CN105227343B - The abnormality detection model and method of Distributed Services based on danger theory - Google Patents

The abnormality detection model and method of Distributed Services based on danger theory Download PDF

Info

Publication number
CN105227343B
CN105227343B CN201510518995.5A CN201510518995A CN105227343B CN 105227343 B CN105227343 B CN 105227343B CN 201510518995 A CN201510518995 A CN 201510518995A CN 105227343 B CN105227343 B CN 105227343B
Authority
CN
China
Prior art keywords
service
services
danger
signal
change
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510518995.5A
Other languages
Chinese (zh)
Other versions
CN105227343A (en
Inventor
李涛
李锦民
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University of Science and Engineering WUSE
Original Assignee
Wuhan University of Science and Engineering WUSE
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan University of Science and Engineering WUSE filed Critical Wuhan University of Science and Engineering WUSE
Priority to CN201510518995.5A priority Critical patent/CN105227343B/en
Publication of CN105227343A publication Critical patent/CN105227343A/en
Application granted granted Critical
Publication of CN105227343B publication Critical patent/CN105227343B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/145Network analysis or design involving simulating, designing, planning or modelling of a network

Abstract

The invention discloses a kind of abnormality detection model and method of the Distributed Services based on danger theory, model includes:Situation of change is depicted as change curve by danger signal characterization module, the situation of change for monitoring each Distributed Services in real time;Danger signal extraction module, for according to characteristic point by these put based on point construction feature triple monitor the operating status each serviced in real time, if the character triple that real time data is constructed has exceeded the character triple that historical data is constructed, then think that the service there may be potential danger, as anomaly source;The characteristic point is the changed key point of change curve trend;Danger zone computing module, for after finding that exception occurs in some service S, calculating the danger zone of the service.Distributed Services abnormality detection model proposed by the present invention based on danger theory can effectively note abnormalities and source and can detect and the relevant independent path of anomaly source, improve the efficiency of service abnormality detection.

Description

The abnormality detection model and method of Distributed Services based on danger theory
Technical field
The present invention relates to computer technology more particularly to a kind of abnormality detection moulds of the Distributed Services based on danger theory Type and method.
Background technology
With the rise of mobile Internet, O2O (online to offline), more and more mobile applications, internet Using the user for having accumulated magnanimity, in response to the request of a large number of users, using Tencent, Twitter as the Internet company of representative Service ability is improved using Distributed Services, promotes concurrent processing performance.By taking Twitter as an example, Twitter deploys about 2000 A Distributed Services, these services meet SOA (service-oriented architecture) specification, pass through dynamic combined Meet the needs of different user.At the same time, material is thus formed complicated combination and adduction relationships, under distributed environment Service abnormality detection brings difficulty.
The behavior individually serviced is paid close attention to different from traditional service abnormality detection, the abnormality detection of Distributed Services needs Whole exception is found according to the syntagmatic of service.Magnanimity behavioral data is serviced caused by being asked due to a large number of users, and The uncertainty of Services Composition itself brings challenge to service abnormality detection:
1. the behavior serviced between service is at every moment all changing, there is uncertainty, therefore, it is difficult to simple Static models go to describe;
2. servicing the behavior between service is dynamic combined, is connected with each other, there is dependence between them, Therefore it is difficult the abnormality that entire Distributed Services are detected by single service state;
3. the service behavior data of magnanimity bring great challenge to the efficiency of the abnormality detection of Distributed Services.
Distributed Services are to solve the effective ways of mass users service, but simultaneously because the dynamic combined of service results in The uncertainty of service, therefore increase the difficulty of service abnormality detection.This paper presents a kind of dynamics based on danger theory Method go detection Distributed Services abnormal.In patent " the cloud service monitoring method based on service origin and device " (application number: 2014105550671) the detailed behavior catching method for elaborating Distributed Services, the patent pass through a service origin day in The dynamic behaviour of 9 tuple of will description service, i.e., (token, Invoking Service, Service Invoked, location, elapsed time,times tamp,input,output,status).The service behavior acquisition side in patent is used herein Method, and using 9 tuple as the input data of model, emphasis is by introducing danger theory, establishing the exception of Distributed Services Detection model.
Invention content
The technical problem to be solved in the present invention is for the defects in the prior art, to provide a kind of based on danger theory The abnormality detection model and method of Distributed Services.
The technical solution adopted by the present invention to solve the technical problems is:A kind of Distributed Services based on danger theory Abnormality detection model, including:
Danger signal characterization module, the situation of change for monitoring each Distributed Services in real time, situation of change is painted Change curve is made;The monitoring index monitored in real time comes from nine tuple of service origin daily record, and the situation of change includes adjusting Variation with number and time-consuming variation;
Danger signal extraction module, for according to characteristic point by these put based on point construction feature triple supervise in real time The operating status each serviced is surveyed, if the character triple that real time data is constructed has exceeded the feature three that historical data is constructed Tuple, then it is assumed that the service there may be potential danger, as anomaly source;The characteristic point is that change curve trend occurs The key point of variation;
The character triple is defined as { f ' (xi)left,f(xi),f′(xi) right, wherein f (xi) indicate feature Point;f′(xi) left illustrates the trend of characteristic point left-most curve, f ' (xi) right indicate characteristic point on the right of curve trend;
Danger zone computing module, for after finding that exception occurs in some service S, calculating the danger zone of the service.
It is each one monitoring of service distribution in Distributed Services in the danger signal characterization module by said program Device monitors the situation of change of each Distributed Services in real time.
By said program, the danger zone that the service is calculated in the danger zone computing module uses following methods, first First judge and the number t of the service S services being connected;
If numerical value t is less than threshold value, then the method for selecting the signal fused based on DCA exports danger zone, it is specific to walk It is rapid as follows:
(i) assume T at some time point, note abnormalities source S, initially sets up the service S being connected with service SiBetween people Work APC, and load multiple TRLs receptors on artificial APC, capture the call number between them and averagely take and melted It closes;
(ii) acquisition all service S of T time point and service SiBetween IS and ES (i=1,2,3..) and service S tune With total degree SIS and total time-consuming SES, IS and ES are merged, and calculate concentration valueSimilarly, by SIS It is also merged to obtain the weight that total concentration value C, wherein a and b are respectively the two input signals with SES;
(iii) determine whether the independent path between two services will produce danger by calculating exception coefficient u, wherein
(iv) step (i)~(iii) is repeated, a couple service Sj connected with service Si is merged again, carries out beta pruning behaviour Make (j=1,2,3..);
Wherein, artificial APC:That is artificial antigen presenting cells, the function of the cell are to receive the separate unit of signal;
Artificial T RLs receptors:The major function of this receptor is to capture and merge signal, signal by the call number that services and Average take collectively constitutes;
Invoking signal:It is denoted as IS, it is assumed that note abnormalities source S in some period T, takes within the time period Business S calls the number of service Si to be known as IS;
Elapsed time signal:It is denoted as ES, it is assumed that note abnormalities source S in some period T, in this period Interior, service S calls the number of service Si divided by time T as averagely to take ES;
If numerical value t is more than threshold value, danger zone is exported using the method for cloud model, is as follows:
(1) the state cloud of construction service S and the state cloud for the service being connected with the service;
(2) the state cloud of S is calculated:Assuming that there are n with the service S services being connected, each connected service is regarded as one Water dust, that is, have a n water dust, and the call number of S and each water dust regards the degree of certainty of the water dust as, be denoted as Ni (i=1,2, 3....n), the mean value Ex for calculating call number by Ni first, then can obtain entropy En and super entropy He, three numbers by mean value Characteristic value can determine a state cloud, note state cloud S (Ex, En, He);
Wherein
The number of service that wherein m is and service S is connected;
(3) the state cloud Si (Ex for n service being connected with S are calculated by the method for step 2i,Eni,Hei) (i=1, 2,3....n);
(4) degrees of membership of the Si relative to S is calculated:The state cloud of S and Si is constructed by cloud model and is calculated between them Degree of membership μ,
If degree of membership is bigger, illustrate that the variation of two services is more similar, then being less susceptible to occur between the two services It is abnormal, the two services are illustrated if instead degree of membership is less than given threshold there is larger difference, then it is easier go out It is now abnormal, then it is incorporated to danger zone using this path as dangerous path;
(5) step 2 and 3 is repeated, the state cloud for the service being connected with Si is constructed, calculates the degree of membership between them, until Be safe from danger path;
(6) all dangerous paths are summarized and constructs danger zone.
A kind of method for detecting abnormality of the Distributed Services based on danger theory, includes the following steps:
1) danger signal characterizes:Situation of change is depicted as becoming by the situation of change for monitoring each Distributed Services in real time Change curve;The monitoring index monitored in real time comes from nine tuple of service origin daily record, and the situation of change includes call number Variation and time-consuming variation;
2) danger signal is extracted:According to characteristic point by these put based on point construction feature triple monitoring is each in real time The operating status of service, if the character triple that real time data is constructed has exceeded the character triple that historical data is constructed, Then think that the service there may be potential danger, as anomaly source;The characteristic point is that change curve trend changes Key point;
The character triple is defined as { f ' (xi)left,f(xi),f′(xi) right, wherein f (xi) indicate feature Point;f′(xi) left illustrates the trend of characteristic point left-most curve, f ' (xi) right indicate characteristic point on the right of curve trend;
3) danger zone calculates:After finding that exception occurs in some service S, the danger zone of the service is calculated.
By said program, monitored in real time for each service one monitor of distribution in Distributed Services in the step 1) The situation of change of each Distributed Services.
By said program, the danger zone that the service is calculated in the step 3) uses following methods,
It first determines whether and the number t of the service S services being connected;
If numerical value t is less than threshold value, then the method for selecting the signal fused based on DCA exports danger zone, it is specific to walk It is rapid as follows:
(i) assume T at some time point, note abnormalities source S, initially sets up the service S being connected with service SiBetween people Work APC, and load multiple TRLs receptors on artificial APC, capture the call number between them and averagely take and melted It closes;
(ii) acquisition all service S of T time point and service SiBetween IS and ES (i=1,2,3..) and service S tune With total degree SIS and total time-consuming SES, IS and ES are merged, and calculate concentration valueSimilarly, by SIS It is also merged to obtain the weight that total concentration value C, wherein a and b are respectively the two input signals with SES;
(iii) determine whether the independent path between two services will produce danger by calculating exception coefficient u, wherein
(iv) step (i)~(iii) is repeated, a couple service Sj connected with service Si is merged again, carries out beta pruning behaviour Make (j=1,2,3..);
Wherein, artificial APC:That is artificial antigen presenting cells, the function of the cell are to receive the separate unit of signal;
Artificial T RLs receptors:The major function of this receptor is to capture and merge signal, signal by the call number that services and Average take collectively constitutes;
Invoking signal:It is denoted as IS, it is assumed that note abnormalities source S in some period T, takes within the time period Business S calls the number of service Si to be known as IS;
Elapsed time signal:It is denoted as ES, it is assumed that note abnormalities source S in some period T, in this period Interior, service S calls the number of service Si divided by time T as averagely to take ES;
If numerical value t is more than threshold value, danger zone is exported using the method for cloud model, is as follows:
(3.1) the state cloud of construction service S and the state cloud for the service being connected with the service;
(3.2) the state cloud of S is calculated:Assuming that there are n with the service S services being connected, each connected service is regarded as one A water dust, that is, have a n water dust, and the call number of S and each water dust regards the degree of certainty of the water dust as, be denoted as Ni (i=1,2, 3....n), the mean value Ex for calculating call number by Ni first, then can obtain entropy En and super entropy He, three numbers by mean value Characteristic value can determine a state cloud, note state cloud S (Ex, En, He);
Wherein
The number of service that wherein m is and service S is connected;
(3.3) the state cloud Si (Ex for n service being connected with S are calculated by the method for step (3.2)i,Eni,Hei) (i=1,2,3....n);
(3.4) degrees of membership of the Si relative to S is calculated:The state cloud of S and Si is constructed by cloud model and is calculated between them Degree of membership μ,
If degree of membership is bigger, illustrate that the variation of two services is more similar, then being less susceptible to occur between the two services It is abnormal, the two services are illustrated if instead degree of membership is less than given threshold there is larger difference, then it is easier go out It is now abnormal, then it is incorporated to danger zone using this path as dangerous path;
(3.5) step (3.2) and (3.3) is repeated, the state cloud for the service being connected with Si is constructed, calculates the person in servitude between them Category degree, until the path that is safe from danger;
(3.6) all dangerous paths are summarized and constructs danger zone.
The beneficial effect comprise that:Distributed Services abnormality detection model based on danger theory can be effective Note abnormalities source and can detect with the relevant independent path of anomaly source, to improve service abnormality detection efficiency.
Description of the drawings
Present invention will be further explained below with reference to the attached drawings and examples, in attached drawing:
Fig. 1 is the method flow diagram of the embodiment of the present invention.
Specific implementation mode
In order to make the purpose , technical scheme and advantage of the present invention be clearer, with reference to embodiments, to the present invention It is further elaborated.It should be appreciated that described herein, specific examples are only used to explain the present invention, is not used to limit The fixed present invention.
A kind of abnormality detection model of the Distributed Services based on danger theory, including:
Danger signal characterization module, the situation of change for monitoring each Distributed Services in real time, situation of change is painted Change curve is made;The monitoring index monitored in real time comes from nine tuple of service origin daily record, and the situation of change includes adjusting Variation with number and time-consuming variation;
Each service is at every moment changing in system, and is also all discrete, by these discrete serial datas Connection gets up to describe in a manner of patterned to change its feature and trend for changing with the time.Become in computer systems Change also implies that the balance of system is broken, and implies dangerous generation, wherein extreme point (characteristic point) is exactly curvilinear trend hair The key point for changing, therefore we are first as the basis for comparing variation and expression variation.By acquiring each characteristic point Carry out construction feature triple, becoming for feature test point and its curve constituted with consecutive points can be portrayed using the triple Gesture acquires the triple corresponding to each characteristic point, it will be able to realize the description to system resource operating condition, then to normally transporting Calculated triple is made comparisons when in the case of row and to be checked, realizes the variation detection of feature based, and then the source that notes abnormalities.
Danger signal extraction module, for according to characteristic point by these put based on point construction feature triple supervise in real time The operating status each serviced is surveyed, if the character triple that real time data is constructed has exceeded the feature three that historical data is constructed Tuple, then it is assumed that the service there may be potential danger, as anomaly source;The characteristic point is that change curve trend occurs The key point of variation;
Service features can be changed by construction feature triple and carry out more accurate description.Character triple is defined as {f′(xi)left,f(xi),f′(xi) right, wherein f (xi) be ...;f′(xi) left illustrates characteristic point left-most curve Trend, f ' (xi) right indicates the trend of curve on the right of characteristic point respectively;
The method of construction feature triple is as follows:
According to the gathered data selected characteristic point of each service;
Characteristic point x is calculated to the characteristic point of all selectionsiLeft and right differential;
Construction feature triple { f ' (xi)left,f(xi),f′(xi)right};
The acquisition methods of anomaly source are specific as follows:
Successively to each service arrangement real-time data collection character triple FiWith history gathered data character triple Fj
If service FiLeft and right difference quotient>Fj
That is (f ' (xi)left>f′(xj)left&&f′(xi)right>f′(xj)right);
Then judge that the service there may be potential danger, is anomaly source.
Danger zone computing module, for after finding that exception occurs in some service S, calculating the danger zone of the service.
The danger zone for calculating the service uses following methods, first determines whether and the number t of the service S services being connected;
If numerical value t is less than threshold value, then the method for selecting the signal fused based on DCA exports danger zone, it is specific to walk It is rapid as follows:
(i) assume T at some time point, note abnormalities source S, initially sets up the service S being connected with service SiBetween people Work APC, and load multiple TRLs receptors on artificial APC, capture the call number between them and averagely take and melted It closes;
(ii) acquisition all service S of T time point and service SiBetween IS and ES (i=1,2,3..) and service S tune With total degree SIS and total time-consuming SES, IS and ES are merged, and calculate concentration valueSimilarly, by SIS It is also merged to obtain the weight that total concentration value C, wherein a and b are respectively the two input signals with SES;
(iii) determine whether the independent path between two services will produce danger by calculating exception coefficient u, wherein
(iv) step (i)~(iii) is repeated, a couple service Sj connected with service Si is merged again, carries out beta pruning behaviour Make (j=1,2,3..);
Wherein, artificial APC:That is artificial antigen presenting cells, the function of the cell are to receive the separate unit of signal;
Artificial T RLs receptors:The major function of this receptor is to capture and merge signal, signal by the call number that services and Average take collectively constitutes;
Invoking signal:It is denoted as IS, it is assumed that note abnormalities source S in some period T, takes within the time period Business S calls the number of service Si to be known as IS;
Elapsed time signal:It is denoted as ES, it is assumed that note abnormalities source S in some period T, in this period Interior, service S calls the number of service Si divided by time T as averagely to take ES;
If numerical value t is more than threshold value, danger zone is exported using the method for cloud model, is as follows:
Define one:If to the either element x in domain (range of research) U, all there are one number A (x) ∈ [0,1] is right therewith It answers, then A is referred to as the fuzzy set on U, and A (x) is known as degrees of membership of the x to A.When x changes in U, A (x) is exactly a function, is claimed For the membership function of A.For degree of membership A (x) closer to 1, the degree that expression x belongs to A is higher, and A (x) belongs to closer to 0 expression x The degree of A is lower.
Define two:Desired value Ex:Represent the mean value of each other service times of service call;Entropy En:Relative to desired value For, represent the span of each other service times of service call.
(1) the state cloud of construction service S and the state cloud for the service being connected with the service;
(2) the state cloud of S is calculated
2.1) assume that the service that is connected with S there are n, each service is regarded as a water dust, that is, have a n water dust, S and each The call number of water dust regards the degree of certainty of the water dust as, is denoted as Ni (i=1,2,3....n);
2.2) mean value of call number is calculated by Ni
2.3) by desired value Ex=X 2.2) can be obtained;
2.4) entropy can be obtained by mean value
2.5) three numerical characteristic values can determine a state cloud, so note state cloud S (Ex, En, He);
(3) the state cloud for the service being connected with S is calculated, the service being connected with S is Si(i=1,2,3..)
3.1) hypothesis and SiConnected service has n, and each service is regarded as a water dust, that is, has n water dust, SiWith it is every The call number of a water dust regards the degree of certainty of the water dust as, is denoted as Nj (j=1,2,3....n);
3.2) S is equally calculated with the method for calculating S state cloudiState cloud;
3.3)SiState cloud be Si(Exi,Eni,Hei);
(4) S is calculatediDegree of membership relative to S
When calculating the state cloud of certain service, it is attached thereto again without other services if the service is leaf node, So state cloud for not calculating the service.
If degree of membership is bigger, illustrate that the variation of two services is more similar, then being less susceptible to occur between the two services It is abnormal, the two services are illustrated if instead degree of membership is less than given threshold there is larger difference, then it is easier go out It is now abnormal, then it is incorporated to danger zone using this path as dangerous path;
(5) step 2 and 3 is repeated, the state cloud for the service being connected with Si is constructed, calculates the degree of membership between them, until Be safe from danger path;
(6) all dangerous paths are summarized and constructs danger zone.
As shown in Figure 1, the present invention also provides a kind of method for detecting abnormality of the Distributed Services based on danger theory, It is characterized by comprising the following steps:
1) danger signal characterizes:Situation of change is depicted as becoming by the situation of change for monitoring each Distributed Services in real time Change curve;The monitoring index monitored in real time comes from nine tuple of service origin daily record, and the situation of change includes call number Variation and time-consuming variation;The situation of change for monitoring each Distributed Services in real time is specifically:It is every in Distributed Services One service one monitor of distribution monitors the situation of change of each Distributed Services in real time;
2) danger signal is extracted:According to characteristic point by these put based on point construction feature triple monitoring is each in real time The operating status of service, if the character triple that real time data is constructed has exceeded the character triple that historical data is constructed, Then think that the service there may be potential danger, as anomaly source;The characteristic point is that change curve trend changes Key point;
The character triple is defined as { f ' (xi)left,f(xi),f′(xi) right, wherein f (xi) indicate feature Point;f′(xi) left illustrates the trend of characteristic point left-most curve, f ' (xi) right indicate characteristic point on the right of curve trend;
3) danger zone calculates:After finding that exception occurs in some service S, the danger zone of the service is calculated;
The danger zone that the service is calculated in step 3) uses following methods,
It first determines whether and the number t of the service S services being connected;
If numerical value t is less than threshold value, then the method for selecting the signal fused based on DCA exports danger zone, it is specific to walk It is rapid as follows:
(i) assume T at some time point, note abnormalities source S, initially sets up the service S being connected with service SiBetween people Work APC, and load multiple TRLs receptors on artificial APC, capture the call number between them and averagely take and melted It closes;
(ii) acquisition all service S of T time point and service SiBetween IS and ES (i=1,2,3..) and service S tune With total degree SIS and total time-consuming SES, IS and ES are merged, and calculate concentration valueSimilarly, by SIS It is also merged to obtain the weight that total concentration value C, wherein a and b are respectively the two input signals with SES;
(iii) determine whether the independent path between two services will produce danger by calculating exception coefficient u, wherein
(iv) step (i)~(iii) is repeated, a couple service Sj connected with service Si is merged again, carries out beta pruning behaviour Make (j=1,2,3..);
Wherein, artificial APC:That is artificial antigen presenting cells, the function of the cell are to receive the separate unit of signal;
Artificial T RLs receptors:The major function of this receptor is to capture and merge signal, signal by the call number that services and Average take collectively constitutes;
Invoking signal:It is denoted as IS, it is assumed that note abnormalities source S in some period T, takes within the time period Business S calls the number of service Si to be known as IS;
Elapsed time signal:It is denoted as ES, it is assumed that note abnormalities source S in some period T, in this period Interior, service S calls the number of service Si divided by time T as averagely to take ES;
If numerical value t is more than threshold value, danger zone is exported using the method for cloud model, is as follows:
(3.1) the state cloud of construction service S and the state cloud for the service being connected with the service;
(3.2) the state cloud of S is calculated:Assuming that there are n with the service S services being connected, each connected service is regarded as one A water dust, that is, have a n water dust, and the call number of S and each water dust regards the degree of certainty of the water dust as, be denoted as Ni (i=1,2, 3....n), the mean value Ex for calculating call number by Ni first, then can obtain entropy En and super entropy He, three numbers by mean value Characteristic value can determine a state cloud, note state cloud S (Ex, En, He);
Wherein
Wherein m is
(3.3) the state cloud Si (Ex for n service being connected with S are calculated by the method for step (3.2)i,Eni,Hei) (i=1,2,3....n);
(3.4) degrees of membership of the Si relative to S is calculated:The state cloud of S and Si is constructed by cloud model and is calculated between them Degree of membership μ,
If degree of membership is bigger, illustrate that the variation of two services is more similar, then being less susceptible to occur between the two services It is abnormal, the two services are illustrated if instead degree of membership is less than given threshold there is larger difference, then it is easier go out It is now abnormal, then it is incorporated to danger zone using this path as dangerous path;
(3.5) step (3.2) and (3.3) is repeated, the state cloud for the service being connected with Si is constructed, calculates the person in servitude between them Category degree, until the path that is safe from danger;
(3.6) all dangerous paths are summarized and constructs danger zone.
It should be understood that for those of ordinary skills, it can be modified or changed according to the above description, And all these modifications and variations should all belong to the protection domain of appended claims of the present invention.

Claims (4)

1. a kind of abnormality detection model of the Distributed Services based on danger theory, which is characterized in that including:
Danger signal characterization module, the situation of change for monitoring each Distributed Services in real time, situation of change is depicted as Change curve;The monitoring index monitored in real time comes from nine tuple of service origin daily record, and the situation of change includes calling time Several variations and time-consuming variation;
Danger signal extraction module, for according to characteristic point by these put based on point construction feature triple monitoring is every in real time The operating status of a service, if the character triple that real time data is constructed has exceeded the feature ternary that historical data is constructed Group, then it is assumed that the service there may be potential danger, as anomaly source;The characteristic point is that change curve trend becomes The key point of change;
The character triple is defined as { f ' (xi)left,f(xi),f′(xi)right, wherein f (xi) indicate characteristic point;f′ (xi)leftIllustrate the trend of characteristic point left-most curve, f ' (xi)rightIndicate the trend of curve on the right of characteristic point;
Danger zone computing module, for after finding that exception occurs in some service S, calculating the danger zone of the service;
The danger zone that the service is calculated in the danger zone computing module uses following methods,
It first determines whether and the number t of the service S services being connected;
If number t is less than threshold value, then the method for selecting the signal fused based on DCA exports danger zone, specific steps are such as Under:
(i) assume T at some time point, note abnormalities source S, initially sets up the service S being connected with service SiBetween artificial APC, And multiple TRLs receptors are loaded on artificial APC, capture the call number between them and averagely takes and is merged;
(ii) acquisition all service S of T time point and service SiBetween IS and ES (i=1,2,3..) and service S calling it is total Number SIS and total time-consuming SES, IS and ES is merged, and calculate concentration valueSimilarly, by SIS and SES Also it is merged to obtain the weight that total concentration value C, wherein a and b are respectively the two input signals;
(iii) determine whether the independent path between two services will produce danger by calculating exception coefficient u, wherein
(iv) step (i)~(iii) is repeated, a couple service Sj connected with service Si is merged again, carries out cut operator (j =1,2,3..);
Wherein, artificial APC:That is artificial antigen presenting cells, the function of the cell are to receive the separate unit of signal;
Artificial T RLs receptors:The major function of this receptor is to capture and merge signal, and signal is by the call number that services and average It takes and collectively constitutes;
Invoking signal:It is denoted as IS, it is assumed that note abnormalities source S in some period T, services S tune within the time period It is known as IS with the number of service Si;
Elapsed time signal:It is denoted as ES, it is assumed that note abnormalities source S in some period T, within the time period, clothes S calling of being engaged in services the number of Si divided by time T as averagely takes ES;
If number t is more than threshold value, danger zone is exported using the method for cloud model, is as follows:
(1) the state cloud of construction service S and the state cloud for the service being connected with the service;
(2) the state cloud of S is calculated:Assuming that there are n with the service S services being connected, each connected service is regarded as a water dust, There is a n water dust, the call number of S and each water dust regards the degree of certainty of the water dust as, is denoted as Ni (i=1,2,3....n), The mean value Ex for calculating call number by Ni first, then can obtain entropy En and super entropy He, three numerical characteristic values are by mean value It can determine a state cloud, note state cloud S (Ex, En, He);
Wherein
The number of service that wherein m is and service S is connected;
(3) the state cloud Si (Ex for n service being connected with S are calculated by the method for step 2i,Eni,Hei) (i=1,2, 3....n);
(4) degrees of membership of the Si relative to S is calculated:The state cloud of S and Si is constructed by cloud model and calculates being subordinate between them μ is spent,
If degree of membership is bigger, illustrate that the variation of two services is more similar, then it is less susceptible to exception occur between the two services, Illustrate that there is larger differences for the two services if instead degree of membership is less than given threshold, then being more susceptible to different Often, then it is incorporated to danger zone using this path as dangerous path;
(5) step 2 and 3 is repeated, the state cloud for the service being connected with Si is constructed, the degree of membership between them is calculated, until not having Dangerous path;
(6) all dangerous paths are summarized and constructs danger zone.
2. abnormality detection model according to claim 1, which is characterized in that be distribution in the danger signal characterization module Each service one monitor of distribution monitors the situation of change of each Distributed Services in real time in formula service.
3. a kind of method for detecting abnormality of the Distributed Services based on danger theory, which is characterized in that include the following steps:
1) danger signal characterizes:It is bent to be depicted as variation by the situation of change for monitoring each Distributed Services in real time for situation of change Line;The monitoring index monitored in real time comes from nine tuple of service origin daily record, and the situation of change includes the change of call number The variation changed and taken;
2) danger signal is extracted:According to characteristic point by these put based on each service of point construction feature triple monitoring in real time Operating status recognize if the character triple that real time data is constructed has exceeded the character triple that historical data is constructed Potential danger, as anomaly source are there may be for the service;The characteristic point is the changed pass of change curve trend Key point;
The character triple is defined as { f ' (xi)left,f(xi),f′(xi)right, wherein f (xi) indicate characteristic point;f′ (xi)leftIllustrate the trend of characteristic point left-most curve, f ' (xi)rightIndicate the trend of curve on the right of characteristic point;
3) danger zone calculates:After finding that exception occurs in some service S, the danger zone of the service is calculated;The step 3) The middle danger zone for calculating the service uses following methods,
It first determines whether and the number t of the service S services being connected;
If number t is less than threshold value, then the method for selecting the signal fused based on DCA exports danger zone, specific steps are such as Under:
(i) assume T at some time point, note abnormalities source S, initially sets up the service S being connected with service SiBetween artificial APC, And multiple TRLs receptors are loaded on artificial APC, capture the call number between them and averagely takes and is merged;
(ii) acquisition all service S of T time point and service SiBetween IS and ES (i=1,2,3..) and service S calling it is total Number SIS and total time-consuming SES, IS and ES is merged, and calculate concentration valueSimilarly, by SIS and SES Also it is merged to obtain the weight that total concentration value C, wherein a and b are respectively the two input signals;
(iii) determine whether the independent path between two services will produce danger by calculating exception coefficient u, wherein
(iv) step (i)~(iii) is repeated, a couple service Sj connected with service Si is merged again, carries out cut operator (j =1,2,3..);
Wherein, artificial APC:That is artificial antigen presenting cells, the function of the cell are to receive the separate unit of signal;
Artificial T RLs receptors:The major function of this receptor is to capture and merge signal, and signal is by the call number that services and average It takes and collectively constitutes;
Invoking signal:It is denoted as IS, it is assumed that note abnormalities source S in some period T, services S tune within the time period It is known as IS with the number of service Si;
Elapsed time signal:It is denoted as ES, it is assumed that note abnormalities source S in some period T, within the time period, clothes S calling of being engaged in services the number of Si divided by time T as averagely takes ES;
If number t is more than threshold value, danger zone is exported using the method for cloud model, is as follows:
(3.1) the state cloud of construction service S and the state cloud for the service being connected with the service;
(3.2) the state cloud of S is calculated:Assuming that there are n with the service S services being connected, each connected service is regarded as a cloud Drop, that is, have a n water dust, and the call number of S and each water dust regards the degree of certainty of the water dust as, be denoted as Ni (i=1,2, 3....n), the mean value Ex for calculating call number by Ni first, then can obtain entropy En and super entropy He, three numbers by mean value Characteristic value can determine a state cloud, note state cloud S (Ex, En, He);
Wherein
The number of service that wherein m is and service S is connected;
(3.3) the state cloud Si (Ex for n service being connected with S are calculated by the method for step (3.2)i,Eni,Hei) (i= 1,2,3....n);
(3.4) degrees of membership of the Si relative to S is calculated:The state cloud of S and Si is constructed by cloud model and calculates the person in servitude between them Category degree μ,
If degree of membership is bigger, illustrate that the variation of two services is more similar, then it is less susceptible to exception occur between the two services, Illustrate that there is larger differences for the two services if instead degree of membership is less than given threshold, then being more susceptible to different Often, then it is incorporated to danger zone using this path as dangerous path;
(3.5) step (3.2) and (3.3) is repeated, the state cloud of service that construction is connected with Si calculates being subordinate between them Degree, until the path that is safe from danger;
(3.6) all dangerous paths are summarized and constructs danger zone.
4. method for detecting abnormality according to claim 3, which is characterized in that be every in Distributed Services in the step 1) One service one monitor of distribution monitors the situation of change of each Distributed Services in real time.
CN201510518995.5A 2015-08-21 2015-08-21 The abnormality detection model and method of Distributed Services based on danger theory Active CN105227343B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510518995.5A CN105227343B (en) 2015-08-21 2015-08-21 The abnormality detection model and method of Distributed Services based on danger theory

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510518995.5A CN105227343B (en) 2015-08-21 2015-08-21 The abnormality detection model and method of Distributed Services based on danger theory

Publications (2)

Publication Number Publication Date
CN105227343A CN105227343A (en) 2016-01-06
CN105227343B true CN105227343B (en) 2018-08-07

Family

ID=54996054

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510518995.5A Active CN105227343B (en) 2015-08-21 2015-08-21 The abnormality detection model and method of Distributed Services based on danger theory

Country Status (1)

Country Link
CN (1) CN105227343B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106657005A (en) * 2016-11-16 2017-05-10 武汉科技大学 Abnormity detection multilayer model for cloud services

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101950334A (en) * 2010-08-05 2011-01-19 武汉大学 Information system danger sense method and system based on computer immunity
CN104518913A (en) * 2014-12-17 2015-04-15 武汉科技大学 Cloud service abnormality detection method based on artificial immunity

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100859808B1 (en) * 2007-01-05 2008-09-24 삼성전자주식회사 Optical Network Unit for Error Detection and Recovery of Optic Module and Control Method Thereof

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101950334A (en) * 2010-08-05 2011-01-19 武汉大学 Information system danger sense method and system based on computer immunity
CN104518913A (en) * 2014-12-17 2015-04-15 武汉科技大学 Cloud service abnormality detection method based on artificial immunity

Also Published As

Publication number Publication date
CN105227343A (en) 2016-01-06

Similar Documents

Publication Publication Date Title
CN107851049A (en) System and method for providing Network Safety Analysis based on operating technology and information technology
Zadeh et al. Qos monitoring for web services by time series forecasting
CN110086674A (en) A kind of application high availability implementation method and system based on container
CN111179109A (en) Electricity consumption data processing method for detecting elderly people living alone
CN105511953A (en) System and method for evaluating load of virtual machine under cloud environment, and service node
CN110162445A (en) The host health assessment method and device of Intrusion Detection based on host log and performance indicator
CN107844406A (en) Method for detecting abnormality and system, service terminal, the memory of distributed system
CN113271224A (en) Node positioning method and device, storage medium and electronic device
CN105227343B (en) The abnormality detection model and method of Distributed Services based on danger theory
CN101237357B (en) Online failure detection method for industrial wireless sensor network
Ashibani et al. A machine learning-based user authentication model using mobile App data
CN108009077A (en) A kind of service operation status assessment algorithm and system based on big data environment
Kumarage et al. Granular evaluation of anomalies in wireless sensor networks using dynamic data partitioning with an entropy criteria
CN107204868A (en) A kind of task run monitoring information acquisition methods and device
CN103226572B (en) A kind of extendible monitoring method and system based on data compression
JPWO2017037801A1 (en) Monitoring system and monitoring method
CN105868079A (en) Method for Java memory inefficient usage detection based on memory usage propagation analysis
CN115037559A (en) Data safety monitoring system based on flow, electronic equipment and storage medium
CN105897503B (en) Hadoop cluster bottleneck detection method based on resource information gain
Dong Deployment cost optimal for composite event detection in heterogeneous wireless sensor networks
CN104578048A (en) Method for quickly evaluating transient security and stability of enumerated combined successive fault set on line
CN114065158A (en) Security login monitoring method for cloud computing management control platform based on 5G technology
Muros et al. Cooperative game theory tools to detect critical nodes in distributed control systems
CN112699048A (en) Program fault processing method, device and equipment based on artificial intelligence and storage medium
De Kerf A bibliography on fuzzy sets

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant