CN113282461B - Alarm identification method and device for transmission network - Google Patents

Alarm identification method and device for transmission network Download PDF

Info

Publication number
CN113282461B
CN113282461B CN202110590564.5A CN202110590564A CN113282461B CN 113282461 B CN113282461 B CN 113282461B CN 202110590564 A CN202110590564 A CN 202110590564A CN 113282461 B CN113282461 B CN 113282461B
Authority
CN
China
Prior art keywords
alarm
data
information
identification result
identification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110590564.5A
Other languages
Chinese (zh)
Other versions
CN113282461A (en
Inventor
高有利
李珊珊
吴珍珍
刘贤松
欧大春
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN202110590564.5A priority Critical patent/CN113282461B/en
Publication of CN113282461A publication Critical patent/CN113282461A/en
Application granted granted Critical
Publication of CN113282461B publication Critical patent/CN113282461B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3089Monitoring arrangements determined by the means or processing involved in sensing the monitored data, e.g. interfaces, connectors, sensors, probes, agents
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24Querying
    • G06F16/245Query processing
    • G06F16/2458Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G06F16/2465Query processing support for facilitating data mining operations in structured databases
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/23Clustering techniques
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S10/00Systems supporting electrical power generation, transmission or distribution
    • Y04S10/50Systems or methods supporting the power network operation or management, involving a certain degree of interaction with the load-side end user applications

Abstract

The embodiment of the invention provides a method and a device for identifying an alarm of a transmission network, wherein the method comprises the following steps: receiving alarm information reported by network element equipment in a transmission network; identifying the alarm information based on an alarm identification model to obtain an identification result, wherein the identification result comprises root alarm information and derivative alarm information in the alarm information, and the alarm identification model is obtained by training historical alarm data in advance based on a density noise clustering algorithm, a depth-first search algorithm and an association rule mining algorithm; and sending the identification result to a target terminal for display so as to instruct a target person to take corresponding measures according to the identification result. The embodiment of the invention can improve the accuracy and efficiency of the root cause alarm identification, and is convenient for target personnel to locate the fault network element in time.

Description

Alarm identification method and device for transmission network
Technical Field
The embodiment of the invention relates to the technical field of network alarm recognition, in particular to an alarm recognition method and device for a transmission network.
Background
In a network communication system, when a communication device fails, a network element generates alarm information and reports the alarm information to a gateway system, and meanwhile, the network device associated with the failed network element may fail, so that a large amount of derived alarm information may be generated in a short time, and the alarm information is mixed together, so that it is difficult to identify a real network element failure (namely, a root alarm) in a large amount of alarms.
In the related art, the transmission network fault processing method mainly comprises the following steps of; the method comprises the steps of carrying out topology analysis on a tree structure of a hierarchical network, defining time-space correlation of upper network nodes in the tree hierarchical network through time and space correlation of faults of network elements, clustering the upper nodes in the tree hierarchical network based on the time-space correlation of the upper network nodes, dividing a total alarm database into a plurality of sub alarm databases according to clustering results, determining weights of the characteristics according to the attributes of alarm characteristics, such as alarm occurrence frequency, alarm importance level and alarm fault type, carrying out association rule mining on the alarm databases by utilizing a weighted Apriori association rule algorithm, mining interesting alarm association rules from massive alarm data, and identifying root alarms according to the alarm association rules.
However, in the process of mining association rules, massive data needs to be processed, so that a transaction database is very large, if the Apriori algorithm is adopted for mining, the transaction database may need to be scanned once every time a frequent k-term set is generated, which is very time-consuming, and thus the alarm recognition efficiency is very low.
Disclosure of Invention
The embodiment of the invention provides an alarm identification method and device for a transmission network, which are used for solving the problem of low identification efficiency of the root alarm in the prior art.
A first aspect of an embodiment of the present invention provides an alarm identification method for a transmission network, including:
receiving alarm information reported by network element equipment in a transmission network;
identifying the alarm information based on an alarm identification model to obtain an identification result, wherein the identification result comprises root alarm information and derivative alarm information in the alarm information, and parameters of the alarm identification model are obtained by training historical alarm data in advance based on a density noise clustering algorithm, a depth-first search algorithm and an association rule mining algorithm;
and sending the identification result to a target terminal for display so as to instruct a target person to take corresponding measures according to the identification result.
Optionally, the method further comprises the step of training parameters of the alarm recognition model:
extracting historical alarm data from a network management system;
preprocessing the historical alarm data to obtain effective alarm data;
processing the effective alarm data according to time by a density noise clustering algorithm to obtain an alarm association matrix;
dividing the alarm incidence matrix according to the position according to a depth priority algorithm to obtain alarm clusters, wherein the alarm clusters are divided according to time and position;
processing the alarm cluster according to an association rule mining algorithm to obtain an alarm frequent item set;
and determining parameters according to the frequent alarm item set, wherein the parameters comprise a support degree, a confidence degree and a back-piece confidence degree, the support degree represents the occurrence frequency of ordered alarm pairs, the confidence degree represents the conditional probability of occurrence of a second alarm when a first alarm occurs, and the back-piece confidence degree represents the probability of occurrence of the second alarm before the first alarm.
Optionally, the preprocessing the historical alarm data to obtain effective alarm data includes:
determining the occurrence times of each type of alarm;
and deleting alarm data with the alarm occurrence number larger than a preset upper limit threshold value and smaller than a preset lower limit threshold value.
Optionally, after determining the parameter according to the alarm frequent item set, the method further includes:
and determining an alarm association rule according to the support degree, the confidence degree and the back-piece confidence degree so as to identify the root alarm information and the derivative alarm information in the alarm information according to the alarm association rule.
Optionally, the method further comprises:
the historical alarm data are sent to a target terminal so as to instruct a target person to label each alarm data with an alarm category label;
receiving each alarm data and corresponding alarm category labels input by the target personnel;
and optimizing the hyper-parameters of the alarm identification model according to each alarm data and the corresponding alarm category label.
Optionally, the method further comprises:
receiving the correct and incorrect judgment information of the identification result input by a target person through the target terminal;
and if the correct and incorrect judgment information indicates that the identification result is incorrect, adjusting parameters of the alarm identification model according to the modified identification result input by the target personnel.
A second aspect of an embodiment of the present invention provides an alarm recognition device for a transmission network, including:
the receiving module is used for receiving alarm information reported by network element equipment in the transmission network;
the identification module is used for identifying the alarm information based on an alarm identification model to obtain an identification result, wherein the identification result comprises the root alarm information and the derivative alarm information in the alarm information, and the parameters of the alarm identification model are obtained by training historical alarm data based on a density noise clustering algorithm, a depth-first search algorithm and an association rule mining algorithm in advance;
and the sending module is used for sending the identification result to a target terminal for display so as to instruct a target person to take corresponding measures according to the identification result.
A third aspect of an embodiment of the present invention provides a computer apparatus, comprising: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executes the computer-executable instructions stored in the memory, so that the at least one processor executes the alarm recognition method of the transmission network according to the first aspect of the embodiment of the present invention.
A fourth aspect of the embodiment of the present invention provides a computer readable storage medium, where computer execution instructions are stored, and when a processor executes the computer execution instructions, the alarm identification method of the transmission network according to the first aspect of the embodiment of the present invention is implemented.
A fifth aspect of the embodiments of the present invention provides a computer program product, which comprises a computer program, wherein the computer program when executed by a processor implements the alarm recognition method of the transport network according to the first aspect of the embodiments of the present invention.
The embodiment of the invention provides an alarm identification method and device for a transmission network, wherein the method identifies a large amount of alarm information generated by network element equipment in the transmission network through a pre-trained alarm identification model, and finds out the root alarm information and derivative alarm information in the alarm information.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are only some embodiments of the invention, and that other drawings can be obtained according to these drawings without inventive faculty for a person skilled in the art.
Fig. 1 is an application scenario diagram of an alarm recognition method of a transmission network according to an exemplary embodiment of the present invention;
FIG. 2 is a flow chart of an alarm recognition method of a transmission network according to an exemplary embodiment of the present invention;
FIG. 3 is a flow chart of a training method of an alarm recognition model according to an exemplary embodiment of the present invention;
FIG. 4 is a schematic diagram of an alarm cluster shown in an exemplary embodiment of the present invention;
FIG. 5 is a flow chart of an alarm recognition method of a transmission network according to an exemplary embodiment of the present invention;
fig. 6 is a schematic structural view of an alarm recognition device of a transmission network according to an exemplary embodiment of the present invention;
fig. 7 is a schematic diagram of a computer device according to an exemplary embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented, for example, in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In a network communication system, when a communication device fails, a network element generates alarm information and reports the alarm information to a gateway system, and meanwhile, network devices associated with the failed network element may also fail, so that a large amount of derived alarm information may be generated in a short time, and the alarm information is mixed together, so that it is difficult to identify a real network element failure (namely, a root alarm) in a large amount of alarms.
In the related art, the transmission network fault processing methods mainly include two kinds, the first is to analyze and process alarm data based on experience of network management expert, and the expert analyzes layer by layer through network topology according to service experience and knowledge accumulation, so as to find out the alarm source causing fault and the corresponding network element position. However, the method for analyzing the alarm according to the network topology structure based on the expert experience to obtain the root cause of the fault has the defects of large workload and low efficiency due to manual analysis and investigation, and has higher cost in the aspects of labor cost and time consumption for removing the fault. The second method is to perform topology analysis on the tree structure of the hierarchical network, define the time-space correlation of upper network nodes in the tree hierarchical network through the time and space correlation of network elements with faults, cluster the upper nodes in the tree hierarchical network based on the time-space correlation of the upper network nodes, divide the total alarm database into a plurality of sub alarm databases according to the clustering result, and finally determine the weight of the feature according to the attribute of the alarm feature, such as the occurrence frequency of the alarm, the importance level of the alarm and the type of the alarm fault, perform association rule mining on the alarm databases by using a weighted Apriori association rule algorithm, mine the alarm association rule of interest from massive alarm data, and identify the root alarm according to the alarm association rule. However, in the process of mining association rules, massive data needs to be processed, so that a transaction database is very large, if the Apriori algorithm is adopted for mining, the transaction database may need to be scanned once every time a frequent k-term set is generated, which is very time-consuming, and thus the alarm recognition efficiency is very low.
Aiming at the defects, the technical conception of the application is mainly as follows: the method comprises the steps of constructing a transmission network alarm identification model through density noise clustering, a depth-first search algorithm and an association rule mining algorithm, and when network element equipment on the transmission network fails, directly inputting alarm data into the alarm identification model by a network management system, and distinguishing the root alarm and derivative alarms in a large number of alarms by the model. According to the historical alarm data, each alarm data is marked with an alarm type label according to experience by a research and development personnel, the alarm data marked with the alarm type label is input into the alarm identification model, so that model parameters are adjusted, and the model is optimized and evaluated. The root cause alarm of the fault is automatically identified through the trained model, so that the root cause alarm identification efficiency is improved, the judgment time of research personnel is further saved, and the fault troubleshooting efficiency is improved; through learning the historical alarm data, the new fault alarm root cause is automatically learned by means of the alarm data marked by expert experience, and the fault diagnosis efficiency and reliability are improved.
Fig. 1 is an application scenario diagram of an alarm recognition method of a transmission network according to an exemplary embodiment of the present invention.
As shown in fig. 1, the application scenario provided in this embodiment mainly includes a network management system 101, a display terminal 102 and various network element devices 103 in a transmission network, when the network element devices in the transmission network fail, alarm information is generated, and the alarm information is reported to the network management system, and a target person views the alarm information through the display terminal and takes corresponding measures.
Fig. 2 is a flow chart of an alarm recognition method of a transmission network according to an exemplary embodiment of the present invention, and an execution subject of the present embodiment may be a network management system in the embodiment shown in fig. 1.
As shown in fig. 2, the method provided in this embodiment may include the following steps.
S201, receiving alarm information reported by network element equipment in a transmission network.
Specifically, the transmission network includes various network element devices, when one of the network element devices fails, alarm information is generated, and meanwhile, the network device associated with the failed network element may also fail, so that a large amount of derived alarm information may be generated in a short time, when each network element device fails, the alarm information including information such as alarm occurrence time, alarm positioning information, alarm name and the like is reported to the gateway system, and the gateway system performs relevant processing after receiving the alarm information.
S202, identifying the alarm information based on an alarm identification model to obtain an identification result, wherein the identification result comprises the root alarm information and the derivative alarm information in the alarm information, and the alarm identification model is obtained by training historical alarm data in advance based on a density noise clustering algorithm, a depth-first search algorithm and an association rule mining algorithm.
In this step, the historical alarm data needs to be trained based on a density noise clustering algorithm, a depth-first search algorithm and an association rule mining algorithm in advance to obtain an alarm recognition model, so that the alarm recognition model recognizes the root alarm and derivative alarm in a large amount of alarm information according to a certain alarm association rule.
Specifically, the trained alarm recognition model is deployed in the gateway system, when the network management system receives the alarm information, the alarm information is input into the alarm recognition model, and the alarm recognition model recognizes the root alarm and the derivative alarm in the alarm information based on the alarm association rule.
It should be noted that, the detailed training process of the alarm recognition model will be described in the following embodiments.
And S203, the identification result is sent to a target terminal for display so as to instruct a target person to take corresponding measures according to the identification result.
Specifically, the identified root alarm information and the derivative alarm information are sent to the target terminal for display, so that research and development personnel can quickly locate the fault network element according to the root alarm information, and the fault network element is processed.
In this embodiment, a great amount of alarm information generated by network element equipment in a transmission network is identified through a pre-trained alarm identification model, so that the root alarm information and derivative alarm information in the alarm information are found out.
FIG. 3 is a flow chart of a training method of an alarm recognition model according to an exemplary embodiment of the present invention, where the alarm recognition model in this embodiment is a model for recognizing a root alarm in the embodiment shown in FIG. 2.
As shown in fig. 3, the method provided in this embodiment may include the following steps.
S301, extracting historical alarm data in a network management system.
In this step, the alarm information generated by each network element in the network is usually stored in the network management system, and can be directly obtained in the network management system when the historical alarm data is required to be queried.
S302, preprocessing the historical alarm data to obtain effective alarm data.
Specifically, after the original data of the historical alarm is obtained from the large client network management system, the obtained historical alarm data needs to be preprocessed to obtain complete and effective alarm data because the historical alarm data may have the conditions of data missing, invalid data, abnormal data and the like.
In some embodiments, the alarm data generally includes key information such as alarm occurrence time, alarm type and alarm name, after the history alarm data is acquired, each piece of history alarm data is checked in turn to determine whether each piece of history alarm data includes key information such as alarm occurrence time, alarm type and alarm name, and if there is alarm data with missing key information (such as information with missing alarm type or alarm occurrence time), the history alarm data with missing key information is deleted.
In some embodiments, after deleting the historical alarm data with the missing key information, the remaining alarm data are all complete alarm data, counting the occurrence times of each alarm according to the alarm type aiming at the complete alarm data, and deleting the alarm data with the alarm times greater than the upper threshold or less than the lower threshold to obtain the effective alarm data. In this embodiment, the number of alarms greater than the upper threshold belongs to frequent alarms, and the alarms are considered to be unimportant, and the number of alarms less than the lower threshold belongs to accidental events, which may cause unstable model output, so that the unimportant alarms and accidental alarms need to be deleted.
S303, processing the effective alarm data according to time and the density noise clustering algorithm to obtain an alarm association matrix.
Specifically, clustering is carried out on the effective alarm data according to time by a density noise clustering algorithm, and two super parameters are adjusted: the radius threshold eps (epsilon) and the data point threshold minPts are generally used for clustering objects with time density connection characteristics in all the effective alarm data, labeling a cluster label for each effective alarm data in each cluster, and obtaining an alarm association matrix according to the cluster labels.
S304, dividing the alarm incidence matrix according to the position according to a depth priority algorithm to obtain alarm clusters, wherein the alarm clusters are divided according to time and position.
In a possible embodiment, according to the AZ end (start end) connection of each network element device transmission circuit, each network element in the alarm association matrix is subjected to position division by using a Depth-First-Search (DFS) algorithm, so as to further obtain an alarm cluster divided according to time and position as shown in fig. 4.
Specifically, one network element is found out from all network elements in the alarm association matrix and used as a root node, the next network element is searched in sequence and deeply according to each transmission line branch connected with the network element, each possible branch going down from the root node network element is searched in sequence until the next alarm network element is not searched, and each alarm network element node can only search and access once, so that alarm clusters divided according to time and position are obtained.
As shown in fig. 4, the same network element corresponding to the reference numeral 1 is a normal network element, the same network element corresponding to the reference numeral 2 is an alarm network element, the line indicated by the reference numeral 3 is a transmission circuit between the network elements, all the network elements in the dashed line frame indicated by the reference numeral 4 form an alarm cluster-1, all the network elements in the dashed line frame indicated by the reference numeral 5 form an alarm cluster-2, and all the network elements in the dashed line frame indicated by the reference numeral 6 form an alarm cluster-3.
In another possible embodiment, the alert association matrix may also be divided into locations by a breadth first search (Breadth First Search, BFS) algorithm, to finally obtain alert clusters divided by time and location. It should be noted that the principle of the BFS algorithm may refer to the related art, and will not be described in detail herein.
S305, processing the alarm clusters according to an association rule mining algorithm to obtain an alarm frequent item set.
S306, determining parameters according to the frequent alarm item set, wherein the parameters comprise a support degree, a confidence degree and a back-piece confidence degree, the support degree represents the occurrence times of ordered alarm pairs, the confidence degree represents the conditional probability that a second alarm occurs when a first alarm occurs, and the back-piece confidence degree represents the probability that the second alarm occurs before the first alarm.
Specifically, after the alarm clusters are obtained, carrying out association analysis on alarm data of each cluster, and calculating Frequent item sets of alarms through an association rule mining (FP-Growth) algorithm.
Further, for the frequent alarm item set, a support degree, a confidence degree and a post-part confidence degree are calculated respectively to obtain 3 alarm association matrixes, wherein the support degree represents the occurrence times of ordered alarm pairs, the confidence degree represents the conditional probability of occurrence of a second alarm when a first alarm occurs, and the post-part confidence degree represents the probability of occurrence of the second alarm before the first alarm. The ordered alarm pair refers to that two alarm events often occur according to the same alarm sequence, for example, as long as an alarm a occurs and an alarm b occurs, the alarm a and the alarm b are called a pair of ordered alarm pairs; the confidence level refers to the conditional probability that the second alarm (alarm b) appears next when the first alarm (alarm a) appears, and the post-alarm confidence level refers to the probability that alarm b appears before alarm a.
In a possible embodiment, after the determining the parameter according to the frequent alarm item set, the method further includes: and determining an alarm association rule according to the support degree, the confidence degree and the back-piece confidence degree so as to identify the root alarm information and the derivative alarm information in the alarm information according to the alarm association rule.
Specifically, the calculated parameters are parameters required by the alarm recognition model when recognizing a large amount of alarm information, and an alarm rule is calculated through the support degree, the confidence degree and the back-piece confidence degree, for example, for alarms with the support degree larger than a first threshold value, the ordered alarm pairs are indicated to have a large number of occurrence times, and for ordered alarm pairs with a large number of occurrence times, the alarm pairs are indicated to have a strong association relation; for another example, for alarms with support degree greater than the second threshold, the probability of the condition that the second alarm appears when the first alarm appears is higher, the first alarm is likely to be the root alarm of the second alarm, and the second alarm is the derivative alarm of the first alarm; for alarms with the back-piece confidence level greater than the third threshold value, the probability that the second alarm appears before the first alarm is higher, and the second alarm is likely to be the root alarm of the first alarm, namely the first alarm is a derivative alarm of the second alarm. Therefore, the alarm recognition model can quickly and accurately determine which alarms are the root alarms and which alarms are derived alarms in the real-time alarm information according to the alarm rules.
In the embodiment, a large number of derivative alarms and root alarms are divided into a cluster according to time and position by a density noise clustering algorithm and a depth priority algorithm, so that the range of alarm analysis is reduced, and the efficiency and the effectiveness of alarm analysis are high. Moreover, the correlation rule mining algorithm FPGrow is adopted, and is superior to an Apriori algorithm which needs to scan a database for many times in terms of computational complexity and performance, so that the alarm recognition efficiency is further improved.
Fig. 5 is a flowchart of an alarm recognition method of a transmission network according to another exemplary embodiment of the present invention, and the embodiment further describes an overall implementation procedure of the alarm recognition method based on the embodiments shown in fig. 2 and 3.
As shown in fig. 5, the historical alarm data is firstly trained offline based on a density noise clustering algorithm, a depth-first search algorithm and an association rule mining algorithm to obtain an alarm recognition model, and the alarm recognition model can perform fault location and root cause analysis based on alarm information generated by a transmission network to determine root alarm information and derivative alarm information in a large amount of alarm information, so that the location of a fault network element is quickly located according to the root alarm information.
In one possible embodiment, the method further comprises: transmitting part of historical alarm data to a target terminal so as to instruct a target person to label each alarm data with an alarm category label; receiving each alarm data and corresponding alarm category labels input by the target personnel; and optimizing the hyper-parameters of the alarm identification model according to each alarm data and the corresponding alarm category label.
Specifically, the transmission network management expert marks the historical alarm data with alarm type labels (such as a root alarm label, a derivative alarm label and the like), the marked data is stored in an alarm label library and used for evaluating indexes such as the accuracy of an alarm recognition model, and the super parameters of the super parameter field radius eps and the direct density minPts of the density noise clustering algorithm and the super parameters of the FPGrowth algorithm are further adjusted: and simultaneously, writing alarm data marked with alarm type labels in an alarm tag library into an alarm rule library, wherein the data in the alarm rule library are used for analyzing current alarm data received in real time in an auxiliary alarm recognition model.
Further, after the alarm recognition model, the alarm tag library and the alarm recognition library are established, the alarm recognition model is deployed into a network management system, the network management system receives current alarm data generated by network elements in the system in real time, after receiving the current alarm data, the network management system judges whether each piece of data in the alarm data is in an alarm rule library, if yes, alarm type tags corresponding to the alarm data in the alarm rule library are directly obtained, and the alarm recognition tags can be used for judging which of the current alarm data are root alarms and which of the current alarm data are derived alarms and outputting the obtained alarm type tags; if not, the current alarm data is input into an alarm recognition model, the alarm recognition model analyzes the alarm data and outputs a recognition result, and the recognition result comprises which data in the current alarm data are the root alarm and which data are the derivative alarms.
Further, after the alarm recognition model outputs the recognition result or the alarm rule base acquires the result, the result is sent to the target terminal, and the target personnel performs fault checking on the recognition result output by the alarm recognition model or the result acquired in the alarm rule base to judge whether the output recognition result is correct or not, and after the target personnel checks, the target personnel performs fault checking feedback through the target terminal, namely, inputs the correct and incorrect judgment information of the recognition result. Then the network management system receives the correct and incorrect judgment information of the identification result input by the target personnel through the target terminal; if the positive and negative judgment information indicates that the output result is wrong in recognition, adjusting parameters of the alarm recognition model according to the modified recognition result input by the target person so as to optimize the alarm recognition model; if the positive and negative judgment information indicates that the output result is correctly identified, the current alarm data and the identification result of the current alarm data are stored in an alarm rule base, and then newly added data in the alarm rule base are written into an alarm tag base.
It should be noted that, for the part of this embodiment that is not described in detail, reference should be made to the detailed description of the other related method embodiments, and the description is not repeated here.
In this embodiment, the algorithm parameters are adjusted by combining the alarm data marked by the transmission network expert, and the historical alarm is trained offline, so that the accuracy and reliability of the alarm analysis of the alarm recognition model are higher. And the network management expert or the target personnel feed back the model identification result in the network management system according to the actual fault investigation situation, so that the alarm identification model is further optimized, the alarm rule base is enriched, the reliability of the model is improved, and the labor cost of fault investigation time is reduced.
Fig. 6 is a schematic structural view of an alarm recognition device of a transmission network according to an exemplary embodiment of the present invention.
As shown in fig. 6, the apparatus provided in this embodiment includes: a receiving module 601, an identifying module 602 and a transmitting module 603; the receiving module 601 is configured to receive alarm information reported by a network element device in a transmission network; the recognition module 602 is configured to recognize the alarm information based on an alarm recognition model, so as to obtain a recognition result, where the recognition result includes root alarm information and derivative alarm information in the alarm information, and parameters of the alarm recognition model are obtained by training historical alarm data in advance based on a density noise clustering algorithm, a depth-first search algorithm and an association rule mining algorithm; and the sending module 603 is configured to send the identification result to a target terminal for display, so as to instruct a target person to take corresponding measures according to the identification result.
Further, the device provided in this embodiment further includes: a training module 604, configured to extract historical alarm data in a network management system;
preprocessing the historical alarm data to obtain effective alarm data;
processing the effective alarm data according to time by a density noise clustering algorithm to obtain an alarm association matrix;
dividing the alarm incidence matrix according to the position according to a depth priority algorithm to obtain alarm clusters, wherein the alarm clusters are divided according to time and position;
processing the alarm cluster according to an association rule mining algorithm to obtain an alarm frequent item set;
and determining parameters according to the frequent alarm item set, wherein the parameters comprise a support degree, a confidence degree and a back-piece confidence degree, the support degree represents the occurrence frequency of ordered alarm pairs, the confidence degree represents the conditional probability of occurrence of a second alarm when a first alarm occurs, and the back-piece confidence degree represents the probability of occurrence of the second alarm before the first alarm.
Further, the training module is specifically configured to:
determining the occurrence times of each type of alarm;
and deleting alarm data with the alarm occurrence number larger than a preset upper limit threshold value and smaller than a preset lower limit threshold value.
Further, the training module is further configured to:
and determining an alarm association rule according to the support degree, the confidence degree and the back-piece confidence degree, and identifying the root alarm information and the derivative alarm information in the alarm information according to the alarm association rule.
Further, the sending module is further configured to: the historical alarm data are sent to a target terminal so as to instruct a target person to label each alarm data with an alarm category label;
the receiving module is further configured to: receiving each alarm data and corresponding alarm category labels input by the target personnel;
the training module is also used for optimizing the hyper-parameters of the alarm recognition model according to each alarm data and the corresponding alarm category label.
Further, the receiving module is further configured to: receiving the correct and incorrect judgment information of the identification result input by a target person through the target terminal;
and the training module is also used for adjusting parameters of the alarm recognition model according to the modified recognition result input by the target personnel when the correct and incorrect judgment information indicates that the recognition result is incorrect.
Specific functional implementation of each module provided in this embodiment may refer to the detailed description of the method embodiments described above.
Fig. 7 is a schematic hardware structure of a computer device according to an embodiment of the present invention. As shown in fig. 7, the computer device 70 provided in this embodiment includes: at least one processor 701 and a memory 702. The processor 701 and the memory 702 are connected by a bus 703.
In a specific implementation process, at least one processor 701 executes computer-executed instructions stored in the memory 702, so that the at least one processor 701 executes the alarm recognition method of the transport network in the above method embodiment.
The specific implementation process of the processor 701 can be referred to the above method embodiment, and its implementation principle and technical effects are similar, and this embodiment will not be described herein again.
In the embodiment shown in fig. 7, it should be understood that the processor may be a central processing unit (english: central Processing Unit, abbreviated as CPU), or may be other general purpose processors, digital signal processors (english: digital Signal Processor, abbreviated as DSP), application specific integrated circuits (english: application Specific Integrated Circuit, abbreviated as ASIC), or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present invention may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in a processor for execution.
The memory may comprise high speed RAM memory or may further comprise non-volatile storage NVM, such as at least one disk memory.
The bus may be an industry standard architecture (Industry Standard Architecture, ISA) bus, an external device interconnect (Peripheral Component Interconnect, PCI) bus, or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, among others. The buses may be divided into address buses, data buses, control buses, etc. For ease of illustration, the buses in the drawings of the present application are not limited to only one bus or one type of bus.
Another embodiment of the present application provides a computer readable storage medium, where computer executable instructions are stored, and when a processor executes the computer executable instructions, the alarm identification method of the transmission network in the foregoing method embodiment is implemented.
Another embodiment of the present application provides a computer program product, including a computer program, where the computer program when executed by a processor implements the alarm recognition method of the transport network according to the first aspect of the present invention.
The computer readable storage medium described above may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk, or optical disk. A readable storage medium can be any available medium that can be accessed by a general purpose or special purpose computer.
An exemplary readable storage medium is coupled to the processor such the processor can read information from, and write information to, the readable storage medium. In the alternative, the readable storage medium may be integral to the processor. The processor and the readable storage medium may reside in an application specific integrated circuit (Application Specific Integrated Circuits, ASIC for short). The processor and the readable storage medium may reside as discrete components in a device.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the method embodiments described above may be performed by hardware associated with program instructions. The foregoing program may be stored in a computer readable storage medium. The program, when executed, performs steps including the method embodiments described above; and the aforementioned storage medium includes: various media that can store program code, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.

Claims (8)

1. An alarm recognition method for a transmission network, comprising:
receiving alarm information reported by network element equipment in a transmission network;
identifying the alarm information based on an alarm identification model to obtain an identification result, wherein the identification result comprises root alarm information and derivative alarm information in the alarm information, and parameters of the alarm identification model are obtained by training historical alarm data in advance based on a density noise clustering algorithm, a depth-first search algorithm and an association rule mining algorithm;
the identification result is sent to a target terminal for display, so that a target person is instructed to take corresponding measures according to the identification result;
the method further comprises the step of training parameters of the alarm recognition model:
extracting historical alarm data from a network management system;
preprocessing the historical alarm data to obtain effective alarm data;
processing the effective alarm data according to time by a density noise clustering algorithm to obtain an alarm association matrix;
dividing the alarm incidence matrix according to the position according to a depth priority algorithm to obtain alarm clusters, wherein the alarm clusters are divided according to time and position;
processing the alarm cluster according to an association rule mining algorithm to obtain an alarm frequent item set;
and determining parameters according to the frequent alarm item set, wherein the parameters comprise a support degree, a confidence degree and a back-piece confidence degree, the support degree represents the occurrence frequency of ordered alarm pairs, the confidence degree represents the conditional probability of occurrence of a second alarm when a first alarm occurs, and the back-piece confidence degree represents the probability of occurrence of the second alarm before the first alarm.
2. The method of claim 1, wherein preprocessing the historical alert data to obtain valid alert data comprises:
determining the occurrence times of each type of alarm;
and deleting alarm data with the alarm occurrence number larger than a preset upper limit threshold value and smaller than a preset lower limit threshold value.
3. The method of claim 1, wherein after determining parameters from the set of alert frequent items, the method further comprises:
and determining an alarm association rule according to the support degree, the confidence degree and the back-piece confidence degree so as to identify the root alarm information and the derivative alarm information in the alarm information according to the alarm association rule.
4. The method as recited in claim 1, further comprising:
the historical alarm data are sent to a target terminal so as to instruct a target person to label each alarm data with an alarm category label;
receiving each alarm data and corresponding alarm category labels input by the target personnel;
and optimizing the hyper-parameters of the alarm identification model according to each alarm data and the corresponding alarm category label.
5. The method of any one of claims 1-4, further comprising:
receiving the correct and incorrect judgment information of the identification result input by a target person through the target terminal;
and if the correct and incorrect judgment information indicates that the identification result is incorrect, adjusting parameters of the alarm identification model according to the modified identification result input by the target personnel.
6. An alarm recognition device for a transmission network, comprising:
the receiving module is used for receiving alarm information reported by network element equipment in the transmission network;
the identification module is used for identifying the alarm information based on an alarm identification model to obtain an identification result, wherein the identification result comprises the root alarm information and the derivative alarm information in the alarm information, and the parameters of the alarm identification model are obtained by training historical alarm data based on a density noise clustering algorithm, a depth-first search algorithm and an association rule mining algorithm in advance;
the sending module is used for sending the identification result to a target terminal for display so as to instruct a target person to take corresponding measures according to the identification result;
the training module is used for extracting historical alarm data from the network management system;
preprocessing the historical alarm data to obtain effective alarm data;
processing the effective alarm data according to time by a density noise clustering algorithm to obtain an alarm association matrix;
dividing the alarm incidence matrix according to the position according to a depth priority algorithm to obtain alarm clusters, wherein the alarm clusters are divided according to time and position;
processing the alarm cluster according to an association rule mining algorithm to obtain an alarm frequent item set;
and determining parameters according to the frequent alarm item set, wherein the parameters comprise a support degree, a confidence degree and a back-piece confidence degree, the support degree represents the occurrence frequency of ordered alarm pairs, the confidence degree represents the conditional probability of occurrence of a second alarm when a first alarm occurs, and the back-piece confidence degree represents the probability of occurrence of the second alarm before the first alarm.
7. A computer device, comprising: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executing computer-executable instructions stored in the memory causes the at least one processor to perform the alert identification method for a transmission network as claimed in any one of claims 1-5.
8. A computer readable storage medium, wherein computer executable instructions are stored in the computer readable storage medium, which when executed by a processor, implement the alarm recognition method of a transmission network according to any one of claims 1-5.
CN202110590564.5A 2021-05-28 2021-05-28 Alarm identification method and device for transmission network Active CN113282461B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110590564.5A CN113282461B (en) 2021-05-28 2021-05-28 Alarm identification method and device for transmission network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110590564.5A CN113282461B (en) 2021-05-28 2021-05-28 Alarm identification method and device for transmission network

Publications (2)

Publication Number Publication Date
CN113282461A CN113282461A (en) 2021-08-20
CN113282461B true CN113282461B (en) 2023-06-23

Family

ID=77282277

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110590564.5A Active CN113282461B (en) 2021-05-28 2021-05-28 Alarm identification method and device for transmission network

Country Status (1)

Country Link
CN (1) CN113282461B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113641526B (en) * 2021-09-01 2024-04-05 京东科技信息技术有限公司 Alarm root cause positioning method and device, electronic equipment and computer storage medium
CN113891374B (en) * 2021-10-12 2023-07-18 中国联合网络通信集团有限公司 Fault network element identification method, device and equipment
CN114024829B (en) * 2021-10-26 2023-06-06 广东电网有限责任公司 Fault maintenance method, device, equipment and storage medium for power communication network
CN114091704B (en) * 2021-11-26 2022-07-12 奇点浩翰数据技术(北京)有限公司 Alarm suppression method and device
CN114422325A (en) * 2021-12-30 2022-04-29 优刻得科技股份有限公司 Content distribution network abnormity positioning method, device, equipment and storage medium
CN114567538A (en) * 2022-03-03 2022-05-31 中国工商银行股份有限公司 Alarm information processing method and device
CN115001941B (en) * 2022-04-20 2023-10-13 广东省电信规划设计院有限公司 Method and device for determining communication network management faults
CN115664938B (en) * 2022-12-26 2023-04-21 北京天维信通科技有限公司 Nonlinear statistical alarm method and device based on IRC platform and electronic equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108156037A (en) * 2017-12-29 2018-06-12 中国移动通信集团江苏有限公司 Alarm correlation analysis method, device, equipment and medium
CN108809734A (en) * 2018-07-16 2018-11-13 北京思特奇信息技术股份有限公司 Network alarm root-cause analysis method, system, storage medium and computer equipment
CN109389143A (en) * 2018-06-19 2019-02-26 北京九章云极科技有限公司 A kind of Data Analysis Services system and method for automatic modeling
CN109684181A (en) * 2018-11-20 2019-04-26 华为技术有限公司 Alarm root is because of analysis method, device, equipment and storage medium
CN111831857A (en) * 2019-04-23 2020-10-27 烽火通信科技股份有限公司 Network alarm rule multidimensional association generation method and system
CN112118141A (en) * 2020-09-21 2020-12-22 中山大学 Communication network-oriented alarm event correlation compression method and device

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108156037A (en) * 2017-12-29 2018-06-12 中国移动通信集团江苏有限公司 Alarm correlation analysis method, device, equipment and medium
CN109389143A (en) * 2018-06-19 2019-02-26 北京九章云极科技有限公司 A kind of Data Analysis Services system and method for automatic modeling
CN108809734A (en) * 2018-07-16 2018-11-13 北京思特奇信息技术股份有限公司 Network alarm root-cause analysis method, system, storage medium and computer equipment
CN109684181A (en) * 2018-11-20 2019-04-26 华为技术有限公司 Alarm root is because of analysis method, device, equipment and storage medium
CN111831857A (en) * 2019-04-23 2020-10-27 烽火通信科技股份有限公司 Network alarm rule multidimensional association generation method and system
CN112118141A (en) * 2020-09-21 2020-12-22 中山大学 Communication network-oriented alarm event correlation compression method and device

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
An incremental frequent structure mining framework for real-time alert correlation;Reza Sadoddin 等;《 Computers & Security》;第28卷(第4期);153-173 *
基于数据挖掘的告警关联关键技术研究;吴东;《中国优秀硕士学位论文全文数据库 信息科技辑》(第9期);I138-494 *
高性能网络安全告警信息的关联分析方法;付泽强 等;《计算机科学》;第46卷(第5期);116-121 *

Also Published As

Publication number Publication date
CN113282461A (en) 2021-08-20

Similar Documents

Publication Publication Date Title
CN113282461B (en) Alarm identification method and device for transmission network
CN110958136A (en) Deep learning-based log analysis early warning method
AU2019275633B2 (en) System and method of automated fault correction in a network environment
CN105095048A (en) Processing method for alarm correlation of monitoring system based on business rules
CN109992484B (en) Network alarm correlation analysis method, device and medium
CN114785666B (en) Network troubleshooting method and system
CN114465874B (en) Fault prediction method, device, electronic equipment and storage medium
CN113360722B (en) Fault root cause positioning method and system based on multidimensional data map
CN113064873B (en) Log anomaly detection method with high recall rate
CN115269314A (en) Transaction abnormity detection method based on log
CN114880312B (en) Flexibly-set application system service data auditing method
CN113590451A (en) Root cause positioning method, operation and maintenance server and storage medium
CN114118295A (en) Anomaly detection model training method, anomaly detection device and medium
CN116361147A (en) Method for positioning root cause of test case, device, equipment, medium and product thereof
CN111913824A (en) Method for determining data link fault reason and related equipment
CN113626241B (en) Abnormality processing method, device, equipment and storage medium for application program
CN114647558A (en) Method and device for detecting log abnormity
CN114416573A (en) Defect analysis method, device, equipment and medium for application program
CN113282920A (en) Log abnormity detection method and device, computer equipment and storage medium
CN112882898A (en) Anomaly detection method, system, device and medium based on big data log analysis
CN114547318A (en) Fault information acquisition method, device, equipment and computer storage medium
CN111309584B (en) Data processing method, device, electronic equipment and storage medium
CN116582414A (en) Fault root cause positioning method, device, equipment and readable storage medium
CN115514627A (en) Fault root cause positioning method and device, electronic equipment and readable storage medium
CN116450137A (en) System abnormality detection method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant