features of the data set may include: the mean of service data 1, service data 2, service data 3, service data 4, service data 5; the variance of service data 1, service data 2, service data 3, service data 4, service data 5; service data 5; the difference between service data 5 and service data 4; the 600th minute of the day; day 2 of the month; day 4 of the week; the 10th hour of the day.
Step 304, a feature value corresponding to the statistical feature is determined.
In one example, determining the feature value corresponding to the statistical feature may include, but is not limited to, the following: querying the mapping table with the statistical features to obtain the feature value corresponding to the statistical features.
In one example, a mapping table may be generated in advance, where the mapping table is used to record a correspondence between a statistical feature and a feature value, so after obtaining a statistical feature of a data set, the mapping table may be queried through the statistical feature of the data set to obtain the feature value corresponding to the statistical feature.
Step 305, performing anomaly detection on the service data at the current time point according to the feature value.
Specifically, if the feature value is a first feature value (for example, 1, and the first feature value 1 indicates that an abnormality occurs), determining that the service data at the current time point is abnormal; or if the feature value is a second feature value (e.g. 0, and the second feature value 0 indicates that no abnormality occurs), determining that no abnormality occurs in the service data at the current time point.
In the above embodiment, the mapping table may be configured empirically, or may be trained according to historical service data; the manner of generating the mapping table is not limited, and training the mapping table according to the historical service data is taken as an example here. Further, the process of training the mapping table based on the historical service data may include, but is not limited to: dividing the historical service data into a plurality of second time windows, wherein the lengths of different second time windows are the same, and the length of the second time window is the same as that of the first time window; and determining the statistical features of the second time window and the feature value of the second time window, and recording the correspondence between the statistical features (namely the statistical features of the second time window) and the feature value (namely the feature value of the second time window) in the mapping table.
The statistical features may include, but are not limited to, one or any combination of the following: the mean of the service data at all time points in the second time window; the variance of the service data at all time points within the second time window; the service data of the last time point in the second time window; the difference between the service data at the last time point in the second time window and the service data at the penultimate time point in the second time window; which minute of the day the last time point in the second time window is; which day of the month the last time point in the second time window is; which day of the week the last time point in the second time window is; which hour of the day the last time point in the second time window is.
For example, assuming that the second time window is 5 minutes in length, with one time point per minute, and the historical service data includes all service data between time point 2018.7.1-00:01 and time point 2018.7.31-24:00, the historical service data may be divided into a plurality of second time windows, each of which includes 5 service data. For example, the second time window 1 may include service data at time point 2018.7.1-00:01, service data at time point 2018.7.1-00:02, service data at time point 2018.7.1-00:03, service data at time point 2018.7.1-00:04, and service data at time point 2018.7.1-00:05. The second time window 2 may include service data at time point 2018.7.1-00:02, service data at time point 2018.7.1-00:03, service data at time point 2018.7.1-00:04, service data at time point 2018.7.1-00:05, and service data at time point 2018.7.1-00:06. The second time window 3 may include service data at time point 2018.7.1-00:03, service data at time point 2018.7.1-00:04, service data at time point 2018.7.1-00:05, service data at time point 2018.7.1-00:06, and service data at time point 2018.7.1-00:07.
And so on: with a sliding window of length 5, the historical service data is divided into a plurality of second time windows, each of which corresponds to the service data of 5 consecutive time points. For each second time window, taking the second time window 1 as an example, the statistical features can comprise: the mean of all the service data in the second time window 1; the variance of all the service data within the second time window 1; the service data at time point 2018.7.1-00:05; the difference between the service data at time point 2018.7.1-00:05 and the service data at time point 2018.7.1-00:04; the 5th minute of the day; day 1 of the month; day 7 of the week; hour 1 of the day.
For each second time window, taking the second time window 1 as an example, the feature value of the second time window 1 may also be determined. For example, if none of the service data of the second time window 1 is abnormal, the feature value of the second time window 1 is determined to be the second feature value; if any one or more of the service data of the second time window 1 are abnormal, the feature value of the second time window 1 is determined to be the first feature value.
Further, for each second time window, after the statistical feature and the feature value of the second time window are obtained, the corresponding relationship between the statistical feature and the feature value may be recorded in the mapping table.
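The feature extraction, mapping-table training and lookup described in this embodiment can be sketched as below. This is an added example, not code from the patent: the function names, the exact-match dictionary lookup, the handling of conflicting windows, the result returned for unseen features and the sample data are assumptions.

```python
from datetime import datetime, timedelta
from math import ceil
from statistics import fmean, pvariance


def window_features(times, values):
    """All eight statistical features of one window, keyed by name."""
    last_time = times[-1]
    minute_of_day = last_time.hour * 60 + last_time.minute
    return {
        "mean": fmean(values),
        "variance": pvariance(values),  # population variance (assumption)
        "last": values[-1],
        "delta": values[-1] - values[-2],
        "minute_of_day": minute_of_day,        # 10:00 -> 600, 00:05 -> 5
        "day_of_month": last_time.day,
        "day_of_week": last_time.isoweekday(),  # Monday=1 ... Sunday=7
        # Rounded up so that 00:05 is hour 1 and 10:00 is hour 10,
        # matching the worked examples in the text.
        "hour_of_day": ceil(minute_of_day / 60),
    }


def feature_key(times, values, names):
    """Lookup key built from the chosen combination of features."""
    feats = window_features(times, values)
    return tuple(feats[name] for name in names)


def train_mapping_table(times, values, labels, n, names):
    """Slide a window of length n over labelled history and record
    statistical features -> feature value (1 = abnormal, 0 = not)."""
    table = {}
    for end in range(n, len(values) + 1):
        start = end - n
        key = feature_key(times[start:end], values[start:end], names)
        value = 1 if any(labels[start:end]) else 0
        # If two windows share a key, keep the abnormal value (assumption).
        table[key] = max(table.get(key, 0), value)
    return table


def detect(table, times, values, n, names):
    """Feature value for the window ending at the current time point,
    or None when the features were never seen in training (assumption)."""
    return table.get(feature_key(times[-n:], values[-n:], names))


def sample_times(end, n=5):
    """n consecutive one-minute time points ending at `end`."""
    return [end - timedelta(minutes=n - 1 - i) for i in range(n)]


# Constructed history: one abnormal point (50) in otherwise flat data.
START = datetime(2018, 7, 1, 0, 1)
HIST_VALUES = [5, 5, 5, 5, 5, 5, 5, 50, 5, 5]
HIST_LABELS = [0, 0, 0, 0, 0, 0, 0, 1, 0, 0]
HIST_TIMES = [START + timedelta(minutes=i) for i in range(len(HIST_VALUES))]
# A combination of three of the eight features; keys that include
# calendar features only match windows ending at the same calendar position.
NAMES = ("mean", "last", "delta")
TABLE = train_mapping_table(HIST_TIMES, HIST_VALUES, HIST_LABELS, 5, NAMES)

if __name__ == "__main__":
    now = sample_times(datetime(2018, 8, 2, 10, 0))
    print(detect(TABLE, now, [5, 5, 5, 5, 50], 5, NAMES))
```

An exact-match table returns nothing for any feature combination that did not occur in the history, so a deployment has to decide how such misses are treated.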
In one example, the above execution sequence is only given for convenience of description, and in practical application, the execution sequence between steps may be changed, which is not limited. In other embodiments, the steps of the corresponding methods are not necessarily performed in the order shown and described herein, and may include more or less steps than described herein. Furthermore, individual steps described in this specification, in other embodiments, may be described as being split into multiple steps; various steps described in this specification, in other embodiments, may be combined into a single step.
Based on the above technical scheme, in the embodiment of the application, the monitoring threshold does not need to be set manually by operation and maintenance personnel, and the statistical features of the data set containing the service data of the current time point can be used to detect the service data of the current time point. This avoids both the problem of a large number of service data alarms with low anomaly detection accuracy and the problem of a small number of service data alarms with serious missed reports. Moreover, abnormal service data can be detected automatically, and the alarm accuracy is improved.
Embodiment three:
An embodiment of the present application proposes an anomaly detection method for detecting whether service data (which may also be referred to as a service indicator) is abnormal. Fig. 4 is a flow chart of the method, and the method includes:
Step 401, acquiring service data of a current time point, namely actual service data of the current time point.
Step 402, performing anomaly detection on the service data at the current time point by using a plurality of detection strategies (such as three or more detection strategies) to obtain a detection result of each detection strategy; the detection result of each detection policy may be that the service data is abnormal or that the service data is not abnormal.
Step 403, if the detection result of at least two detection strategies is that the service data is abnormal, it can be determined that the final detection result of the service data is that the service data is abnormal; if the detection result of one detection strategy is that the service data is abnormal, or if the detection results of all the detection strategies are that the service data is not abnormal, it can be determined that the final detection result of the service data is that the service data is not abnormal.
In this embodiment, a plurality of detection policies (e.g., three or more detection policies) may be adopted to perform anomaly detection on service data at a current time point, so as to obtain a detection result of each detection policy; thus, when only the detection result of one detection strategy is that the service data is abnormal, or the detection results of all the detection strategies are that the service data is not abnormal, the final detection result of the service data can be determined that the service data is not abnormal; when the detection results of at least two detection strategies are abnormal, determining that the final detection result of the service data is abnormal, thereby improving the detection accuracy.
In one example, the detection strategies described above may include, but are not limited to: a threshold detection policy, a feature detection policy and a residual detection policy. Of course, these are just a few examples of detection policies and are not limiting.
When the detection policy is a threshold detection policy, the threshold detection policy may be used to perform anomaly detection on the service data. Specifically, an initial monitoring threshold value can be obtained, and abnormal detection is performed on the service data according to the initial monitoring threshold value; then, the initial monitoring threshold value is adjusted according to the abnormal detection result of the initial monitoring threshold value to obtain a target monitoring threshold value (for example, a feedback adjustment coefficient is determined according to the abnormal detection result of the initial monitoring threshold value; the initial monitoring threshold value is adjusted according to the feedback adjustment coefficient to obtain the target monitoring threshold value); and carrying out anomaly detection on the service data at the current time point according to the target monitoring threshold.
Determining the feedback adjustment factor based on the anomaly detection result for the initial monitoring threshold may include, but is not limited to: determining effective service data and ineffective service data according to an abnormality detection result of the initial monitoring threshold, selecting first service data from the effective service data, and selecting second service data from the ineffective service data; then, a feedback adjustment factor is determined based on the first traffic data and the second traffic data.
Performing anomaly detection on the service data at the current time point according to the target monitoring threshold may include, but is not limited to: determining a data set, which may include predicted service data for a plurality of time points; then, determining the service data residual of the current time point according to the actual service data of the current time point and the predicted service data corresponding to the current time point in the data set; then, performing anomaly detection on the actual service data at the current time point according to the service data residual and the target monitoring threshold.
Determining a data set may include, but is not limited to: acquiring historical service data and predicting service data of a plurality of time points after the current time point; then, processing the historical service data and the service data of the plurality of time points, and determining the processed service data as predicted service data; the predicted service data is then added to the data set, so that the data set is obtained.
Performing anomaly detection on the actual service data at the current time point based on the service data residual and the target monitoring threshold may include, but is not limited to: performing anomaly detection on the actual service data at the current time point according to the service data residual, the historical residual mean, the historical residual variance and the target monitoring threshold.
When the detection policy is a threshold detection policy, for the process of performing anomaly detection on the service data by using the threshold detection policy, reference may be made to the implementation of the first embodiment, and the description thereof will not be repeated here.
When the detection policy is a feature detection policy, the feature detection policy may be used to perform anomaly detection on the service data. Specifically, a data set can be generated according to the service data of the current time point, and the statistical features of the data set are determined; then, the feature value corresponding to the statistical features is determined, and anomaly detection is performed on the service data of the current time point according to the feature value. Further, the data set may include, but is not limited to: service data of time points in the first time window, wherein the current time point is the last time point in the first time window. Moreover, the statistical features may include, but are not limited to, one or any combination of the following: the mean of the service data at time points within the first time window; the variance of the service data at time points within the first time window; the service data of the current time point; the difference between the service data at the current time point and the service data at a specified time point; which minute of the day the current time point is; which day of the month the current time point is; which day of the week the current time point is; which hour of the day the current time point is.
Determining a feature value corresponding to the statistical feature may include, but is not limited to: inquiring a mapping table through the statistical characteristics to obtain characteristic values corresponding to the statistical characteristics; the mapping table may be used to record the correspondence between the statistical features and the feature values. To generate the mapping table, the following may also be used: dividing the historical service data into a plurality of second time windows, wherein the lengths of different second time windows are the same, and the lengths of the second time windows are the same as those of the first time windows; determining the statistical characteristics of the second time window and the characteristic values of the second time window; and recording the corresponding relation between the statistical features and the feature values in the mapping table.
The abnormal detection of the service data at the current time point according to the characteristic value may include, but is not limited to: if the characteristic value is the first characteristic value, determining that the service data at the current time point is abnormal; if the characteristic value is the second characteristic value, it can be determined that no abnormality occurs in the service data at the current time point.
When the detection policy is a feature detection policy, for the process of performing anomaly detection on the service data by using the feature detection policy, reference may be made to implementation of the second embodiment, and detailed description is not repeated here.
When the detection policy is a residual detection policy, the residual detection policy may be used to perform anomaly detection on the service data. Specifically, a third time window and a fourth time window are determined, wherein the third time window and the fourth time window both comprise the current time point, and the length of the fourth time window is greater than that of the third time window; determining a first mean value according to the service data residual error of each time point in the third time window, and determining a second mean value and a variance according to the service data residual error of each time point in the fourth time window; and carrying out anomaly detection on the service data according to the first mean value, the second mean value and the variance.
In one example, a data set may also be determined, which may include predicted service data for a plurality of time points; then, the service data residual of each time point in the third time window is determined according to the actual service data of the time point and the predicted service data corresponding to the time point in the data set; furthermore, the service data residual of each time point in the fourth time window can be determined according to the actual service data of the time point and the predicted service data corresponding to the time point in the data set.
The following describes the procedure for performing anomaly detection on service data using the residual detection policy, with reference to specific embodiments. When the residual detection policy is adopted to perform anomaly detection on service data, a data set is first determined, wherein the data set comprises predicted service data of a plurality of time points; for example, historical service data may be acquired and service data for a plurality of time points after the current time point may be predicted; the historical service data and the service data of the plurality of time points are processed, and the processed service data is determined as predicted service data; the predicted service data is added to the data set; the specific determination may be found in step 1041.
Then, two time windows are selected, which are respectively called a third time window and a fourth time window, wherein the third time window and the fourth time window both comprise the current time point, and the length of the fourth time window is larger than that of the third time window. The length of the third time window may be empirically configured, e.g., the length is W, which indicates that W time points are included in the third time window, e.g., W is 5, etc. The length of the fourth time window may be empirically configured, for example, the length is S, which indicates that the fourth time window includes S time points, for example, S is 10000, where the value of S may be far greater than the value of W.
Among the W time points included in the third time window, the current time point may be the last time point of the W time points, and the other time points may be W-1 time points before the current time point. Further, among S time points included in the fourth time window, the current time point may be a last time point among the S time points, and the other time points may be S-1 time points before the current time point.
For each time point in the third time window, determining a service data residual error of the time point, namely, a difference between the actual service data and the predicted service data according to the actual service data of the time point and the predicted service data corresponding to the time point in the data set; then, determining the average value of the service data residual errors of each time point in the third time window to obtain a first average value. For each time point in the fourth time window, determining a service data residual error of the time point, namely, a difference between the actual service data and the predicted service data according to the actual service data of the time point and the predicted service data corresponding to the time point in the data set; then, determining the average value of the service data residual error of each time point in the fourth time window, obtaining a second average value, and determining the variance of the service data residual error of each time point in the fourth time window.
Furthermore, anomaly detection can be performed on the service data according to the first mean value, the second mean value and the variance. For example, assuming that the first mean is W1, the second mean is W2, and the variance is S, then: if the condition given by the formula (Figures BDA0001781596520000191 and BDA0001781596520000192, images in the original publication that are not reproduced here) is true, it can be determined that the service data is abnormal; if the condition given by the formula (Figures BDA0001781596520000193 and BDA0001781596520000194, likewise not reproduced here) is not true, it can be determined that the service data is not abnormal. Here erf represents the error function. Of course, the foregoing is merely an example, and the detection manner is not limited, as long as anomaly detection is performed on the service data according to the first mean value, the second mean value and the variance.
Based on the application concept similar to the method, the embodiment of the application further provides an abnormality detection device, as shown in fig. 5, which is a structural diagram of the device, where the device may include:
an obtaining module 501, configured to obtain an initial monitoring threshold; the detection module 502 is configured to perform anomaly detection on the service data according to the initial monitoring threshold; the obtaining module 501 is further configured to adjust the initial monitoring threshold according to an anomaly detection result of the initial monitoring threshold, to obtain a target monitoring threshold; the detection module 502 is further configured to perform anomaly detection on service data according to the target monitoring threshold.
When adjusting the initial monitoring threshold according to the anomaly detection result of the initial monitoring threshold, the obtaining module 501 is specifically configured to: determining a feedback adjustment coefficient according to the anomaly detection result of the initial monitoring threshold; and adjusting the initial monitoring threshold according to the feedback adjustment coefficient to obtain a target monitoring threshold.
The detection module 502 is specifically configured to: determining a data set, the data set comprising predicted traffic data for a plurality of points in time; determining a service data residual error of the current time point according to the actual service data of the current time point and the predicted service data corresponding to the current time point in the data set; and carrying out anomaly detection on the actual service data according to the service data residual error and the target monitoring threshold value.
The detection module 502 is specifically configured to, when determining the data set: acquiring historical service data and predicting service data of a plurality of time points after the current time point; processing the historical service data and the service data of the plurality of time points; determining the processed service data as predicted service data; and adding the predicted service data to the data set.
Based on the same concept as the above method, the present embodiment also provides an abnormality detection apparatus including: a processor and a machine-readable storage medium; the machine-readable storage medium has stored thereon computer instructions which, when executed by the processor, perform the following: acquiring an initial monitoring threshold value, and carrying out anomaly detection on service data according to the initial monitoring threshold value; adjusting the initial monitoring threshold according to an abnormal detection result of the initial monitoring threshold to obtain a target monitoring threshold; and carrying out anomaly detection on the business data according to the target monitoring threshold.
The present embodiment also provides a machine-readable storage medium having stored thereon computer instructions that, when executed, perform the following: acquiring an initial monitoring threshold value, and performing anomaly detection on service data according to the initial monitoring threshold value; adjusting the initial monitoring threshold according to an abnormal detection result of the initial monitoring threshold to obtain a target monitoring threshold; and carrying out anomaly detection on the business data according to the target monitoring threshold.
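The threshold flow described above (initial threshold, feedback adjustment, target threshold) can be sketched as follows. This is an added example, not code from the patent: the decision rule follows claim 9 and the sum in claim 6, while the way the feedback coefficient is derived (midpoint of the lowest confirmed score and the highest false-alarm score), the reading of "valid" as operator-confirmed alerts, and all sample values are assumptions.

```python
from statistics import mean, pvariance


def is_abnormal(residual, hist_mean, hist_var, threshold):
    """Claim 9 rule: abnormal when (residual - historical residual mean)
    exceeds (historical residual variance * monitoring threshold)."""
    return (residual - hist_mean) > hist_var * threshold


def score(residual, hist_mean, hist_var):
    """Deviation in units of the historical variance, so the rule above
    is equivalent to score > threshold when hist_var > 0."""
    return (residual - hist_mean) / hist_var


def detect(actual, predicted, hist_residuals, threshold):
    """Return [(time_index, score)] for every point flagged at `threshold`."""
    hist_mean = mean(hist_residuals)
    hist_var = pvariance(hist_residuals)
    if hist_var <= 0:
        raise ValueError("historical residuals must not be constant")
    flagged = []
    for t, (a, p) in enumerate(zip(actual, predicted)):
        residual = a - p  # service data residual error of time point t
        if is_abnormal(residual, hist_mean, hist_var, threshold):
            flagged.append((t, score(residual, hist_mean, hist_var)))
    return flagged


def feedback_coefficient(valid_scores, invalid_scores, initial_threshold):
    """ASSUMED derivation, not the patent's formula.

    The valid and invalid alerts are each sorted and one element is picked
    from each (here: lowest valid score, highest invalid score). The
    coefficient moves the threshold to the midpoint between the two picks.
    Without feedback in both classes the threshold is left unchanged.
    """
    if not valid_scores or not invalid_scores:
        return 0.0
    first = sorted(valid_scores)[0]      # "first service data"
    second = sorted(invalid_scores)[-1]  # "second service data"
    return (first + second) / 2 - initial_threshold


# Constructed sample data: flat forecast, a few excursions in the actuals.
PREDICTED = [100.0] * 8
ACTUAL = [101.0, 110.0, 99.0, 125.0, 100.0, 112.0, 140.0, 98.0]
HIST_RESIDUALS = [-2.0, 2.0, -2.0, 2.0]  # mean 0.0, variance 4.0
INITIAL_THRESHOLD = 2.0
CONFIRMED = {3, 6}  # constructed operator feedback: alerts that were real


def demo():
    """Run detection, adjust the threshold from feedback, run it again."""
    first_pass = detect(ACTUAL, PREDICTED, HIST_RESIDUALS, INITIAL_THRESHOLD)
    valid = [s for t, s in first_pass if t in CONFIRMED]
    invalid = [s for t, s in first_pass if t not in CONFIRMED]
    coeff = feedback_coefficient(valid, invalid, INITIAL_THRESHOLD)
    target = INITIAL_THRESHOLD + coeff  # claim 6: sum of the two
    second_pass = detect(ACTUAL, PREDICTED, HIST_RESIDUALS, target)
    return ([t for t, _ in first_pass], coeff, target,
            [t for t, _ in second_pass])


if __name__ == "__main__":
    print(demo())
```

Note that the rule multiplies the threshold by the variance, as the claim is worded, rather than by the standard deviation, so the threshold's effective scale depends on the units of the monitored metric.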
Based on the same application concept as the above method, the embodiment of the present application further provides an abnormality detection device, as shown in fig. 6, which is a structural diagram of the device, where the device may include:
an obtaining module 601, configured to obtain service data of a current time point;
a generating module 602, configured to generate a data set according to the service data of the current time point;
a determining module 603, configured to determine a statistical feature of the data set;
the determining module 603 is further configured to determine a feature value corresponding to the statistical feature;
and the detection module 604 is configured to perform anomaly detection on the service data according to the feature value.
The data set comprises business data of a time point in a first time window, and the current time point is the last time point in the first time window;
wherein the statistical features include one or any combination of the following: the mean value of the service data at the time points within the first time window; the variance of the service data at the time points within the first time window; the service data of the current time point; the difference between the service data at the current time point and the service data at the designated time point; which minute of the day the current time point is; which day of the month the current time point is; which day of the week the current time point is; which hour of the day the current time point is.
Based on the same concept as the above method, the present embodiment also provides an abnormality detection apparatus including: a processor and a machine-readable storage medium; the machine-readable storage medium has stored thereon computer instructions which, when executed by the processor, perform the following: acquiring service data of a current time point; generating a data set according to the service data of the current time point; determining statistical features of the data set; determining a feature value corresponding to the statistical feature; and carrying out anomaly detection on the service data according to the characteristic value.
The present embodiment also provides a machine-readable storage medium having stored thereon computer instructions that, when executed, perform the following: acquiring service data of a current time point; generating a data set according to the service data of the current time point; determining statistical features of the data set; determining a feature value corresponding to the statistical feature; and carrying out anomaly detection on the service data according to the characteristic value.
Based on the same application concept as the above method, the embodiment of the present application further provides an abnormality detection device, as shown in fig. 7, which is a structural diagram of the device, where the device may include:
an acquiring module 701, configured to acquire service data of a current time point;
the detection module 702 is configured to perform anomaly detection on the service data by using a plurality of detection policies, so as to obtain a detection result of each detection policy; the detection result of each detection strategy is that the service data is abnormal or the service data is not abnormal;
a determining module 703, configured to determine that the final detection result of the service data is that the service data is abnormal if the detection results of the at least two detection strategies are that the service data is abnormal;
if the detection result of one detection strategy is that the service data is abnormal, determining that the final detection result of the service data is that the service data is not abnormal.
The detection policy includes a threshold detection policy, and the detection module 702 is specifically configured to, when performing anomaly detection on the service data by using the threshold detection policy: acquiring an initial monitoring threshold value, and carrying out anomaly detection on service data according to the initial monitoring threshold value; adjusting the initial monitoring threshold according to an abnormal detection result of the initial monitoring threshold to obtain a target monitoring threshold; and carrying out anomaly detection on the service data of the current time point according to the target monitoring threshold.
The detection policy includes a feature detection policy, and the detection module 702 is specifically configured to, when performing anomaly detection on the service data by using the feature detection policy: generating a data set according to the service data of the current time point; determining statistical features of the data set; determining a feature value corresponding to the statistical feature; and carrying out anomaly detection on the service data according to the characteristic value.
The detection policy includes a residual detection policy, and the detection module 702 is specifically configured to, when performing anomaly detection on the service data by using the residual detection policy:
determining a third time window and a fourth time window, wherein the third time window and the fourth time window both comprise the current time point, and the length of the fourth time window is larger than that of the third time window;
determining a first mean value according to the service data residual error of each time point in the third time window, and determining a second mean value and a variance according to the service data residual error of each time point in the fourth time window;
and carrying out anomaly detection on the service data according to the first mean value, the second mean value and the variance.
Based on the same concept as the above method, the present embodiment also provides an abnormality detection apparatus including: a processor and a machine-readable storage medium; the machine-readable storage medium has stored thereon computer instructions which, when executed by the processor, perform the following: acquiring service data of a current time point; performing abnormal detection on the service data by adopting a plurality of detection strategies to obtain a detection result of each detection strategy; the detection result of each detection strategy is that the business data is abnormal or not abnormal; if the detection results of at least two detection strategies are that the service data are abnormal, determining that the final detection result of the service data is that the service data are abnormal; if the detection result of one detection strategy is that the service data is abnormal, determining that the final detection result of the service data is that the service data is not abnormal.
The present embodiment also provides a machine-readable storage medium having stored thereon computer instructions that, when executed, perform the following: acquiring service data of a current time point; performing abnormal detection on the service data by adopting a plurality of detection strategies to obtain a detection result of each detection strategy; the detection result of each detection strategy is that the business data is abnormal or not abnormal; if the detection results of at least two detection strategies are that the service data are abnormal, determining that the final detection result of the service data is that the service data are abnormal; if the detection result of one detection strategy is that the service data is abnormal, determining that the final detection result of the service data is that the service data is not abnormal.
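The residual detection policy and the two-of-N vote described above can be exercised together as follows. This is an added example, not code from the patent: W1, W2 and S are computed as the description states, but the patent's inequality is not reproduced on this page, so the erf-based test, its 0.99 cut-off, the window lengths and all sample data are assumptions; the feature detection policy is left out.

```python
from math import erf, sqrt
from statistics import mean, pvariance

SHORT_WINDOW = 3    # "third time window" (constructed length)
LONG_WINDOW = 30    # "fourth time window", longer than the third
CONFIDENCE = 0.99   # assumed cut-off for the stand-in erf test


def residuals(actual, predicted):
    """Service data residual error per time point: actual - predicted."""
    return [a - p for a, p in zip(actual, predicted)]


def window_stats(res):
    """W1 = mean over the short window; W2, S = mean and variance over the
    long window. Both windows end at, and so include, the current point."""
    short, long_ = res[-SHORT_WINDOW:], res[-LONG_WINDOW:]
    return mean(short), mean(long_), pvariance(long_)


def residual_policy(res):
    """ASSUMED stand-in rule: flag when the short-window mean lies outside
    the central CONFIDENCE mass of a normal N(W2, S)."""
    w1, w2, s = window_stats(res)
    if s == 0:
        return False  # constant residuals: nothing to test against
    return erf(abs(w1 - w2) / sqrt(2 * s)) > CONFIDENCE


def threshold_policy(res, hist_mean, hist_var, threshold):
    """Claim 9 rule applied to the residual of the current time point."""
    return (res[-1] - hist_mean) > hist_var * threshold


def final_verdict(votes):
    """Abnormal only if at least two detection strategies say abnormal."""
    return sum(bool(v) for v in votes) >= 2


def detect(actual, predicted, hist_mean=0.0, hist_var=1.0, threshold=3.0):
    """Run both policies on the series and combine them by vote."""
    res = residuals(actual, predicted)
    result = {
        "threshold": threshold_policy(res, hist_mean, hist_var, threshold),
        "residual": residual_policy(res),
    }
    result["final"] = final_verdict(result.values())
    return result


# Constructed series of 30 points against a flat forecast of 100.
PREDICTED = [100.0] * 30
QUIET = [100.0 + r for r in [1.0, -1.0] * 15]
# One-point spike at the current time point.
SPIKE = [100.0 + r for r in [1.0, -1.0] * 14 + [0.0, 20.0]]
# Shift sustained over the last three points.
SUSTAINED = [100.0 + r for r in [1.0, -1.0] * 13 + [0.0, 20.0, 20.0, 20.0]]

if __name__ == "__main__":
    for name, series in (("quiet", QUIET), ("spike", SPIKE),
                         ("sustained", SUSTAINED)):
        print(name, detect(series, PREDICTED))
```

On this data the single spike trips only the threshold policy and is suppressed by the vote, while the sustained shift trips both policies and is reported.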
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Moreover, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (27)

1. An anomaly detection method, the method comprising:
acquiring an initial monitoring threshold value, and carrying out anomaly detection on service data according to the initial monitoring threshold value;
adjusting the initial monitoring threshold according to an abnormal detection result of the initial monitoring threshold to obtain a target monitoring threshold;
performing anomaly detection on the business data according to the target monitoring threshold; the detecting the abnormality of the service data according to the target monitoring threshold includes: determining a data set, the data set comprising predicted traffic data for a plurality of points in time; determining a service data residual error of the current time point according to the actual service data of the current time point and the predicted service data corresponding to the current time point in the data set; and carrying out anomaly detection on the actual service data according to the service data residual error and the target monitoring threshold value.
2. The method of claim 1, wherein obtaining an initial monitoring threshold comprises:
acquiring a confidence interval, wherein the confidence interval comprises a plurality of confidence values;
selecting a partial confidence value from the plurality of confidence values of the confidence interval;
and determining the initial monitoring threshold according to the partial confidence value.
3. The method according to claim 1, wherein the adjusting the initial monitoring threshold according to the abnormality detection result of the initial monitoring threshold to obtain the target monitoring threshold includes:
determining a feedback adjustment coefficient according to an abnormality detection result of the initial monitoring threshold;
and adjusting the initial monitoring threshold according to the feedback adjustment coefficient to obtain a target monitoring threshold.
4. The method of claim 3, wherein
the determining the feedback adjustment coefficient according to the abnormality detection result of the initial monitoring threshold value includes:
determining effective service data and ineffective service data according to the abnormality detection result;
selecting first service data from the effective service data;
selecting second service data from the invalid service data;
and determining a feedback adjustment coefficient according to the first service data and the second service data.
5. The method of claim 4, wherein
selecting the first service data from the valid service data comprises: sorting the effective service data, and selecting the effective service data at the first position from the sorted effective service data as first service data;
selecting the second service data from the invalid service data comprises: sorting the invalid service data, and selecting the invalid service data at the second position from the sorted invalid service data as second service data.
6. The method of claim 3, wherein the adjusting the initial monitoring threshold according to the feedback adjustment coefficient to obtain a target monitoring threshold comprises:
and determining the sum of the feedback adjustment coefficient and the initial monitoring threshold value as a target monitoring threshold value.
7. The method of claim 1, wherein the determining the data set comprises:
acquiring historical service data and predicting service data of a plurality of time points after the current time point;
processing the historical service data and the service data of the plurality of time points;
determining the processed service data as predicted service data;
and adding the predicted business data to the data set.
8. The method of claim 1, wherein the anomaly detection of actual traffic data based on the traffic data residual and a target monitoring threshold comprises:
and performing anomaly detection on the actual service data according to the service data residual error, the historical residual error mean value, the historical residual error variance and the target monitoring threshold value.
9. The method of claim 8, wherein
the performing anomaly detection on the actual service data according to the service data residual error, the historical residual error mean value, the historical residual error variance and the target monitoring threshold value comprises the following steps:
if the difference between the service data residual error and the historical residual error mean value is larger than the product of the historical residual error variance and the target monitoring threshold value, determining that the actual service data is abnormal;
and if the difference between the service data residual error and the historical residual error mean value is not larger than the product of the historical residual error variance and the target monitoring threshold value, determining that the actual service data is not abnormal.
10. An anomaly detection method, the method comprising:
acquiring service data of a current time point;
performing abnormal detection on the service data by adopting a plurality of detection strategies to obtain a detection result of each detection strategy; the detection result of each detection strategy is that the business data is abnormal or not abnormal;
if the detection results of at least two detection strategies are that the service data are abnormal, determining that the final detection result of the service data is that the service data are abnormal; if the detection result of one detection strategy is that the service data is abnormal, determining that the final detection result of the service data is that the service data is not abnormal;
The detection strategy comprises a threshold detection strategy, and the abnormal detection of the service data is carried out by adopting the threshold detection strategy, which comprises the following steps: acquiring an initial monitoring threshold value, and carrying out anomaly detection on service data according to the initial monitoring threshold value; adjusting the initial monitoring threshold according to an abnormal detection result of the initial monitoring threshold to obtain a target monitoring threshold; performing anomaly detection on the service data of the current time point according to the target monitoring threshold;
the detecting the abnormality of the service data at the current time point according to the target monitoring threshold includes: determining a data set, the data set comprising predicted traffic data for a plurality of points in time; determining a service data residual error of the current time point according to the actual service data of the current time point and the predicted service data corresponding to the current time point in the data set; and carrying out anomaly detection on the actual service data according to the service data residual error and the target monitoring threshold value.
11. The method of claim 10, wherein the adjusting the initial monitoring threshold according to the anomaly detection result of the initial monitoring threshold to obtain the target monitoring threshold comprises:
determining a feedback adjustment coefficient according to an abnormality detection result of the initial monitoring threshold;
and adjusting the initial monitoring threshold according to the feedback adjustment coefficient to obtain a target monitoring threshold.
12. The method of claim 11, wherein
the determining the feedback adjustment coefficient according to the abnormality detection result of the initial monitoring threshold value includes:
determining effective service data and ineffective service data according to the abnormality detection result;
selecting first service data from the effective service data;
selecting second service data from the invalid service data;
and determining a feedback adjustment coefficient according to the first service data and the second service data.
13. The method of claim 10, wherein the determining the data set comprises:
acquiring historical service data and predicting service data of a plurality of time points after the current time point;
processing the historical service data and the service data of the plurality of time points;
determining the processed service data as predicted service data;
and adding the predicted business data to the data set.
14. The method of claim 10, wherein the anomaly detection of actual traffic data based on the traffic data residuals and a target monitoring threshold comprises:
and performing anomaly detection on the actual service data at the current time point according to the service data residual error, the historical residual error mean value, the historical residual error variance and the target monitoring threshold.
15. The method of claim 10, wherein the detection policy comprises a feature detection policy, and wherein employing the feature detection policy to perform anomaly detection on the traffic data comprises:
generating a data set according to the service data of the current time point;
determining statistical features of the data set;
determining a feature value corresponding to the statistical feature;
and carrying out anomaly detection on the service data according to the characteristic value.
16. The method of claim 15, wherein the data set comprises traffic data for a point in time within a first time window, and the current point in time is a last point in time within the first time window; wherein the statistical features include one or any combination of the following:
the mean value of the service data at the time points within the first time window; the variance of the service data at the time points within the first time window; the service data of the current time point; the difference between the service data at the current time point and the service data at the designated time point; which minute of the day the current time point is; which day of the month the current time point is; which day of the week the current time point is; which hour of the day the current time point is.
17. The method of claim 15, wherein
the determining the feature value corresponding to the statistical feature comprises the following steps:
inquiring a mapping table through the statistical features to obtain feature values corresponding to the statistical features;
the mapping table is used for recording the corresponding relation between the statistical features and the feature values.
18. The method of claim 17, wherein the method further comprises:
dividing the historical service data into a plurality of second time windows, wherein the lengths of different second time windows are the same, and the lengths of the second time windows are the same as those of the first time windows;
determining the statistical characteristics of the second time window and the characteristic values of the second time window;
and recording the corresponding relation between the statistical features and the feature values in the mapping table.
19. The method of claim 10, wherein the detection policy comprises a residual detection policy, and wherein using the residual detection policy to perform anomaly detection on the traffic data comprises:
determining a third time window and a fourth time window, wherein the third time window and the fourth time window both comprise the current time point, and the length of the fourth time window is larger than that of the third time window;
determining a first mean value according to the service data residual error of each time point in the third time window, and determining a second mean value and a variance according to the service data residual error of each time point in the fourth time window;
and carrying out anomaly detection on the service data according to the first mean value, the second mean value and the variance.
20. The method of claim 19, wherein the method further comprises:
determining a data set, the data set comprising predicted traffic data for a plurality of points in time;
determining service data residual errors of each time point in the third time window according to the actual service data of the time point and the corresponding predicted service data of the time point in the data set;
and determining service data residual errors of the time points according to the actual service data of each time point in the fourth time window and the corresponding predicted service data of the time point in the data set.
21. An abnormality detection apparatus, characterized by comprising:
the acquisition module is used for acquiring an initial monitoring threshold value;
the detection module is used for carrying out abnormal detection on the service data according to the initial monitoring threshold value;
the acquisition module is further used for adjusting the initial monitoring threshold according to an abnormal detection result of the initial monitoring threshold to obtain a target monitoring threshold;
the detection module is also used for carrying out abnormal detection on the business data according to the target monitoring threshold value; the detection module is specifically configured to: determining a data set, the data set comprising predicted traffic data for a plurality of points in time; determining a service data residual error of the current time point according to the actual service data of the current time point and the predicted service data corresponding to the current time point in the data set; and carrying out anomaly detection on the actual service data according to the service data residual error and the target monitoring threshold value.
22. The apparatus of claim 21, wherein
when adjusting the initial monitoring threshold according to the abnormal detection result of the initial monitoring threshold to obtain a target monitoring threshold, the acquisition module is specifically used for:
determining a feedback adjustment coefficient according to an abnormality detection result of the initial monitoring threshold;
and adjusting the initial monitoring threshold according to the feedback adjustment coefficient to obtain a target monitoring threshold.
23. An abnormality detection apparatus, characterized by comprising:
the acquisition module is used for acquiring service data of the current time point;
the detection module is used for carrying out abnormal detection on the service data by adopting a plurality of detection strategies to obtain a detection result of each detection strategy; the detection result of each detection strategy is that the service data is abnormal or the service data is not abnormal;
the determining module is used for determining that the final detection result of the service data is abnormal if the detection results of the at least two detection strategies are abnormal;
if the detection result of one detection strategy is that the service data is abnormal, determining that the final detection result of the service data is that the service data is not abnormal;
the detection strategy comprises a threshold detection strategy, and when performing anomaly detection on the service data by adopting the threshold detection strategy, the detection module is specifically used for: acquiring an initial monitoring threshold value, and carrying out anomaly detection on service data according to the initial monitoring threshold value; adjusting the initial monitoring threshold according to an abnormal detection result of the initial monitoring threshold to obtain a target monitoring threshold; performing anomaly detection on the service data of the current time point according to the target monitoring threshold;
The detection module is specifically configured to, when performing anomaly detection on the service data at the current time point according to the target monitoring threshold value: determining a data set, the data set comprising predicted traffic data for a plurality of points in time; determining a service data residual error of the current time point according to the actual service data of the current time point and the predicted service data corresponding to the current time point in the data set; and carrying out anomaly detection on the actual service data according to the service data residual error and the target monitoring threshold value.
24. The apparatus of claim 23, wherein
the detection strategy comprises a feature detection strategy, and when performing anomaly detection on the service data by adopting the feature detection strategy, the detection module is specifically used for:
generating a data set according to the service data of the current time point;
determining statistical features of the data set;
determining a feature value corresponding to the statistical feature;
and carrying out anomaly detection on the service data according to the characteristic value.
25. The apparatus of claim 23, wherein
the detection strategy comprises a residual detection strategy, and when performing anomaly detection on the service data by adopting the residual detection strategy, the detection module is specifically used for:
determining a third time window and a fourth time window, wherein the third time window and the fourth time window both comprise the current time point, and the length of the fourth time window is larger than that of the third time window;
determining a first mean value according to the service data residual error of each time point in the third time window, and determining a second mean value and a variance according to the service data residual error of each time point in the fourth time window;
and carrying out anomaly detection on the service data according to the first mean value, the second mean value and the variance.
26. An abnormality detection apparatus, characterized by comprising:
a processor and a machine-readable storage medium having stored thereon computer instructions that when executed by the processor perform the following:
acquiring an initial monitoring threshold value, and carrying out anomaly detection on service data according to the initial monitoring threshold value;
adjusting the initial monitoring threshold according to the anomaly detection result of the initial monitoring threshold to obtain a target monitoring threshold;
performing anomaly detection on the service data according to the target monitoring threshold; wherein performing anomaly detection on the service data according to the target monitoring threshold comprises: determining a data set comprising predicted service data for a plurality of time points; determining a service data residual for the current time point according to the actual service data of the current time point and the predicted service data corresponding to the current time point in the data set; and performing anomaly detection on the actual service data according to the service data residual and the target monitoring threshold.
27. An abnormality detection apparatus, characterized by comprising:
a processor and a machine-readable storage medium having stored thereon computer instructions that when executed by the processor perform the following:
acquiring service data of a current time point;
performing anomaly detection on the service data by using a plurality of detection strategies to obtain a detection result for each detection strategy, the detection result of each detection strategy being that the service data is abnormal or that the service data is not abnormal;
if the detection results of at least two detection strategies are that the service data is abnormal, determining that the final detection result of the service data is that the service data is abnormal; if the detection result of one detection strategy is that the service data is abnormal, determining that the final detection result of the service data is that the service data is not abnormal;
the detection strategy comprises a threshold detection strategy, and performing anomaly detection on the service data by using the threshold detection strategy comprises: acquiring an initial monitoring threshold, and performing anomaly detection on service data according to the initial monitoring threshold; adjusting the initial monitoring threshold according to the anomaly detection result of the initial monitoring threshold to obtain a target monitoring threshold; and performing anomaly detection on the service data of the current time point according to the target monitoring threshold;
wherein performing anomaly detection on the service data at the current time point according to the target monitoring threshold comprises: determining a data set comprising predicted service data for a plurality of time points; determining a service data residual for the current time point according to the actual service data of the current time point and the predicted service data corresponding to the current time point in the data set; and performing anomaly detection on the actual service data according to the service data residual and the target monitoring threshold.
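The two-window residual check of claim 25 and the at-least-two vote of claim 27, as an added Python example that is not part of the patent. The claims do not state how the first mean, second mean and variance are compared or which statistical feature is used, so the k-standard-deviation rule, the median-based feature, all constants and all function names are assumptions, and the target threshold is taken as already adjusted.

```python
from statistics import mean, median, pvariance

def residuals(actual, predicted):
    # Residual at each time point = actual service data - predicted service data.
    return [a - p for a, p in zip(actual, predicted)]

def threshold_strategy(res, target_threshold):
    # Compare the current residual with the (already adjusted) target threshold.
    return abs(res[-1]) > target_threshold

def residual_strategy(res, short_len, long_len, k=2.0):
    # Third (short) and fourth (long) windows both end at the current point.
    if not 0 < short_len < long_len <= len(res):
        raise ValueError("need 0 < short_len < long_len <= len(res)")
    first_mean = mean(res[-short_len:])
    long_win = res[-long_len:]
    second_mean, variance = mean(long_win), pvariance(long_win)
    # Assumed rule: short-window mean lies more than k standard
    # deviations away from the long-window mean.
    return abs(first_mean - second_mean) > k * variance ** 0.5

def feature_strategy(actual, window=10, max_dev=0.15):
    # Assumed feature: median of the data set (last `window` values);
    # feature value: relative deviation of the current value from it.
    med = median(actual[-window:])
    return abs(actual[-1] - med) / max(abs(med), 1e-9) > max_dev

def detect(actual, predicted, target_threshold=10.0):
    res = residuals(actual, predicted)
    votes = {
        "threshold": threshold_strategy(res, target_threshold),
        "feature": feature_strategy(actual),
        "residual": residual_strategy(res, short_len=3, long_len=30),
    }
    # Final result: abnormal only if at least two strategies say abnormal.
    return sum(votes.values()) >= 2, votes

# Constructed sample data: flat forecast of 100, actuals alternating 99/101.
PREDICTED = [100.0] * 30
BASE = [99.0 if i % 2 == 0 else 101.0 for i in range(30)]
SUSTAINED = BASE[:27] + [120.0] * 3   # three-point level shift
BLIP = BASE[:29] + [112.0]            # one mildly high point

if __name__ == "__main__":
    for name, series in (("sustained", SUSTAINED), ("blip", BLIP)):
        print(name, detect(series, PREDICTED))
```

Because both windows contain the current time point, an anomaly also inflates the long-window variance: for window lengths m and n the score |first mean - second mean| / standard deviation can never exceed sqrt((n - m) / m), which is 3 for the lengths 3 and 30 used here. Under this assumed rule, k has to be chosen below that bound or the residual strategy can never fire.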
CN201810994706.2A 2018-08-29 2018-08-29 Abnormality detection method, device and equipment Active CN110874674B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810994706.2A CN110874674B (en) 2018-08-29 2018-08-29 Abnormality detection method, device and equipment

Publications (2)

Publication Number Publication Date
CN110874674A CN110874674A (en) 2020-03-10
CN110874674B CN110874674B (en) 2023-06-27

Family

ID=69714732

Country Status (1)

Country Link
CN (1) CN110874674B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant