JP4688083B2 - Reference value prediction method, system and program - Google Patents

Description

  The present invention relates to a technique for analyzing traffic time-series data having a period observed every moment, and in particular, using a periodicity, a reference value (base traffic, The present invention relates to a technique suitable for performing (baseline) prediction with high accuracy.

  Against the background of ever-increasing network demand, fraudulent acts that consume a large amount of network traffic resources, such as DDoS (Distributed Denial of Service) attacks, have increased. If the network bandwidth is wasted due to such illegal acts, the communication quality of general users will be significantly degraded. Therefore, a network administrator is required to detect and take measures as soon as possible that abnormal traffic such as this DDoS attack has occurred.

  As a technique for detecting the occurrence of abnormal traffic, there is a technique that pays attention to a change in the volume of observation traffic. Here, the observation traffic refers to a time transition of a data amount such as the number of packets and the number of bytes measured at a predetermined time interval. In this technique, when the observed traffic shows a certain amount of deviation from a reference value, it is determined that an abnormality has occurred in the traffic. Conventionally, the “reference value (base traffic)” and “a certain amount (threshold value)” have been determined based on the experience of the operator.

  However, when close monitoring of a large-scale network is assumed, the number of monitoring targets becomes enormous, and it is almost impossible to manage everything manually. This is because the traffic data of each monitoring target has different normal traffic amount and fluctuation range of traffic amount, so it is necessary to set the base traffic (reference value) and threshold value (constant amount) individually for each monitoring target. It is. Therefore, it is desired to automate the base traffic (reference value) setting and the threshold (constant amount) setting.

  As a technique for automating threshold setting, there is a technique that uses an outlier determination based on a statistical basis using a statistical quantity such as an average value or standard deviation of observation traffic. For example, as described in Non-Patent Document 1, a technique called a Bollinger band that uses a moving average value as a base traffic (reference value) and a standard deviation as a threshold value (a constant amount) is particularly frequently used.

  However, even if this Bollinger band is applied to traffic abnormality detection as it is, it is difficult to accurately detect abnormality. The reason is that the Bollinger band can detect a change in the statistical properties in the observed traffic, but it cannot be said that the change in the statistical properties is actually abnormal in the actual observed traffic.

  That is, the generation of traffic depends on the human life cycle, and in this case, the traffic data may show periodicity such as one day, one week, or one year.

  For example, in network traffic, the daily trend is that the amount of traffic is low from midnight to morning when there is little activity, and the amount of traffic increases from day to night when people are active. There is a tendency, and as a weekly periodic trend, there is a tendency that the traffic volume is high on weekdays and the traffic volume decreases on holidays, and further, the cyclical trend per year is long-term. There is a small amount of traffic during the holidays, and a tendency for traffic to increase during the holidays.

  In addition, the variation in observed traffic also shows a periodic increase and decrease with the amount of traffic.

  As described above, when the traffic amount shows periodicity, it can be said that it is normal if the change occurs every period even if the statistical properties of the traffic change dramatically in a specific time zone.

  However, like the Bollinger band, a moving average value that uses only observation values in the vicinity of the past cannot cope with periodic changes in the statistical properties of base traffic. In addition, the standard deviation indicating the variation in the observed value of the traffic amount has the same problem if only the observed values in the past are used.

  Thus, since the Bollinger band does not have a mechanism for considering periodicity, it is difficult to detect anomalies with high accuracy when periodic traffic is targeted.

  On the other hand, as an abnormality detection technique in consideration of periodicity, for example, a technique using the Holt-Winters method described in Non-Patent Document 2 is known. This technology uses not only the latest past information but also more distant past information, and realizes anomaly detection based on baseline prediction in consideration of periodicity.

  However, with this technique, it is necessary to empirically adjust a plurality of parameters in accordance with the traffic, and it is difficult to use it for anomaly detection targeting a plurality of observation traffic.

John A. Bollinger (John A. Bollinger), supervised by Shintaro Nagao, translated by Tsuneo Iida, “Introduction to Bollinger Band”, Pan Rolling Co., 2002, pp. 95-117,351. Jake D. Brutlag, "Aberrant Behavior Detection in Time Series for Network Monitoring", 14th Systems administration conference (LISA2000), Dec. 2000, pp. 138-146.

  The problem to be solved is that the conventional technology Bollinger band does not have a mechanism to consider periodicity, so it is difficult to detect anomalies with high accuracy when targeting periodic traffic. In the technique using the Holt-Winters method, it is necessary to empirically adjust a plurality of parameters in accordance with the traffic, which is difficult to use for detecting anomalies targeting a plurality of observed traffic.

  An object of the present invention is to solve these problems of the prior art, and to detect a traffic abnormality such as the amount of data transmitted and received over a network with high accuracy and efficiency.

  In order to achieve the above object, in the present invention, a criterion used for determining the normality (abnormality) of the amount of data when the amount of data aggregated in time series periodically increases or decreases in predetermined time interval units. In order to predict the value by a programmed computer, the accuracy of base traffic prediction for time-series data whose statistical properties change periodically can be improved by dividing one cycle into slots and handling statistical information precisely. Improve. That is, as a processing means to be executed by a programmed computer, a selection means, a plurality of parameter estimation means and a prediction means are provided, and the selection means divides data for one cycle into time series in units of preset time slots. Each parameter estimation unit predicts a reference value for each data in each time slot output from the selection unit using a first time series analysis method such as an EM algorithm, for example. And the weighting average value of the parameter estimation value in the same time slot of the past cycle is calculated as a parameter in the next cycle, and the prediction unit is configured to calculate the next cycle calculated by each parameter estimation unit. Second time series analysis method using time series analysis model such as Kalman filter using parameters in Calculating a reference value by.

  According to the present invention, by accurately handling statistical information by dividing one period into slots, it is possible to improve the accuracy of base traffic prediction for time-series data whose statistical properties change periodically. .

  The best mode for carrying out the present invention will be described below with reference to the drawings. FIG. 1 is a block diagram illustrating a configuration example of a reference value prediction system according to the present invention, FIG. 2 is an explanatory diagram illustrating a first example of slot allocation in a reference value prediction process according to the present invention, and FIG. FIG. 4 is an explanatory diagram showing a second example of slot allocation in the reference value prediction process according to the present invention. FIG. 4 is an explanatory diagram showing a third example of slot allocation in the reference value prediction process according to the present invention. 5 is a flowchart showing an example of reference value prediction processing operation according to the present invention.

  A reference value prediction system 1 in FIG. 1 has a computer configuration including a CPU (Central Processing Unit), a main memory, a display device, an input device, and an external storage device, and a storage medium such as a CD-ROM via an optical disk drive device or the like. After the program or data recorded in the external storage device is installed in the external storage device, it is read from the external storage device into the main memory and processed by the CPU, so that the amount of data aggregated in time series in a predetermined time interval unit Is a system for predicting a reference value for determining an abnormality in the amount of data when it increases or decreases automatically, and as a processing function of a programmed computer, a distributor 2, a selector 3, and a plurality of parameter estimators 4a to 4n And a plurality of mixers 5a to 5n and predictors 6a to 6n.

  In this example, the amount of data aggregated in time series in a predetermined time interval is defined as traffic on the network, and the reference value used when determining that an abnormality has occurred in the aggregated network traffic is defined as base traffic. An operation for predicting traffic will be described.

  The traffic assumed in this example refers to an aggregation of the number of packets and the number of bytes transmitted and received on the network observed by the traffic observation apparatus at regular intervals. For example, if the data is aggregated at one minute intervals, the observation traffic for one hour becomes 60 data time series.

  As long as it can be observed, the number of flows and the memory usage of the router may be handled as traffic.

  In this example, the goal is to predict normal traffic volume criteria (base traffic), where the necessity of predicting base traffic is based on whether newly received observations are outliers. It is to be judged quickly. In order to perform traffic prediction according to a change in traffic trend, information on the past cycle is referred to in this example.

  Specifically, the observed traffic is handled for each period, and the traffic tendency corresponding to the same time in the past period is used for the base traffic prediction at the current time.

  In addition, in this base traffic prediction, parameter setting is simplified.

  As described above, in this example, with respect to observation values such as the number of flows and the number of bytes measured on the network during a predetermined period, a time change of the observation value measured during the predetermined period is referred to as traffic. The timing at which the observation value is recorded is called time.

  With regard to this traffic, in this example, first, the data length for one cycle is determined, and the data for one cycle is divided into smaller units called slots. However, each slot includes one or more times.

  The length of one cycle and the slot division pattern are determined in advance as configuration information for controlling the system. For example, although the length of one cycle may take various values depending on the monitoring target, one day, one week, one year, etc. are appropriate for traffic depending on human activities.

  Further, in this example, since parameter estimation is performed for each slot, the size of the slot is appropriate to a certain extent that allows the traffic tendency to be estimated, for example, 30 minutes, 1 hour, 2 hours, and the like.

  The reason for dividing the traffic data in this way is to make it easier to utilize the fact that the statistical properties of the traffic change periodically. This is because the base traffic prediction in this example uses a prediction method based on statistics and a time series analysis method such as a Kalman filter.

  In any of such base traffic prediction methods, accurate input parameters are required to accurately predict traffic. For example, in the prediction method based on the statistical method, the rate of increase indicating how much the next observed value increases or decreases from the observed value at the current time, and in the time series analysis method, the algorithm is used to control the algorithm. One or more input values are parameters.

  These parameters are so accurate that they reflect the statistical properties of the traffic at the time of prediction, and accurate base traffic prediction can be realized if the parameters are accurate.

  In this example, assuming that the traffic tendency in a slot having a past cycle is close to the traffic tendency in a slot at the same position in the future, the parameter is estimated in units of slots. For example, if the traffic in the corresponding slot of the past cycle is increasing, the same trend will be observed in that slot in the future.

  At this time, since parameter estimation is performed using data in the slot, the parameter estimation timing is after all the data included in the corresponding slot has been observed. By parameter estimation using this periodicity, more accurate input parameter setting is realized, and traffic prediction accuracy in each prediction method is improved.

  In this example, the reason why the statistical property is estimated in slot units is that (a) to improve the estimation accuracy of the statistic in each period by securing a sufficient number of sample data, and (b) the statistical property of the traffic This is because one period is divided into granularities that can accurately estimate the change, and (c) a time shift for each period is allowed with respect to the timing of the statistical property change in the traffic.

  In parameter estimation, as the number of data that can be used for estimation increases, the estimation accuracy increases. Therefore, it is better to set the slot size to some extent. However, when the statistical properties of traffic change with time, if the slot size is too large, the change cannot be taken into account, resulting in a decrease in parameter estimation accuracy.

  Thus, although the parameter estimation accuracy deteriorates if the slot size is too large or too small, a slot size of 1 hour or 2 hours is appropriate for traffic depending on the human life cycle.

  At this time, the parameter estimation accuracy in the corresponding slot depends on how many times (data) are included in each slot. In this example, in order to improve the accuracy of the parameter estimation value, the weighted average value of the parameter estimation value in the slot of the past cycle and the latest parameter estimation value in the slot of the current cycle is adopted as a parameter used in the next cycle.

  Thus, in this example, since past data is indirectly used for parameter estimation, accurate parameter setting can be realized even when the slot size is small.

  The weighted average of the past estimated value and the current estimated value makes it possible to suppress deterioration in estimation accuracy due to an accidental traffic trend change and to learn a continuous traffic trend change.

  In this weighted average, the weight given to the past estimated value and the current estimated value increases the weight of the past estimated value when the periodic change is stable, and when the periodic change is unstable The weight of the current estimated value may be increased.

  In addition, by giving a certain amount of width to the slot, the statistical properties of each period when viewed in slots, even if the statistical properties of each cycle do not show a perfect match when viewed in time units. Can be regarded as almost matching.

  As described above, by coarsening the granularity for estimating the temporal change in statistical properties, it is possible to realize parameter estimation with higher accuracy as a result.

  As described above, there are three predetermined configurations in this example: (1) the length of one cycle, (2) the slot division pattern, and (3) the weight for taking a weighted average with the past parameters.

  However, these configurations do not need to be determined precisely as in the Holt-Winters method. This is because the traffic trend changes continuously, and even if there is a slight shift in the length of one cycle or the division pattern of the slot, the influence on the parameter estimation value is small.

  Further, when the observed traffic has periodicity, the statistical properties in the slot are similar in each period. For this reason, the weighted average weight in parameter estimation has little influence on the prediction accuracy due to the difference in the set values.

  In addition, as a technique for improving the parameter estimation accuracy, it is also conceivable to take a weighted average for parameter estimation values by a plurality of configurations. This is an effective technique when, for example, the traffic cycle has a complex structure. Here, the composite structure refers to a traffic structure in which a small cycle is seen in a larger cycle such as a daily cycle, a weekly cycle, or a yearly cycle.

  For traffic with such a complex periodic structure, parameter estimation by multiple configurations is performed, and each estimated parameter is synthesized at each time, so that short-term trends, medium-term trends, and long-term trends can be obtained. It is possible to realize more detailed parameter setting for reflecting the base traffic.

  In addition, this method is considered to be effective for dealing with traffic time fluctuations at a time granularity finer than the slot size while maintaining a slot size sufficient to ensure parameter estimation accuracy for each period. .

  For example, as shown in FIG. 4, if two parameter estimation values obtained by shifting the slot division time by half are combined, parameter setting can be realized with a time granularity that is half the slot size.

  Furthermore, in any case, the following methods can be considered as techniques for automating the weighting of parameter estimation values.

  First, for a prediction at a certain time based on a parameter estimation value in a certain configuration, a prediction error is defined as a difference between the observed value and the predicted value. In this case, it can be said that the smaller the cumulative prediction error that is the time accumulation of the prediction error, the higher the prediction accuracy.

  Next, an amount that is inversely proportional to the cumulative prediction error is set as a weight of the parameter estimation value in each configuration. Thus, a large weight is set for the parameter estimation value with high accuracy. By performing the weighted average with the weights set in this way, the base traffic prediction in which highly accurate parameters are strongly reflected is realized.

  As described above, the reference prediction system 1 in FIG. 1 uses the reference used to determine the normality of the data amount when the amount of data aggregated in time series periodically increases or decreases in predetermined time interval units. By accurately handling statistical information by dividing one period into slots, the accuracy of base traffic prediction for time-series data whose statistical properties change periodically is improved.

  That is, the reference prediction system 1 includes a distributor 2, a selector 3, parameter estimators 4a to 4n, mixers 5a to 5n, and predictors 6a to 6n as processing means executed by a programmed computer. The device 2 outputs the input observed value (the amount of data aggregated in time series in a predetermined time interval unit) to the selector 3 and the predictors 6a to 6n. The selector 3 outputs one of the input observed values. The period is divided into time series in units of preset time slots and output to parameter estimators 4a to 4n provided for each time slot.

  Each parameter estimator 4a to 4n applies, for example, “RH SHUMWAY and DS Stoffer,“ Dynamic Linear Models With Switching ”to each data in each time slot output from the selector 3. The first time series analysis method such as “EM algorithm” described in “Journal of the American Statistical Association, September 1991, Vol. 86, No. 415” is used to estimate parameters for predicting the reference value. The estimated parameter estimated value and the weighted average value of the parameter estimated value in the same time slot of the past cycle are calculated as parameters in the next cycle, and the predictors 6a to 6n are connected to the parameter estimators 4a to 4n. n to calculate the reference value by the second time-series analysis method using time series analysis model of e.g. Kalman filter or the like using the parameters in the next cycle is calculated.

  In order to improve the parameter estimation accuracy by the parameter estimators 4a to 4n, the reference value prediction system 1 in FIG. 1 has a particularly large traffic cycle such as a daily cycle, a week cycle, or a year cycle. In order to be effective when the traffic structure (compound structure) in which a small period is seen in the period is used, a weighted average is taken for parameter estimation values by a plurality of configurations.

  For each of the traffic having such a complex periodic structure, the parameter estimators 4a to 4n perform parameter estimation by a plurality of configurations, and the estimated parameters are mixed at the time points in the mixers 5a to 5n. By combining, it is possible to realize more detailed parameter setting for base traffic prediction reflecting the short-term trend, medium-term trend, and long-term trend.

  In this way, by taking a weighted average of the parameter estimation values by a plurality of configurations, for example, as shown in FIG. 4, by synthesizing two parameter estimation values obtained by shifting the slot division time by half. Parameter setting can be realized with a time granularity that is half the slot size. In other words, it is effective to cope with traffic time fluctuations at a time granularity finer than the slot size while maintaining a slot size sufficient to ensure parameter estimation accuracy for each period.

  Hereinafter, the details of the operation of the reference value prediction system 1 will be described.

For the traffic data y ₁ , y ₂ ,... Having a period T, the data for one period is divided into small units called slots (time slots) having a predetermined size. Each slot is numbered 1, 2,..., N in order of time.

When the current cycle is represented by i and the traffic data belonging to the cycle i is expressed by the following equation (Equation 1), the data y _t belonging to each slot shown in Equation 2 is expressed by Equations 3 to 5. , (A) No overlap, (b) No mixing, (c) No leakage.

  Further, as shown in Equation 6, (d) the size of each slot may be arbitrary, but the slot size is not changed in each cycle.

  A plurality of such divisions may be prepared for one observation traffic. For example, FIG. 2 shows a case where the slots are made to have a uniform size.

  Further, when there are a dense portion and a sparse portion depending on the time in the change in the statistical properties of the observed traffic, the statistics to be retained can be reduced by dividing as shown in FIG.

  Further, even in traffic whose statistical characteristics change with time, the statistical characteristics of the data in the slot can be regarded as almost constant by dividing the traffic into small slots.

Also, if there is periodicity, the statistical properties in the corresponding slots of the past period also match,
It is also possible to use statistics in the past cycle.

Next, as a specific traffic prediction method, a case where a Kalman filter is used will be described below.

  The observed traffic can be considered as the base traffic that is a large periodic component and the combined traffic of the instantaneous fluctuation that is a small periodic component.

  However, these two periodic components cannot be observed separately. Therefore, the base traffic is predicted by utilizing the Kalman filter, treating the base traffic as system evolution, and treating the instantaneous fluctuation as an observation error.

Now, the current time is represented by t. When using the Kalman filter, the traffic is first modeled. In this example, the traffic model in the period i and the slot j is _expressed by the following equation 7 and the system state evolution equation 8 based on the observed value y _t and the state value x _t of the system that cannot be explicitly observed. Is done.

It is to be noted that the increase rate is represented by Equation 9, the observation error variance is represented by Equation 10, and the system error variance is represented by Equation 11, and the observation error v _t and the system error w _t have an average of 0 and the variance follows a mutually independent normal distribution of Equation 12, respectively. Assume.

  Here, the increase rate, the observation error variance, and the system error variance are true parameters that cannot be observed in the traffic model in the period i and the slot j, and are automatically estimated by a method called an EM algorithm, for example.

Kalman filter utilizes state estimation value indicative of the number of the system 13 in addition to the observations y _t.

  Here, the notation shown in Equation 14 represents the estimated system state value at time i when the observation sequence up to time t is given.

  In addition, the parameter estimation value by the EM algorithm in the period i and the slot j is expressed as Equation 15.

  Each time the Kalman filter receives an observation value, the state estimation step and the state prediction step are alternately repeated.

Specifically, when receiving the observations traffic y _t at time t, the system of the state value estimating equation (16) by the updating formula as follows, is fed back to the model variance estimation (number 17). The model variance value is an index that represents the goodness of the estimated traffic model. Also assume that time t belongs to period i, slot j.

Here, k _t in an amount called the Kalman gain, given by the formula for a number of 18.

The state predicted value by the Kalman filter is calculated as shown in Equation 19 based on the system state evolution formula from the estimated value x _{t | t of the} system state.

  Therefore, the baseline prediction value (Equation 20) in this example is given by the following equation (21).

The model variance value _pt also evolves with time and is calculated by the following equation (22).

  Next, a method for calculating the statistics of each slot will be described.

  When the base traffic prediction is performed by the Kalman filter, the necessary statistics are input parameters expressed by the following equation (24).

  This parameter can be estimated by the EM algorithm if the observation data in the slot is available, but cannot be estimated in advance when predicting the base traffic.

  However, since the periodicity of the observed traffic is assumed in this example, the parameters estimated in the past period can be used as these input parameters.

  In addition, when the number of data in the slot is small, the estimation accuracy deteriorates, but by using a previously determined parameter η and estimating as shown in the following Equation 25 using a statistical amount estimated in the past. Improve accuracy.

  Here, what is shown in the following Expression 26 is a parameter estimation value by the EM algorithm for the observation time series (shown in Expression 27) of the same slot in the previous period.

  By mixing past estimated values and new estimated values, it is possible to suppress the influence of accidental changes in traffic trends and to learn traffic trends that last for a long time.

  Moreover, it is only necessary to hold the estimated statistics, and it is not necessary to hold all the past series.

  Next, a method of using a plurality of types of division methods together is shown below.

  In general, when the sample data used for estimation in the statistic estimation is small, the estimation accuracy deteriorates. Therefore, in order to increase the accuracy of statistics estimation, it is necessary to increase the sample data by enlarging the slot. However, if the slot is increased, there arises a problem that it becomes impossible to accurately handle the time change of the statistics.

  Several types of slot division methods are prepared in order to solve this problem. By mixing the statistical information estimated by each division pattern, both improvement in estimation accuracy and precise estimation of time change are achieved.

  For example, in the slot division at one hour intervals, the division from 12:00 and the division from 12:30 are prepared. In this case, each division pattern can only estimate a time change for each hour, but it is possible to estimate a time change for every 30 minutes by combining the statistics estimated for each (see FIG. 4). ).

More generally, a certain slot division pattern and S _n, represents the slot in the S _n the observed value belongs at time t S (t, S _n) and.

When preparing a different division pattern _{S n} of N kinds, statistics θt at time t, each slot S (t, _{S n)} for time t estimated statistics in than [theta] s (t, Sn),
The following calculation is performed.

Here, (u ₁ ,..., U _N ) is a predetermined weighting coefficient.

  In this way, by using a plurality of division patterns in combination, it is possible to estimate statistics with a finer granularity and a stable estimated value.

  Next, a processing procedure example of the reference value prediction system 1 in FIG. 1 will be described with reference to FIG.

  First, configuration information (data length for one cycle of network traffic, time slot size, etc.) that has been recorded in advance on a recording medium or input from an input device is read by a processing means (not shown) to set the configuration. The file is stored in the storage device (step S501).

  Each time the observation data is input via the distributor 2, the selector 3 refers to the configuration setting file, and handles the input observation data in order to handle the observation data for one period as slot-specific data. Then, the data are sequentially associated with a plurality of time slots set by dividing one cycle in advance and output to the storage device (step S502).

  The parameter estimators 4a to 4n provided corresponding to the respective time slots read the respective data in the respective time slots output from the selector 3 from the slot-specific data, and for example, the EM algorithm for each data. Is used to estimate a parameter for predicting the reference value (step S503), and the weighted average value of the estimated parameter estimate and the parameter estimate in the same time slot of the past cycle Is calculated as a parameter in the next period, and is output to the storage device as a parameter file (step S504).

  The predictors 6a to 6n read parameters in the next period calculated by the parameter estimators 4a to 4n from the parameter file, and use, for example, a Kalman filter or the like using the parameters and observation data input via the distributor 2. The reference value is calculated by the second time series analysis method using the series analysis model, and is output to the storage device as a prediction base traffic file (step S505).

  In the processing procedure of step S501, in order to improve the parameter estimation accuracy by the parameter estimators 4a to 4n, when the weighted average is taken for the parameter estimation values by a plurality of configurations, each parameter estimator is set for each configuration. 4a to 4n are provided, and in step S502, the selector 3 divides the observation value data for each period into each time slot unit and outputs it to each parameter estimator 4a to 4n for each configuration. In steps S503 and S504, the parameter estimators 4a to 4n perform parameter estimation based on a plurality of configurations, and combine the estimated parameters at the respective times in the mixers 5a to 5n. In step S505, The predictors 6a to 6n are configured (mixed) by the mixers 5a to 5n. Calculating a reference value using the parameters in the next cycle each parameter estimator 4a~4n were calculated for.

  As described above with reference to FIGS. 1 to 5, in this example, when the observed network traffic deviates from a reference value by a certain amount or more, for example, it is used to determine that an abnormality has occurred in the traffic. In order to predict the base traffic that means the reference value, the data length for one period of the observed network traffic is determined, and the data for one period is divided into small units called slots, and the data in each slot is divided into data. On the other hand, for example, a parameter for predicting base traffic is estimated using a time series analysis method such as an EM algorithm, and the estimated parameter estimated value and the weighted average value of the parameter estimated value in the corresponding slot of the past cycle are used as parameters in the next cycle. For example, a time series analysis method such as a Kalman filter using parameters in this next period To calculate a more-based traffic.

  In this way, in this example, by accurately handling statistical information by dividing one period into slots, it is possible to improve the accuracy of base traffic prediction for time-series data whose statistical properties change periodically. It becomes.

  In addition, the weighted average value is taken for parameter estimates based on the data length and slot designation method named multiple configurations, and when taking the weighted average for parameter estimates for multiple configurations, The prediction accuracy in the configuration is defined as the difference between the observed value and the prediction value, and a large weight is added to the parameter estimation value by the configuration having a good prediction accuracy.

  In this way, by taking a weighted average for the parameter estimation values by a plurality of configurations, for example, as shown in FIG. 4, by synthesizing two parameter estimation values obtained by shifting the slot division time by half. , Parameter setting can be realized with a time granularity that is half the slot size, and while maintaining a slot size sufficient to ensure the accuracy of parameter estimation for each period, it can handle traffic time fluctuations with a finer granularity than the slot size. This is also effective.

  In addition, this invention is not limited to the example demonstrated using FIGS. 1-5, In the range which does not deviate from the summary, various changes are possible. For example, in this example, the Kalman filter is taken as the time series analysis model, but the scope of application of the present invention is not limited to this. For example, the time-series data in each slot may be linearly approximated by least square estimation or the like and connected for each slot. The parameter held at this time is the slope of the approximate straight line of each slot.

  In this example, communication traffic in the network has been described as an example. However, the present invention can also be applied to the measurement of traffic on the road and the number of visitors to the facility.

  Further, regarding a computer configuration example, a computer configuration without a keyboard or an optical disk drive device may be used, and a recording medium is not limited to an optical disk, and an FD (Flexible Disk) or the like may be used. As for the program installation, the program may be downloaded and installed via a network via a communication device.

It is a block diagram which shows the structural example of the reference value prediction system which concerns on this invention. It is explanatory drawing which shows the 1st example of slot allocation of the reference value prediction process which concerns on this invention. FIG. 3 is an explanatory diagram showing a second example of slot allocation in the reference value prediction process according to the present invention. It is explanatory drawing which shows the 3rd example of slot allocation of the reference value prediction process which concerns on this invention. FIG. 5 is a flowchart showing an example of reference value prediction processing operation according to the present invention.

Explanation of symbols

  1: reference prediction system, 2: distributor, 3: selector, 4a-4n: parameter estimator, 5a-5n: mixer, 6a-6n: predictor.

Claims (10)

A method for predicting, by a programmed computer, a reference value used for determining the normality of the data amount when the amount of data aggregated in time series in a predetermined time interval periodically increases or decreases,
As a programmed computer processing means, comprising a selection means, a plurality of parameter estimation means and a prediction means,
The selection means includes
A first procedure of recording the input data amount information in the storage device in association with a plurality of time slots set in advance by dividing one cycle each time the aggregated data amount information is input. Run,
The plurality of parameter estimation means includes:
Reading each data amount information in each time slot recorded by the selection means, using the first time series analysis method for each data amount information, estimating a parameter for predicting the reference value, Executing a second procedure for calculating a weighted average value of parameter estimates in the same time slot of the past cycle as the estimated parameter estimate as a parameter in the next cycle;
The prediction means includes
Executing a third procedure for calculating the reference value by a second time series analysis method using the input data amount information and the parameter in the next period calculated by the parameter estimation means; Prediction method. The reference value prediction method according to claim 1,
The prediction means uses a time series analysis model when calculating base traffic in the third procedure. The reference value prediction method according to claim 2, wherein
The reference value prediction method, wherein the prediction means uses a Kalman filter as a time series analysis model used in the third procedure. A reference value prediction method according to any one of claims 1 to 3,
The calculation of the weighted average value of the parameter estimation value in the second procedure by the parameter estimation means is executed for each period set as a plurality of configuration information,
A reference value prediction method characterized by combining weighted average values calculated for each of a plurality of periods by mixing means provided as processing means of a programmed computer. A reference value prediction method according to any one of claims 1 to 3,
Calculation of the weighted average value of the parameter estimation value in the second procedure by the parameter estimation means is executed for each time slot set as a plurality of configuration information,
A reference value prediction method characterized by combining weighted average values calculated for each of a plurality of time slots by a mixing means provided as a processing means of a programmed computer. A reference value prediction method according to any one of claims 1 to 3,
The calculation of the weighted average value of the parameter estimated value in the second procedure by the parameter estimating means is executed for each period and each time slot set as a plurality of configuration information,
A reference value prediction method comprising: combining weighted average values calculated for a plurality of period fractions and a plurality of time slots by a mixing unit provided as a processing unit of a programmed computer. A reference value prediction method according to any one of claims 4 to 6,
In the calculation of the weighted average value of the parameter estimation value in the second procedure by the parameter estimation means, the difference between the observed value and the prediction value based on each configuration information is obtained as the prediction accuracy, and the configuration information with the good prediction accuracy A reference value prediction method characterized in that a large weight is added to a parameter estimation value based on the above. A reference value prediction method according to any one of claims 1 to 7,
The reference value predicting method according to claim 1, wherein the amount of data periodically increasing / decreasing that is aggregated in time series in the predetermined time interval unit is network traffic. A system for predicting a reference value used for determining the normality of the amount of data when the amount of data collected in a time series periodically increases and decreases in a predetermined time interval unit by a programmed computer,
9. A reference value prediction system comprising means for executing each procedure according to claim 1 as processing means of a programmed computer. The program for making a computer perform each procedure in the reference value prediction method in any one of Claims 1-8.

Images