CN105183659A - Software system behavior anomaly detection method based on multi-level mode predication - Google Patents

Abstract

The invention provides a software system behavior anomaly detection method based on multi-level mode predication. According to the method, through establishment of multi-level behavior prediction models, including a window state transition probability model and a behavior mode transition probability model, probabilistic modeling is conducted on the changing mode of system monitoring indexes, and anomaly detection is performed according to the principle that a small probability event is judged as a system behavior anomaly. The method has the advantages that the prediction models are utilized for predicting the state transition probability and comparing the predicted result with an actual system state, thereby judging whether the current system is in a small probability system state, namely a behavior anomaly mode, or not; the method can be applied to occasions with higher real-time requirements, and the model update of an algorithm can be performed in a real-time manner with data acquisition, so that the adaptability of the algorithm to window behavior anomaly detection problems can be further improved.

Description

Based on the software systems abnormal behavior detection method of multilevel mode prediction

Technical field

The present invention relates to computer system abnormality detection, particularly, relate to the software systems abnormal behavior detection method based on multilevel mode prediction.

Background technology

Along with the development of current infotech, modem computer systems all becomes to become increasingly complex in self structure and design attributes or the using forestland of system.Particularly universal and the tremendous lifting of computer process ability and the constantly perfect of Intel Virtualization Technology of High speed network in recent years, cloud computing concept is day by day burning hot, becomes current very important a kind of computer system use-pattern.How to ensure that cloud platform stable is run to become to become more and more important, and the system anomaly detection of robotization, alarm and even prediction are the bases of safeguarding the normal operation of cloud platform and abnormal quick restoring.This patent proposes a kind of system action Outlier Detection Algorithm based on pattern learning and prediction, by on-line study systematic state transfer rule, and then carries out predicting and comparing, finally judges that whether system is for abnormal behavior state fast.

Existing algorithm mainly focuses on and carries out the abnormal application scenarios automatically detected to the behavior pattern of complete cycle, and therefore these algorithms are needing to a great extent to wait for that the data that supervisory system gathered in complete behavior pattern cycle just can be carried out for detecting when whether current system behavior pattern belongs to abnormal behaviour pattern.In the computer system monitoring work of reality, also have the use-case that important, detect in current one shorter period whether occur that system action is abnormal exactly in real time.The requirement of real-time of this abnormality detection is stronger, needs automatically to detect for local system behavior instead of the exception in whole behavior pattern cycle.

Summary of the invention

For defect of the prior art, the object of this invention is to provide a kind of software systems abnormal behavior detection method based on multilevel mode prediction.

According to the software systems abnormal behavior detection method based on multilevel mode prediction provided by the invention, comprise the steps:

Step 1: modeling is carried out to the system action pattern in detection window, thus build the system action model in corresponding window;

Step 2: modeling is carried out to the metastatic rule between the system action pattern in system action model, obtains behavior pattern transition probability model;

Step 3: initial construction Window state transition probability model, and join in the middle of behavior pattern transition probability model;

Step 4: when there being new monitor data, moving window also obtains new Window state, and utilize behavior pattern transition probability model to find forecast model from Window state transition probability model, judge whether current window state belongs to abnormality according to forecast model;

If meet the prediction of forecast model, then illustrate that this forecast model is effective, upgrade Window state transition probability model according to new Window state;

If the difference between the prediction of forecast model and the Window state of reality is greater than the threshold value T of setting, then judge it is that Window state occurs abnormal conditions or occurs new behavior pattern;

When abnormal conditions only occur once, represent that system action occurs abnormal;

When there are abnormal conditions continuously, representing and occurring new Window state metastatic rule, new Window state transition probability model need be built;

Step 5: after Window state transition probability model completes and detects and upgrade, behavior pattern transition probability model is by detecting the accuracy of forecast model prediction and whether the newly-built renewal carrying out self of Window state transition probability model occurring.

Preferably, described step 3 comprises:

A: build Window state transition probability model, comprise the steps:

Steps A 1: note moving window size is W, and monitor data dimension D, monitor data is [S ₁, S ₂, S ₃... S _d], S _i=[(y ₁, t ₁), (y ₂, t ₂) ..., (y _n, t _n) ...] represent i-th monitoring period sequence flows, t _nrepresent sampling instant point, y _nrepresent at t _nthe desired value of instance sample, then the valid data in a moving window are:

In formula: S _{i, 1}... S _i,wrepresent W data sampled point in a moving window in i-th monitoring period sequence, 1≤i≤D;

Steps A 2: data acquisition sampling point is carried out sate discretization, discretize function is as follows:

In formula: M _i,jrepresent the numerical value after i-th monitoring period sequence j instance sample value discretize, M _i,j∈ [1,2 ..., N], 1≤i≤D, 1≤j≤W, N represents the interval number of discretize, and minimum represents minimum sampled value, and maximum represents maximum sampled value;

Steps A 3: the state M obtaining the current sliding window mouth of discretize:

In formula: M _i,jvalue calculated by the formula in steps A 2,1≤i≤D, 1≤j≤W;

Steps A 4: the Window state transition probability model P of the transfer process between Window state states, and its computing formula is as follows:

P (M _i| M _j)=from M _jstate transfers to M _ishape probability of state;

Wherein, M _jand M _irepresent two kinds of different Window states;

B: build behavior pattern transition probability model, comprise the steps:

Step B1: marking all Window state transition probability model set is and n is the number of model in the set of this moment; P _irepresent the Window state transition probability model of certain, 1≤i≤N;

Step B2: set up behavior pattern transition probability model R:

R (P _i| P _j, M)=when there is Window state M, from P _jp used instead by model _ithe probability of model;

In formula: P _jand P _irepresent two different Window state transition probability models, M represents current sliding window mouth state;

C: when new Window state transition probability model will be increased, comprise the steps:

If now total N number of Window state transition probability model, marking new Window state transition probability model is P _n, then new behavior pattern transition probability model is R _e, the formula of foundation is as follows:

$R_e\left(P_i\right|P_N,M)=\frac{100\%}{2^{W\×D}};$

$R_e\left(P_i|P_j,M\right)=\{\begin{array}{cc}{\Σ}_{j\∈\[1,N\]}^{j\≠N}{\mathrm{\βR}}_e\left(P_i|P_j,M\right)& i=N\\ \left(1-\mathrm{\β}\right)R_e\left(P_i|P_j,M\right)& i\≠N\end{array};$

In formula: 2 ^{w × D}represent state sum in state space, β (0≤β≤1) represents the undated parameter of behavior pattern transfering state model, and W represents moving window size, and D represents monitor data dimension, P _iand P _jrepresent two different Window state transition probability models, M represents current sliding window mouth state; Wherein, the R on the right of equation _e(P _i| P _j, M) and represent current behavior pattern transition probability model, the R on the equation left side _e(P _i| P _j, M) and represent the behavior pattern transition probability model upgraded;

D: when moving window moves, comprises following treatment step:

If the state of current window is M, Window state is M from M transfer _iprobability be P _e(M _i| M), in the moving window of subsequent time, state is M _e, then the computing formula of Window state transition probability is as follows:

$P_e\left(M_i\right|M)=\left\{\begin{array}{cc}\left(1-\mathrm{\α}\right)P_e\left(M_i|M\right)+\mathrm{\α}& i=e\\ P_e\left(M_i|M\right)-\frac{\mathrm{\α}\left(1-P_e\left(M_e|M\right)\right)P_e\left(M_i|M\right)}{\left(1-P_e\left(M_e|M\right)\right)}& i\≠e\end{array}\right.$

In formula: α (0≤α≤1) represents the undated parameter of Window state transition probability model; P wherein on the right of equation _e(M _i| M) represent the state transition probability model of current window, the P on the equation left side _e(M _i| M) represent the state transition probability model of window upgraded;

Regeneration behavior mode shifts state model R _e, computing formula is as follows:

$R_e\left(P_i\right|P_j,M)=\left\{\begin{array}{cc}\left(1-\mathrm{\γ}\right)R_e\left(P_i|P_j,M\right)+\mathrm{\γ}& i=N\\ P_e\left(P_i|P_j,M\right)-\frac{\mathrm{\γ}\left(1-P_e\left(P_i|P_N,M\right)\right)P_e\left(P_i|P_{j,M}\right)}{\left(1-P_e\left(P_i|P_N,M\right)\right)}& i\≠N\end{array}\right.;$

In formula: γ represents the undated parameter of behavior pattern transfering state model, wherein, 0≤γ≤1.

Preferably,

Initial construction Window state transition probability model, if state adds up to 2 in state space ^{w × D}, then, in initialization procedure, the transition probability between all states is all set to mean value by Window state transition probability model, namely

Preferably, described step 4 comprises: predicting the outcome and difference between the Window state of reality of computational prediction model, and described difference is compared with threshold value T, for judging the stability of Window state transition probability model.

Preferably, the abnormal situation referring to the small probability event occurred in behavior pattern transition probability model of the Window state in described step 4, or the change of current window state does not meet the prediction of system action mode shifts probability model.

Preferably, described step 4 comprises:

Step 4.1: when there being new monitor data, moving window also obtains new Window state, and utilizes behavior pattern transition probability model to find forecast model from Window state transition probability model;

Step 4.2: judge whether current window state belongs to abnormality according to forecast model;

If meet the prediction of forecast model, then illustrate that this forecast model is effective, upgrade Window state transition probability model according to new Window state;

If the difference between the prediction of forecast model and the Window state of reality is greater than the threshold value T of setting, then judge it is that Window state occurs abnormal conditions or occurs new behavior pattern further;

When abnormal conditions only occur once, represent that system action occurs abnormal;

When there are abnormal conditions continuously, build brand-new Window state transition probability model;

Step 4.3: regeneration behavior mode shifts probability model, for Window state abnormality detection next time.

Compared with prior art, the present invention has following beneficial effect:

1, method proposed by the invention relative to other based on sorter and statistical method, it is advantageous that the training data without the need to label and supervised learning process, and label training supervision Data Collection on Large Scale Computer System resolution system is abnormal just automatically pinpoint the problems in the process of the most difficult realization, therefore the method in the present invention has evaded this difficult problem, solves the abnormality detection problem of computer system better.

2, another advantage of method proposed by the invention by new data Renewal model, thus can realize automatic detectability to new abnormal patterns when system normal behaviour pattern constantly changes.

Accompanying drawing explanation

By reading the detailed description done non-limiting example with reference to the following drawings, other features, objects and advantages of the present invention will become more obvious:

Fig. 1 is the functional-block diagram of the software systems abnormal behavior detection method based on multilevel mode prediction provided by the invention;

Fig. 2 is the schematic flow sheet of the software systems abnormal behavior detection method based on multilevel mode prediction provided by the invention.

Embodiment

Below in conjunction with specific embodiment, the present invention is described in detail.Following examples will contribute to those skilled in the art and understand the present invention further, but not limit the present invention in any form.It should be pointed out that to those skilled in the art, without departing from the inventive concept of the premise, some distortion and improvement can also be made.These all belong to protection scope of the present invention.

According to the software systems abnormal behavior detection method based on multilevel mode prediction provided by the invention, comprise the steps:

Step 1: modeling is carried out to the system action pattern in detection window, thus build the system action model in corresponding window;

Step 2: modeling is carried out to the metastatic rule between the system action pattern in system action model, obtains behavior pattern transition probability model;

Step 3: initial construction Window state transition probability model, and join in the middle of behavior pattern transition probability model;

Step 4: when there being new monitor data, moving window also obtains new Window state, and utilize behavior pattern transition probability model to find forecast model from Window state transition probability model, judge whether current window state belongs to abnormality according to forecast model;

If meet the prediction of forecast model, then illustrate that this forecast model is effective, upgrade Window state transition probability model according to new Window state;

If the difference between the prediction of forecast model and the Window state of reality is greater than the threshold value T of setting, then judge it is that Window state occurs abnormal conditions or occurs new behavior pattern;

When abnormal conditions only occur once, represent that system action occurs abnormal;

When there are abnormal conditions continuously, representing and occurring new Window state metastatic rule, new Window state transition probability model need be built;

Step 5: after Window state transition probability model completes and detects and upgrade, behavior pattern transition probability model is by detecting the accuracy of forecast model prediction and whether the newly-built renewal carrying out self of Window state transition probability model occurring.

Described step 3 comprises:

A: build Window state transition probability model, comprise the steps:

Steps A 1: note moving window size is W, and monitor data dimension D, monitor data is [S ₁, S ₂, S ₃... S _d], S _i=[(y ₁, t ₁), (y ₂, t ₂) ..., (y _n, t _n) ...] represent i-th monitoring period sequence flows, t _nrepresent sampling instant point, y _nrepresent at t _nthe desired value of instance sample, then the valid data in a moving window are:

In formula: S _{i, 1}... S _i,wrepresent W data sampled point in a moving window in i-th monitoring period sequence, 1≤i≤D;

Steps A 2: data acquisition sampling point is carried out sate discretization, discretize function is as follows:

In formula: M _i,jrepresent the numerical value after i-th monitoring period sequence j instance sample value discretize, M _i,j∈ [1,2 ..., N], 1≤i≤D, 1≤j≤W, N represents the interval number of discretize, and minimum represents minimum sampled value, and maximum represents maximum sampled value;

Steps A 3: the state M obtaining the current sliding window mouth of discretize:

In formula: M _i,jvalue calculated by the formula in steps A 2,1≤i≤D, 1≤j≤W;

Steps A 4: the Window state transition probability model P of the transfer process between Window state states, and its computing formula is as follows:

P (M _i| M _j)=from M _jstate transfers to M _ishape probability of state;

Wherein, M _jand M _irepresent two kinds of different Window states;

B: build behavior pattern transition probability model, comprise the steps:

Step B1: marking all Window state transition probability model set is and n is the number of model in the set of this moment; P _irepresent the Window state transition probability model of certain, 1≤i≤N;

Step B2: set up behavior pattern transition probability model R:

R (P _i| P _j, M)=when there is Window state M, from P _jp used instead by model _ithe probability of model;

In formula: P _jand P _irepresent two different Window state transition probability models, M represents current sliding window mouth state;

C: when new Window state transition probability model will be increased, comprise the steps:

If now total N number of Window state transition probability model, marking new Window state transition probability model is P _n, then new behavior pattern transition probability model is R _e, the formula of foundation is as follows:

$R_e\left(P_i\right|P_N,M)=\frac{100\%}{2^{W\×D}};$

$R_e\left(P_i|P_j,M\right)=\{\begin{array}{cc}{\Σ}_{j\∈\[1,N\]}^{j\≠N}{\mathrm{\βR}}_e\left(P_i|P_j,M\right)& i=N\\ \left(1-\mathrm{\β}\right)R_e\left(P_i|P_j,M\right)& i\≠N\end{array};$

In formula: 2 ^{w × D}represent state sum in state space, β (0≤β≤1) represents the undated parameter of behavior pattern transfering state model, and W represents moving window size, and D represents monitor data dimension, P _iand P _jrepresent two different Window state transition probability models, M represents current sliding window mouth state; Wherein, the R on the right of equation _e(P _i| P _j, M) and represent current behavior pattern transition probability model, the R on the equation left side _e(P _i| P _j, M) and represent the behavior pattern transition probability model upgraded;

D: when moving window moves, comprises following treatment step:

Regeneration behavior mode shifts state model R _e, computing formula is as follows:

$R_e\left(P_i\right|P_j,M)=\left\{\begin{array}{cc}\left(1-\mathrm{\γ}\right)R_e\left(P_i|P_j,M\right)+\mathrm{\γ}& i=N\\ P_e\left(P_i|P_j,M\right)-\frac{\mathrm{\γ}\left(1-P_e\left(P_i|P_N,M\right)\right)P_e\left(P_i|P_{j,M}\right)}{\left(1-P_e\left(P_i|P_N,M\right)\right)}& i\≠N\end{array}\right.;$

In formula: γ represents the undated parameter of behavior pattern transfering state model, wherein, 0≤γ≤1.

Initial construction Window state transition probability model, if state adds up to 2 in state space ^{w × D}, then, in initialization procedure, the transition probability between all states is all set to mean value by Window state transition probability model, namely

Described step 4 comprises: predicting the outcome and difference between the Window state of reality of computational prediction model, and described difference is compared with threshold value T, for judging the stability of Window state transition probability model.

The abnormal situation referring to the small probability event occurred in behavior pattern transition probability model of Window state in described step 4, or the change of current window state does not meet the prediction of system action mode shifts probability model.

Described step 4 also comprises:

Step 4.1: when there being new monitor data, moving window also obtains new Window state, and utilizes behavior pattern transition probability model to find forecast model from Window state transition probability model;

Step 4.2: judge whether current window state belongs to abnormality according to forecast model;

If meet the prediction of forecast model, then illustrate that this forecast model is effective, upgrade Window state transition probability model according to new Window state;

If the difference between the prediction of forecast model and the Window state of reality is greater than the threshold value T of setting, then judge it is that Window state occurs abnormal conditions or occurs new behavior pattern further;

When abnormal conditions only occur once, represent that system action occurs abnormal;

When there are abnormal conditions continuously, build brand-new Window state transition probability model;

Step 4.3: regeneration behavior mode shifts probability model, for Window state abnormality detection next time.

More specifically, the software systems abnormal behavior detection method based on multilevel mode prediction provided by the invention comprises:

Steps A: modeling is carried out to the system action pattern in detection window, thus build the system action model in corresponding window; Particularly, due to the complicacy of Large Scale Computer System in design and use pattern, cause behavior pattern to change along with application, service and the change of time, needing to build multiple model to the behavior pattern that may occur in time window carries out learning model building;

Step B: modeling is carried out to the metastatic rule between system action pattern; Particularly, in system operation, the operational mode of system in fact shifts between multiple window behavior pattern, needs to learn and modeling transfer mode, sets up system action mode shifts probability model and Window state transition probability model;

Step C: initial construction Window state transition probability model, and join in the middle of behavior pattern transition probability model;

Step D: arrive when there being new monitor data, moving window also obtains new Window state, first usage behavior mode shifts probability model finds forecast model from Window state transition probability model, and judges whether current window state belongs to abnormality according to the probabilistic forecasting of this model.If meet the prediction of model, then illustrate that model is effective, can upgrade Window state transition probability model according to new Window state.If the difference between model prediction and the Window state of reality is greater than the threshold value T (measured value is 15% by experiment) of setting, then judge it is that Window state occurs abnormal conditions or occurs new behavior pattern further.When abnormal conditions only occur once, represent that system action occurs abnormal; When occurring abnormal continuously, select to build brand-new Window state transition probability model;

Step e: after Window state transition probability model completes and detects and upgrade, behavior pattern transition probability model is by detecting the accuracy of forecast model prediction and whether the newly-built renewal carrying out self of Window state transition probability model occurring.

Particularly, as shown in Figure 1, ground floor, algorithm carries out probability model modeling to the system action pattern in detection window, thus builds the system action state model in corresponding window.Due to the complicacy of Large Scale Computer System in design and use pattern, its usage behavior pattern is also along with application and service, and the change of time and having greatly changed.Therefore, ground floor needs to build multiple model, carries out learning model building to the behavior pattern that may occur in a period of time window.The second layer, carries out modeling to the metastatic rule between system action pattern.In system operation, the operational mode of system in fact shifts between multiple window behavior pattern.Such as system enters low load model from high capacity pattern, is that center of gravity such as to transfer to centered by consume network bandwidth resource at the situation from consumption calculations resource.The second layer learns and modeling this changing pattern.Algorithm often processes a sampled point, is just undertaken predicting whether the window to be detected at also this sampled point place of comparison meets the prediction of model, if matching degree is lower, then illustrative system may be in abnormality by original behavior pattern model.After completing the detection of current window, algorithm carries out renewal or the reconstruction of ground floor model and second layer model according to new moving window, to ensure the ageing of behavior pattern model.

Particularly, overall flow as shown in Figure 2.In order to the convenience illustrated, hereafter will refer to Window state transition probability model with state model, refer to behavior pattern transition probability model with pattern model.

First build a Window state transition probability model in initialization procedure, and join in the middle of behavior pattern transition probability model.Subsequently whenever having new monitor data to arrive, moving window moves and obtains new Window state.This algorithm first usage behavior pattern model finds forecast model the most suitable in the middle of state model, and judges whether current window state belongs to abnormality according to the probabilistic forecasting of this model.If meet the prediction of model, so illustrate that model is effective, state model can be upgraded according to new Window state.And if model prediction is larger with actual Window state difference, so may for two kinds of reasons, the first time Window state really for abnormal conditions, its two be current model also do not completed for this pattern study or have selected the state model of mistake.A Main Basis due to algorithm is in normal operating condition at the computer system most of the time, therefore when algorithm is judged to be abnormal, there are two kinds of tupes equally, when algorithm carries out the classification of mistake continuously, select to build brand-new state model and this section of historical data initialization, otherwise attempt using original model to be learnt by renewal.After state model completes and detects and upgrade, pattern model, by its feedback, comprises the accuracy of detection and whether the newly-built of state model occurs, carrying out the renewal of self.

Above specific embodiments of the invention are described.It is to be appreciated that the present invention is not limited to above-mentioned particular implementation, those skilled in the art can make various distortion or amendment within the scope of the claims, and this does not affect flesh and blood of the present invention.

Claims (6)

1., based on a software systems abnormal behavior detection method for multilevel mode prediction, it is characterized in that, comprise the steps:

Step 1: modeling is carried out to the system action pattern in detection window, thus build the system action model in corresponding window;

Step 2: modeling is carried out to the metastatic rule between the system action pattern in system action model, obtains behavior pattern transition probability model;

Step 3: initial construction Window state transition probability model, and join in the middle of behavior pattern transition probability model;

Step 4: when there being new monitor data, moving window also obtains new Window state, and utilize behavior pattern transition probability model to find forecast model from Window state transition probability model, judge whether current window state belongs to abnormality according to forecast model;

If meet the prediction of forecast model, then illustrate that this forecast model is effective, upgrade Window state transition probability model according to new Window state;

If the difference between the prediction of forecast model and the Window state of reality is greater than the threshold value T of setting, then judge it is that Window state occurs abnormal conditions or occurs new behavior pattern;

When abnormal conditions only occur once, represent that system action occurs abnormal;

When there are abnormal conditions continuously, representing and occurring new Window state metastatic rule, new Window state transition probability model need be built;

Step 5: after Window state transition probability model completes and detects and upgrade, behavior pattern transition probability model is by detecting the accuracy of forecast model prediction and whether the newly-built renewal carrying out self of Window state transition probability model occurring.

2. the software systems abnormal behavior detection method based on multilevel mode prediction according to claim 1, it is characterized in that, described step 3 comprises:

A: build Window state transition probability model, comprise the steps:

Steps A 1: note moving window size is W, and monitor data dimension D, monitor data is [S ₁, S ₂, S ₃... S _d], S _i=[(y ₁, t ₁), (y ₂, t ₂) ..., (y _n, t _n) ... ] represent i-th monitoring period sequence flows, t _nrepresent sampling instant point, y _nrepresent at t _nthe desired value of instance sample, then the valid data in a moving window are:

In formula: S _{i, 1}s _i,wrepresent W data sampled point in a moving window in i-th monitoring period sequence, 1≤i≤D;

Steps A 2: data acquisition sampling point is carried out sate discretization, discretize function is as follows:

In formula: M _i,jrepresent the numerical value after i-th monitoring period sequence j instance sample value discretize, M _i,j∈ [1,2 ..., N], 1≤i≤D, 1≤j≤W, N represents the interval number of discretize, and minimum represents minimum sampled value, and maximum represents maximum sampled value;

Steps A 3: the state M obtaining the current sliding window mouth of discretize:

In formula: M _i,jvalue calculated by the formula in steps A 2,1≤i≤D, 1≤j≤W;

Steps A 4: the Window state transition probability model P of the transfer process between Window state states, and its computing formula is as follows:

P (M _i| M _j)=from M _jstate transfers to M _ishape probability of state;

Wherein, M _jand M _irepresent two kinds of different Window states;

B: build behavior pattern transition probability model, comprise the steps:

Step B1: marking all Window state transition probability model set is and n is the number of model in the set of this moment; P _irepresent the Window state transition probability model of certain, 1≤i≤N;

Step B2: set up behavior pattern transition probability model R:

R (P _i| P _j, M)=when there is Window state M, from P _jp used instead by model _ithe probability of model;

In formula: P _jand P _irepresent two different Window state transition probability models, M represents current sliding window mouth state;

C: when new Window state transition probability model will be increased, comprise the steps:

If now total N number of Window state transition probability model, marking new Window state transition probability model is P _n, then new behavior pattern transition probability model is R _e, the formula of foundation is as follows:

$R_e\left(P_i\right|P_N,M)=\frac{100\%}{2^{W\×D}}$

$R_e\left(P_i|P_j,M\right)=\left\{\begin{array}{cc}{\Σ}_{j\∈\[1,N\]}^{j\≠N}{\mathrm{\βR}}_e\left(P_i|P_j,M\right)& i=N\\ \left(1-\mathrm{\β}\right)R_e\left(P_i|P_j,M\right)& i\≠N\end{array}\right.;$

In formula: 2 ^{w × D}represent state sum in state space, β (0≤β≤1) represents the undated parameter of behavior pattern transfering state model, and W represents moving window size, and D represents monitor data dimension, P _iand P _jrepresent two different Window state transition probability models, M represents current sliding window mouth state; Wherein, the R on the right of equation _e(P _i| P _j, M) and represent current behavior pattern transition probability model, the R on the equation left side _e(P _i| P _j, M) and represent the behavior pattern transition probability model upgraded;

D: when moving window moves, comprises following treatment step:

If the state of current window is M, Window state is M from M transfer _iprobability be P _e(M _i| M), in the moving window of subsequent time, state is M _e, then the computing formula of Window state transition probability is as follows:

$P_e\left(M_i\right|M)=\left\{\begin{array}{cc}(1-\mathrm{\α})P_e\left(M_i\right|M)+\mathrm{\α}& i=e\\ P_e\left(M_i\right|M)-\frac{\mathrm{\α}(1-P_e(M_e|M\left)\right)P_e\left(M_i\right|M)}{(1-P_e(M_e|M\left)\right)}& i\≠e\end{array}\right.$

In formula: α (0≤α≤1) represents the undated parameter of Window state transition probability model; P wherein on the right of equation _e(M _i| M) represent the state transition probability model of current window, the P on the equation left side _e(M _i| M) represent the state transition probability model of window upgraded;

Regeneration behavior mode shifts state model R _e, computing formula is as follows:

$R_e\left(P_i|P_j,M\right)=\left\{\begin{array}{cc}(1-\mathrm{\γ})R_e\left(P_i|P_j,M\right)+\mathrm{\γ}& i=N\\ P_e\left(P_i|P_j,M\right)-\frac{\mathrm{\γ}(1-P_e(P_i|P_N,M\left)\right)P_e\left(P_i\right|P_j,M)}{(1-P_e(P_i|P_N,M\left)\right)}& i\≠N\end{array}\right.;$

In formula: γ represents the undated parameter of behavior pattern transfering state model, wherein, 0≤γ≤1, P _e(P _i| P _j, M) and represent that the state of current window is M, Window state P _jp used instead by model _ithe probability of model.

3. the software systems abnormal behavior detection method based on multilevel mode prediction according to claim 2, is characterized in that

Initial construction Window state transition probability model, if state adds up to 2 in state space ^{w × D}, then, in initialization procedure, the transition probability between all states is all set to mean value by Window state transition probability model, namely

4. the software systems abnormal behavior detection method based on multilevel mode prediction according to claim 1, it is characterized in that, described step 4 comprises: predicting the outcome and difference between the Window state of reality of computational prediction model, and described difference is compared with threshold value T, for judging the stability of Window state transition probability model.

5. the software systems abnormal behavior detection method based on multilevel mode prediction according to claim 1, it is characterized in that, the abnormal situation referring to the small probability event occurred in behavior pattern transition probability model of Window state in described step 4, or the change of current window state does not meet the prediction of system action mode shifts probability model.

6. the software systems abnormal behavior detection method based on multilevel mode prediction according to claim 4, it is characterized in that, described step 4 comprises:

Step 4.1: when there being new monitor data, moving window also obtains new Window state, and utilizes behavior pattern transition probability model to find forecast model from Window state transition probability model;

Step 4.2: judge whether current window state belongs to abnormality according to forecast model;

If meet the prediction of forecast model, then illustrate that this forecast model is effective, upgrade Window state transition probability model according to new Window state;

If the difference between the prediction of forecast model and the Window state of reality is greater than the threshold value T of setting, then judge it is that Window state occurs abnormal conditions or occurs new behavior pattern further;

When abnormal conditions only occur once, represent that system action occurs abnormal;

When there are abnormal conditions continuously, build brand-new Window state transition probability model;

Step 4.3: regeneration behavior mode shifts probability model, for Window state abnormality detection next time.