CN107086944B - Anomaly detection method and device
- Publication number
- CN107086944B CN201710481863.9A
- Authority
- CN
- China
- Prior art keywords
- value
- current
- prediction error
- target flow
- actual value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0681—Configuration of triggering conditions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Environmental & Geological Engineering (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Testing And Monitoring For Control Systems (AREA)
Abstract
The invention provides an anomaly detection method and device, and relates to the technical field of anomaly detection. The method comprises the following steps: acquiring a current moment actual value of the baseline flow; acquiring a current moment actual value of target flow; predicting a predicted value of the target flow at the current moment according to the actual value of the baseline flow at the last moment, the actual value of the baseline flow at the current moment and the actual value of the target flow at the last moment; calculating a prediction error value at the current moment according to the actual value at the current moment and the predicted value at the current moment of the target flow; calculating an upper limit threshold and a lower limit threshold according to the historical prediction error value; and detecting whether the current time actual value of the target flow is in an abnormal state or not according to the current time prediction error value and the upper and lower limit thresholds. According to the invention, the historical prediction error value is adopted to calculate the upper and lower limit thresholds, and the abnormal state of the current actual value of the target flow is detected, so that the purpose of performing abnormal detection according to the dynamic upper and lower limit thresholds is realized, and the false alarm rate generated during abnormal detection is reduced.
Description
Technical Field
The present invention relates to the field of anomaly detection technologies, and in particular, to an anomaly detection method and an anomaly detection apparatus.
Background
With the continuous development of anomaly detection technology, system operation and maintenance technology has also come into common use. In system operation and maintenance, the monitored key performance indicators are checked, anomalies in them are found in time, and an alarm is sent to the operation and maintenance personnel, so that anomalies in the monitored performance indicators are identified.
At present, anomaly detection in performance indicator monitoring is mainly realized by operation and maintenance personnel setting a fixed alarm threshold; when the monitored performance indicator exceeds the alarm threshold, the system judges that the indicator is abnormal and sends an alarm prompt.
In the prior art, on the one hand, the time series of a monitored performance indicator changes periodically, and factors such as website traffic diversion, promotions, activity updates and new product launches can cause traffic to increase rapidly, so the time series of the monitored performance indicator is not stationary; a fixed alarm threshold cannot accommodate this, so false alarms are easily generated during anomaly detection. On the other hand, when a fixed alarm threshold is simply used, a threshold set too low is likely to produce false alarms, and a threshold set too high is likely to produce missed alarms.
Disclosure of Invention
In order to solve the problem that false alarms or missed alarms are generated when anomaly detection is performed with a fixed alarm threshold, the embodiment of the invention provides an anomaly detection method and device.
According to an aspect of the present invention, there is provided an abnormality detection method including:
acquiring a current moment actual value of the baseline flow;
acquiring a current moment actual value of target flow;
predicting a predicted value of the target flow at the current moment according to the actual value of the baseline flow at the last moment, the actual value of the baseline flow at the current moment and the actual value of the target flow at the last moment;
calculating a prediction error value at the current moment according to the actual value at the current moment of the target flow and the predicted value at the current moment;
calculating an upper limit threshold and a lower limit threshold according to the historical prediction error value; the historical prediction error value is a prediction error value at each moment before the current moment;
and detecting whether the current time actual value of the target flow is in an abnormal state or not according to the current time prediction error value and the upper and lower limit thresholds.
Optionally, the step of calculating an upper and lower threshold according to the historical prediction error value includes:
obtaining the historical prediction error value; the historical prediction error values comprise at least one prediction error value;
adopting a Gaussian model to perform Gaussian distribution curve fitting on the historical prediction error value;
determining a mean and a variance of the Gaussian distribution curve;
and determining the upper and lower limit thresholds according to the mean and the variance.
Optionally, the step of detecting whether the current-time actual value of the target flow is in an abnormal state according to the current-time prediction error value and the upper and lower limit thresholds includes:
judging whether the current time prediction error value is within the range of the upper and lower limit thresholds or not;
if the current time prediction error value is not in the range of the upper and lower limit threshold values, determining that the current time actual value of the target flow is in an abnormal state, and sending alarm information;
and if the prediction error at the current moment is within the range of the upper and lower limit thresholds, determining that the actual value of the target flow at the current moment is not in an abnormal state, and not sending alarm information.
Optionally, the step of predicting the predicted value of the target flow at the current time according to the actual value of the baseline flow at the last time, the actual value of the baseline flow at the current time, and the actual value of the target flow at the last time includes:
and calculating the predicted value of the target flow at the current moment by dividing the actual value of the baseline flow at the current moment by the actual value of the baseline flow at the last moment and multiplying the result by the actual value of the target flow at the last moment.
According to another aspect of the present invention, there is provided an abnormality detection apparatus including:
the first acquisition module is used for acquiring the current-time actual value of the baseline flow;
the second acquisition module is used for acquiring the current actual value of the target flow;
the prediction module is used for predicting a predicted value of the target flow at the current moment according to the actual value of the baseline flow at the last moment, the actual value of the baseline flow at the current moment and the actual value of the target flow at the last moment;
the first calculation module is used for calculating a prediction error value at the current moment according to the current moment value of the target flow and the prediction value;
the second calculation module is used for calculating an upper limit threshold and a lower limit threshold according to the historical prediction error value; the historical prediction error value is a prediction error value at each moment before the current moment;
and the detection module is used for detecting whether the current time actual value of the target flow is in an abnormal state or not according to the current time prediction error value and the upper and lower limit thresholds.
Optionally, the second computing module includes:
an obtaining submodule for obtaining the historical prediction error value; the historical prediction error values comprise at least one prediction error value;
the curve fitting submodule is used for carrying out Gaussian distribution curve fitting on the historical prediction error value by adopting a Gaussian model;
the first determining submodule is used for determining the mean value and the variance of the Gaussian distribution curve;
and the second determining submodule is used for determining the upper and lower limit thresholds according to the mean value and the variance.
Optionally, the detection module includes:
the judgment submodule is used for judging whether the prediction error value at the current moment is in the range of the upper and lower limit thresholds or not;
a third determining submodule, configured to determine that the current-time actual value of the target flow is in an abnormal state if the current-time prediction error value is not within the range of the upper and lower threshold values, and send alarm information;
and the fourth determining submodule is used for determining that the current time actual value of the target flow is not in an abnormal state and not sending alarm information if the current time prediction error is within the range of the upper and lower limit thresholds.
Optionally, the prediction module is configured to:
and calculating the predicted value of the target flow at the current moment by dividing the actual value of the baseline flow at the current moment by the actual value of the baseline flow at the last moment and multiplying the result by the actual value of the target flow at the last moment.
Aiming at the prior art, the invention has the following advantages:
The invention provides an anomaly detection method and device. The current-time actual value of the baseline flow and the current-time actual value of the target flow are collected in real time; the current-time predicted value of the target flow is predicted from the last-time actual value of the baseline flow, the current-time actual value of the baseline flow and the last-time actual value of the target flow; the current-time prediction error value is calculated from the current-time actual value and the current-time predicted value of the target flow; and whether the current-time actual value of the target flow is in an abnormal state is detected from the current-time prediction error value and the upper and lower limit thresholds. In the invention, the upper and lower limit thresholds for monitoring the target flow are calculated in real time from the historical prediction error values, and the abnormal state of the current-time actual value of the target flow is detected from the current-time prediction error value and these thresholds, so that anomaly detection is performed against dynamic upper and lower limit thresholds and the false alarm rate generated during anomaly detection is reduced.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.
FIG. 1 is a flowchart illustrating steps of a method for detecting an anomaly according to a first embodiment of the present invention;
FIG. 2 is a flowchart illustrating the steps of a method for detecting an anomaly according to a second embodiment of the present invention;
FIG. 3 is a general block diagram of an anomaly detection method provided by an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an abnormality detection apparatus according to a third embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an abnormality detection apparatus according to a fourth embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The anomaly detection method and apparatus provided by the present invention will be described in detail below by exemplifying several specific embodiments.
Example one
The embodiment of the invention provides an anomaly detection method.
Referring to fig. 1, a flowchart illustrating steps of an anomaly detection method in an embodiment of the present invention is shown, which may specifically include the following steps:
In system operation and maintenance, the abnormal state of the target flow monitored by the system is detected and an alarm is sent to the system operation and maintenance personnel, so that they can maintain the system.
In the embodiment of the invention, the baseline flow can be a flow reflecting real user behavior. Real user behavior refers to behavior that cannot be simulated by a computer, so the baseline flow is not maliciously forged while it is being collected. For example, the baseline traffic may be authentication traffic, viewing traffic, or shopping traffic; the baseline traffic may be determined according to the actual situation, which is not limited by the embodiment of the present invention.
Step 102, acquiring the current-time actual value of the target flow.
In the embodiment of the invention, the target flow is the flow to be monitored by the system, that is, the flow whose abnormal state needs to be detected and reported to the system operation and maintenance personnel by alarm information. The monitored target traffic is traffic reflecting non-real user behavior. Non-real user behavior refers to behavior that a computer can completely simulate, so the target traffic may be maliciously forged while it is being collected; for example, the target traffic may be registration traffic or login traffic.
It should be noted that the baseline flow serves as a reference for measuring the target flow. In practice, the actual values of each baseline flow at every moment are stored in the system. Taking one baseline flow as an example: a time interval is first selected and the actual value of the baseline flow at each moment in that interval is obtained; for the target flow to be monitored by the system, the same time interval is selected and the actual value of the target flow at each moment in that interval is obtained; the correlation coefficient between the baseline flow and the target flow is then calculated from these actual values. The same method is applied to every baseline flow in the system to obtain its correlation coefficient with the target flow to be monitored. The embodiment of the invention can set a threshold for the correlation coefficient and compare each calculated correlation coefficient with it; the baseline flow whose correlation coefficient is larger than the threshold and is the largest of all the calculated correlation coefficients is taken as the reference for measuring the target flow to be monitored by the system.
It should be noted that the correlation coefficient is a statistical index reflecting how closely variables are correlated. It is calculated by the product-moment method: based on the deviations of the two variables from their respective means, the two deviations are multiplied to reflect the degree of correlation between the two variables. In the embodiment of the present invention, the correlation coefficient may be calculated by prior-art methods, which are not described in detail here. The value range of the correlation coefficient is 0-1; the threshold of the correlation coefficient set in the embodiment of the present invention may be 0.7, and its specific value may be set by system operation and maintenance personnel according to the actual situation, which is not limited in the embodiment of the present invention.
Step 103, predicting the predicted value of the target flow at the current moment according to the actual value of the baseline flow at the last moment, the actual value of the baseline flow at the current moment and the actual value of the target flow at the last moment.
The embodiment of the invention can obtain the actual value of the baseline flow at the last moment, the actual value of the baseline flow at the current moment and the actual value of the target flow at the last moment, divide the actual value of the baseline flow at the current moment by the actual value of the baseline flow at the last moment, and multiply the result by the actual value of the target flow at the last moment; the calculated result is the predicted value of the target flow at the current moment.
Step 104, calculating a prediction error value at the current moment according to the actual value at the current moment of the target flow and the predicted value at the current moment.
The embodiment of the invention can subtract the current-time predicted value of the target flow from the current-time actual value of the target flow; the calculation result is the current-time prediction error value of the target flow.
The historical prediction error value is a prediction error value at each moment before the current moment, and the upper and lower threshold values comprise an upper threshold value and a lower threshold value and are used for judging whether the prediction error value at the current moment of the target flow is between the upper threshold value and the lower threshold value.
For example, the upper and lower limit thresholds may be obtained by calling the Spark SQL offline analysis engine to execute a Gaussian distribution fitting algorithm. Spark SQL is the component of Spark used for computation on structured data.
Step 106, detecting whether the current time actual value of the target flow is in an abnormal state or not according to the current time prediction error value and the upper and lower limit thresholds.
The embodiment of the invention can detect the abnormal state of the prediction error value at the current moment by utilizing the upper and lower threshold values, thereby detecting whether the actual value of the target flow at the current moment is in the abnormal state.
In summary, in the embodiment of the present invention, the current-time actual value of the baseline flow and the current-time actual value of the target flow are collected in real time; the current-time predicted value of the target flow is predicted from the last-time actual value of the baseline flow, the current-time actual value of the baseline flow and the last-time actual value of the target flow; the current-time prediction error value is calculated from the current-time actual value and the current-time predicted value of the target flow; and whether the current-time actual value of the target flow is in an abnormal state is then detected from the current-time prediction error value and the upper and lower limit thresholds. In the invention, the upper and lower limit thresholds for monitoring the target flow are calculated in real time from the historical prediction error values, and the abnormal state of the current-time actual value of the target flow is detected from the current-time prediction error value and these thresholds, so that anomaly detection is performed against dynamic upper and lower limit thresholds and the false alarm rate generated during anomaly detection is reduced.
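The steps of this embodiment, together with the correlation-based choice of baseline flow, as an added Python sketch (it is not code from the patent). The 3-sigma width of the thresholds, the minimum history length and all sample series are assumptions or constructed values; the text only states that the thresholds are determined from the mean and variance of the fitted Gaussian.

```python
import math
from statistics import fmean, pstdev

CORR_THRESHOLD = 0.7  # example correlation threshold given in the description
K_SIGMA = 3.0         # assumption: the text does not give the width of the band
MIN_HISTORY = 5       # assumption: errors required before a fit is used

# Constructed per-interval request counts (not real data).
VIEWING = [100, 110, 120, 115, 130, 140, 135, 150, 160, 155, 170, 180]
SHOPPING = [50, 48, 53, 49, 51, 47, 52, 50, 49, 53, 48, 51]
LOGIN = [20, 23, 24, 22, 27, 28, 26, 31, 32, 30, 90, 36]  # index 10: forged burst


def pearson(xs, ys):
    """Product-moment correlation coefficient of two equally long series."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must have equal length >= 2")
    mx, my = fmean(xs), fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0  # a constant series carries no trend to compare
    return cov / math.sqrt(vx * vy)


def select_baseline(candidates, target, threshold=CORR_THRESHOLD):
    """Name of the candidate with the largest coefficient above threshold, else None."""
    best_name, best_r = None, threshold
    for name, series in candidates.items():
        r = pearson(series, target)
        if r > best_r:
            best_name, best_r = name, r
    return best_name


def predict(x1, x2, y1):
    """y2_estimate = x2 / x1 * y1; None when the last baseline value is zero."""
    if x1 == 0:
        return None
    return x2 / x1 * y1


def thresholds(errors, k=K_SIGMA):
    """Gaussian fit (maximum likelihood mean and std) turned into a band."""
    mu, sigma = fmean(errors), pstdev(errors)
    return mu - k * sigma, mu + k * sigma


def detect(baseline, target, k=K_SIGMA, min_history=MIN_HISTORY):
    """Return (t, error, lower, upper) for every moment judged abnormal."""
    history, alarms = [], []
    for t in range(1, len(target)):
        y_est = predict(baseline[t - 1], baseline[t], target[t - 1])
        if y_est is None:
            continue  # no ratio available for this moment
        error = target[t] - y_est
        if len(history) >= min_history:
            lower, upper = thresholds(history, k)
            if not lower <= error <= upper:
                alarms.append((t, error, lower, upper))
        # Every error, abnormal or not, joins the history, as the text defines it.
        history.append(error)
    return alarms


if __name__ == "__main__":
    window = 10  # correlation is measured on the moments before the burst
    name = select_baseline(
        {"shopping": SHOPPING[:window], "viewing": VIEWING[:window]},
        LOGIN[:window],
    )
    print("baseline:", name)
    for t, err, lo, hi in detect(VIEWING, LOGIN):
        print(f"t={t} error={err:.2f} outside [{lo:.2f}, {hi:.2f}]")
```

On the constructed series both the burst at index 10 and the return to normal at index 11 fall outside the band, because the predictor scales the previous target value and the burst's own error has already widened the thresholds.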
Example two
The embodiment of the invention provides an anomaly detection method.
Referring to fig. 2, a flowchart illustrating steps of an anomaly detection method according to an embodiment of the present invention is shown, which may specifically include the following steps:
In system operation and maintenance, the abnormal state of the target flow monitored by the system is detected and an alarm is sent to the system operation and maintenance personnel, so that they can maintain the system.
In the embodiment of the invention, the baseline flow can be a flow reflecting real user behavior. Real user behavior refers to behavior that cannot be simulated by a computer, so the baseline flow is not maliciously forged while it is being collected. For example, the baseline traffic may be authentication traffic, viewing traffic, or shopping traffic; the baseline traffic may be determined according to the actual situation, which is not limited by the embodiment of the present invention.
In practical application, the embodiment of the invention can acquire the current-time actual value of the baseline flow with the intelligent alarm device; specifically, the Spark Streaming stream analysis engine is mainly used to acquire the current-time actual value of the baseline flow and store it in a MySQL database in the intelligent alarm device.
Spark Streaming is a real-time computing framework built on Spark. Through the rich application programming interface (API) that Spark Streaming provides and the memory-based high-speed execution engine, a user can combine streaming, batch processing and interactive query applications to process real-time streaming data with high throughput and a fault-tolerance mechanism. It supports acquiring data from various data sources, can process the acquired data with complex algorithms expressed as high-level functions, and stores the processing results in file systems, databases and live dashboards. MySQL is a relational database management system; a relational database stores data in different tables, and MySQL has the characteristics of small size, high speed and low cost.
In the embodiment of the invention, the target flow is the flow to be monitored by the system, that is, the flow whose abnormal state needs to be detected and reported to the system operation and maintenance personnel by alarm information. The monitored target traffic is traffic reflecting non-real user behavior. Non-real user behavior refers to behavior that a computer can completely simulate, so the target traffic may be maliciously forged while it is being collected; for example, the target traffic may be registration traffic or login traffic.
It should be noted that the baseline flow serves as a reference for measuring the target flow. In practice, the actual values of each baseline flow at every moment are stored in the system. Taking one baseline flow as an example: a time interval is first selected and the actual value of the baseline flow at each moment in that interval is obtained; for the target flow to be monitored by the system, the same time interval is selected and the actual value of the target flow at each moment in that interval is obtained; the correlation coefficient between the baseline flow and the target flow is then calculated from these actual values. The same method is applied to every baseline flow in the system to obtain its correlation coefficient with the target flow to be monitored. The embodiment of the invention can set a threshold for the correlation coefficient and compare each calculated correlation coefficient with it; the baseline flow whose correlation coefficient is larger than the threshold and is the largest of all the calculated correlation coefficients is taken as the reference for measuring the target flow to be monitored by the system.
It should be noted that the correlation coefficient is a statistical index reflecting how closely variables are correlated. It is calculated by the product-moment method: based on the deviations of the two variables from their respective means, the two deviations are multiplied to reflect the degree of correlation between the two variables. In the embodiment of the present invention, the correlation coefficient may be calculated by prior-art methods, which are not described in detail here. The value range of the correlation coefficient is 0-1; the threshold of the correlation coefficient set in the embodiment of the present invention may be 0.7, and its specific value may be set by system operation and maintenance personnel according to the actual situation, which is not limited in the embodiment of the present invention.
In practical application, the embodiment of the invention can also acquire the current-time actual value of the target flow through the bypass in the intelligent alarm device; specifically, the Spark Streaming stream analysis engine is mainly used to acquire the current-time actual value of the target flow and store it in the MySQL database in the intelligent alarm device. MySQL is a relational database management system; a relational database stores data in different tables, and MySQL has the characteristics of small size, high speed and low cost.
Step 203, predicting the predicted value of the target flow at the current moment according to the actual value of the baseline flow at the last moment, the actual value of the baseline flow at the current moment and the actual value of the target flow at the last moment.
In the embodiment of the invention, the current-time predicted value of the target flow can be predicted with the predictor. Specifically, the last-time actual value of the baseline flow, the current-time actual value of the baseline flow and the last-time actual value of the target flow are obtained; the current-time actual value of the baseline flow is divided by the last-time actual value of the baseline flow and the result is multiplied by the last-time actual value of the target flow; the calculated result is the current-time predicted value of the target flow. For example, if the last-time actual value of the baseline flow is x1, the current-time actual value of the baseline flow is x2, the last-time actual value of the target flow is y1, and the current-time predicted value of the target flow is y2_estimate, then y2_estimate is calculated according to the formula y2_estimate = x2/x1 * y1. The proportional coefficient x2/x1 in the formula is determined by the current-time actual value and the last-time actual value of the baseline flow. Because the target flow monitored by the system in the embodiment of the invention is a flow correlated with the baseline flow, the trend of the acquired actual values of the baseline flow over time is basically consistent with the trend of the acquired actual values of the target flow over time, so the current-time value of the target flow can be predicted from the proportional coefficient x2/x1 and the last-time actual value y1 of the target flow.
For example, the embodiment of the present invention may perform statistical analysis on the acquired actual values of the baseline flow and of the target flow at each moment to form a baseline curve and a target curve respectively, where the data point at each moment on the baseline curve and the target curve is the acquired actual value of the baseline flow and of the target flow at that moment. For example, the time interval set in the embodiment of the present invention is 1 second; if the current time t1 is thirteen minutes and six seconds, the actual value of the baseline flow at time t1 on the baseline curve is x2, and the actual value of the target flow at time t1 on the target curve is y2. In the embodiment of the present invention, the last time is the moment before the current time; when the last time t0 is 10:36:05, the actual value of the baseline flow at time t0 on the baseline curve is x1, and the actual value of the target flow at time t0 on the target curve is y1. Then, according to the formula y2_estimate = x2/x1 * y1, the calculated y2_estimate is the current-time predicted value of the target flow.
It should be noted that the predictor provided in the embodiment of the present invention is a functional module for predicting the current-time predicted value of the target flow to be monitored; it works by calculating the current-time predicted value of the target flow with the above formula y2_estimate = x2/x1 * y1.
It should be noted that, in the embodiment of the present invention, the last-time actual value of the baseline traffic and the last-time actual value of the target traffic may be read from the MySQL database, which stores the acquired actual values of the baseline traffic and of the target traffic at each moment. The interval between moments may be set according to the actual situation, which is not limited in the embodiment of the present invention.
Step 204, calculating a prediction error value at the current moment according to the actual value at the current moment of the target flow and the predicted value at the current moment.
In the embodiment of the invention, the acquired actual value of the target flow at the current moment is read from the mysql database, and the prediction error value at the current moment is calculated according to the actual value of the target flow at the current moment and the predicted value of the target flow at the current moment. That is, the current-time predicted value of the target flow is subtracted from the current-time actual value of the target flow, and the calculation result is the current-time prediction error value of the target flow.
For example, if the current-time prediction error value is error, according to the example given in step 103, the current-time prediction error value is the difference between the current-time actual value y2 of the target flow and the current-time predicted value y2_estimate. That is, the current-time prediction error value of the target flow may be calculated according to the formula error = y2 - y2_estimate.
In the embodiment of the invention, historical prediction error values are obtained from a mysql database, wherein the historical prediction error values comprise at least one prediction error value, and the historical prediction error values are prediction error values of all moments before the current moment.
Step 206, adopting a Gaussian model to perform Gaussian distribution curve fitting on the historical prediction error value.
In practical applications, a gaussian model refers to a model formed by accurately quantizing objects with a gaussian probability density function and decomposing one object into a plurality of objects based on the gaussian probability density function. The gaussian distribution curve is also the normal distribution curve.
In practice, the mean and variance may be determined in the fitted gaussian distribution curve.
Step 208, determining the upper and lower limit thresholds according to the mean and the variance.
In the embodiment of the invention, the upper and lower limit thresholds can be calculated according to the determined mean and variance. The thresholds can be set at 1 times the variance, 2 times the variance, 3 times the variance and so on; the multiple of the variance can be chosen according to the actual situation, and the embodiment of the invention does not limit it.
For example, taking 1 times the variance, the upper limit threshold is the mean plus 1 times the variance, and the lower limit threshold is the mean minus 1 times the variance. Taking 2 times the variance, the upper limit threshold is the mean plus 2 times the variance, and the lower limit threshold is the mean minus 2 times the variance.
Step 210, if the current time prediction error value is not in the range of the upper and lower limit thresholds, determining that the current time actual value of the target flow is in an abnormal state, and sending alarm information.
Step 211, if the prediction error at the current moment is in the range of the upper and lower limit thresholds, determining that the actual value at the current moment of the target flow is not in an abnormal state, and not sending alarm information.
The embodiment of the invention can detect the abnormal state of the prediction error value at the current moment by utilizing the upper and lower threshold values, thereby detecting whether the actual value of the target flow at the current moment is in the abnormal state.
Specifically, it is determined whether the prediction error value at the current time is within the range of the upper and lower threshold values. And if the prediction error value at the current moment is not in the range of the upper and lower limit thresholds, namely the prediction error value at the current moment is greater than the upper limit threshold, or the prediction error value at the current moment is less than the lower limit threshold, determining that the actual value at the current moment of the target flow is in an abnormal state, and further sending alarm information to system operation and maintenance personnel by the intelligent alarm device. If the prediction error at the current moment is in the range of the upper and lower limit thresholds, namely, the prediction error at the current moment is greater than the lower limit threshold and less than the upper limit threshold, the actual value at the current moment of the target flow is determined not to be in an abnormal state, and the intelligent alarm device does not send alarm information.
For example, the embodiment of the present invention may perform statistical analysis on the actual value of the acquired target flow at each time to form a target curve, and may reflect which times of the target flow are abnormal according to the trend of the target curve. For example, when the current time prediction error value is greater than the upper limit threshold, the current time value of the target flow is in an abnormal state, and the target curve has a sharp increase trend; when the prediction error value at the current moment is smaller than the lower limit threshold, the current moment value of the target flow is in an abnormal state, and the target curve is in a decreasing trend.
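The steps above (ratio prediction, prediction error, Gaussian fit of the historical errors, threshold check) can be run end to end as follows. This is an added example, not code from the patent: the names `Detector`, `predict_target`, `thresholds`, the warm-up length `min_history` and the sample series are assumptions, and the default band uses the standard deviation as the spread (the page's wording, "variance", is available with `spread="variance"`).

```python
"""Ratio predictor with Gaussian error thresholds (illustrative sketch)."""
from dataclasses import dataclass, field
from statistics import fmean, pvariance
from typing import List, Optional, Sequence, Tuple


def predict_target(x1: float, x2: float, y1: float) -> Optional[float]:
    """y2_estimate = x2 / x1 * y1; None when the previous baseline value is 0."""
    if x1 == 0:
        return None  # ratio undefined, no prediction possible for this step
    return x2 / x1 * y1


def thresholds(errors: Sequence[float], k: float = 3.0,
               spread: str = "std") -> Tuple[float, float]:
    """Fit a Gaussian (mean, variance) to past errors and return (lower, upper)."""
    if spread not in ("std", "variance"):
        raise ValueError("spread must be 'std' or 'variance'")
    mean = fmean(errors)
    var = pvariance(errors, mu=mean)
    # Assumption: 'std' reads the k-times band as k standard deviations;
    # 'variance' follows the page's wording literally.
    width = k * (var ** 0.5 if spread == "std" else var)
    return mean - width, mean + width


@dataclass
class Detector:
    k: float = 3.0
    min_history: int = 5          # assumed warm-up before thresholds are trusted
    spread: str = "std"
    history: List[float] = field(default_factory=list)
    prev: Optional[Tuple[float, float]] = None

    def observe(self, x2: float, y2: float) -> Optional[dict]:
        """Feed one (baseline, target) sample; None if no prediction was possible."""
        prev, self.prev = self.prev, (x2, y2)
        if prev is None:
            return None
        estimate = predict_target(prev[0], x2, prev[1])
        if estimate is None:
            return None
        error = y2 - estimate
        verdict = {"estimate": estimate, "error": error,
                   "lower": None, "upper": None, "anomaly": False}
        if len(self.history) >= self.min_history:
            lower, upper = thresholds(self.history, self.k, self.spread)
            verdict.update(lower=lower, upper=upper,
                           anomaly=error > upper or error < lower)
        # Historical errors are all errors before the current moment,
        # so the current error joins the history only after the check.
        self.history.append(error)
        return verdict


# Constructed sample: (baseline, target) per interval; target is about 10% of
# baseline except for a one-interval burst at index 7.
SAMPLES = [
    (1000, 100), (1100, 111), (1200, 120), (1150, 116), (1250, 125),
    (1300, 131), (1280, 128), (1300, 260), (1310, 131), (1320, 133),
]


def run(samples, **kwargs) -> List[int]:
    """Return the indices of samples whose prediction error left the band."""
    detector = Detector(**kwargs)
    flagged = []
    for index, (baseline, target) in enumerate(samples):
        verdict = detector.observe(baseline, target)
        if verdict and verdict["anomaly"]:
            flagged.append(index)
    return flagged


if __name__ == "__main__":
    print(run(SAMPLES))
```

The single burst at index 7 produces two alerts: the prediction for index 8 is scaled from the inflated previous target value, so the return to normal shows up as a large negative error. Because every error enters the history, the burst also widens the band for the intervals that follow.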
It should be noted that, in the embodiment of the present invention, the spark streaming analysis engine is used to complete the calculation of the historical prediction error value and the current prediction error value, so that the spark streaming analysis engine is used to complete the functions of anomaly detection and sending the alarm information. Fig. 3 is a general block diagram of an anomaly detection method according to an embodiment of the present invention, and as shown in fig. 3, a website server transmits a user request to an alarm server according to an embodiment of the present invention through a kafka tool, completes monitoring of actual values at each time of a baseline flow and a target flow, that is, monitoring data in the graph, through a spark streaming analysis engine, and stores the monitoring data in a mysql database, where the user request is a kafka data flow. When the acquired actual value of the target flow at the current moment is subjected to abnormity detection, the actual value of the baseline flow at the previous moment and the actual value of the baseline flow at the current moment are acquired from the mysql database, the actual value of the target flow at the previous moment and the actual value of the target flow at the current moment are acquired, the predicted value of the target flow at the current moment is predicted by adopting the predictor, then, the predicted error value at the current moment is calculated according to the actual value of the target flow at the current moment and the predicted value at the current moment, and the predicted error value is stored in the mysql database. 
Then the historical prediction error values are acquired from the mysql database, and a prediction error model is trained on them by calling the spark sql offline analysis engine to execute the Gaussian distribution fitting algorithm, which yields the upper and lower limit thresholds. The upper and lower limit thresholds are stored in the mysql database. The spark streaming analysis engine compares the current prediction error value with the upper and lower limit thresholds and, when it detects that the current prediction error value is not between them, calls an API (application programming interface) to send an alarm request to the unified alarm platform.
Spark streaming is a real-time computing framework built on spark. Through the rich API it provides and its memory-based high-speed execution engine, a user can combine streaming, batch processing and interactive query applications to process real-time streaming data with high throughput and fault tolerance. It supports acquiring data from a variety of data sources, and after the data is acquired, complex algorithmic processing can be performed using high-level functions. Finally, the processing results can be stored in file systems, databases and live dashboards.
In summary, in the embodiment of the present invention, the historical prediction error value may be obtained; the historical prediction error values comprise at least one prediction error value; adopting a Gaussian model to perform Gaussian distribution curve fitting on the historical prediction error value; determining a mean and a variance of the Gaussian distribution curve; and determining the upper and lower limit thresholds according to the mean and the variance. Therefore, the accuracy of the upper and lower limit thresholds can be further improved.
In addition, in the embodiment of the present invention, it may also be determined whether the current time prediction error value is within the range of the upper and lower limit thresholds; if the current time prediction error value is not in the range of the upper and lower limit threshold values, determining that the current time actual value of the target flow is in an abnormal state, and sending alarm information; and if the prediction error at the current moment is within the range of the upper and lower limit thresholds, determining that the actual value of the target flow at the current moment is not in an abnormal state, and not sending alarm information. Therefore, the false alarm rate generated when the abnormity is detected can be further reduced.
Example three
The embodiment of the invention provides an abnormality detection device.
Referring to fig. 4, a block diagram of an abnormality detection apparatus in an embodiment of the present invention is shown.
The abnormality detection apparatus 400 according to the embodiment of the present invention includes:
the functions of the modules and the interaction relationship between the modules are described in detail below.
The first collecting module 401 is configured to collect a current actual value of the baseline flow.
And a second collecting module 402, configured to collect a current-time actual value of the target flow.
The predicting module 403 is configured to predict a predicted value of the target flow at the current time according to the actual value of the baseline flow at the last time, the actual value of the baseline flow at the current time, and the actual value of the target flow at the last time.
A first calculating module 404, configured to calculate a current-time prediction error value according to the current-time value of the target flow and the predicted value.
A second calculating module 405, configured to calculate a current-time prediction error value according to the current-time value of the target flow and the predicted value.
And the detection module 406 is configured to detect whether the current-time actual value of the target flow is in an abnormal state according to the current-time prediction error value and the upper and lower limit thresholds.
In summary, in the embodiment of the present invention, the current-time actual value of the baseline flow and the current-time actual value of the target flow are collected in real time, the current-time predicted value of the target flow is predicted according to the previous-time actual value of the baseline flow, the current-time actual value of the baseline flow and the previous-time actual value of the target flow, the current-time predicted value of the target flow is calculated by using the current-time actual value of the target flow and the current-time predicted value, and then whether the current-time value of the target flow is in an abnormal state is detected by using the current-time predicted value and the upper and lower limit thresholds. According to the invention, the upper and lower limit thresholds for monitoring the target flow are calculated in real time through the historical prediction error value, and the abnormal state of the current time actual value of the target flow is detected through the current time prediction error value and the upper and lower limit thresholds of the target flow, so that the purpose of performing abnormal detection according to the dynamic upper and lower limit thresholds is realized, and the false alarm rate generated during abnormal detection is reduced.
Example four
The embodiment of the invention provides an abnormality detection device.
Referring to fig. 5, a block diagram of an abnormality detection apparatus in an embodiment of the present invention is shown.
The abnormality detection apparatus 500 according to the embodiment of the present invention includes:
the functions of the modules and the interaction relationship between the modules are described in detail below.
The first collecting module 501 is configured to collect a current actual value of the baseline flow.
And a second collecting module 502, configured to collect a current actual value of the target flow.
A predicting module 503, configured to predict a predicted value of the target flow at the current time according to the actual value of the baseline flow at the last time, the actual value of the baseline flow at the current time, and the actual value of the target flow at the last time. Optionally, in an embodiment of the present invention, the predicting module 403 is configured to: and calculating the predicted value of the target flow at the current moment by dividing the current moment value of the baseline flow by the last moment value of the baseline flow and then multiplying the current moment value of the target flow by the current moment value of the target flow.
A first calculating module 504, configured to calculate a current-time prediction error value according to the current-time value of the target flow and the predicted value.
And a second calculating module 505, configured to calculate a prediction error value at the current time according to the current time value of the target flow and the predicted value. Optionally, in an embodiment of the present invention, the second calculating module 505 further includes: an acquisition submodule 5051 for acquiring the historical prediction error value; the historical prediction error values include at least one prediction error value. A curve fitting submodule 5052 for performing gaussian distribution curve fitting on the historical prediction error value using a gaussian model. A first determination sub-module 5053 determines the mean and variance of the gaussian. A second determining sub-module 5054 is configured to determine the upper and lower threshold values according to the mean and the variance.
A detecting module 506, configured to detect whether the current-time actual value of the target flow is in an abnormal state according to the current-time prediction error value and the upper and lower threshold values. Optionally, in an embodiment of the present invention, the detecting module 506 further includes: the determining submodule 5061 is configured to determine whether the current prediction error value is within the range of the upper and lower threshold values. A third determining submodule 5062, configured to determine that the current-time actual value of the target flow is in an abnormal state if the current-time prediction error value is not within the range of the upper and lower threshold values, and send alarm information. A fourth determining submodule 5063, configured to determine that the current-time actual value of the target flow is not in an abnormal state and does not send alarm information if the current-time prediction error is within the range of the upper and lower limit thresholds.
In summary, in the embodiment of the present invention, the historical prediction error value may be obtained; the historical prediction error values comprise at least one prediction error value; adopting a Gaussian model to perform Gaussian distribution curve fitting on the historical prediction error value; determining a mean and a variance of the Gaussian distribution curve; and determining the upper and lower limit thresholds according to the mean and the variance. Therefore, the accuracy of the upper and lower limit thresholds can be further improved.
In addition, in the embodiment of the present invention, it may also be determined whether the current time prediction error value is within the range of the upper and lower limit thresholds; if the current time prediction error value is not in the range of the upper and lower limit threshold values, determining that the current time actual value of the target flow is in an abnormal state, and sending alarm information; and if the prediction error at the current moment is within the range of the upper and lower limit thresholds, determining that the actual value of the target flow at the current moment is not in an abnormal state, and not sending alarm information. Therefore, the false alarm rate generated when the abnormity is detected can be further reduced.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (8)
1. An anomaly detection method is applied to system operation and maintenance, and is characterized by comprising the following steps:
acquiring a current moment actual value of the baseline flow; the baseline traffic is traffic reflecting real user behavior;
acquiring a current moment actual value of target flow; the target traffic is traffic reflecting non-real user behavior;
predicting a predicted value of the target flow at the current moment according to the actual value of the baseline flow at the last moment, the actual value of the baseline flow at the current moment and the actual value of the target flow at the last moment;
calculating a prediction error value at the current moment according to the actual value at the current moment of the target flow and the predicted value at the current moment;
calculating an upper limit threshold and a lower limit threshold according to the historical prediction error value; the historical prediction error value is a prediction error value at each moment before the current moment;
and detecting whether the current time actual value of the target flow is in an abnormal state or not according to the current time prediction error value and the upper and lower limit thresholds.
2. The method of claim 1, wherein the step of calculating an upper and lower threshold based on historical prediction error values comprises:
obtaining the historical prediction error value; the historical prediction error values comprise at least one prediction error value;
adopting a Gaussian model to perform Gaussian distribution curve fitting on the historical prediction error value;
determining a mean and a variance of the Gaussian distribution curve;
and determining the upper and lower limit thresholds according to the mean and the variance.
3. The method according to claim 2, wherein the step of detecting whether the current-time actual value of the target flow rate is in an abnormal state according to the current-time prediction error value and the upper and lower limit thresholds comprises:
judging whether the current time prediction error value is within the range of the upper and lower limit thresholds or not;
if the current time prediction error value is not in the range of the upper and lower limit threshold values, determining that the current time actual value of the target flow is in an abnormal state, and sending alarm information;
and if the prediction error at the current moment is within the range of the upper and lower limit thresholds, determining that the actual value of the target flow at the current moment is not in an abnormal state, and not sending alarm information.
4. The method according to claim 1, wherein the step of predicting the predicted value of the target flow at the current time based on the actual value of the baseline flow at the previous time, the actual value of the baseline flow at the current time, and the actual value of the target flow at the previous time comprises:
and calculating the predicted value of the target flow at the current moment by dividing the actual value of the baseline flow at the current moment by the actual value of the baseline flow at the previous moment and multiplying the actual value of the target flow at the current moment.
5. An abnormality detection device characterized by comprising:
the first acquisition module is used for acquiring the current-time actual value of the baseline flow; the baseline traffic is traffic reflecting real user behavior;
the second acquisition module is used for acquiring the current actual value of the target flow; the target traffic is traffic reflecting non-real user behavior;
the prediction module is used for predicting a predicted value of the target flow at the current moment according to the actual value of the baseline flow at the last moment, the actual value of the baseline flow at the current moment and the actual value of the target flow at the last moment;
the first calculation module is used for calculating a prediction error value at the current moment according to the current moment value of the target flow and the prediction value;
the second calculation module is used for calculating an upper limit threshold and a lower limit threshold according to the historical prediction error value; the historical prediction error value is a prediction error value at each moment before the current moment;
and the detection module is used for detecting whether the current time actual value of the target flow is in an abnormal state or not according to the current time prediction error value and the upper and lower limit thresholds.
6. The apparatus of claim 5, wherein the second computing module comprises:
an obtaining submodule for obtaining the historical prediction error value; the historical prediction error values comprise at least one prediction error value;
the curve fitting submodule is used for carrying out Gaussian distribution curve fitting on the historical prediction error value by adopting a Gaussian model;
the first determining submodule is used for determining the mean value and the variance of the Gaussian distribution curve;
and the second determining submodule is used for determining the upper and lower limit thresholds according to the mean value and the variance.
7. The apparatus of claim 6, wherein the detection module comprises:
the judgment submodule is used for judging whether the prediction error value at the current moment is in the range of the upper and lower limit thresholds or not;
a third determining submodule, configured to determine that the current-time actual value of the target flow is in an abnormal state if the current-time prediction error value is not within the range of the upper and lower threshold values, and send alarm information;
and the fourth determining submodule is used for determining that the current time actual value of the target flow is not in an abnormal state and not sending alarm information if the current time prediction error is within the range of the upper and lower limit thresholds.
8. The apparatus of claim 5, wherein the prediction module is configured to:
and calculating the predicted value of the target flow at the current moment by dividing the current moment value of the baseline flow by the last moment value of the baseline flow and then multiplying the current moment value of the target flow by the current moment value of the target flow.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710481863.9A CN107086944B (en) | 2017-06-22 | 2017-06-22 | Anomaly detection method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710481863.9A CN107086944B (en) | 2017-06-22 | 2017-06-22 | Anomaly detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107086944A (en) | 2017-08-22 |
CN107086944B (en) | 2020-04-21 |
Family
ID=59606416
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710481863.9A Active CN107086944B (en) | 2017-06-22 | 2017-06-22 | Anomaly detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107086944B (en) |
Families Citing this family (36)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109427177B (en) * | 2017-08-25 | 2020-12-22 | 贵州白山云科技股份有限公司 | Monitoring alarm method and device |
CN107508815B (en) * | 2017-08-30 | 2020-09-11 | 杭州安恒信息技术股份有限公司 | Early warning method and device based on website traffic analysis |
CN108089962A (en) * | 2017-11-13 | 2018-05-29 | 北京奇艺世纪科技有限公司 | A kind of method for detecting abnormality, device and electronic equipment |
CN107864063B (en) * | 2017-12-12 | 2021-09-17 | 北京奇艺世纪科技有限公司 | Abnormity monitoring method and device and electronic equipment |
CN109960905B (en) * | 2017-12-14 | 2020-11-03 | 北京京东尚科信息技术有限公司 | Information processing method, system, medium, and electronic device |
CN108920336B (en) * | 2018-05-25 | 2021-10-15 | 麒麟合盛网络技术股份有限公司 | Service abnormity prompting method and device based on time sequence |
CN108880931B (en) * | 2018-05-29 | 2020-10-30 | 北京百度网讯科技有限公司 | Method and apparatus for outputting information |
CN108965055B (en) * | 2018-07-17 | 2021-07-13 | 成都信息工程大学 | Network flow abnormity detection method based on historical time point taking method |
CN109039821A (en) * | 2018-08-21 | 2018-12-18 | 平安科技(深圳)有限公司 | Network flow monitoring method, device, computer equipment and storage medium |
CN109932009B (en) * | 2018-08-31 | 2020-12-29 | 滁州市智慧水务科技有限公司 | Distributed tap water pipe network loss monitoring system and method |
CN110896357B (en) * | 2018-09-13 | 2022-06-28 | 中国电信股份有限公司 | Flow prediction method, device and computer readable storage medium |
CN109726075B (en) * | 2018-11-30 | 2022-10-14 | 深圳市创梦天地科技有限公司 | Abnormal data index analysis method and device |
CN109768995B (en) * | 2019-03-06 | 2021-08-13 | 国网甘肃省电力公司电力科学研究院 | Network flow abnormity detection method based on cyclic prediction and learning |
CN112188531B (en) * | 2019-07-01 | 2022-12-27 | 中国移动通信集团浙江有限公司 | Abnormality detection method, abnormality detection device, electronic apparatus, and computer storage medium |
CN110635947A (en) * | 2019-09-20 | 2019-12-31 | 曹严清 | Abnormal access monitoring method and device |
WO2021056435A1 (en) * | 2019-09-27 | 2021-04-01 | 华为技术有限公司 | Method and apparatus for abnormality detection |
CN110830450A (en) * | 2019-10-18 | 2020-02-21 | 平安科技(深圳)有限公司 | Abnormal flow monitoring method, device and equipment based on statistics and storage medium |
CN111027477B (en) * | 2019-12-10 | 2021-05-28 | 珠海读书郎网络教育有限公司 | Online flat learning degree early warning method based on facial recognition |
CN113010389B (en) * | 2019-12-20 | 2024-03-01 | 阿里巴巴集团控股有限公司 | Training method, fault prediction method, related device and equipment |
CN111006741B (en) * | 2019-12-25 | 2022-04-08 | 中国南方电网有限责任公司超高压输电公司广州局 | Oil level abnormity detection method and system for oil-immersed transformer body |
CN111125195B (en) * | 2019-12-25 | 2023-09-08 | 亚信科技(中国)有限公司 | Data anomaly detection method and device |
CN111046582A (en) * | 2019-12-27 | 2020-04-21 | 大亚湾核电运营管理有限责任公司 | Nuclear power station diesel generating set coil temperature early warning method and system |
CN111163092A (en) * | 2019-12-30 | 2020-05-15 | 深信服科技股份有限公司 | Flow abnormity detection method, device, equipment and storage medium |
CN111143169B (en) * | 2019-12-30 | 2024-02-27 | 杭州迪普科技股份有限公司 | Abnormal parameter detection method and device, electronic equipment and storage medium |
CN111447193B (en) * | 2020-03-23 | 2022-11-04 | 网宿科技股份有限公司 | Method and device for anomaly detection of real-time data stream |
CN111740865B (en) * | 2020-06-23 | 2022-09-02 | 北京奇艺世纪科技有限公司 | Flow fluctuation trend prediction method and device and electronic equipment |
CN111884874B (en) * | 2020-07-15 | 2022-02-01 | 中国舰船研究设计中心 | Programmable data plane-based ship network real-time anomaly detection method |
CN112866260A (en) * | 2020-08-27 | 2021-05-28 | 黄天红 | Flow detection method combining cloud computing and user behavior analysis and big data center |
CN111931860B (en) * | 2020-09-01 | 2021-02-09 | 腾讯科技(深圳)有限公司 | Abnormal data detection method, device, equipment and storage medium |
CN112749410B (en) * | 2021-01-08 | 2022-02-25 | 广州锦行网络科技有限公司 | Database security protection method and device |
CN112948230A (en) * | 2021-03-31 | 2021-06-11 | 中国建设银行股份有限公司 | Data processing method and device based on machine room confidential air conditioner |
CN113254877A (en) * | 2021-05-18 | 2021-08-13 | 北京达佳互联信息技术有限公司 | Abnormal data detection method and device, electronic equipment and storage medium |
WO2023272520A1 (en) * | 2021-06-29 | 2023-01-05 | Siemens Aktiengesellschaft | Anomaly detection method and apparatus for industrial equipment, electronic device, and storage medium |
CN113554229A (en) * | 2021-07-23 | 2021-10-26 | 国网青海省电力公司信息通信公司 | Three-phase voltage unbalance abnormality detection method and device |
CN114564758A (en) * | 2022-04-28 | 2022-05-31 | 睿至科技集团有限公司 | Management method and system of operation and maintenance data |
CN116150288B (en) * | 2023-04-17 | 2023-07-07 | 山东工程职业技术大学 | Network data analysis processing system based on computer |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101534305A (en) * | 2009-04-24 | 2009-09-16 | 中国科学院计算技术研究所 | Method and system for detecting network flow exception |
CN101699787A (en) * | 2009-11-09 | 2010-04-28 | 南京邮电大学 | Worm detection method used for peer-to-peer network |
CN103281293A (en) * | 2013-03-22 | 2013-09-04 | 南京江宁台湾农民创业园发展有限公司 | Network flow rate abnormity detection method based on multi-dimension layering relative entropy |
CN103366091A (en) * | 2013-07-11 | 2013-10-23 | 西安交通大学 | Abnormal declare dutiable goods data detection method based on exponentially weighted average of multi-level threshold values |
CN103945442A (en) * | 2014-05-07 | 2014-07-23 | 东南大学 | System anomaly detection method based on linear prediction principle in mobile communication system |
CN104123334A (en) * | 2013-04-24 | 2014-10-29 | 波音公司 | Anomaly detection in chain-of-custody information |
CN104809134A (en) * | 2014-01-27 | 2015-07-29 | 国际商业机器公司 | Method and device for detecting abnormal subsequence in data sequences |
CN105049291A (en) * | 2015-08-20 | 2015-11-11 | 广东睿江科技有限公司 | Method for detecting network traffic anomaly |
CN105718715A (en) * | 2015-12-23 | 2016-06-29 | 华为技术有限公司 | Anomaly detection method and device |
CN105956734A (en) * | 2016-04-15 | 2016-09-21 | 广东轩辕网络科技股份有限公司 | Method and system for dynamically setting performance index threshold of IT equipment |
- 2017-06-22: CN application CN201710481863.9A, patent CN107086944B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN107086944A (en) | 2017-08-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107086944B (en) | Anomaly detection method and device | |
CN111045894B (en) | Database abnormality detection method, database abnormality detection device, computer device and storage medium | |
US10914608B2 (en) | Data analytic engine towards the self-management of complex physical systems | |
CN105718715B (en) | Method for detecting abnormality and equipment | |
CN111046564B (en) | Residual life prediction method for two-stage degraded product | |
CN113518011B (en) | Abnormality detection method and apparatus, electronic device, and computer-readable storage medium | |
CN111314173B (en) | Monitoring information abnormity positioning method and device, computer equipment and storage medium | |
CN110008247B (en) | Method, device and equipment for determining abnormal source and computer readable storage medium | |
CN116112292B (en) | Abnormal behavior detection method, system and medium based on network flow big data | |
CN110569166A (en) | Abnormality detection method, abnormality detection device, electronic apparatus, and medium | |
CN114297036A (en) | Data processing method and device, electronic equipment and readable storage medium | |
US20190164067A1 (en) | Method and device for monitoring a process of generating metric data for predicting anomalies | |
US11055382B2 (en) | Methods and systems that estimate a degree of abnormality of a complex system | |
CN115454778A (en) | Intelligent monitoring system for abnormal time sequence indexes in large-scale cloud network environment | |
CN110795324B (en) | Data processing method and device | |
CN110956278A (en) | Method and system for retraining machine learning models | |
CN114365094A (en) | Timing anomaly detection using inverted indices | |
JP5771317B1 (en) | Abnormality diagnosis apparatus and abnormality diagnosis method | |
Hussain et al. | Analyzing the performance of smart industry 4.0 applications on cloud computing systems | |
KR101960755B1 (en) | Method and apparatus of generating unacquired power data | |
CN115705413A (en) | Method and device for determining abnormal log | |
CN112380073A (en) | Fault position detection method and device and readable storage medium | |
CN111447193A (en) | Method and device for anomaly detection of real-time data stream | |
CN111258863A (en) | Data anomaly detection method, device, server and computer-readable storage medium | |
CN110263811B (en) | Equipment running state monitoring method and system based on data fusion |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||