CN108829794A - Alert analysis method based on interval graph - Google Patents

Publication number: CN108829794A
Other versions: CN108829794B (granted)
Application number: CN201810562364.7A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 郭宇春, 尹博艺, 郑宏云
Original and current assignee: Beijing Jiaotong University
Legal status: Granted, active
Keywords: alarm, alarm event, node, event, interval graph

Abstract

The present invention provides an alarm analysis method based on interval graphs. The method includes: converting all alarm events at the same location into an alarm event sequence ordered by alarm occurrence time, and building an alarm event interval graph from the degree of overlap of the alarm intervals of the alarm events in the sequence and from their order of occurrence; merging the alarm event interval graphs from different locations, merging all nodes of the same type of alarm event into one node, and assigning edge weights to the edges between the nodes of the merged alarm event interval graph to obtain the alarm interval graph; and, from the edge weights of the edges between the nodes of the alarm interval graph, obtaining the differences in association between alarm events by graph feature analysis. The method applies whether alarms are distributed uniformly or non-uniformly over the whole time series. It provides scientific guidance for reducing alarm redundancy, improving alarm effectiveness, and locating the root cause of faults.

Description

Alert analysis method based on interval graph
Technical field
The present invention relates to the technical field of alarm correlation analysis, and in particular to an alarm analysis method based on interval graphs.
Background
Traditional alarm correlation analysis usually treats the whole body of alarm data as one time series and applies a sliding time window: an alarm window width is set, and all alarms that fall within the same alarm time window are treated as simultaneous. There is, however, no standard for setting the window width and the sliding step; they are chosen by weighing the efficiency of mining alarm event sequence patterns against the accuracy of the mining results. For each new data set, therefore, a set of parameters generally has to be tried and compared repeatedly before a relatively suitable window width and step are selected. This time-window analysis is constrained by how the alarms are distributed and suits only the case where alarms are uniformly distributed over the whole time series. In practice, alarm density may be very high in some time regions while other regions contain no alarms at all, which produces many meaningless windows and empty windows.
Prior-art methods for mining alarm association patterns are all based on association algorithms such as Apriori and FP-growth. They generate an alarm association rule base that supplies the rules for alarm prediction and alarm correlation analysis functions.
The drawbacks of these prior-art mining methods are as follows. Besides the time-window problem described above, they concentrate on mining frequently occurring alarms and cannot find alarms that occur rarely but may be important. In addition, they offer no further presentation of correlated alarms, and the mined association rules lack a more intuitive means of visualization.
Summary of the invention
Embodiments of the present invention provide an alarm analysis method based on interval graphs, to overcome the drawbacks of the prior art.
To achieve the above object, the present invention adopts the following technical solutions.
An alarm analysis method based on interval graphs, including:
converting all alarm events at the same location into an alarm event sequence ordered by alarm occurrence time, treating each alarm event in the sequence as a node, and building an alarm event interval graph from the degree of overlap of the alarm intervals of the alarm events in the sequence and from their order of occurrence;
merging the alarm event interval graphs from different locations, merging all nodes of the same type of alarm event into one node, and assigning edge weights to the edges between the nodes of the merged alarm event interval graph to obtain the alarm interval graph;
obtaining, from the edge weights of the edges between the nodes of the alarm interval graph, the differences in association between alarm events by graph feature analysis.
Further, converting all alarm events at the same location into an alarm event sequence ordered by alarm occurrence time includes:
Each occurrence of an alarm of a given type is called an alarm event. At one location, an alarm event is uniquely determined by its alarm name, occurrence time and clearing time, and the time span from occurrence to clearing is called the alarm interval. The occurrence time of an alarm event is denoted $T_s$ and its clearing time $T_e$; the position of the alarm event in the alarm event sequence is denoted $k$, and the alarm name of alarm event $k$ is denoted $m_k$. Each alarm event is represented by a four-tuple $(k, m_k, T_s, T_e)$. Alarm events with the same alarm name are alarms of the same type, and alarm events of the same type have the same alarm level;
The alarm events at the same location are converted, in order of alarm occurrence time, into the alarm event sequence $S = \{(1, m_1, T_{s1}, T_{e1}), (2, m_2, T_{s2}, T_{e2}), \ldots, (k, m_k, T_{sk}, T_{ek})\}$, in which an alarm event that occurs earlier has a lower sequence number than one that occurs later.
Further, treating each alarm event in the alarm event sequence as a node and building the alarm event interval graph from the degree of overlap of the alarm intervals and the order of occurrence of the alarm events in the sequence includes:
Each alarm event in the alarm event sequence is treated as a node and numbered consecutively in order of occurrence. The number is denoted $k$ and the corresponding alarm name $m_k$, and the node corresponding to the alarm event is named $km_k$;
Two alarm events $(a, m_a, T_{sa}, T_{ea})$ and $(b, m_b, T_{sb}, T_{eb})$ with $a < b$ are chosen from the alarm event sequence. If the period from $T_{sa}$ to $T_{ea}$ and the period from $T_{sb}$ to $T_{eb}$ overlap in time, the alarm intervals of the two alarm events are judged to overlap, and a directed edge $(am_a, bm_b)$ is established from node $am_a$ to node $bm_b$; otherwise no directed edge from node $am_a$ to node $bm_b$ is established;
Every pair of alarm events in the alarm event sequence is traversed. Whenever the alarm intervals of a pair are judged to overlap, a directed edge is established from the lower-numbered node of the pair to the higher-numbered node, and each edge between alarm events is assigned an edge weight according to the degree of overlap of their alarm intervals, which completes the alarm event interval graph.
Further, merging the alarm event interval graphs from different locations and merging all nodes of the same type of alarm event into one node to obtain the alarm interval graph includes:
For K locations where alarm events occur, the alarm event interval graph of each location is obtained, and the K alarm event interval graphs are merged. In the merged graph, all nodes of the same type of alarm event are merged into one node. If, before merging, at least one pair of nodes belonging to two types of alarm event is connected by an edge, an edge is established between the two merged nodes for those types. Edge weights are then assigned to the edges between the nodes of the merged alarm event interval graph, which gives the alarm interval graph.
Further, assigning edge weights to the edges between the nodes of the merged alarm event interval graph includes:
The edge weight function for the edge between a pair of nodes in the alarm interval graph is determined jointly by the number of occurrences of the alarm events corresponding to the pair of nodes, the number of edges between the alarm event nodes, and the edge weights of the corresponding edges between nodes in the alarm event interval graphs;
Assume that the edge weight $P_{ab}$ of the edge between a pair of nodes in the alarm interval graph is calculated as follows:
$\sum g_{(a,b)}(D)$ denotes the sum of the edge weights of all directed edges from class-a alarm events to class-b alarm events in the alarm event interval graphs, $f_{(a,b)}$ denotes the number of directed edges from class-a alarm events to class-b alarm events in the alarm event interval graphs, and $f_a$ and $f_b$ denote the numbers of occurrences of class-a and class-b alarm events respectively.
Further, assigning edge weights to the edges between the nodes of the merged alarm event interval graph also includes:
Different types of alarm event are given different levels, and a weight function based on the alarm event level is defined. The weight function value for the edge between a pair of nodes in the alarm interval graph is calculated with this weight function, and the edge between the pair of nodes is assigned an edge weight according to that value.
Further, obtaining the differences in association between alarm events by graph feature analysis, from the edge weights of the edges between the nodes of the alarm interval graph, includes:
The strength of the association between the two types of alarm joined by an edge is judged from the edge weight of that edge in the alarm interval graph: the larger the edge weight, the stronger the association between the two types of alarm that the edge joins;
According to the differences in association between alarm events, the binary association between alarm events is determined from the edge weights of the edges between nodes and is divided into 3 types: causal, concurrent and independent. A pair of alarms whose edge weight is below a set threshold, and a pair of alarms with no edge between them, are determined to be a pair of alarms in an independent relationship;
The symmetry coefficient R is defined as $R = \min(P_{ab}, P_{ba}) / \max(P_{ab}, P_{ba})$, where $P_{ab}$ and $P_{ba}$ are the weights of the directed edges $(m_a, m_b)$ and $(m_b, m_a)$ in the alarm interval graph. When the difference between R and 1 is less than a set value, the relationship between alarm type a and alarm type b is determined to be a concurrent association; when the difference between R and 0 is less than a set value, the relationship between alarm type a and alarm type b is determined to be a causal association.
Further, obtaining the differences in association between alarm events by graph feature analysis, from the edge weights between the nodes of the alarm interval graph, also includes:
Multi-way associations between alarm events are found from community features. The community structure of the alarm interval graph is obtained by a community discovery method; the association between alarm events that belong to the same community is judged to be strong, and the association between alarm events that do not belong to the same community is judged to be weak.
As the technical solutions provided by the above embodiments show, the method of the embodiments addresses the overlap of alarms in time by using an interval graph to present complex overlapping alarms more intuitively. From the edge weights of the alarm interval graph it infers the strength of association between the classes of alarm as well as binary and multi-way associations, and, combined with node weights, it infers significant alarms and explores the latent regularities in how alarms occur. It applies whether alarms are distributed uniformly or non-uniformly over the whole time series. It provides scientific guidance for reducing the redundancy of alarm data, improving alarm effectiveness, and locating the root cause of faults.
Additional aspects and advantages of the invention are set forth in part in the description below; they will become apparent from that description or be learned through practice of the invention.
Brief description of the drawings
To explain the technical solutions of the embodiments more clearly, the drawings used in describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the principle of an alarm analysis method based on interval graphs provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of alarm a and alarm b overlapping in time, provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of an alarm event interval graph provided by an embodiment of the present invention;
Fig. 4 is an example of calculating the edge weights of an alarm interval graph, provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of the types of association between alarms, provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of community discovery in an alarm interval graph, provided by an embodiment of the present invention.
Detailed description of the embodiments
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they serve only to explain the invention and are not to be construed as limiting the claims.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural. It should further be understood that the word "comprising" used in this specification means that the stated features, integers, steps, operations, elements and/or components are present, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. In addition, "connected" or "coupled" as used herein may include wireless connection or coupling. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by a person of ordinary skill in the field of the invention. It should also be understood that terms such as those defined in general dictionaries are to be read as having a meaning consistent with their meaning in the context of the prior art and, unless defined as here, are not to be interpreted in an idealized or overly formal sense.
To aid understanding of the embodiments, several specific embodiments are further explained below with reference to the drawings; none of them limits the embodiments of the invention.
Graphs are among the most powerful frameworks in data structures and algorithms and can represent almost any kind of structure or system. Analysing alarm association with a graph-based method not only overcomes the limitations of time-window methods but also makes it easy to display the various associations intuitively.
The principle of the alarm analysis method based on interval graphs provided by an embodiment of the present invention is shown in Fig. 1. It includes three processing steps: generating and weighting the alarm event interval graph, generating and weighting the alarm interval graph, and discovering alarm association patterns.
One. Generating the alarm event interval graph includes:
1. Data preprocessing
The invention represents an alarm (that is, an alarm event) as a "0-1" square wave. The time at which an alarm occurs is denoted $T_s$ and the time at which it is cleared is denoted $T_e$, so each alarm can be represented by a four-tuple $(k, m_k, T_s, T_e)$, where $k$ is the position of the alarm event in the alarm event sequence and $m_k$ is the alarm name of alarm event $k$.
Alarm events with the same alarm name are alarms of the same type, and alarm events of the same type have the same alarm level. An alarm of a given type can occur many times, and each occurrence is called an alarm event. At one location, an alarm event is uniquely determined by its alarm name, occurrence time and clearing time, and the time span of the event from occurrence to clearing is called the alarm interval. Preprocessing yields the alarm event sequence S:
$S = \{(1, m_1, T_{s1}, T_{e1}), (2, m_2, T_{s2}, T_{e2}), \ldots, (k, m_k, T_{sk}, T_{ek})\}$
In the alarm event sequence S, an alarm event that occurs earlier has a lower sequence number than one that occurs later.
2. Extraction of alarm overlaps
For any two alarm events $(a, m_a, T_{sa}, T_{ea})$ and $(b, m_b, T_{sb}, T_{eb})$ in the alarm event sequence, if the period from $T_{sa}$ to $T_{ea}$ and the period from $T_{sb}$ to $T_{eb}$ overlap in time, the alarm intervals of the two alarm events are judged to overlap, as shown in Fig. 2.
3. Forming the alarm event interval graph
Each alarm event in the alarm event sequence is treated as a node of the alarm event interval graph and numbered consecutively in order of occurrence time. The number is denoted $k$ and the corresponding alarm name $m_k$, and the node corresponding to the alarm event is named $km_k$.
Two alarm events $(a, m_a, T_{sa}, T_{ea})$ and $(b, m_b, T_{sb}, T_{eb})$ with $a < b$ are chosen from the alarm event sequence. If the period from $T_{sa}$ to $T_{ea}$ and the period from $T_{sb}$ to $T_{eb}$ overlap in time, the alarm intervals of the two alarm events are judged to overlap, and a directed edge $(am_a, bm_b)$ is established from node $am_a$ to node $bm_b$; otherwise no directed edge from node $am_a$ to node $bm_b$ is established.
Every pair of alarm events in the alarm event sequence is traversed. Whenever the alarm intervals of a pair are judged to overlap, a directed edge is established from the lower-numbered node of the pair to the higher-numbered node, and each edge between alarm events is assigned an edge weight according to the degree of overlap of their alarm intervals, which completes the alarm event interval graph.
Fig. 3 is a schematic diagram of an alarm event interval graph provided by an embodiment of the present invention. The numbers in the figure are the occurrence sequence numbers of the alarm events, assigned in order of alarm occurrence time. In Fig. 3, an overlap function g(D) is also defined from the degree of overlap D of the alarm intervals of the alarms, and each edge between the corresponding alarm events is assigned an edge weight according to the value of the overlap function.
The value of the overlap function is determined jointly by the lengths of the alarm intervals concerned and the duration for which the pair of alarms overlaps; the functional form of g(D) is not unique. Here g(D) may be assumed to be calculated as follows:
For two alarm events $(a, m_a, T_{sa}, T_{ea})$ and $(b, m_b, T_{sb}, T_{eb})$ with $a < b$, let $t_d$ be the duration for which the alarm interval from $T_{sa}$ to $T_{ea}$ and the alarm interval from $T_{sb}$ to $T_{eb}$ overlap, and let $t_s$ be the duration from $T_{sa}$ to $\max(T_{ea}, T_{eb})$; then
Two. Generating the alarm interval graph includes:
For K locations where alarm events occur, the alarm event interval graph of each location is obtained, and the K alarm event interval graphs are merged. In the merged graph, all nodes of the same type of alarm event are merged into one node. If, before merging, at least one pair of nodes belonging to two types of alarm event is connected by an edge, an edge is established between the two merged nodes for those types. Edge weights are then assigned to the edges between the nodes of the merged alarm event interval graph, which gives the alarm interval graph.
The edge weight of the edge between a pair of nodes in the alarm interval graph is determined jointly by the number of occurrences of the alarm events corresponding to the pair of nodes, the number of edges between the alarm event nodes, and the edge weights of the corresponding edges between nodes in the alarm event interval graphs. The form of the edge weight function is not unique.
Assume that the edge weight $P_{ab}$ of the edge between a pair of nodes in the alarm interval graph is calculated as follows:
$\sum g_{(a,b)}(D)$ denotes the sum of the edge weights of all directed edges from class-a alarm events to class-b alarm events in the alarm event interval graphs, $f_{(a,b)}$ denotes the number of directed edges from class-a alarm events to class-b alarm events in the alarm event interval graphs, and $f_a$ and $f_b$ denote the numbers of occurrences of class-a and class-b alarm events respectively.
Fig. 4A shows the two alarm event interval graphs generated at two alarm locations, and Fig. 4B shows the alarm interval graph obtained by merging them. In Fig. 4A, $\sum g_{(a,b)}(D) = 0.2$, $\sum g_{(a,c)}(D) = 0.6$, $\sum g_{(b,c)}(D) = 0.1 + 0.23 + 0.72 = 1.05$, $\sum g_{(c,a)}(D) = 0.45$; $f_{(a,b)} = 1$, $f_{(a,c)} = 1$, $f_{(c,a)} = 1$, $f_{(b,c)} = 3$; $f_a = 2$, $f_b = 3$, $f_c = 4$.
The edge weights are calculated from these values, and the resulting edge weights of the alarm interval graph are shown in Fig. 4B.
3. Different types of alarm event are given different levels, and a weight function based on the alarm event level is defined.
Suppose the importance of each alarm is represented by $i$: the larger the value of $i$, the higher the alarm's level and the greater its importance. For class-a and class-b alarms, the edge weight $P_{ab}$ can be calculated further according to their importance $i_a$ and $i_b$:
The weight function value for the edge between a pair of nodes in the alarm interval graph is calculated with this weight function, and the edge between the pair of nodes is assigned an edge weight according to that value.
Three. Discovering alarm association patterns includes:
1. The strength of the association between the two types of alarm joined by an edge is judged from the edge weight of that edge in the alarm interval graph: the larger the edge weight, the stronger the association between the two types of alarm that the edge joins.
2. Association patterns based on threshold screening and symmetry judgment
Fig. 5 is a schematic diagram of the types of association between alarms provided by an embodiment of the present invention. According to the differences in association between the classes of alarm, the invention divides alarm relationships into 3 types: causal (α type), concurrent (β type) and independent (γ type), as shown in Fig. 5. A directed edge indicates the direction of cause and effect, an undirected edge indicates a concurrent relationship, and a dashed line indicates an independent relationship (or a negligibly weak one).
The strength of an association can be judged from the size of the edge weight in the alarm interval graph. Threshold screening is introduced: a pair of alarms whose edge weight is below a set threshold, and a pair of alarms with no edge between them, are determined to be a pair of alarms in an independent relationship.
For the strong associations indicated by significant edge weights, symmetry is analysed from the sizes of the edge weights between the two nodes in the alarm interval graph, in order to tell concurrent relationships from causal ones. Because the edges are directed, $P_{ab}$ and $P_{ba}$ differ in size, and how symmetric the two edge weights are can reveal whether the alarms are causally related.
The symmetry coefficient R is defined as $R = \min(P_{ab}, P_{ba}) / \max(P_{ab}, P_{ba})$; clearly $R \le 1$. The symmetry between alarms is judged from R. The closer R is to 1, or when the difference between R and 1 is less than a set value, the stronger the symmetry of the two classes of alarm a and b, which means that the two have no significant order of occurrence and are a pair of alarms in a concurrent association. The closer R is to 0, or when the difference between R and 0 is less than a set value, the stronger the ordering of the two classes of alarm, which means that a causal relationship between them is more likely and the two are a pair of alarms in a causal association.
Example: suppose $P_{ab} = 0.9$ and $P_{ba} = 0.1$. This shows that alarm a is more likely to occur before alarm b, that is, the occurrence of a may in turn cause b to occur. Alarm a and alarm b are therefore in a causal relationship.
3. Association patterns among multiple alarms based on community discovery
If a group of alarms is relatively closely related, community discovery can be used to explore community structure among the alarms. From the edge weights between alarm nodes, a community discovery method yields the community structure of the alarm interval graph, that is, whether the alarms form communities made up of several "clusters" or "groups". Alarms that belong to one community are more likely to have similar properties or similar functions, while alarms that belong to different communities generally differ more. Fig. 6 is a schematic diagram of community discovery in an alarm interval graph provided by an embodiment of the present invention. Three communities are found in Fig. 6; the association between alarm event nodes in the same community is stronger, and the association between alarm event nodes in different communities is weaker.
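The pipeline of parts One to Three above (per-location alarm event interval graphs, merging into the alarm interval graph, then the threshold and symmetry tests), as an added example that is not part of the patent text. The forms chosen for g(D) and P_ab, the thresholds `weak` and `eps`, the alarm names and the sample events are assumptions constructed for illustration; alarm-level weighting and community discovery are left out.

```python
from collections import defaultdict
from itertools import combinations


def overlap_degree(a, b):
    """g(D) for events a, b = (name, T_s, T_e), with a starting no later than b.

    Assumed form: g = t_d / t_s, where t_d is the overlap duration and t_s the
    time from T_sa to max(T_ea, T_eb). The text says g(D) is not unique.
    """
    _, sa, ea = a
    _, sb, eb = b
    t_d = min(ea, eb) - max(sa, sb)
    t_s = max(ea, eb) - sa
    return t_d / t_s if t_d > 0 and t_s > 0 else 0.0


def event_interval_graph(events):
    """Part One: graph for one location. Node k is the k-th event by occurrence
    time; a directed edge (i, j), i < j, exists when the alarm intervals overlap."""
    seq = sorted(events, key=lambda e: e[1])
    edges = {}
    for i, j in combinations(range(len(seq)), 2):
        g = overlap_degree(seq[i], seq[j])
        if g > 0:
            edges[(i, j)] = g
    return seq, edges


def default_weight(sum_g, f_ab, f_a, f_b):
    """Assumed edge-weight form P_ab = sum_g * f_ab / (f_a * f_b); it uses the
    three inputs the text names, but is not the patent's own formula."""
    return sum_g * f_ab / (f_a * f_b)


def alarm_interval_graph(locations, weight=default_weight):
    """Part Two: merge the per-location graphs into one node per alarm type."""
    sum_g = defaultdict(float)   # sum of g over directed edges type a -> type b
    f_edge = defaultdict(int)    # number of directed edges type a -> type b
    f_type = defaultdict(int)    # number of occurrences of each alarm type
    for events in locations:
        seq, edges = event_interval_graph(events)
        for name, _, _ in seq:
            f_type[name] += 1
        for (i, j), g in edges.items():
            a, b = seq[i][0], seq[j][0]
            if a == b:
                continue  # assumption: overlaps within one type are ignored
            sum_g[(a, b)] += g
            f_edge[(a, b)] += 1
    return {ab: weight(sum_g[ab], f_edge[ab], f_type[ab[0]], f_type[ab[1]])
            for ab in sum_g}


def classify(P, a, b, weak=0.05, eps=0.2):
    """Part Three, item 2: threshold screening, then symmetry coefficient R.

    Returns (relation, causal direction or None, R or None). `weak` and `eps`
    are assumed values for the thresholds the text leaves as "set" values.
    """
    p_ab, p_ba = P.get((a, b), 0.0), P.get((b, a), 0.0)
    hi, lo = max(p_ab, p_ba), min(p_ab, p_ba)
    if hi < weak:                       # no edge, or weight below the threshold
        return "independent", None, None
    r = lo / hi
    if 1 - r < eps:                     # R close to 1: no significant ordering
        return "concurrent", None, r
    if r < eps:                         # R close to 0: one direction dominates
        return "causal", ((a, b) if p_ab > p_ba else (b, a)), r
    return "undetermined", None, r


# Constructed sample data: (alarm name, T_s, T_e) in seconds, two locations.
LOCATIONS = [
    [("LINK_DOWN", 0, 100), ("BGP_PEER_LOSS", 10, 100),
     ("FAN_FAIL", 200, 300), ("TEMP_HIGH", 220, 300), ("DISK_FULL", 500, 520)],
    [("LINK_DOWN", 0, 50), ("BGP_PEER_LOSS", 5, 60),
     ("TEMP_HIGH", 200, 300), ("FAN_FAIL", 220, 300)],
]

if __name__ == "__main__":
    P = alarm_interval_graph(LOCATIONS)
    for pair in [("LINK_DOWN", "BGP_PEER_LOSS"), ("FAN_FAIL", "TEMP_HIGH"),
                 ("DISK_FULL", "LINK_DOWN")]:
        print(pair, classify(P, *pair))
```

Because no time window is involved, the long gaps between the constructed alarm bursts produce no empty windows, and `DISK_FULL`, which overlaps nothing, simply ends up as an isolated, independent type.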
In conclusion the phenomenon that method of the embodiment of the present invention is overlapped for alarm time, it will in the way of interval graph Complicated overlapping alarm is presented in a more intuitive way.Meanwhile by calculating all kinds of alarms under large-scale dataset The overlapping frequency, overlapping degree and all kinds of alarm frequency of occurrences obtain the side right value of alarm interval graph, and according to alarm interval graph Side right value be inferred to the relevance between all kinds of alarms strong and weak and binary and n-tuple relation, find that the frequency is low according to node weight But possible important alarm type is probed into the potential rule that alarm occurs, is uniformly divided in entire time series suitable for alerting A variety of situations of cloth or uneven distribution improve alarm validity for the redundancy for reducing alarm data, and positioning failure root is former Cause, the reporting schemes for simplifying alarm data provide scientific guidance, and then improve the working efficiency of enterprise's operation maintenance personnel, and are subsequent The offers support such as research work and administrative decision.
Existing alarm correlation analysis method is in the way of sliding time window, by the alarm in the same window It is considered simultaneous, the mode of this set time window is limited to the distribution situation of alarm, when alarm is unevenly distributed When, this method is difficult to be utilized.Method of the invention is then that alarm association relationship is excavated by the time-interleaving phenomenon of alarm, is fitted It is evenly distributed or non-uniform situation for alerting.
Existing alarm correlation analysis is mostly based on the calculation of the association rule minings such as Apriori algorithm, Fp-Growth algorithm Method realizes, such algorithm and its innovatory algorithm can only Mining Frequent alarm correlation rule, low frequency cannot be excavated but may be important Alarm correlation rule.Method used herein can then excavate low frequency and the higher alarm of rank, therefore more real Meaning.
The incidence relation of all kinds of alarms can not only be obtained by using method used in the present invention, while can be according to right Title property finds the generation mode of all kinds of alarms, can excavate the sequencing that alarm occurs, and then is removal redundant alarm, failure Positioning and cause and effect sex determination provide scientific guidance.
Existing research lacks the Visualization for the relationship between each alarm event and all kinds of alarms, this hair It is bright intuitively to be showed complicated warning relation in the way of interval graph, provide a kind of alarm association rule being more clear Then visual means.
The incidence relation of alarm is converted graph theoretic problem by the present invention, so can in follow-up work knowing using graph theory Know solving practical problems.
Those of ordinary skill in the art will appreciate that:Attached drawing is the schematic diagram of one embodiment, module in attached drawing or Process is not necessarily implemented necessary to the present invention.
All the embodiments in this specification are described in a progressive manner, same and similar portion between each embodiment Dividing may refer to each other, and each embodiment focuses on the differences from other embodiments.Especially for device or For system embodiment, since it is substantially similar to the method embodiment, so describing fairly simple, related place is referring to method The part of embodiment illustrates.Apparatus and system embodiment described above is only schematical, wherein the conduct The unit of separate part description may or may not be physically separated, component shown as a unit can be or Person may not be physical unit, it can and it is in one place, or may be distributed over multiple network units.It can root According to actual need that some or all of the modules therein is selected to achieve the purpose of the solution of this embodiment.Ordinary skill Personnel can understand and implement without creative efforts.
The foregoing is only a preferred embodiment of the present invention, but scope of protection of the present invention is not limited thereto, In the technical scope disclosed by the present invention, any changes or substitutions that can be easily thought of by anyone skilled in the art, It should be covered by the protection scope of the present invention.Therefore, protection scope of the present invention should be with scope of protection of the claims Subject to.

Claims (8)

1. An alarm analysis method based on an interval graph, characterized by comprising:
converting all alarm events at the same location into an alarm event sequence in order of alarm occurrence time, regarding each alarm event in the alarm event sequence as a node, and establishing an alarm event interval graph according to the degree of overlap of the alarm intervals of the alarm events in the alarm event sequence and their order of occurrence;
merging the alarm event interval graphs from different locations, merging all nodes of the same type of alarm event into one node, and assigning edge weights to the connecting edges between the nodes in the merged alarm event interval graph, to obtain an alarm interval graph;
obtaining, by a graph feature analysis method, the differences in association between the alarm events according to the edge weights of the connecting edges between the nodes in the alarm interval graph.
2. The method according to claim 1, characterized in that converting all alarm events at the same location into an alarm event sequence in order of alarm occurrence time comprises:
a single occurrence of an alarm of any type is called an alarm event; at one location, an alarm event is uniquely determined by its alarm name, occurrence time and clearing time; the time interval that an alarm event lasts from occurrence to clearing is called the alarm interval; the occurrence time of an alarm event is denoted $T_s$, its clearing time is denoted $T_e$, its sequence number in the alarm event sequence is denoted $k$, and the alarm name of alarm event $k$ is denoted $m_k$; each alarm event is represented by a four-tuple $(k, m_k, T_s, T_e)$; alarm events with the same alarm name are alarms of the same type, and alarm events of the same type have the same alarm level;
the alarm events at the same location are converted, in order of alarm occurrence time, into an alarm event sequence $S$, $S = (1, m_1, T_{s1}, T_{e1}), (2, m_2, T_{s2}, T_{e2}), \ldots, (k, m_k, T_{sk}, T_{ek})$, where an alarm event that occurs earlier has a lower sequence number than an alarm event that occurs later.
3. The method according to claim 2, characterized in that regarding each alarm event in the alarm event sequence as a node, and establishing an alarm event interval graph according to the degree of overlap of the alarm intervals of the alarm events in the alarm event sequence and their order of occurrence, comprises:
each alarm event in the alarm event sequence is treated as a node and the nodes are numbered successively in the order in which the alarm events occur; the number is denoted $k$ and the corresponding alarm name is denoted $m_k$, and the node corresponding to the alarm event is named $km_k$;
two alarm events $(a, m_a, T_{sa}, T_{ea})$ and $(b, m_b, T_{sb}, T_{eb})$, $a < b$, are chosen from the alarm event sequence; if the period $T_{ea}-T_{sa}$ and the period $T_{eb}-T_{sb}$ overlap in time, the alarm intervals of alarm event $(a, m_a, T_{sa}, T_{ea})$ and alarm event $(b, m_b, T_{sb}, T_{eb})$ are judged to overlap, and a directed connecting edge $(am_a, bm_b)$ from node $am_a$ to node $bm_b$ is established; otherwise, no directed connecting edge from node $am_a$ to node $bm_b$ is established;
every pair of alarm events in the alarm event sequence is traversed; when the alarm intervals of a pair of alarm events are judged to overlap, a directed connecting edge is established from the node with the lower sequence number in the pair to the node with the higher sequence number, and an edge weight is assigned to the connecting edge between the alarm events according to the degree of overlap of their alarm intervals, which completes the establishment of the alarm event interval graph.
4. The method according to claim 3, characterized in that merging the alarm event interval graphs from different locations, and merging all nodes of the same type of alarm event into one node, to obtain an alarm interval graph, comprises:
for K locations where alarm events occur, the alarm event interval graph of each location is obtained separately, and the K alarm event interval graphs are merged; all nodes of the same type of alarm event in the merged alarm event interval graph are merged into one node; when, before merging, at least one pair of nodes with a connecting edge exists between the alarm events of two types, a connecting edge is established between the nodes of those two types of alarm event after merging; edge weights are assigned to the connecting edges between the nodes in the merged alarm event interval graph, to obtain the alarm interval graph.
5. The method according to claim 4, characterized in that assigning edge weights to the connecting edges between the nodes in the merged alarm event interval graph comprises:
the edge weight function of the connecting edge between a pair of nodes in the alarm interval graph is determined jointly by the frequency of occurrence of the alarm events corresponding to the pair of nodes, the number of connecting edges between the alarm event nodes, and the edge weights of the connecting edges between the nodes in the corresponding alarm event interval graphs;
suppose the edge weight $P_{ab}$ of the connecting edge between a pair of nodes in the alarm interval graph is calculated as follows:
$\sum g_{(a,b)}(D)$ denotes the sum of the edge weights of all directed edges pointing from class-a alarm events to class-b alarm events in the alarm event interval graphs, $f_{(a,b)}$ denotes the number of directed edges pointing from class-a alarm events to class-b alarm events in the alarm event interval graphs, and $f_a$ and $f_b$ denote the frequencies of occurrence of class-a alarm events and class-b alarm events respectively.
6. The method according to claim 4, characterized in that assigning edge weights to the connecting edges between the nodes in the merged alarm event interval graph further comprises:
different types of alarm event are assigned different levels, a weight function based on the alarm event level is defined, the weight function value corresponding to the connecting edge between a pair of nodes in the alarm interval graph is calculated by the weight function, and an edge weight is assigned to the connecting edge between the pair of nodes according to the weight function value.
7. The method according to claim 5 or 6, characterized in that obtaining, by a graph feature analysis method, the differences in association between the alarm events according to the edge weights of the connecting edges between the nodes in the alarm interval graph comprises:
the strength of association between the two types of alarm connected by a connecting edge in the alarm interval graph is judged according to the size of the edge weight of that connecting edge: the larger the edge weight of the connecting edge, the stronger the association between the two types of alarm it connects;
according to the differences in association between alarm events, the binary association relationship of alarm events is determined based on the edge weights of the connecting edges between nodes, and the binary association relationship is divided into 3 types: causal type, concurrent type, and self relationship; a pair of alarms whose edge weight is lower than the set threshold, and a pair of alarms with no connecting edge, are determined to be a pair of alarms in a self association relationship;
the symmetry coefficient $R$ is defined as $R = \min(P_{ab}, P_{ba}) / \max(P_{ab}, P_{ba})$, where $P_{ab}$ and $P_{ba}$ denote the weights of the directed edges $(m_a, m_b)$ and $(m_b, m_a)$ in the alarm interval graph respectively; when the difference between $R$ and 1 is less than a set value, the relationship between alarm type a and alarm type b is determined to be a concurrent-type association relationship; when the difference between $R$ and 0 is less than a set value, the relationship between alarm type a and alarm type b is determined to be a causal-type association relationship.
8. The method according to claim 5 or 6, characterized in that obtaining, by a graph feature analysis method, the differences in association between the alarm events according to the edge weights between the nodes in the alarm interval graph further comprises:
the multivariate association relationships between alarm events are discovered based on community features: the community structure of the alarm interval graph is obtained by a community discovery method, the association between all alarm events belonging to the same community is judged to be strong, and the association between alarm events not belonging to the same community is judged to be weak.
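The procedure of claims 2 to 5 and 7, run end to end on two sites, as an added Python example that is not the patent's own code. The page does not reproduce the formula for P_ab or define the overlap degree, so `overlap_degree`, the P_ab stand-in, the `threshold` and `eps` values, the "undetermined" label and the sample alarm names and times are all assumptions.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample input: per-site alarm events as (alarm name, T_s, T_e) in seconds.
SITES = {
    "site-A": [("LINK_DOWN", 0, 100), ("BGP_DOWN", 10, 90), ("FAN_FAIL", 200, 300),
               ("TEMP_HIGH", 220, 320), ("DOOR_OPEN", 500, 520)],
    "site-B": [("TEMP_HIGH", 200, 300), ("LINK_DOWN", 0, 60), ("BGP_DOWN", 5, 50),
               ("FAN_FAIL", 220, 320), ("DOOR_OPEN", 400, 420)],
}

def event_sequence(events):
    """Claim 2: order one site's events by occurrence time and number them 1..k."""
    ordered = sorted(events, key=lambda e: e[1])
    return [(k, m, ts, te) for k, (m, ts, te) in enumerate(ordered, start=1)]

def overlap_degree(a, b):
    """ASSUMPTION (not defined on the page): overlap length / shorter interval length."""
    inter = min(a[3], b[3]) - max(a[2], b[2])
    if inter <= 0:                      # disjoint or merely touching intervals
        return 0.0
    return inter / min(a[3] - a[2], b[3] - b[2])

def event_interval_graph(seq):
    """Claim 3: directed edge from lower to higher sequence number on overlap."""
    edges = {}
    for a, b in combinations(seq, 2):   # seq is ordered, so a[0] < b[0]
        d = overlap_degree(a, b)
        if d > 0:
            edges[(a[0], a[1]), (b[0], b[1])] = d
    return edges

def alarm_interval_graph(sites):
    """Claims 4-5: merge same-type nodes across sites and weight the merged edges.
    ASSUMPTION: P_ab = sum of event-edge weights / min(f_a, f_b), a stand-in formula."""
    sum_g, freq = defaultdict(float), Counter()
    for events in sites.values():
        seq = event_sequence(events)
        freq.update(m for _, m, _, _ in seq)
        for ((_, ma), (_, mb)), d in event_interval_graph(seq).items():
            if ma != mb:                # same-type overlaps (self-loops) are skipped here
                sum_g[ma, mb] += d
    return {(a, b): g / min(freq[a], freq[b]) for (a, b), g in sum_g.items()}

def classify(P, a, b, threshold=0.1, eps=0.2):
    """Claim 7: symmetry coefficient R = min(P_ab, P_ba) / max(P_ab, P_ba)."""
    p_ab, p_ba = P.get((a, b), 0.0), P.get((b, a), 0.0)
    top = max(p_ab, p_ba)
    if top == 0 or top < threshold:     # no edge, or weight under the set threshold
        return "self", None
    r = min(p_ab, p_ba) / top
    if 1 - r < eps:
        return "concurrent", r
    if r < eps:
        return "causal", r
    return "undetermined", r            # the claim names no type for mid-range R

if __name__ == "__main__":
    P = alarm_interval_graph(SITES)
    names = sorted({m for events in SITES.values() for m, _, _ in events})
    for a, b in combinations(names, 2):
        print(a, b, classify(P, a, b))
```

On this data LINK_DOWN always starts before the BGP_DOWN it overlaps, so only one edge direction exists and R is 0, while FAN_FAIL and TEMP_HIGH lead each other equally often and R is 1.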
CN201810562364.7A 2018-06-04 2018-06-04 Alarm analysis method based on interval graph Active CN108829794B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810562364.7A CN108829794B (en) 2018-06-04 2018-06-04 Alarm analysis method based on interval graph

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810562364.7A CN108829794B (en) 2018-06-04 2018-06-04 Alarm analysis method based on interval graph

Publications (2)

Publication Number Publication Date
CN108829794A true CN108829794A (en) 2018-11-16
CN108829794B CN108829794B (en) 2022-04-12

Family

ID=64143423

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810562364.7A Active CN108829794B (en) 2018-06-04 2018-06-04 Alarm analysis method based on interval graph

Country Status (1)

Country Link
CN (1) CN108829794B (en)

Also Published As

Publication number Publication date
CN108829794B (en) 2022-04-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant