JP7311480B2 - Information processing system and information processing method - Google Patents

Description

The present invention relates to data processing, and more particularly to an information processing apparatus that processes time-series data.

Devices that detect unauthorized network intrusions or sensor devices such as temperature sensors in factories (hereinafter collectively referred to as “detection devices”) detect the state or value of a predetermined attribute in the monitored object (network or factory). Observe. Attributes are physical values such as temperature, pressure, flow rate, or vibration, or operational states such as sending or receiving data or creating a predetermined message. Hereinafter, an observed value and an observed state are collectively referred to as an "observed value". Further, the sensing device typically continues to make observations continuously (in a sequence) rather than making observations at a single time. Based on the continuous observations, the sensing device generates data moment by moment that includes the value of the observed attribute (observed value) in association with time-related information (time stamp) such as the time of observation. That is, the detection device observes the monitored object and generates data including observation values and time stamps at a plurality of times (hereinafter referred to as "time-series data" or "sequence data"). Then, the detection device grasps the monitoring target by analyzing the generated sequence data. Here, grasping the monitored object means, for example, determination of whether the monitored object is normal or detection of suspicious behavior in the monitored object.

Examples of sequence data include micro-blogs (tweets) on Twitter and the like, proxy server or monitoring server logs, and intrusion detection (IDS: Intrusion Detection System) alert logs.

Techniques for processing such sequence data (time-series data) are applied to various fields (for example, Patent Documents 1 to 3).

Patent Literature 1 discloses a technique for analyzing electroencephalograms.

Patent Literature 2 discloses a technique for learning data in a normal operating state.

Patent Literature 3 discloses a technique for automatically extracting normal patterns.

The sequence data contains a mixture of different behaviors to be monitored. For example, sequence data may contain a mixture of behavior with temporal constancy and behavior without temporal constancy (hereinafter referred to as “random behavior”). A behavior having temporal constancy is, for example, “a behavior that often appears on a specific day of the week and/or during a specific time period” or “a behavior that occurs every day”. Random behavior is "behavior whose manifestation time or position cannot be specified".

In defense (cybersecurity) against unauthorized attacks (cyberattacks) on computer networks, behavior with temporal stability corresponds to operations related to normal business. Also, random behavior corresponds to cyberattacks such as targeted attacks, equipment failures, or some kind of anomaly.

Detecting patterns corresponding to both temporally stationary behavior and random behavior is important in detecting anomalies that do not normally occur in security devices that issue alerts. is.

Thus, in the analysis of sequence data, there is a demand to clearly separate patterns of temporally stationary behavior and random behavior.

Various techniques have been proposed as techniques for detecting major patterns in data. For example, matrix decomposition such as principal component analysis (PCA) or singular value decomposition (SVD) is known as such a method. These techniques can also be applied to sequence data. However, matrix decomposition cannot distinguish between temporally stationary behavior and random behavior. In addition, when there are many patterns with high frequency, such as behavior with temporal stationarity, the matrix decomposition may regard the random behavior as noise and may not be able to detect the random behavior as a pattern.

The technique described in Non-Patent Document 1 divides and stacks data consisting of "timestamp and attribute value" based on the period to create sequence data in a matrix format. Furthermore, the technique described in Non-Patent Document 1 generates a tensor consisting of "the number of cycles, the time stamp within the cycle, and the attribute value" based on sequence data in a matrix format. In this way, tensors stacked based on periods, that is, tensors stacked in the direction of the time axis, create new redundancy in the direction of time. The technique described in Non-Patent Document 1 applies tensor decomposition to this tensor to detect periodic patterns (patterns corresponding to behavior with temporal stationarity). In addition, the technique described in Non-Patent Literature 1 detects behavior that deviates from temporally stationary behavior as an abnormal value.

Calculations on matrices or tensors such as those described above are computationally expensive and, moreover, the resulting values may not converge to a single value. Therefore, constraints are used to reduce the amount of computation and to converge the results. Regularization is widely used as a constraint in such computations. Such regularization includes sparse regularization. Sparse regularization is a constraint that sets the value to 0 in many variables.

Non-Patent Document 2 discloses Group Lasso regularization, which is a kind of sparse regularization. Group Lasso regularization is a regularization that has the effect of squeezing variables belonging to a group to 0 at the same time, that is, making the values of variables sparse.

Non-Patent Document 3 uses Group Lasso to generate a variable group containing a predetermined number (k) of top components (top k components) in principal component analysis. In principal component analysis, the higher the component, the more dominant the data. Therefore, the above group of variables (top k components) is a dense pattern containing many common features of a lot of data, in other words, an estimation of a pattern that appears in a lot of data.

Non-Patent Document 4 discloses a technique of using Group Lasso regularization to make the pattern obtained by principal component analysis robust against outliers.

WO2012/133185 JP 2014-149840 A JP 2011-247696 A

Tsubasa Takahashi, Bryan Hooi, Christos Faloutsos, "AutoCyclone: Automatic Mining of Cyclic Online Activities with Robust Tensor Factorization", Proceedings of the 26th International Conference on World Wide Web, April 03-07, 2017, pp. 213-221 Ming Yuan, Yi Lin, "Model selection and estimation in regression with grouped variables", Journal of the Royal Statistical Society: Series B (Statistical Methodology), Volume 68, Issue 1, February 2006, pp.49-67 Ruoyi Jiang, Hongliang Fei, Jun Huan, "Anomaly localization for network data streams with graph joint sparse PCA", KDD '11 Proceeding of the 17th ACM SIGKDD international conference on Knowledge discovery and data mining, August 21-24, 2011, pp. 886-894 Gonzalo Mateos, Georgios B. Giannakis, "Robust PCA as Bilinear Decomposition With Outlier-Sparsity Regularization", IEEE Transactions on Signal Processing, Volume 60, Issue 10, Oct. 2012, pp.5176-5190

However, the technique described in Non-Patent Document 1 cannot extract patterns included in abnormal values.

In addition, the technique described in Non-Patent Document 1 is devised so that periodic patterns can be easily extracted by providing input data with redundancy in the time direction. However, in the technique described in Non-Patent Document 1, the tensor decomposition for extracting patterns is not necessarily restricted to extract only behavior patterns with temporal stationarity. . Therefore, in the technique described in Non-Patent Document 1, even if the behavior is random, when the frequency is high, or when the observed value corresponding to the random behavior is large, behavior with temporal stationarity Patterns can be mixed with patterns of random behavior.

Also, the top k component disclosed in Non-Patent Document 3 is simply a group of characteristic patterns in the entire data set. The top k-components are not necessarily estimates of patterns of behavior that are temporally stationary.

Non-Patent Document 2 is a document that discloses Group Lasso regularization, and does not disclose a technique for distinguishing between a pattern corresponding to temporally stationary behavior and a pattern corresponding to random behavior.

Non-Patent Document 4 discloses a technique for improving robustness against abnormal values in patterns obtained by principal component analysis. However, Non-Patent Document 4 does not disclose a technique for distinguishing patterns corresponding to temporally stationary behaviors from patterns corresponding to random behaviors.

Patent Literatures 1 to 3 do not disclose a technique for distinguishing between a behavior pattern having temporal stationarity and a random behavior pattern.

Thus, Patent Literatures 1 to 3 and Non-Patent Literatures 1 to 4 have the problem that patterns corresponding to temporally stationary behaviors and patterns corresponding to random behaviors cannot be extracted. .

SUMMARY OF THE INVENTION It is an object of the present invention to solve the above problems and to provide an information processing apparatus that extracts a pattern corresponding to temporally stationary behavior and a pattern corresponding to random behavior.

An information processing method according to one aspect of the present invention is an information processing method for detecting a random pattern as information for detecting an abnormality in a monitoring target facility, wherein a data providing device detects an observed value of a monitoring target facility in a factory and provides a plurality of times and observation values in time as first data, and the information processing device builds second data by layering the first data in time based on the first data Then, based on the second data, extract a steady pattern that is a combination of observation values with temporal stationarity in the first data, generate a difference in time between the first data and the steady pattern, A random pattern, which is a combination of observed values that do not have temporal stationarity, is extracted based on , the random pattern is transmitted, and the display device receives the random pattern and outputs the random pattern.

An information processing system according to one aspect of the present invention is an information processing system that detects a random pattern as information for detecting an abnormality in a monitored facility, and is an acquisition means for acquiring an observed value of the monitored facility in a factory. a data providing device including a plurality of times and a providing means for providing observation values in time as first data; and second data obtained by layering the first data in time based on the first data and a steady pattern extracting means for extracting a steady pattern that is a combination of observed values having temporal stationarity in the first data based on the second data, and the time between the first data and the steady pattern information including difference generation means for generating the difference in the difference, random pattern extraction means for extracting a random pattern that is a combination of observed values that do not have temporal stationarity based on the difference, and transmission means for transmitting the random pattern A display device including a processing device, receiving means for receiving the random pattern, and display means for outputting the random pattern.

According to the present invention, it is possible to extract a pattern corresponding to temporally stationary behavior and a pattern corresponding to random behavior.

FIG. 1 is a block diagram showing an example of the configuration of an information processing apparatus according to the first embodiment of the invention. 2 is a flowchart illustrating an example of the operation of the information processing apparatus according to the first embodiment; FIG. FIG. 3 is a diagram showing an example of sequence data. FIG. 4 is a diagram showing an example of sub-data. FIG. 5 is a diagram showing an example of a constructed tensor. FIG. 6 is a diagram showing an example of patterns obtained based on tensor decomposition. FIG. 7 is a diagram showing an example of a regular pattern in FIG. 6. FIG. FIG. 8 is a diagram showing individual differences in sub-data. FIG. 9 is a diagram showing differences obtained by matrixing the individual differences shown in FIG. FIG. 10 shows an example of the result of applying matrix decomposition to the difference shown in FIG. FIG. 11 is a block diagram showing an example of the hardware configuration. FIG. 12 is a diagram illustrating an example of the configuration of an information processing system according to the first embodiment;

Hereinafter, embodiments of the present invention will be described with reference to the drawings.

Each drawing illustrates an embodiment of the invention. However, the present invention is not limited to the description of each drawing. In addition, the same numbers are assigned to the same configurations in each drawing, and repeated description thereof may be omitted. In addition, in the drawings used for the following description, the description of the configuration of the portion that is not related to the description of the present invention may be omitted and may not be illustrated.

First, the terms used in the description of this embodiment will be sorted out.

An “observed value” is a value observed for an attribute corresponding to a predetermined behavior in the monitored object. Observed values are not limited to directly observed values, but also indirectly observed values (e.g., values converted from values detected by sensors, or values calculated based on multiple observed values). good.

The number of monitoring targets (hereinafter sometimes referred to as "sources") is not limited to one, and may be plural. Also, the number of attributes of the observation target in each monitoring target is not limited to one, and may be plural. Furthermore, the attributes do not have to be the same for all targets. The attributes may be different in at least some monitored objects.

A "timestamp" is information about the time when an observation was observed. In other words, a timestamp is information about the time in an observation. A time stamp may be a time range with a predetermined width instead of a single time.

Observations and timestamps are associated.

The information processing apparatus in each embodiment receives data including observation values and time stamps, and performs operations described below. However, this data includes data at least at multiple timestamps. That is, this data is sequence data (time-series data). Further, this data includes multiple observations at each timestamp. Here, multiple observation values are observation values for which at least one of the monitoring target and the attribute is multiple. Note that this data may be data in which some observed values are missing.

In other words, sequence data is data that includes multiple observations at multiple times.

<First embodiment>
A first embodiment will be described below with reference to the drawings.

[Description of configuration]
First, the configuration of the information processing apparatus 100 according to the first embodiment will be described with reference to the drawings.

FIG. 1 is a block diagram showing an example configuration of an information processing apparatus 100 according to the first embodiment of the present invention. As shown in FIG. 1, the information processing apparatus 100 includes a regular pattern extraction section 102, a difference generation section 104, and a random pattern extraction section .

The regular pattern extraction unit 102 acquires sequence data (hereinafter sometimes referred to as “sequence data X” or simply “X”).

The acquisition source of the sequence data X in the regular pattern extraction unit 102 is arbitrary. For example, the regular pattern extraction unit 102 may receive sequence data X from an external device (not shown). Alternatively, the regular pattern extraction unit 102 may read the sequence data X from a storage unit (not shown).

The regular pattern extraction unit 102 then divides the sequence data X into a plurality of pieces of data based on the time stamps in the sequence data X. FIG. Each piece of divided data is hereinafter referred to as "sub-data".

Then, the regular pattern extraction unit 102 constructs data (hereinafter referred to as a tensor) in which the divided sub-data are layered.

Thus, a tensor is built by layering sub-data. Also, the order of the sub-data is the same as the order of the sequence data X. Therefore, the order of the constructed tensor is "the order of the sequence data X + 1". For example, if the order of the sequence data X is m, the order of the tensor is m+1. More specifically, for example, m is "2" when the sequence data X is a matrix. Therefore, in this case, the order of the tensor is "3=2+1". Such a tensor data format is a data format that more clearly expresses the temporal redundancy that sequence data has.

Note that sequence data and tensors are collections of data containing similar observations. Therefore, hereinafter, the sequence data may be called "first data", and the tensor may be called "second data".

The constant pattern extraction unit 102 extracts a behavior pattern having temporal continuity (hereinafter referred to as a “constant pattern”) from this tensor. In the following description, the regular pattern may be indicated as "regular pattern P" or simply as "P".

Sequence data X is a set of observation value combinations. A constant pattern P is a pattern in the sequence data X that has temporal continuity. Here, a pattern is a combination of observed values. In other words, the steady pattern P is a combination of observed values in the sequence data X that have temporal constancy.

Specifically, in extracting the stationary pattern P, the stationary pattern extraction unit 102 performs tensor factorization with restrictions so that patterns corresponding to data having temporal stationarity are extracted. Use

The regular pattern extractor 102 then transmits the regular pattern P to the difference generator 104 .

The regular pattern extraction unit 102 may output the extracted regular pattern P to an external device (not shown). Alternatively, the regular pattern extraction unit 102 may transmit the extracted regular pattern P to a processing unit inside the information processing apparatus 100 (not shown). Alternatively, the regular pattern extraction unit 102 may store the extracted regular pattern P in a storage unit (not shown).

The difference generator 104 extracts the difference Δ obtained by removing the portion corresponding to the regular pattern P from the sequence data X. FIG. In the description of this embodiment, the difference generator 104 extracts the difference Δ using the same format as the sequence data X. For example, if the sequence data X is a tensor of order m, the difference Δ is a tensor of order m. Alternatively, if the sequence data X is a matrix, the difference Δ is a matrix. However, the difference generator 104 may use another format.

Difference generation section 104 transmits difference Δ to random pattern extraction section 106 .

Note that the difference generator 104 may acquire the sequence data X in the same manner as the steady pattern extractor 102 . Alternatively, the difference generation section 104 may receive the sequence data X from the regular pattern extraction section 102 in the same manner as the regular pattern P.

The random pattern extraction unit 106 extracts a random pattern, which is a combination of observed values that do not have temporal stationarity, based on the difference Δ. Hereinafter, the random pattern may be indicated as "random pattern Z" or simply "Z".

The random pattern extraction unit 106 may output the extracted random pattern Z to an external device (not shown). Alternatively, the random pattern extraction unit 106 may transmit the extracted random pattern Z to a processing unit inside the information processing apparatus 100 (not shown). Alternatively, the random pattern extraction unit 106 may store the extracted random pattern Z in a storage unit (not shown).

Next, operations of the information processing apparatus 100 will be described with reference to the drawings.

FIG. 2 is a flow chart showing an example of the operation of the information processing apparatus 100 according to the first embodiment.

First, the regular pattern extraction unit 102 constructs a tensor based on the sequence data X (step S11). Specifically, first, the regular pattern extraction unit 102 divides the sequence data X into sub-data based on the time stamps in the sequence data X. FIG. Then, the regular pattern extraction unit 102 builds a tensor by stacking the divided sub-data.

FIG. 3 is a diagram showing an example of sequence data X. As shown in FIG. The sequence data X shown in FIG. 3 consists of a tuple consisting of (src, day, msg). Note that a tuple is a general term for a set consisting of a plurality of components (src, day, msg in FIG. 3).

In FIG. 3, src is information about the monitored object, that is, the data source. For example, src is the address of the source. For example, if the sequence data X is a computer network log, the source address is the IP (Internet Protocol) address of the source.

day is information about time, that is, a time stamp. day is, for example, date and/or time.

msg is information indicating the type of attribute in the sequence data X. FIG. For example, msg is information indicating a distinction between predetermined message types (for example, failure content).

In the case of FIG. 3, each cell indicates how many times each message has been received. For example, the leftmost top cell in FIG. 3 is the number of times msg1 was received by source src1 on timestamp day1.

In FIG. 3, cells with horizontal lines and shaded cells indicate values other than zero. However, in FIG. 3, the number of times is omitted.

Furthermore, in FIG. 3, cells with horizontal lines are cells that form a pattern (stationary pattern P) corresponding to a behavior having temporal stationarity. A shaded cell is a cell that constitutes a pattern (random pattern Z) corresponding to random behavior.

However, in the first embodiment, each cell does not need to be grasped in advance as a regular pattern P and a random pattern Z. FIG. The distinction in FIG. 3 is for facilitating the understanding of the following description. Also, in the following description, errors and the like that occur in matrix decomposition and tensor decomposition are omitted for the sake of clarity.

Note that in FIG. 3, the sources and attributes are shown as one-dimensional data. However, this is for convenience of explanation. In specific processing of this embodiment, the sources and/or attributes may be multi-dimensional data.

The regular pattern extraction unit 102 divides the sequence data X in FIG. 3 into sub-data based on the time information day (time stamp).

FIG. 4 is a diagram showing an example of sub-data. As shown in FIG. 4, the sub-data is divided with respect to time information day (time stamp).

Furthermore, the regular pattern extraction unit 102 constructs a tensor by layering the sub-data shown in FIG. 4 in the time direction.

FIG. 5 is a diagram showing an example of a constructed tensor.

The steady pattern extraction unit 102 extracts a steady pattern P based on the tensor (step S13). More specifically, the stationary pattern extraction unit 102 uses tensor factorization, which is constrained so that patterns of behavior with temporal stationarity are extracted from the target tensor.

FIG. 6 shows an example of a pattern obtained based on tensor factorization. FIG. 6 shows a regular pattern P on the left and a random pattern Z on the right.

FIG. 6 shows the patterns divided into groups for each axis of the tensor to make the patterns easier to understand. For example, the pattern on the far left has data on the msg axis, which is a set of cells in the horizontal direction, data on the src axis, which is a set of cells in the vertical direction, and a set of diagonal cells on the day axis (time stamp, that is, the time axis). ) data and As shown in FIG. 6, the stationary pattern P has a dense time axis (diagonal cells) (there is data or there is data almost entirely). On the other hand, in the random pattern, the time axis (diagonal cells) is sparse (no or almost no data).

A specific example of tensor factorization for obtaining the stationary pattern P shown in FIG. 6 will be described.

The stationary pattern extraction unit 102 uses tensor factorization to which sparse regularization is applied as constraints in order to extract patterns of behavior with temporal stationarity. More specifically, the steady pattern extraction unit 102 adds Group Lasso regularization as sparse regularization to the day axis (time axis) of the tensor.

Group Lasso regularization is a kind of sparse regularization, and has the effect of collapsing a set of variables set as a group to 0 at the same time. This effect (the effect of collapsing a set of variables to 0 simultaneously) occurs when the variables in the set have similarly small values. In other words, when a set of variables set as a group has a steady value occurrence more than a predetermined number of times, at least some of the variables in the group do not collapse to 0 in Group Lasso regularization. Also, a set of variables with high stationarity and values that always appear does not collapse to 0 at all.

The stationary pattern extraction unit 102 can achieve different effects for the stationary pattern P group and the random pattern Z group by applying such Group Lasso regularization to the tensor factorization. Specifically, the stationary pattern extraction unit 102 uses Group Lasso regularization to reduce the group variables and randomly generated noise of the random pattern Z to zero. That is, the regular pattern extraction unit 102 uses Group Lasso regularization to prevent the random pattern Z from being detected as a pattern. At this time, even in the stationary pattern P, many variables collapse to zero. However, in the stationary pattern P, at least some variables do not collapse to 0.

The regular pattern extraction unit 102 may extract, as the regular pattern P, patterns of variables that are not always 0 (non-zero variables). However, the pattern extracted by the regular pattern extraction unit 102 is not limited to the above. For example, the regular pattern extraction unit 102 may extract, as the regular pattern P, a pattern in which the number of appearances of non-zero variables or the ratio of non-zero variables is greater than a predetermined threshold. The resulting pattern is a pattern of behavior (stationary pattern P) having temporal constancy.

FIG. 7 is a diagram showing an example of the regular pattern P in FIG. 6. As shown in FIG.

Soft-thresholding is known as a method using Group Lasso regularization. With soft-thresholding, a sparse estimate (v _e ) using Group Lasso regularization of values v belonging to a group g of variables is derived using Equation 1 below.
[Formula 1]

Here, "(·) ₊ " is "max(·, 0)". That is, "(·) ₊ " is the value within the brackets if the value within the brackets is positive and 0 if the value within the brackets is negative. ||·|| ₂ is the L2 norm. λ is a parameter that determines the effect of regularization and is a preset value. That is, the estimated value (V _e ) is zero when the L2 norm of group g is smaller than a predetermined value.

Subsequently, the difference generator 104 extracts the difference between the sub data and the regular pattern P (hereinafter referred to as "individual difference Δ ^* ") (step S15). Sub-data is temporally divided data. Therefore, the individual differences Δ ^* are temporally divided differences.

FIG. 8 is a diagram showing an example of individual differences Δ ^* in sub-data.

Subsequently, the difference generation unit 104 performs a predetermined process on the individual difference Δ ^* to generate a difference Δ that is data in the same format (tensor format) as the sequence data X (step S17). When the sequence data X is a matrix as shown in FIG. 3, this process is generally called matricization. The difference Δ is the difference in time between the sequence data X and the regular pattern P. As shown in FIG.

FIG. 9 is a diagram showing differences Δ obtained by matrixing the individual differences Δ ^* shown in FIG. 8 .

Then, the random pattern extraction unit 106 extracts the random pattern Z based on the difference Δ (step S19). The method used by the random pattern extraction unit 106 is arbitrary. For example, the random pattern extraction unit 106 extracts a random pattern Z from the difference Δ using an analysis method such as matrix decomposition using sparse estimated values, frequent item set extraction, or clustering. Here, matrix decomposition is, for example, singular value decomposition or non-negative matrix factorization.

FIG. 10 is a diagram showing an example of the result of applying matrix decomposition using sparse estimates to the difference Δ shown in FIG. Random pattern extraction section 106 divides difference Δ into two matrices (U and V).

In FIG. 10, matrix V is a set of random patterns Z (PR1 to PR4). Each row of matrix V is a random pattern Z. Hereinafter, when it is not necessary to distinguish each random pattern Z, the random pattern Z will be referred to as a random pattern Z, including the case where there are a plurality of random patterns Z (in a set).

Also, the matrix U indicates the appearance position of the random pattern Z (src1 to 5 in FIG. 10), the time (days 1 to 5 in FIG. 10), and the random pattern Z to appear (PR1 to 4 in FIG. 10). Specifically, the random pattern Z appears in the cells of the matrix U marked with vertical lines. In the following description, the matrix U is also called "expression information".

For example, the expression information in the third row of matrix U indicates that the third random pattern Z (PR3) was expressed at time day1 of source src3.

In FIG. 10, r is the number of random patterns Z extracted. r depends on the number of attributes of the data (eg number of columns in FIG. 3) and the rank of the tensor. The difference Δ shown in FIG. 9 has four msg attributes. Therefore, the maximum number (r) of random patterns Z is "4". FIG. 10 shows an example of extracting random patterns Z up to the maximum number of r. However, the value of r is not limited to the maximum number. Any number from 1 to the maximum number may be set in advance as the value of r.

Note that the regular pattern extraction unit 102 extracts the regular pattern P. FIG. Therefore, the data (sequence data X in this case) to be processed by the steady pattern extraction unit 102 must have temporal redundancy.

On the other hand, the random pattern extraction unit 106 extracts a random pattern Z (a pattern corresponding to data without temporal stationarity). Therefore, the data targeted by the random pattern extraction unit 106 does not necessarily have temporal redundancy. Behaviors that do not have temporal stationarity often occur at low frequency and at irregular positions. Therefore, it is desirable that the data to be processed by the random pattern extraction unit 106 is data containing many tuples. Therefore, the random pattern extraction unit 106 may use other data in addition to the difference Δ.

[Explanation of effect]
In this manner, the information processing apparatus 100 according to the first embodiment can obtain the effect of extracting a pattern corresponding to a behavior having temporal stationarity and a pattern corresponding to a random behavior.

The reason is as follows.

The steady pattern extraction unit 102 generates a tensor (second data) obtained by layering the sequence data X (first data) in time based on the sequence data X (first data) including a plurality of observed values at a plurality of times. to build. Based on the tensor (second data), the steady pattern extraction unit 102 extracts a steady pattern P, which is a combination of observed values having temporal continuity in the sequence data X (first data). Then, the difference generator 104 generates a difference Δ between the sequence data X (first data) and the regular pattern P in time. Based on the difference Δ, the random pattern extraction unit 106 extracts a random pattern Z, which is a combination of observation values that do not have temporal stationarity.

As described above, in the information processing apparatus 100, first, the regular pattern extraction unit 102 constructs a tensor in which sequence data X including a plurality of observed values at a plurality of times are layered in time. So the temporal redundancy is evident in the constructed tensor. Then, the regular pattern extraction unit 102 extracts the regular pattern P based on the tensor. That is, since the regular pattern extraction unit 102 extracts the regular pattern P using a tensor with clear temporal redundancy, it is possible to extract the regular pattern P corresponding to the behavior having temporal stationarity. can.

Then, the difference generator 104 generates the difference Δ as the temporal difference between the sequence data X and the steady pattern P. FIG. A stationary pattern P is extracted using temporal redundancy. Therefore, the difference Δ becomes data without temporal stationarity as a result of considering temporal redundancy.

Then, the random pattern extraction unit 106 extracts a random pattern Z that does not have temporal stationarity using the difference Δ. The difference Δ is data generated considering temporal redundancy. Therefore, the random pattern extraction unit 106 can extract a random pattern Z corresponding to a behavior that does not have temporal stationarity as a result of considering temporal redundancy.

In this way, the information processing apparatus 100 can extract a steady pattern P corresponding to behavior with temporal constancy and a random pattern Z corresponding to random behavior.

[Hardware configuration]
The information processing apparatus 100 described above is configured as follows. For example, each component of the information processing apparatus 100 may be configured by a hardware circuit. Alternatively, in the information processing apparatus 100, each component may be configured using a plurality of devices connected via a network. Alternatively, the information processing apparatus 100 may have a plurality of components configured by one piece of hardware.

Alternatively, the information processing apparatus 100 may be realized as a computer device including a CPU (Central Processing Unit), a ROM (Read Only Memory), and a RAM (Random Access Memory). The information processing device 100 may be implemented as a computer device that further includes an input/output connection circuit (IOC: Input and Output Circuit) in addition to the above configuration. Alternatively, the information processing apparatus 100 may be realized as a computer apparatus that further includes a network interface circuit (NIC: Network Interface Circuit) in addition to the above configuration.

FIG. 11 is a block diagram showing the configuration of an information processing device 600 showing an example of the hardware configuration of the information processing device 100. As shown in FIG.

The information processing device 600 includes a CPU 610, a ROM 620, a RAM 630, an internal storage device 640, an IOC 650, and a NIC 680, and constitutes a computer device.

The CPU 610 reads programs from the ROM 620 . Then, the CPU 610 controls the RAM 630, the internal storage device 640, the IOC 650, and the NIC 680 based on the read program. A computer device including the CPU 610 controls these configurations and implements the functions of the regular pattern extraction unit 102, the difference generation unit 104, and the random pattern extraction unit 106 shown in FIG.

The CPU 610 may use the RAM 630 and/or the internal storage device 640 as temporary storage of programs when implementing each function.

Further, the CPU 610 may read the program included in the recording medium 700 storing the computer-readable program using a recording medium reading device (not shown). Alternatively, the CPU 610 may receive a program from an external device (not shown) via the NIC 680, store it in the RAM 630, and operate based on the stored program.

The ROM 620 stores programs executed by the CPU 610 and fixed data. The ROM 620 is, for example, a P-ROM (Programmable-ROM) or a flash ROM.

The RAM 630 temporarily stores programs executed by the CPU 610 and data (for example, pattern data shown in FIGS. 4 to 10 and other work data). The RAM 630 is, for example, a D-RAM (Dynamic-RAM).

The internal storage device 640 stores data and programs that the information processing device 600 saves for a long time. Moreover, the internal storage device 640 may operate as a temporary storage device for the CPU 610 . The internal storage device 640 is, for example, a hard disk device, a magneto-optical disk device, an SSD (Solid State Drive), or a disk array device.

Here, the ROM 620 and the internal storage device 640 are non-transitory recording media. On the other hand, the RAM 630 is a volatile (transitory) recording medium. The CPU 610 can operate based on programs stored in the ROM 620 , the internal storage device 640 , or the RAM 630 . That is, CPU 610 can operate using a non-volatile recording medium and/or a volatile recording medium.

IOC 650 mediates data between CPU 610 and input device 660 and display device 670 . The IOC 650 is, for example, an IO interface card or a USB (Universal Serial Bus) card. Furthermore, the IOC 650 is not limited to a wired connection such as USB, and may use a wireless connection.

The input device 660 is a device that receives input instructions from the operator of the information processing device 600 . The input device 660 is, for example, a keyboard, mouse or touch panel.

The display device 670 is a device that displays information to the operator of the information processing device 600 . The display device 670 is, for example, a liquid crystal display. The display device 670 may display the regular pattern P and/or the random pattern Z.

The NIC 680 relays data exchange with an external device (not shown) via the network. The NIC 680 is, for example, a LAN (Local Area Network) card. Furthermore, the NIC 680 is not limited to wired, and may be wireless. The NIC 680 may receive the sequence data X as part of the regular pattern extractor 102 . Alternatively, the NIC 680 may output the regular pattern P and/or the random pattern Z as part of the regular pattern extractor 102 and/or the random pattern extractor 106 .

The information processing device 600 configured in this way can obtain the same effects as the information processing device 100 .

The reason is that the CPU 610 of the information processing device 600 can implement the same functions as the information processing device 100 based on the program.

[Description of the system]
Next, the information processing system 10 including the information processing apparatus 100 of this embodiment will be described with reference to the drawings.

FIG. 12 is a diagram showing an example of the configuration of the information processing system 10 according to the first embodiment. The information processing system 10 includes an information processing device 100 according to the first embodiment, a monitoring target 200, and a display device 300. FIG.

The monitoring target 200 is a provider of the sequence data X that the information processing apparatus 100 is to process. The monitored object 200 is arbitrary. For example, the monitored object 200 may be a predetermined factory. In this case, the sequence data X includes attributes (temperature, pressure, flow rate, vibration, etc.) of each facility in the factory as observed values. Alternatively, monitored object 200 is a computer network that includes multiple computers. In this case, the sequence data X is, for example, a log containing, as observations, the data (eg packets) sent and received in the network and the state of the computer. FIG. 12 illustrates these cases.

The information processing device 100 acquires the sequence data X from the monitored object 200 . Then, the information processing apparatus 100 extracts the random pattern Z based on the above operation. The information processing device 100 then transmits the random pattern Z to the display device 300 .

The display device 300 displays the random pattern Z received. As a result, the user of the information processing system 10 can comprehend a pattern of observed values (random pattern Z) that does not have temporal stationarity.

Note that the information processing device 100 may transmit other information such as expression position information, regular pattern P, and/or sequence data X to the display device 300 . In this case, the display device 300 displays the expression information, the steady pattern P, and/or the sequence data X in addition to the random pattern Z.

For example, when the display device 300 displays the random pattern Z and the regular pattern P, the user of the information processing system 10 can grasp the random pattern Z more appropriately based on the comparison with the regular pattern P. .

Alternatively, for example, when the display device 300 displays the random pattern Z and the occurrence information, the user of the information processing system 10 can display the random pattern Z, the occurrence position and time of the random pattern Z, and the random pattern Z. The type can be grasped.

Note that the display device 300 is not limited to a device external to the information processing device 100 and may be included in the information processing device 100 .

Although the present invention has been described with reference to the embodiments, the present invention is not limited to the above embodiments. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.

REFERENCE SIGNS LIST 10 information processing system 100 information processing device 102 regular pattern extraction unit 104 difference generation unit 106 random pattern extraction unit 200 monitoring target 300 display device 600 information processing device 610 CPU
620 ROMs
630 RAM
640 internal storage device 650 IOC
660 Input device 670 Display device 680 NIC
700 recording medium

Claims (10)

An information processing system that detects random patterns as information for detecting anomalies in monitored equipment,
Acquisition means for acquiring observed values of monitored equipment in the factory;
a data providing device comprising a plurality of times and providing means for providing said observed values at said times as first data;
constructing second data by stacking the first data in the time based on the first data, and based on the second data, the observation having temporal stationarity in the first data steady pattern extracting means for extracting a steady pattern that is a combination of values;
difference generating means for generating a difference in time between the first data and the steady pattern;
Random pattern extraction means for extracting the random pattern, which is a combination of the observed values without temporal stationarity, based on the difference;
an information processing device comprising a transmission means for transmitting the random pattern;
receiving means for receiving the random pattern;
display means for outputting the random pattern; and a display device including
The first data is data having temporal redundancy,
The random pattern is data containing a tuple,
the first data includes a tuple consisting of a plurality of information sources, the time, and a plurality of attribute types in each of the information sources;
The steady pattern extracting means constructs the second data in which the information source and the attribute type are layered at the time, and constructs the second data having the temporal constancy of the information source and the attribute type. extract the pattern,
The difference generation means generates the difference between the information source and the type of the attribute divided in time,
The random pattern extracting means extracts the random pattern including a tuple including the information source, the time, and the attribute type.
Information processing system. The information processing system according to claim 1, wherein said observed value includes at least one of temperature, pressure, flow rate, and vibration in said monitored equipment. The transmission means further transmits the steady pattern,
3. The information processing system according to claim 1, wherein said display means further displays said regular pattern. The first data includes position information where the observed value is expressed,
The transmission means further transmits the location information,
4. The information processing system according to any one of claims 1 to 3, wherein said display means further displays said position information. 5. The information processing system according to claim 1, wherein said display means displays said random pattern together with expression information. An information processing method for detecting a random pattern as information for detecting anomalies in monitored equipment,
The data providing device
Acquire the observed values of the monitored equipment in the factory,
providing a plurality of times and said observations at said times as first data;
The information processing device
constructing second data by stacking the first data in the time based on the first data, and based on the second data, the observation having temporal stationarity in the first data Extracting stationary patterns that are combinations of values,
generating a difference in time between the first data and the steady pattern;
Extracting the random pattern, which is a combination of the observed values without temporal stationarity based on the difference,
transmitting the random pattern;
the display device
receiving the random pattern;
outputting the random pattern;
The first data is data having temporal redundancy,
The random pattern is data containing a tuple,
The random pattern is data containing a tuple,
the first data includes a tuple consisting of a plurality of information sources, the time, and a plurality of attribute types in each of the information sources;
The information processing device is
Constructing the second data in which the information source and the attribute type are layered in the time, extracting the steady pattern having temporal constancy of the information source and the attribute type,
generating the deltas of the types of the sources and the attributes, separated in time;
extracting said random pattern containing a tuple containing said source, said time and said attribute type;
Information processing methods. The information processing method according to claim 6, wherein the observed value includes at least one of temperature, pressure, flow rate, and vibration in the monitored equipment. The information processing device further transmits the steady pattern,
The information processing method according to claim 6 or 7, wherein the display device further displays the steady pattern. The first data includes position information where the observed value is expressed,
The information processing device further transmits the location information,
The information processing method according to any one of claims 6 to 8, wherein the display device further displays the position information. The information processing method according to any one of claims 6 to 9, wherein the display device displays the random pattern together with expression information.

Images