CN113852476A - Method, device and system for determining abnormal event associated object - Google Patents


Publication number
CN113852476A
Authority
CN
China
Prior art keywords
abnormal event
target
event
abnormal
network
Prior art date
Legal status
Pending
Application number
CN202010598043.XA
Other languages
Chinese (zh)
Inventor
王仲宇
王苗苗
谢于明
田上
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN202010598043.XA
Publication of CN113852476A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0677 Localisation of faults
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Abstract

The application discloses a method, a device and a system for determining the associated object of an abnormal event, and belongs to the technical field of networks. A first device acquires a first abnormal event generated by a target network device. The first device extracts a target feature characterizing the first abnormal event from the first abnormal event according to an abnormal event template matching file corresponding to the target network device. The abnormal event template matching file indicates the features that characterize one or more abnormal events corresponding to the class of network devices to which the target network device belongs. The first device then determines a target associated object of the first abnormal event according to the target feature, where the type of the target associated object is a device, an interface, a protocol or a service. When the format or content of an abnormal event changes, only the corresponding abnormal event template needs to be updated and no code needs to be modified, which reduces maintenance difficulty and maintenance cost.

Description

Method, device and system for determining abnormal event associated object
Technical Field
The present application relates to the field of network technologies, and in particular, to a method, an apparatus, and a system for determining an abnormal event related object.
Background
Networks today are usually large, and when a network fails, multiple network devices in it may simultaneously generate alarm logs, Key Performance Indicator (KPI) abnormalities or table entry abnormalities, which results in a plurality of abnormal events in the network. It is first necessary to establish which object or objects each abnormal event describes as abnormal, that is, to determine the associated objects of the abnormal event; fault root cause localization is then performed in the network based on the associated objects of each abnormal event.
Currently, determining the associated objects of an abnormal event usually relies on expert experience. After receiving an abnormal event reported by a network device, the management device determines the associated object type of the abnormal event based on expert experience, and then extracts the values of specified parameters from the abnormal event to associate it with an object, where the specified parameters include attributes of the associated object of the abnormal event. For example, an expert specifies that the object type associated with the abnormal event "interface down" is the interface. After receiving an "interface down" abnormal event, the management device extracts the interface name, the Internet Protocol (IP) address of the interface, and/or the port number of the interface from the abnormal event, matches them against each interface of the network device that reported the abnormal event, and thereby determines which specific interface of that network device is the associated object of the abnormal event.
However, the type of the associated object of each abnormal event currently has to be specified by hard coding, so when the format or content of an abnormal event changes, for example because of a product version change, the code has to be modified, which makes maintenance difficult.
Disclosure of Invention
The application provides a method, a device and a system for determining an abnormal event associated object.
In a first aspect, a method for determining an abnormal event related object is provided. The method comprises the following steps: the first device acquires a first abnormal event generated by the target network device. The first device extracts target characteristics representing the first abnormal event from the first abnormal event according to an abnormal event template matching file corresponding to the target network device, wherein the abnormal event template matching file is used for indicating the characteristics representing one or more abnormal events corresponding to one type of network device to which the target network device belongs. The first device determines a target associated object of the first abnormal event according to the target characteristic, wherein the type of the target associated object is a device, an interface, a protocol or a service.
In the present application, when the format or content of the abnormal events generated by a network device changes, only the corresponding abnormal event template matching file needs to be updated. The first device determines the associated object of an abnormal event generated by the network device based on the updated abnormal event template matching file, so no code needs to be modified, which reduces maintenance difficulty and maintenance cost.
Optionally, the abnormal event template matching file includes a plurality of abnormal event templates, and each abnormal event template indicates the features characterizing one abnormal event corresponding to the class of network devices to which the target network device belongs. The first device extracts the target feature characterizing the first abnormal event from the first abnormal event according to the abnormal event template matching file corresponding to the target network device as follows:
The first device determines, in the abnormal event template matching file, a target abnormal event template corresponding to the first abnormal event. The first device then extracts the target feature indicated by the target abnormal event template from the first abnormal event.
Optionally, the abnormal event template includes the name of the corresponding abnormal event. The first device determines the target abnormal event template corresponding to the first abnormal event in the abnormal event template matching file as follows:
The first device determines the target abnormal event template in the abnormal event template matching file according to the name of the first abnormal event, where the target abnormal event template includes the name of the first abnormal event.
In the application, because the name of each abnormal event generated by the network device is usually unique, the first device determines the abnormal event template corresponding to the abnormal event in the abnormal event template matching file according to the name of the abnormal event, and the accuracy is high. In addition, the first device only needs to compare the acquired name of the abnormal event with the names of the abnormal events in the abnormal event templates, so that the complexity is low.
Optionally, the first device receives the abnormal event template matching file sent by the second device. Or, the first device may also generate the abnormal event template matching file by itself.
Optionally, the abnormal event template matching file is obtained based on a product manual of the target network device, where the product manual includes descriptions of one or more abnormal events corresponding to a type of network device to which the target network device belongs.
In the application, when the format or the content of the abnormal event generated by the network equipment is changed, the second equipment only needs to regenerate the abnormal event template matching file based on a new product manual, and the code does not need to be modified. For example, when the format or content of the abnormal event changes due to a change in the product version of the network device, the second device only needs to generate the abnormal event template matching file based on the product manual corresponding to the product version.
Optionally, the target feature includes an event parameter of the first abnormal event, and the first device determines the target associated object of the first abnormal event according to the target feature as follows: the first device determines the target associated object among the network entities of the target network device according to the event parameter of the first abnormal event and the attributes of the network entities of the target network device.
A network entity typically has one or more attributes, which are used to identify or characterize the network entity.
In one possible implementation, the process by which the first device determines the target associated object among the network entities of the target network device according to the event parameter of the first abnormal event and the attributes of the network entities of the target network device includes:
The first device obtains, according to the name of the first abnormal event, target association relation indication information corresponding to the first abnormal event from an association relation indication information set. The set includes one or more groups of association relation indication information, and each group includes: the name of an abnormal event; the type of the associated object of the abnormal event; the parameter name of the event parameter in the abnormal event that matches an attribute of the associated object; and the attribute name of the attribute in the associated object that matches that event parameter. The target association relation indication information includes the name of the first abnormal event. Then, based on the target association relation indication information, the first device determines the type of the associated object of the first abnormal event, the parameter name of the target event parameter in the first abnormal event that matches an attribute of the associated object, and the attribute name of the target attribute in the associated object that matches the target event parameter. Finally, the first device determines a target network entity of the target network device as the target associated object, where the target network entity satisfies the following conditions: its type is the type of the associated object of the first abnormal event, it has the target attribute, and the attribute value of the target attribute is the same as the parameter value of the target event parameter.
In the present application, the first device determines the associated object of an abnormal event based on the association relation indication information corresponding to that abnormal event. Because the association relation indication information includes the type of the associated object, the parameter name of the event parameter that matches an attribute of the associated object, and the attribute name of the attribute that matches that event parameter, the first device only needs to read the parameter value from the abnormal event by parameter name and then use that value for a directed match against the specified attribute of network entities of the specified type. The associated object is thereby determined with high efficiency and low consumption of computing resources.
Optionally, the first device receives the association relation indication information set sent by the second device.
Optionally, the association indication information set is obtained based on historical abnormal events generated by the target network device.
Optionally, when the association relation indication information set does not include the target association relation indication information, the process by which the first device determines the target associated object among the network entities of the target network device according to the event parameter of the first abnormal event and the attributes of the network entities of the target network device further includes:
The first device determines one or more candidate network entities among the network entities of the target network device according to the event parameter of the first abnormal event and the attributes of the network entities of the target network device, to obtain a candidate network entity set. A candidate network entity has a candidate attribute, and the candidate attribute satisfies: its attribute value is the same as the parameter value of at least one event parameter of the first abnormal event, and/or its attribute meaning is similar to the meaning of at least one event parameter of the first abnormal event. The first device then determines the target associated object in the candidate network entity set according to the target feature.
In the present application, by using the candidate entity matching model, the first device can determine the associated objects of abnormal events whether or not they have occurred historically, so that associated objects are determined automatically for all kinds of abnormal events.
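The matching flow described above (template selection by event name, directed matching through the association relation indication information, and the value-equality candidate set used when that information is missing), as an added Python example that is not part of the patent. The log line format, event names, templates and network entities are constructed for illustration; the candidate entity matching model is not modeled, so the fallback returns the candidate set that model would receive.

```python
import re

# Constructed header format: time, reporting device, module/severity/name, message.
HEADER = re.compile(
    r"^(?P<time>\S+) (?P<device>\S+) "
    r"(?P<module>\w+)/(?P<severity>\d)/(?P<name>\w+): (?P<message>.*)$"
)

# Constructed "abnormal event template matching file" for one device class:
# one template per event name, whose named groups are the event parameters.
TEMPLATES = {
    "IF_DOWN": re.compile(
        r"^Interface (?P<ifName>\S+) \(address (?P<ifIp>\S+)\) went down$"),
    "BGP_PEER_DOWN": re.compile(
        r"^BGP peer (?P<peerIp>\S+) in VRF (?P<vrf>\S+) is down$"),
    "CRC_ERRORS": re.compile(r"^CRC errors rising on port (?P<port>\S+)$"),
}

# Constructed association relation indication information set:
# event name -> (associated object type, event parameter name, attribute name).
ASSOCIATIONS = {
    "IF_DOWN": ("interface", "ifName", "name"),
    "BGP_PEER_DOWN": ("protocol", "peerIp", "peer_address"),
}

# Constructed network entities of the target network device.
ENTITIES = [
    {"type": "device", "name": "leaf-1", "mgmt_ip": "192.0.2.1"},
    {"type": "interface", "name": "GE1/0/1", "ip": "198.51.100.1"},
    {"type": "interface", "name": "GE1/0/2", "ip": "198.51.100.5"},
    {"type": "protocol", "name": "bgp-65001", "peer_address": "198.51.100.2"},
    {"type": "service", "name": "vlan-100", "bound_interface": "GE1/0/1"},
]


def extract_features(raw_event, templates=TEMPLATES):
    """Select the template by event name and extract the features it indicates."""
    header = HEADER.match(raw_event)
    if header is None:
        raise ValueError("event does not match the header format")
    features = header.groupdict()
    template = templates.get(features["name"])
    if template is None:
        raise LookupError("no template for event %r" % features["name"])
    body = template.match(features["message"])
    if body is None:
        # The event format changed: the template file needs updating, not the code.
        raise ValueError("template for %r no longer matches" % features["name"])
    features["params"] = body.groupdict()
    return features


def associate(features, entities=ENTITIES, associations=ASSOCIATIONS):
    """Return (method, matching entities) for one parsed abnormal event."""
    params = features["params"]
    info = associations.get(features["name"])
    if info is not None:
        # Directed match: one parameter value against one attribute of one type.
        obj_type, param_name, attr_name = info
        value = params.get(param_name)
        hits = [e for e in entities
                if e["type"] == obj_type and value is not None
                and e.get(attr_name) == value]
        return "directed", hits
    # No indication information: collect every entity that has an attribute
    # value equal to some event parameter value (the candidate entity set).
    values = set(params.values())
    candidates = [e for e in entities
                  if values & {v for k, v in e.items() if k != "type"}]
    return "candidates", candidates


def resolve(raw_event):
    """Parse a raw event and return (method, [names of matching entities])."""
    method, hits = associate(extract_features(raw_event))
    return method, [e["name"] for e in hits]


if __name__ == "__main__":
    for line in (
        "2020-06-28T10:00:00Z leaf-1 IFNET/2/IF_DOWN: "
        "Interface GE1/0/2 (address 198.51.100.5) went down",
        "2020-06-28T10:01:00Z leaf-1 BGP/3/BGP_PEER_DOWN: "
        "BGP peer 198.51.100.2 in VRF default is down",
        "2020-06-28T10:02:00Z leaf-1 IFNET/4/CRC_ERRORS: "
        "CRC errors rising on port GE1/0/1",
    ):
        print(resolve(line))
```

The third event has no indication information and yields two candidates (the interface and the service bound to it), which is the ambiguity the candidate entity matching model is meant to resolve.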
In another possible implementation, the process by which the first device determines the target associated object among the network entities of the target network device according to the event parameter of the first abnormal event and the attributes of the network entities of the target network device includes:
The first device determines one or more candidate network entities among the network entities of the target network device according to the event parameter of the first abnormal event and the attributes of the network entities of the target network device, to obtain a candidate network entity set. A candidate network entity has a candidate attribute, and the candidate attribute satisfies: its attribute value is the same as the parameter value of at least one event parameter of the first abnormal event, and/or its attribute meaning is similar to the meaning of at least one event parameter of the first abnormal event. The first device then determines the target associated object in the candidate network entity set according to the target feature.
Optionally, the implementation process of determining the target associated object in the candidate network entity set by the first device according to the target feature includes: the first device inputs a candidate network entity set and target characteristics to a candidate entity matching model to obtain a target associated object output by the candidate entity matching model, wherein the candidate entity matching model is a machine learning model obtained based on sample abnormal events of known associated objects.
Optionally, the first device receives the candidate entity matching model sent by the second device.
Optionally, the first device further sends the first abnormal event and/or an association result of the first abnormal event to the second device, so that the cloud device updates an abnormal event association model, the abnormal event association model includes an association relation indication information set and/or a candidate entity matching model, and the association result of the first abnormal event includes indication information of the first abnormal event and indication information of the target association object. The indication information of the first abnormal event comprises the name of the first abnormal event and/or the parameter name of a target event parameter matched with the attribute of the target associated object in the first abnormal event, and the indication information of the target associated object comprises the type of the target associated object, the attribute name of the target attribute matched with the target event parameter in the target associated object and/or the name of the target associated object.
Optionally, the features, indicated by the abnormal event template matching file, of the one or more abnormal events corresponding to the class of network devices to which the target network device belongs include one or more of: the name of the abnormal event, the generation time of the abnormal event, the identifier of the device reporting the abnormal event, the identifier of the module reporting the abnormal event, the severity of the abnormal event, the event parameters of the abnormal event, or the message content of the abnormal event.
In the application, the generation time of the abnormal event, the identifier of the device reporting the abnormal event, the identifier of the module reporting the abnormal event, and the like can be used for further positioning the fault root cause in the network after determining the associated object of the abnormal event.
Optionally, the models of the network devices belonging to the class of the target network device are the same.
Optionally, the product versions of the class of network devices to which the target network device belongs are the same.
In the present application, the product manuals used by the plurality of network devices included in the target device class are the same.
Optionally, the first device is a management device, and the acquiring, by the first device, a first abnormal event generated by the target network device includes: the first device receives a first abnormal event sent by the target network device.
In a second aspect, a method for determining an abnormal event associated object is provided. The method includes: the second device generates an abnormal event template matching file corresponding to a class of network devices, where the abnormal event template matching file indicates the features characterizing one or more abnormal events corresponding to that class of network devices. The second device sends the abnormal event template matching file to the first device, so that the first device can determine the associated object of an abnormal event generated by any network device in that class, where the type of the associated object is a device, an interface, a protocol or a service.
Optionally, the abnormal event template matching file includes a plurality of abnormal event templates, and each abnormal event template is used to indicate a feature that characterizes one abnormal event corresponding to the type of network device.
Optionally, the second device generates the abnormal event template matching file corresponding to the class of network devices as follows:
The second device generates the abnormal event template matching file according to a product manual of the class of network devices, where the product manual includes descriptions of one or more abnormal events corresponding to that class of network devices.
Optionally, the second device obtains association results of a plurality of historical abnormal events generated by a target network device. The association result of a historical abnormal event includes indication information of the historical abnormal event and indication information of its associated object. The indication information of the historical abnormal event includes the name of the historical abnormal event and/or the parameter name of the event parameter in the historical abnormal event that matches an attribute of its associated object. The indication information of the associated object includes the type of the associated object, the attribute name of the attribute in the associated object that matches the event parameter of the historical abnormal event, and/or the name of the associated object. The target network device is any one of the class of network devices. The second device then generates an abnormal event association model according to the association results of the plurality of historical abnormal events, where the abnormal event association model includes an association relation indication information set and/or a candidate entity matching model, and the candidate entity matching model is a machine learning model trained on historical abnormal events whose associated objects are known. The second device sends the abnormal event association model to the first device.
Optionally, the second device obtains the association results of the plurality of historical abnormal events generated by the target network device as follows: the second device receives the association results of the plurality of historical abnormal events sent by the first device.
Alternatively, the second device obtains the association results of the plurality of historical abnormal events generated by the target network device as follows: the second device receives a plurality of historical abnormal events sent by the first device, and then determines the associated objects of the plurality of historical abnormal events based on the abnormal event template matching file.
In a third aspect, an apparatus for determining an abnormal event related object is provided. The apparatus comprises a plurality of functional modules that interact to implement the method of the first aspect and its embodiments described above. The functional modules can be implemented based on software, hardware or a combination of software and hardware, and the functional modules can be combined or divided arbitrarily based on specific implementation.
In a fourth aspect, another apparatus for determining an object associated with an abnormal event is provided. The apparatus comprises a plurality of functional modules, which interact to implement the method of the second aspect and its embodiments described above. The functional modules can be implemented based on software, hardware or a combination of software and hardware, and the functional modules can be combined or divided arbitrarily based on specific implementation.
In a fifth aspect, there is provided a computer device comprising: a processor and a memory;
the memory for storing a computer program, the computer program comprising program instructions;
the processor is configured to invoke the computer program to implement the method for determining the object associated with the abnormal event according to any one of the first aspect.
In a sixth aspect, another computer device is provided, comprising: a processor and a memory;
the memory for storing a computer program, the computer program comprising program instructions;
the processor is configured to invoke the computer program to implement the method for determining the object associated with the abnormal event according to any one of the second aspect.
In a seventh aspect, a system for determining an abnormal event associated object is provided, including: a first device and a second device; the first device comprises an apparatus as described in the third aspect or is a computer device as described in the fifth aspect, and the second device comprises an apparatus as described in the fourth aspect or is a computer device as described in the sixth aspect.
In an eighth aspect, a computer storage medium is provided, which has instructions stored thereon, and when the instructions are executed by a processor, the method for determining an abnormal event related object according to any one of the first aspect or the second aspect is implemented.
In a ninth aspect, there is provided a chip comprising programmable logic and/or program instructions that, when run, implement the method of the first aspect and its embodiments or the method of the second aspect and its embodiments.
The technical solutions provided in this application bring at least the following beneficial effects:
The first device determines the associated object of an abnormal event generated by a network device based on the abnormal event template corresponding to that abnormal event. When the format or content of the abnormal event changes, only the corresponding abnormal event template matching file needs to be updated and no code needs to be modified, which reduces maintenance difficulty and maintenance cost. The abnormal event template matching file corresponding to a network device can be obtained based on the product manual of the network device, so when the format or content of the abnormal events generated by the network device changes, the first device only needs to use an abnormal event template matching file regenerated from the new product manual. For example, when the format or content of an abnormal event changes because the product version of the network device changes, the first device only needs to use the abnormal event template matching file generated from the product manual corresponding to that product version. In addition, when the associated object of an abnormal event changes, only the abnormal event association model needs to be updated and no code needs to be modified. By using the candidate entity matching model, the associated objects of abnormal events can be determined whether or not they have occurred historically, so that associated objects are determined automatically for all kinds of abnormal events.
Drawings
Fig. 1 is a schematic structural diagram of a system for determining an object associated with an abnormal event according to an embodiment of the present application;
Fig. 2 is a flowchart illustrating a method for determining an object associated with an abnormal event according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an apparatus for determining an abnormal event related object according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of another apparatus for determining an object associated with an abnormal event according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of another apparatus for determining an object associated with an abnormal event according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an apparatus for determining an object associated with an abnormal event according to another embodiment of the present application;
Fig. 7 is a schematic structural diagram of another apparatus for determining an object associated with an abnormal event according to another embodiment of the present application;
Fig. 8 is a block diagram of a computer device provided in an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application clearer, embodiments of the present application are described in further detail below with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of a system for determining an abnormal event related object according to an embodiment of the present application. As shown in fig. 1, the system includes: a first device 101 and a second device 102. The first device 101 and the second device 102 are connected through a wired network or a wireless network. In this embodiment, the first device 101 is a network device, and the second device 102 is a management device; or, the first device 101 is a network device, and the second device 102 is a cloud device; or, the first device 101 is a management device, and the second device 102 is a cloud device.
The cloud device may be a server, a server cluster composed of a plurality of servers, or a cloud computing service center. The management device may be a server, a server cluster composed of several servers, or a cloud computing service center. The cloud device generally refers to an upper level device of the management device, and is used for providing a model for processing data for the management device and the like. Optionally, the cloud device and the management device may also be integrated in one device, which is not limited in this application embodiment. The management device may also serve as an analysis device and/or a control device for managing and controlling network devices in the communication network. The management device may be one or more devices.
In the embodiment of the present application, the first device 101 is taken as a management device, and the second device 102 is taken as a cloud device for example. Optionally, with continued reference to fig. 1, the management device 101 is connected to network devices 103a-103b (collectively referred to as network devices 103) in the communication network via a wired network or a wireless network, respectively. The number of network devices in fig. 1 is merely illustrative and is not intended to limit the communication network provided by the embodiments of the present application. The communication network may be a Data Center Network (DCN), a metropolitan area network, a wide area network, a campus network, a Virtual Local Area Network (VLAN), a virtual extended local area network (VXLAN), or the like, and the type of the communication network is not limited in the embodiments of the present application. The network device 103 may be a switch or router, etc.
The management device 101 is configured to collect device information of the network device 103 in the communication network, abnormal events generated in the communication network, and the like, and to provide this information to the cloud device 102. The device information of the network device includes configuration information and/or routing table entries of the network device. The configuration information of the network device generally includes interface configuration information, protocol configuration information, service configuration information, and the like. The management device 101 may also store the networking topology of the communication network that it manages.
Optionally, the management device 101 periodically collects the device information of the network device 103 and abnormal events generated in the communication network. For example, the control device may employ the Simple Network Management Protocol (SNMP) or network telemetry technology to collect abnormal events generated in the communication network. When the device information of the network device 103 changes, the network device 103 actively reports the changed device information to the management device 101; when the communication network fails, the network device 103 actively reports the generated abnormal event to the management device 101. Of course, in some application scenarios, the management device may also be indirectly connected to the network device in the communication network through an acquisition device, that is, the application scenario may further include the acquisition device, which is not limited in this embodiment of the present application.
Fig. 2 is a flowchart illustrating a method for determining an abnormal event related object according to an embodiment of the present application. The method can be applied to a system for determining an abnormal event related object as shown in FIG. 1. As shown in fig. 2, the method includes:
Step 201, the second device generates an abnormal event template matching file corresponding to a type of network device.
The abnormal event template matching file is used for indicating the characteristics of one or more abnormal events corresponding to the network equipment. The abnormal event template matching file may be a JSON-formatted file.
Optionally, the second device generates an abnormal event template matching file corresponding to the network device according to the product manual of the network device. The product manual of the network equipment comprises descriptions of one or more abnormal events corresponding to the network equipment. The abnormal events corresponding to the network devices include abnormal events which may be generated by each network device in the network devices. Or, the abnormal event template matching file corresponding to the network device may also be obtained based on expert experience.
Optionally, the network devices of one type are of the same model. Optionally, the network devices of one type also have the same product version.
In a possible implementation manner, network devices of the same model correspond to one abnormal event template matching file, and network devices of different models correspond to different abnormal event template matching files, that is, a plurality of network devices of the same model are used as one type of network device. Accordingly, in step 201, the second device may generate an abnormal event template matching file corresponding to a certain model of network device according to the product manual of the model.
In another possible implementation manner, network devices of the same model and the same product version correspond to one abnormal event template matching file, and network devices of the same model but different product versions correspond to different abnormal event template matching files, that is, a plurality of network devices of the same model and the same product version are used as one type of network device. Accordingly, in step 201, the second device may generate an abnormal event template matching file corresponding to a certain product version of a certain model of network device according to the product manual of that product version of that model.
In the embodiment of the application, when the format or the content of the abnormal event generated by the network device changes, the second device only needs to regenerate the abnormal event template matching file based on a new product manual, and the code does not need to be modified. For example, when the format or content of the abnormal event changes due to a change in the product version of the network device, the second device only needs to generate the abnormal event template matching file based on the product manual corresponding to the product version.
Optionally, the abnormal event template matching file includes a plurality of abnormal event templates, and each abnormal event template is used to indicate a feature that characterizes one abnormal event corresponding to the type of network device. Optionally, the feature that characterizes an abnormal event corresponding to the type of network device and is indicated by the abnormal event template matching file, that is, the feature that characterizes an abnormal event and is indicated by the abnormal event template, includes: one or more of the name of the abnormal event, the generation time of the abnormal event, the identifier of the device reporting the abnormal event, the identifier of the module reporting the abnormal event, the severity of the abnormal event, the event parameter of the abnormal event or the message content of the abnormal event. The identifier of the device may be information that can uniquely identify the device, such as a device name, a Media Access Control (MAC) address of the device, or a hardware address of the device. The identification of a module may be the name of the module.
Optionally, the second device generates an abnormal event template according to a description of an abnormal event in a product manual of the network device. For example, the description of the abnormal event "License file has expired" that may be reported by the network device in the product manual of the network device is as follows:
“LCS/1/hwGtlDefaltValue_active
Log information
LCS/1/hwGtlDefaltValue_active:Current license value is default, the reason is[hwGtlDefaultValueReason].(SlotID=[entPhysicalName])
Log meaning
The License file has expired.
Log parameters
Parameter name: Meaning of parameter
[hwGtlDefaultValueReason]: License expiration reason.
SlotID: Number of the slot in which the License file is located.”
The format of the abnormal event template that the second device generates according to the description of the abnormal event "License file has expired" is shown in table 1:
TABLE 1 (provided as an image in the original publication; not reproduced here)
Referring to table 1, the abnormal event template indicates that the features characterizing the abnormal event "License file has expired" include: the name "hwGtlDefaltValue_active" of the abnormal event, the generation time of the abnormal event, the identifier of the device reporting the abnormal event, the identifier "LCS" of the module reporting the abnormal event, the severity "1" of the abnormal event, the event parameters "hwGtlDefaultValueReason" and "SlotID" of the abnormal event, and the message content "Current license value is default, the reason is[hwGtlDefaultValueReason].(SlotID=[entPhysicalName])" of the abnormal event.
Optionally, the abnormal event comprises one or more of an alarm log, a state change log, or an abnormal KPI. The alarm log includes the identifier of the abnormal network entity in the network device and the alarm type. The state change log includes configuration file change information and/or routing table entry change information, for example, the state change log may include information such as "access subinterface delete" and "destination IP host route delete". Abnormal KPIs are used to describe the occurrence of an abnormality in some indicator of some network entity.
Step 202, the second device sends the abnormal event template matching file to the first device.
Optionally, the second device sends the abnormal event template matching file corresponding to the network device to the first device, so that the first device determines an associated object of an abnormal event generated by any network device in the network device.
In the embodiment of the present application, the associated object of the abnormal event refers to an abnormal network entity. The type of the associated object of the abnormal event includes a device, an interface, a protocol, or a service. Optionally, the device class specifically includes a single board or a main card. The protocol class includes Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), and the like. The service class specifically includes a Virtual Private Network (VPN) service or a Dynamic Host Configuration Protocol (DHCP) service. Illustratively, the type of the associated object of the above abnormal event "License file has expired" is a single board in the device class.
Optionally, the abnormal event template matching file may also be generated by the first device. In that case, the above steps 201 and 202 can be replaced by: the first device generates an abnormal event template matching file corresponding to the network device. For the implementation manner in which the first device generates the abnormal event template matching file, refer to the implementation manner in which the second device generates it; details are not repeated herein in this embodiment of the application.
Step 203, the first device obtains a first abnormal event generated by the target network device.
The target network device is any one of the above-mentioned type of network devices. The first abnormal event may be any abnormal event generated by the target network device. When the first device is a management device, the implementation process of the first device acquiring the first abnormal event generated by the target network device includes: the first device receives a first abnormal event sent by the target network device.
In the embodiment of the application, after acquiring a first abnormal event generated by a target network device, the first device extracts a feature representing the first abnormal event from the first abnormal event according to the abnormal event template matching file corresponding to the target network device. The abnormal event template matching file corresponding to the target network device is the abnormal event template matching file corresponding to the type of network device to which the target network device belongs. Optionally, for the implementation process in which the first device extracts, from the first abnormal event, a target feature that characterizes the first abnormal event according to the abnormal event template matching file corresponding to the target network device, refer to steps 204 to 205 described below.
Step 204, the first device determines a target abnormal event template corresponding to the first abnormal event in the abnormal event template matching file.
Optionally, the abnormal event template includes the name of the corresponding abnormal event. The first device may determine, according to the name of the first abnormal event, a target abnormal event template corresponding to the first abnormal event in the abnormal event template matching file. The target abnormal event template includes the name of the first abnormal event.
Illustratively, the content of the first abnormal event generated by the target network device acquired by the first device is as follows:
“<185>Mar 24 2020 11:15:21borderleaf01_2_49.81
%%01LCS/1/hwGtlDefaltValue_active(I):CID=0x802b03ed-alarmID=0x095c0006;Current license value is default,the reason is License is expired.(SlotID=1)”
The name of the first abnormal event is "hwGtlDefaltValue_active", and the format of the target abnormal event template corresponding to the first abnormal event may be as shown in table 1.
In the embodiment of the application, because the name of each abnormal event described in the product manual of the network device is usually unique, the first device determines the abnormal event template corresponding to the abnormal event in the abnormal event template matching file according to the name of the abnormal event, and the accuracy is high. In addition, the first device only needs to compare the acquired name of the abnormal event with the names of the abnormal events in the abnormal event templates, so that the complexity is low.
Optionally, the abnormal event template includes a format of a message content of a corresponding abnormal event, and the first device may further determine, in the abnormal event template matching file, a target abnormal event template corresponding to the first abnormal event according to the format of the message content of the first abnormal event. The embodiment of the present application does not limit a manner in which the first device determines the target abnormal event template corresponding to the first abnormal event.
Step 205, the first device extracts the target feature, which is indicated by the target abnormal event template and characterizes the first abnormal event, from the first abnormal event.
Illustratively, referring to the example in step 204, the target feature that the first device extracts from the first abnormal event, as indicated by the abnormal event template shown in table 1, may be as shown in table 2.
TABLE 2 (provided as an image in the original publication; not reproduced here)
Referring to table 2, the event parameter of the first abnormal event is "SlotID=1", where "SlotID" is the parameter name and "1" is the parameter value.
Step 206, the first device determines a target associated object of the first abnormal event according to the target feature.
Optionally, the target feature comprises an event parameter of the first abnormal event. The first device may determine the target associated object among the network entities of the target network device according to the event parameter of the first abnormal event and the attributes of the network entities of the target network device. A network entity typically has one or more attributes, which are used to identify or characterize the network entity. For example, an interface has attributes such as an interface name and an Internet Protocol (IP) address of the interface. The first device may determine the network entities of the target network device from the device information of the target network device.
In an optional embodiment of the present application, the target feature comprises an event parameter of the first abnormal event and the name of the first abnormal event. The implementation process in which the first device determines the target associated object among the network entities of the target network device, according to the event parameter of the first abnormal event and the attributes of the network entities of the target network device, includes the following steps 2061a to 2063a:
In step 2061a, the first device obtains target association relationship indication information corresponding to the first abnormal event from the association relationship indication information set according to the name of the first abnormal event.
The association relationship indication information set comprises one or more groups of association relationship indication information. Each group of association relationship indication information comprises the name of an abnormal event, the type of the associated object of the abnormal event, the parameter name of the event parameter in the abnormal event that matches an attribute of the associated object of the abnormal event, and the attribute name of the attribute in the associated object of the abnormal event that matches the event parameter of the abnormal event. The target association relationship indication information comprises the name of the first abnormal event. The association relationship indication information set can be obtained based on historical abnormal events generated by the target network device, or can be obtained according to expert experience.
Optionally, the first device receives the association relation indication information set sent by the second device.
Illustratively, continuing with the example in step 204, the format of a set of association indication information is shown in table 3.
TABLE 3
Name of abnormal event: hwGtlDefaltValue_active
Parameter name of the event parameter in the abnormal event that matches an attribute of the associated object: SlotID
Type of the associated object of the abnormal event: Single board
Attribute name of the attribute in the associated object that matches the event parameter of the abnormal event: Slot number
When the first device acquires a first abnormal event with the name "hwGtlDefaltValue_active", the first device may acquire the group of association relationship indication information shown in table 3 according to the name of the first abnormal event.
In step 2062a, the first device determines, based on the target association relationship indication information, the type of the associated object of the first abnormal event, the parameter name of the target event parameter in the first abnormal event that matches an attribute of the associated object of the first abnormal event, and the attribute name of the target attribute in the associated object of the first abnormal event that matches the target event parameter.
For example, referring to the example in step 2061a, the name of the first abnormal event is "hwGtlDefaltValue_active", the type of the target associated object is "single board", the parameter name of the target event parameter in the first abnormal event that matches an attribute of the associated object is "SlotID", and the attribute name of the target attribute in the associated object that matches the target event parameter is "slot number".
In step 2063a, the first device determines the target network entity corresponding to the target network device as the target associated object.
The target network entity satisfies: the type of the target network entity is the type of the associated object of the first abnormal event, the target network entity has a target attribute, and the attribute value of the target attribute is the same as the parameter value of the target event parameter.
For example, referring to the examples in step 205 and step 2062a in combination, the target event parameter is "SlotID=1", and the target network entity is the board with slot number 1 in the target network device.
In the embodiment of the application, the first device determines the associated object of the abnormal event based on the association relationship indication information corresponding to the abnormal event. Because the association relationship indication information includes the type of the associated object of the abnormal event, the parameter name of the event parameter in the abnormal event that matches the attribute of the associated object, and the attribute name of the attribute in the associated object that matches the event parameter, the first device only needs to obtain the parameter value of that event parameter from the abnormal event according to its parameter name, and then use the parameter value to perform a directed match against the specified attribute of network entities of the specified type. The associated object of the abnormal event can thus be determined with high efficiency and few computing resources.
Optionally, when the association relationship indication information set does not include the target association relationship indication information, the implementation process in which the first device determines the target associated object among the network entities of the target network device, according to the event parameter of the first abnormal event and the attributes of the network entities of the target network device, further includes the following steps 2064a to 2065a:
In step 2064a, the first device determines one or more candidate network entities from the network entities of the target network device according to the event parameter of the first abnormal event and the attributes of the network entities of the target network device, so as to obtain a candidate network entity set.
The candidate network entity has a candidate attribute. The candidate attribute satisfies: its attribute value is the same as a parameter value of at least one event parameter of the first abnormal event, and/or its attribute meaning is similar to the meaning of at least one event parameter of the first abnormal event. That the meaning of an attribute of a network entity is similar to the meaning of an event parameter of an abnormal event includes: the text similarity between the name of the attribute of the network entity and the name of the event parameter of the abnormal event is higher than a first threshold, and/or the text similarity between the text content corresponding to the attribute of the network entity in the device information and the parameter meaning corresponding to the event parameter of the abnormal event in the product manual is higher than a second threshold, and the like. The embodiment of the application does not limit how the attribute meaning of the network entity and the meaning of the event parameter of the abnormal event are defined or judged.
Optionally, the first device traverses all network entities of the target network device according to the event parameter of the first abnormal event, so as to obtain a candidate network entity set. The first device may specifically determine the candidate network entity from the network entities of the target network device by using a Natural Language Processing (NLP) algorithm and the like.
Illustratively, the first abnormal event has an event parameter with a parameter value of 1, the first device traverses all network entities of the target network device, and all network entities having an attribute with an attribute value of 1 in the target network device are taken as candidate network entities.
In step 2065a, the first device determines a target associated object in the set of candidate network entities based on the target feature.
Optionally, the first device inputs the candidate network entity set and the target feature to the candidate entity matching model to obtain the target associated object output by the candidate entity matching model. The candidate entity matching model is a machine learning model obtained by training based on sample abnormal events of known associated objects. That is, the candidate entity matching model is a machine learning model obtained by training using a supervised learning algorithm. The sample exception event may be a historical exception event generated by the target network device.
Optionally, the first device receives the candidate entity matching model sent by the second device.
In the embodiment of the application, by using the candidate entity matching model, the first device may determine the associated object of an abnormal event regardless of whether that abnormal event has occurred in history, so that associated objects are determined automatically for various abnormal events.
In another optional embodiment of the present application, the target feature comprises an event parameter of the first abnormal event. The implementation process in which the first device determines the target associated object among the network entities of the target network device, according to the event parameter of the first abnormal event and the attributes of the network entities of the target network device, includes the following steps 2061b to 2062b:
In step 2061b, the first device determines one or more candidate network entities from the network entities of the target network device according to the event parameter of the first abnormal event and the attributes of the network entities of the target network device, so as to obtain a candidate network entity set.
The candidate network entity has a candidate attribute. The candidate attributes satisfy: the attribute value is the same as a parameter value of an event parameter of the first exception event and/or the attribute meaning is similar to the meaning of an event parameter of the first exception event. For the explanation of this step, reference may be made to the related explanation of step 2064a, and the detailed description of the embodiment of this application is omitted here.
In step 2062b, the first device determines a target associated object in the set of candidate network entities according to the target feature.
Optionally, the first device inputs the candidate network entity set and the target feature to the candidate entity matching model to obtain the target associated object output by the candidate entity matching model. For the explanation of this step, reference may be made to the related explanation of step 2065a, and the detailed description of the embodiment of this application is omitted here.
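The following Python sketch is an added illustration, not code from the application: it walks the sample event quoted under step 204 through template selection by name (step 204), feature extraction (step 205), the directed match of steps 2061a to 2063a, and the candidate set of step 2064a. The dictionary layouts, the header regular expression, the inventory and the 0.8 name-similarity threshold are assumptions; the event text and the table 3 values come from the description above.

```python
import re
from difflib import SequenceMatcher

# Constructed template entry, transcribed from the manual excerpt quoted under step 201.
TEMPLATE_FILE = {
    "hwGtlDefaltValue_active": {
        "module": "LCS",
        "severity": "1",
        "message": "Current license value is default, the reason is"
                   "[hwGtlDefaultValueReason].(SlotID=[entPhysicalName])",
    }
}
# Constructed association relationship indication information (one group, as in table 3).
ASSOCIATIONS = {
    "hwGtlDefaltValue_active": {"param": "SlotID", "type": "single board", "attr": "slot number"},
}
# Constructed network entities of the target network device (hypothetical inventory).
INVENTORY = [
    {"type": "single board", "name": "board-1", "attrs": {"slot number": "1"}},
    {"type": "single board", "name": "board-2", "attrs": {"slot number": "2"}},
    {"type": "interface", "name": "10GE1/0/1",
     "attrs": {"interface name": "10GE1/0/1", "vlan": "1"}},
]
# The first abnormal event quoted under step 204, joined onto one line.
SAMPLE_EVENT = (
    "<185>Mar 24 2020 11:15:21borderleaf01_2_49.81 "
    "%%01LCS/1/hwGtlDefaltValue_active(I):CID=0x802b03ed-alarmID=0x095c0006;"
    "Current license value is default,the reason is License is expired.(SlotID=1)"
)
# Assumed header layout, inferred only from the single sample event above.
HEADER = re.compile(
    r"<(?P<pri>\d+)>(?P<time>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s*(?P<device>\S+) "
    r"%%\d{2}(?P<module>\w+)/(?P<severity>\d)/(?P<name>\w+)\(\w\):"
    r"(?:CID=[^;]*;)?(?P<message>.*)"
)
PLACEHOLDER = re.compile(r"(?:(\w+)=)?\[(\w+)\]")


def _literal(text):
    # Manual wording is escaped so it can never act as regex syntax. Whitespace is optional
    # because manual and device disagree on spacing ("default, the" vs "default,the").
    return r"\s*".join(re.escape(token) for token in text.split())


def compile_message(template):
    """Turn a manual message format into a regex with one named group per event parameter."""
    pattern, pos = "", 0
    for m in PLACEHOLDER.finditer(template):
        pattern += _literal(template[pos:m.start()])
        key, placeholder = m.groups()
        if key:  # "SlotID=[entPhysicalName]": the parameter is named by the key
            pattern += re.escape(key) + r"\s*=\s*"
        pattern += rf"\s*(?P<{key or placeholder}>.+?)\s*"
        pos = m.end()
    return re.compile(pattern + _literal(template[pos:]) + "$")


def extract_features(raw, template_file):
    """Steps 204-205: pick the template by event name, then extract the indicated features."""
    head = HEADER.match(" ".join(raw.split()))
    if head is None:
        return None
    template = template_file.get(head["name"])
    if template is None:
        return None  # no template for this event name
    if (head["module"], head["severity"]) != (template["module"], template["severity"]):
        return None  # name matched but the event disagrees with its template
    body = compile_message(template["message"]).match(head["message"])
    if body is None:
        return None
    features = {k: head[k] for k in ("name", "time", "device", "module", "severity")}
    features["params"] = body.groupdict()
    return features


def resolve(features, associations, inventory):
    """Steps 2061a-2063a: directed match of one parameter value against one attribute."""
    rule = associations.get(features["name"])
    if rule is None:
        return None  # caller falls back to candidate_set (step 2064a)
    value = features["params"].get(rule["param"])
    if value is None:
        return None  # never let a missing parameter match a missing attribute
    hits = [e for e in inventory
            if e["type"] == rule["type"] and e["attrs"].get(rule["attr"]) == value]
    return hits[0] if len(hits) == 1 else None


def candidate_set(features, inventory, threshold=0.8):
    """Step 2064a: entities with an attribute equal in value, or similar in name, to a parameter."""
    def related(attr, attr_value):
        return any(
            attr_value == p_value
            or SequenceMatcher(None, attr.lower(), p_name.lower()).ratio() > threshold
            for p_name, p_value in features["params"].items())
    return [e["name"] for e in inventory
            if any(related(a, v) for a, v in e["attrs"].items())]
```

On this inventory the directed match returns only the board in slot 1, while the value-based candidate set also contains the interface whose constructed "vlan" attribute happens to be 1, which is the ambiguity the candidate entity matching model of step 2065a has to resolve.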
In the embodiment of the application, when the first device is a management device, after the first device determines the associated object of the abnormal event, the first device may further perform fault root cause location in the network. For example, the first device may attach the abnormal event to the associated network entity on the network knowledge graph, which makes it convenient for operation and maintenance personnel to view the event and troubleshoot.
Optionally, the association relationship indication information set and/or the candidate entity matching model (collectively referred to as an abnormal event correlation model) may be sent by the second device to the first device. Alternatively, the association relationship indication information set and/or the candidate entity matching model may also be generated by the first device. In the embodiment of the present application, taking as an example that the second device generates the abnormal event correlation model and sends it to the first device, the implementation process includes the following steps S1 to S3. For the manner in which the first device generates the abnormal event correlation model, refer to the manner in which the second device generates it in steps S1 and S2.
In step S1, the second device acquires the correlation results of the plurality of historical abnormal events generated by the target network device.
The correlation result of the historical abnormal event comprises indication information of the historical abnormal event and indication information of a correlation object of the historical abnormal event. The indication information of the historical abnormal event comprises the name of the historical abnormal event and/or the parameter name of the event parameter matched with the attribute of the associated object of the historical abnormal event in the historical abnormal event. The indication information of the associated object of the historical abnormal event comprises the type of the associated object of the historical abnormal event, the attribute name of the attribute matched with the event parameter of the historical abnormal event in the associated object of the historical abnormal event and/or the name of the associated object of the historical abnormal event.
In one possible implementation manner, the implementation process of step S1 includes: the second device receives the correlation results of the historical abnormal events sent by the first device. Optionally, the first device sends the correlation result of an abnormal event to the second device each time it determines the associated object of the abnormal event.
In another possible implementation manner, the implementation process of step S1 includes: the second device receives the historical abnormal events sent by the first device, and the second device determines the associated objects of the historical abnormal events based on the abnormal event template matching file.
Optionally, the process of determining the associated object of the historical abnormal event by the second device based on the abnormal event template matching file may refer to the process of determining the target associated object of the first abnormal event by the first device in the above step 204 to step 206, which is not described herein again in this embodiment of the present application.
In step S2, the second device generates an abnormal event correlation model based on the correlation results of the plurality of historical abnormal events.
Optionally, the second device generates a set of association relationship indicating information according to a name of a historical abnormal event, a type of an associated object of the historical abnormal event, a parameter name of an event parameter in the historical abnormal event, which matches an attribute of the associated object of the historical abnormal event, and an attribute name of an attribute in the associated object of the historical abnormal event, which matches the event parameter of the historical abnormal event.
Optionally, the second device obtains historical abnormal events for which the names of the associated objects are known. The second device determines one or more historical candidate network entities among the network entities of the target network device according to the event parameters of the historical abnormal events and the attributes of the network entities of the target network device, so as to obtain a historical candidate network entity set; for the implementation manner of this process, refer to step 2064a above. Then, the second device trains a machine learning model in a supervised manner by using the historical candidate network entity set, the features extracted from the historical abnormal events according to the corresponding abnormal event templates, and the associated objects of the historical abnormal events, to obtain the candidate entity matching model.
In step S3, the second device sends the abnormal event correlation model to the first device.
Optionally, when the abnormal event correlation model is generated by the second device and then sent to the first device, the first device may also send the first abnormal event to the second device, and/or after determining the target correlation object of the first abnormal event, send the correlation result of the first abnormal event to the second device, so that the second device updates the abnormal event correlation model. The correlation result of the first abnormal event comprises indication information of the first abnormal event and indication information of the target correlation object. The indication information of the first abnormal event comprises the name of the first abnormal event and/or the parameter name of a target event parameter matched with the attribute of the target associated object in the first abnormal event. The indication information of the target associated object comprises the type of the target associated object, the attribute name of the target attribute matched with the target event parameter in the target associated object and/or the name of the target associated object.
Optionally, the second device periodically updates the abnormal event correlation model according to the abnormal event and/or the correlation result of the abnormal event sent by the first device, and then sends the updated abnormal event correlation model to the first device.
The order of the steps of the method for determining the abnormal event associated object provided in the embodiment of the present application may be appropriately adjusted, for example, step 203 may also be executed before step 201 or step 202. The steps can be increased or decreased according to the situation. Any method that can be easily conceived by a person skilled in the art within the technical scope disclosed in the present application is covered by the protection scope of the present application, and thus the detailed description thereof is omitted.
In summary, in the method for determining an abnormal event associated object provided in the embodiment of the present application, the first device determines the associated object of an abnormal event generated by a network device based on the abnormal event template corresponding to that abnormal event. When the format or content of the abnormal event changes, only the corresponding abnormal event template matching file needs to be updated, without modifying code, which reduces maintenance difficulty and maintenance cost. The abnormal event template matching file corresponding to a network device can be obtained based on the product manual of the network device; when the format or content of the abnormal events generated by the network device changes, the first device only needs to use an abnormal event template matching file regenerated from the new product manual. For example, when the format or content of an abnormal event changes because the product version of the network device changes, the first device only needs to use the abnormal event template matching file generated from the product manual corresponding to that product version. In addition, when the associated object of an abnormal event changes, only the abnormal event correlation model needs to be updated, and the code does not need to be modified. By adopting the candidate entity matching model, associated objects can be determined both for abnormal events that have appeared in history and for those that have not, so that automatic association of objects is realized for various abnormal events.
Fig. 3 is a schematic structural diagram of an apparatus for determining an abnormal event related object according to an embodiment of the present application. The apparatus may be used in a first device 101 in a system as shown in fig. 1. As shown in fig. 3, the apparatus 30 includes:
the obtaining module 301 is configured to obtain a first abnormal event generated by a target network device.
The processing module 302 is configured to extract, from the first abnormal event, a target feature that characterizes the first abnormal event according to an abnormal event template matching file corresponding to the target network device, where the abnormal event template matching file is used to indicate features that characterize one or more abnormal events corresponding to a class of network devices to which the target network device belongs.
The processing module 302 is further configured to determine a target associated object of the first abnormal event according to the target feature, where the type of the target associated object is a device, an interface, a protocol, or a service.
Optionally, the abnormal event template matching file includes a plurality of abnormal event templates, and each abnormal event template is used to indicate a feature characterizing one abnormal event corresponding to one type of network device to which the target network device belongs. The processing module 302 is configured to:
determine a target abnormal event template corresponding to the first abnormal event in the abnormal event template matching file; and extract the target features indicated by the target abnormal event template from the first abnormal event.
Optionally, the abnormal event template includes the name of the corresponding abnormal event, and the processing module 302 is configured to:
determine the target abnormal event template in the abnormal event template matching file according to the name of the first abnormal event, where the target abnormal event template includes the name of the first abnormal event.
Optionally, as shown in fig. 4, the apparatus 30 further includes: a receiving module 303.
Optionally, the receiving module 303 is configured to receive the abnormal event template matching file sent by the second device.
Optionally, the abnormal event template matching file is obtained based on a product manual of the target network device, where the product manual includes descriptions of one or more abnormal events corresponding to a type of network device to which the target network device belongs.
Optionally, the target feature includes an event parameter of the first abnormal event, and the processing module 302 is configured to:
determine the target associated object among the network entities of the target network device according to the event parameter of the first abnormal event and the attributes of the network entities of the target network device.
Optionally, the target feature further includes the name of the first abnormal event, and the processing module 302 is configured to:
acquire target association relation indication information corresponding to the first abnormal event from an association relation indication information set according to the name of the first abnormal event, where the association relation indication information set includes one or more groups of association relation indication information, each group including the name of an abnormal event, the type of the associated object of the abnormal event, the parameter name of the event parameter in the abnormal event that matches an attribute of the associated object, and the attribute name of the attribute in the associated object that matches that event parameter, and the target association relation indication information includes the name of the first abnormal event; determine, based on the target association relation indication information, the type of the associated object of the first abnormal event, the parameter name of the target event parameter in the first abnormal event that matches an attribute of the associated object, and the attribute name of the target attribute in the associated object that matches the target event parameter; and determine a target network entity of the target network device as the target associated object, where the target network entity satisfies the following: its type is the type of the associated object of the first abnormal event, it has the target attribute, and the attribute value of the target attribute is the same as the parameter value of the target event parameter.
Optionally, the receiving module 303 is configured to receive the association relation indication information set sent by the second device.
Optionally, the association indication information set is obtained based on historical abnormal events generated by the target network device.
Optionally, when the association relation indication information set does not include the target association relation indication information, the processing module 302 is further configured to: determining one or more candidate network entities in the network entities of the target network equipment according to the event parameters of the first abnormal event and the attributes of the network entities of the target network equipment to obtain a candidate network entity set, wherein the candidate network entities have candidate attributes, and the candidate attributes meet the following requirements: the attribute value is the same as the parameter value of the at least one event parameter of the first abnormal event, and/or the attribute meaning is similar to the meaning of the at least one event parameter of the first abnormal event; and determining a target associated object in the candidate network entity set according to the target characteristic.
Optionally, the processing module 302 is configured to: determining one or more candidate network entities in the network entities of the target network equipment according to the event parameters of the first abnormal event and the attributes of the network entities of the target network equipment to obtain a candidate network entity set, wherein the candidate network entities have candidate attributes, and the candidate attributes meet the following requirements: the attribute value is the same as the parameter value of the at least one event parameter of the first abnormal event, and/or the attribute meaning is similar to the meaning of the at least one event parameter of the first abnormal event; and determining a target associated object in the candidate network entity set according to the target characteristic.
Optionally, the processing module 302 is configured to:
input the candidate network entity set and the target features into the candidate entity matching model to obtain the target associated object output by the candidate entity matching model, where the candidate entity matching model is a machine learning model obtained by training on sample abnormal events with known associated objects.
Optionally, the receiving module 303 is configured to receive the candidate entity matching model sent by the second device.
Optionally, as shown in fig. 5, the apparatus 30 further includes: a sending module 304. The sending module 304 is configured to send the first abnormal event and/or the correlation result of the first abnormal event to the second device, so that the cloud device updates an abnormal event correlation model, where the abnormal event correlation model includes a correlation relationship indication information set and/or a candidate entity matching model, and the correlation result of the first abnormal event includes indication information of the first abnormal event and indication information of a target correlation object; the indication information of the first abnormal event comprises the name of the first abnormal event and/or the parameter name of a target event parameter matched with the attribute of the target associated object in the first abnormal event, and the indication information of the target associated object comprises the type of the target associated object, the attribute name of the target attribute matched with the target event parameter in the target associated object and/or the name of the target associated object.
Optionally, the features, indicated by the abnormal event template matching file, that characterize one or more abnormal events corresponding to the type of network device to which the target network device belongs include one or more of: the name of the abnormal event, the generation time of the abnormal event, the identifier of the device reporting the abnormal event, the identifier of the module reporting the abnormal event, the severity of the abnormal event, the event parameters of the abnormal event, or the message content of the abnormal event.
Optionally, the models of the network devices belonging to the class of the target network device are the same.
Optionally, the product versions of the class of network devices to which the target network device belongs are the same.
Optionally, the first device is a management device, and the obtaining module 301 is configured to receive the first abnormal event sent by the target network device.
In summary, in the apparatus for determining an abnormal event associated object provided in the embodiment of the present application, the first device determines the associated object of an abnormal event generated by a network device based on the abnormal event template corresponding to that abnormal event. When the format or content of the abnormal event changes, only the corresponding abnormal event template matching file needs to be updated, without modifying code, which reduces maintenance difficulty and maintenance cost. The abnormal event template matching file corresponding to a network device can be obtained based on the product manual of the network device; when the format or content of the abnormal events generated by the network device changes, the first device only needs to use an abnormal event template matching file regenerated from the new product manual. For example, when the format or content of an abnormal event changes because the product version of the network device changes, the first device only needs to use the abnormal event template matching file generated from the product manual corresponding to that product version. In addition, when the associated object of an abnormal event changes, only the abnormal event correlation model needs to be updated, and the code does not need to be modified. By adopting the candidate entity matching model, associated objects can be determined both for abnormal events that have appeared in history and for those that have not, so that automatic association of objects is realized for various abnormal events.
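The flow performed by the processing module 302, as an added Python illustration that is not part of the patent text: template lookup by event name, matching through the association relation indication information, and the value-equality candidate set used when no indication information exists. The log line format, event names, entities and all function names are constructed assumptions; the fallback returns the whole candidate set, which the candidate entity matching model described above would then narrow to one object.

```python
import re

# Constructed stand-in for the abnormal event template matching file: one
# template per event name; named groups are the event parameters to extract.
TEMPLATE_FILE = {
    "LINK_DOWN": r"Interface (?P<ifName>\S+) turned down, reason (?P<reason>\w+)",
    "BGP_PEER_DOWN": r"Peer (?P<peerAddr>\S+) in VRF (?P<vrf>\S+) went down",
    "FAN_FAIL": r"Fan in slot (?P<slot>\d+) failed",
}

# Assumed (constructed) log header: time, device, module/severity/name, message.
HEADER = re.compile(
    r"^(?P<time>\S+) (?P<device>\S+) "
    r"(?P<module>\w+)/(?P<severity>\d)/(?P<name>\w+): (?P<msg>.*)$"
)

# Association relation indication information set: event name, associated
# object type, matching parameter name, matching attribute name.
ASSOCIATION_SET = [
    {"event": "LINK_DOWN", "type": "interface", "param": "ifName", "attr": "name"},
    {"event": "BGP_PEER_DOWN", "type": "protocol", "param": "peerAddr", "attr": "peer"},
]

# Constructed network entities of the target network device.
ENTITIES = [
    {"type": "interface", "name": "GE0/0/1", "attrs": {"name": "GE0/0/1", "slot": "0"}},
    {"type": "interface", "name": "GE1/0/1", "attrs": {"name": "GE1/0/1", "slot": "1"}},
    {"type": "protocol", "name": "bgp-192.0.2.7", "attrs": {"peer": "192.0.2.7", "vrf": "blue"}},
    {"type": "device", "name": "board-1", "attrs": {"slot": "1"}},
]


def extract_features(raw_event, template_file=TEMPLATE_FILE):
    """Select the template by event name and extract the target features.

    Returns None for lines that match no header or no template, so an
    unexpected or malformed event is dropped instead of being mis-associated.
    """
    header = HEADER.match(raw_event)
    if header is None:
        return None
    template = template_file.get(header["name"])
    if template is None:
        return None
    body = re.fullmatch(template, header["msg"])
    if body is None:
        return None
    features = {k: header[k] for k in ("time", "device", "module", "severity", "name")}
    features["params"] = body.groupdict()
    return features


def associate(features, association_set=ASSOCIATION_SET, entities=ENTITIES):
    """Return the associated object names and how they were found."""
    params = features["params"]
    info = next((i for i in association_set if i["event"] == features["name"]), None)
    if info is not None:
        # Indication information exists: entity type, attribute name and
        # attribute value must all agree with the target event parameter.
        value = params.get(info["param"])
        hits = [
            e["name"] for e in entities
            if e["type"] == info["type"] and e["attrs"].get(info["attr"]) == value
        ]
        return {"event": features["name"], "method": "indication", "objects": hits}
    # No indication information: build the candidate network entity set from
    # entities that share at least one attribute value with an event parameter.
    wanted = set(params.values())
    candidates = [e["name"] for e in entities if wanted & set(e["attrs"].values())]
    return {"event": features["name"], "method": "candidates", "objects": candidates}


def correlate(raw_event):
    """Full pipeline for one raw event line; None if the line is not recognised."""
    features = extract_features(raw_event)
    return None if features is None else associate(features)


if __name__ == "__main__":
    # Constructed sample events.
    for line in (
        "2020-06-28T10:01:02 R1 IFNET/4/LINK_DOWN: Interface GE0/0/1 turned down, reason admin",
        "2020-06-28T10:01:05 R1 DEVM/2/FAN_FAIL: Fan in slot 1 failed",
        "2020-06-28T10:01:09 R1 SEC/3/UNKNOWN_EVT: something else",
    ):
        print(correlate(line))
```

The constructed FAN_FAIL event has no indication information and its slot value equals an attribute of two entities, so the candidate set is ambiguous; that ambiguity is what the trained matching model is meant to resolve.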
Fig. 6 is a schematic structural diagram of an apparatus for determining an object associated with an abnormal event according to another embodiment of the present application. The apparatus may be used in a second device 102 in a system as shown in fig. 1. As shown in fig. 6, the apparatus 60 includes:
the processing module 601 is configured to generate an abnormal event template matching file corresponding to a class of network devices, where the abnormal event template matching file is used to indicate characteristics of one or more abnormal events corresponding to the class of network devices.
The sending module 602 is configured to send the abnormal event template matching file to the first device, so that the first device determines an associated object of an abnormal event generated by any network device of the class of network devices, where the type of the associated object is a device, an interface, a protocol, or a service.
Optionally, the abnormal event template matching file includes a plurality of abnormal event templates, and each abnormal event template is used to indicate a feature that characterizes one abnormal event corresponding to the type of network device.
Optionally, the processing module 601 is configured to generate the abnormal event template matching file according to a product manual of the network equipment, where the product manual includes descriptions of one or more abnormal events corresponding to the network equipment.
Optionally, as shown in fig. 7, the apparatus 60 further comprises:
the obtaining module 603 is configured to obtain correlation results of multiple historical abnormal events generated by a target network device, where the correlation results of the historical abnormal events include indication information of the historical abnormal events and indication information of associated objects of the historical abnormal events, the indication information of the historical abnormal events includes names of the historical abnormal events and/or parameter names of event parameters in the historical abnormal events that match attributes of the associated objects of the historical abnormal events, the indication information of the associated objects of the historical abnormal events includes types of the associated objects of the historical abnormal events, attribute names of attributes in the associated objects of the historical abnormal events that match the event parameters of the historical abnormal events, and/or names of the associated objects of the historical abnormal events, and the target network device is any one of the network devices.
The processing module 601 is further configured to generate an abnormal event correlation model according to correlation results of a plurality of historical abnormal events, where the abnormal event correlation model includes a correlation relationship indication information set and/or a candidate entity matching model, and the candidate entity matching model is a machine learning model obtained based on training of historical abnormal events of known correlation objects.
The sending module 602 is further configured to send the abnormal event correlation model to the first device.
Optionally, the obtaining module 603 is configured to receive the correlation results of the plurality of historical abnormal events sent by the first device.
Optionally, the obtaining module 603 is configured to: receive a plurality of historical abnormal events sent by the first device; and determine the associated objects of the plurality of historical abnormal events based on the abnormal event template matching file.
In summary, in the apparatus for determining an abnormal event associated object provided in the embodiment of the present application, the first device determines the associated object of an abnormal event generated by a network device based on the abnormal event template corresponding to that abnormal event. When the format or content of the abnormal event changes, only the corresponding abnormal event template matching file needs to be updated, without modifying code, which reduces maintenance difficulty and maintenance cost. The abnormal event template matching file corresponding to a network device can be obtained based on the product manual of the network device; when the format or content of the abnormal events generated by the network device changes, the first device only needs to use an abnormal event template matching file regenerated from the new product manual. For example, when the format or content of an abnormal event changes because the product version of the network device changes, the first device only needs to use the abnormal event template matching file generated from the product manual corresponding to that product version. In addition, when the associated object of an abnormal event changes, only the abnormal event correlation model needs to be updated, and the code does not need to be modified. By adopting the candidate entity matching model, associated objects can be determined both for abnormal events that have appeared in history and for those that have not, so that automatic association of objects is realized for various abnormal events.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
An embodiment of the present application provides a computer device, including: a processor and a memory;
the memory for storing a computer program, the computer program comprising program instructions;
the processor is configured to invoke the computer program to implement the actions performed by the first device in the above method embodiments.
An embodiment of the present application provides another computer device, including: a processor and a memory;
the memory for storing a computer program, the computer program comprising program instructions;
the processor is configured to invoke the computer program to implement the actions performed by the second device in the above method embodiments.
Illustratively, fig. 8 is a block diagram of a computer device provided in an embodiment of the present application. The computer device may be the first device or the second device related to the embodiment of the present application, and specifically may be a network device, a management device, or a cloud device. As shown in fig. 8, the computer device 80 includes: a processor 801 and a memory 802.
A memory 802 for storing a computer program comprising program instructions;
the processor 801 is configured to invoke the computer program to implement the actions performed by the first device or the actions performed by the second device in the above method embodiments.
Optionally, the computer device 80 further comprises a communication bus 803 and a communication interface 804.
The processor 801 includes one or more processing cores, and the processor 801 executes various functional applications and data processing by running a computer program.
The memory 802 may be used to store computer programs. Optionally, the memory may store an operating system and application program elements required for at least one function. The operating system may be an operating system such as Real Time eXecutive (RTX), LINUX, UNIX, WINDOWS, or OS X.
There may be multiple communication interfaces 804, and the communication interface 804 is used for communication with other devices. For example, in this embodiment of the present application, the communication interface 804 of the first device may be used to send the abnormal event and/or the correlation result of the abnormal event to the second device.
The memory 802 and the communication interface 804 are connected to the processor 801 via a communication bus 803, respectively.
The embodiment of the application also provides a system for determining the abnormal event associated object. The system comprises: a first device and a second device. The first device comprises an apparatus as shown in any of fig. 3 to 5 or is a computer device as shown in fig. 8. The second device comprises an apparatus as shown in fig. 6 or fig. 7 or is a computer device as shown in fig. 8.
The embodiment of the present application further provides a computer storage medium, where instructions are stored on the computer storage medium, and when the instructions are executed by a processor, the instructions implement the actions performed by the first device or the actions performed by the second device in the foregoing method embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
In the embodiments of the present application, the terms "first", "second", and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The term "and/or" in this application merely describes an association relationship between associated objects and means that three relationships may exist. For example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the former and latter associated objects are in an "or" relationship.
The above description is only exemplary of the present application and is not intended to limit the present application, and any modifications, equivalents, improvements, etc. made within the spirit and principles of the present application are intended to be included within the scope of the present application.

Claims (52)

1. A method of determining an anomalous event associated object, for use with a first device, the method comprising:
acquiring a first abnormal event generated by target network equipment;
extracting target characteristics representing the first abnormal event from the first abnormal event according to an abnormal event template matching file corresponding to the target network equipment, wherein the abnormal event template matching file is used for indicating characteristics representing one or more abnormal events corresponding to one type of network equipment to which the target network equipment belongs;
and determining a target associated object of the first abnormal event according to the target characteristic, wherein the type of the target associated object is equipment, an interface, a protocol or a service.
2. The method according to claim 1, wherein the abnormal event template matching file includes a plurality of abnormal event templates, each abnormal event template is used for indicating a feature characterizing an abnormal event corresponding to a type of network device to which the target network device belongs; the extracting, according to the abnormal event template matching file corresponding to the target network device, the target feature characterizing the first abnormal event from the first abnormal event includes:
determining a target abnormal event template corresponding to the first abnormal event in the abnormal event template matching file;
extracting the target feature indicated by the target abnormal event template from the first abnormal event.
3. The method according to claim 2, wherein the abnormal event template includes a name of a corresponding abnormal event, and the determining a target abnormal event template corresponding to a first abnormal event in the abnormal event template matching file includes:
and determining the target abnormal event template in the abnormal event template matching file according to the name of the first abnormal event, wherein the target abnormal event template comprises the name of the first abnormal event.
4. The method of any of claims 1 to 3, further comprising:
and receiving the abnormal event template matching file sent by the second equipment.
5. The method according to any one of claims 1 to 4, wherein the abnormal event template matching file is obtained based on a product manual of the target network device, and the product manual includes descriptions of one or more abnormal events corresponding to a type of network device to which the target network device belongs.
6. The method according to any one of claims 1 to 5, wherein the target feature comprises an event parameter of the first abnormal event, and the determining the target associated object of the first abnormal event according to the target feature comprises:
and determining the target associated object in the network entity of the target network equipment according to the event parameter of the first abnormal event and the attribute of the network entity of the target network equipment.
7. The method of claim 6, wherein the target feature further comprises a name of the first abnormal event, and wherein determining the target association object in the network entity of the target network device according to the event parameter of the first abnormal event and the attribute of the network entity of the target network device comprises:
acquiring target association relation indication information corresponding to the first abnormal event from an association relation indication information set according to the name of the first abnormal event, wherein the association relation indication information set comprises one or more groups of association relation indication information, the association relation indication information comprises the name of the abnormal event, the type of an associated object of the abnormal event, the parameter name of an event parameter in the abnormal event that matches an attribute of the associated object of the abnormal event, and the attribute name of an attribute in the associated object of the abnormal event that matches the event parameter of the abnormal event, and the target association relation indication information comprises the name of the first abnormal event;
determining the type of the associated object of the first abnormal event, the parameter name of a target event parameter matched with the attribute of the associated object of the first abnormal event in the first abnormal event and the attribute name of a target attribute matched with the target event parameter in the associated object of the first abnormal event based on the target association relation indication information;
determining a target network entity of the target network device as the target associated object, wherein the target network entity satisfies the following conditions: the type of the target network entity is the type of an associated object of the first abnormal event, the target network entity has the target attribute, and the attribute value of the target attribute is the same as the parameter value of the target event parameter.
8. The method of claim 7, further comprising:
and receiving the association relation indication information set sent by the second equipment.
9. The method according to claim 7 or 8, wherein the set of association indication information is obtained based on historical abnormal events generated by the target network device.
10. The method according to any one of claims 7 to 9, wherein when the association relation indication information set does not include the target association relation indication information, the determining the target association object in the network entity of the target network device according to the event parameter of the first abnormal event and the attribute of the network entity of the target network device further includes:
determining one or more candidate network entities in the network entities of the target network device according to the event parameters of the first abnormal event and the attributes of the network entities of the target network device to obtain a candidate network entity set, wherein the candidate network entities have candidate attributes, and the candidate attributes satisfy: the attribute value is the same as the parameter value of at least one event parameter of the first abnormal event, and/or the attribute meaning is similar to the meaning of at least one event parameter of the first abnormal event;
and determining the target associated object in the candidate network entity set according to the target characteristic.
11. The method according to claim 6, wherein the determining the target correlation object in the network entity of the target network device according to the event parameter of the first abnormal event and the attribute of the network entity of the target network device comprises:
determining one or more candidate network entities in the network entities of the target network device according to the event parameters of the first abnormal event and the attributes of the network entities of the target network device to obtain a candidate network entity set, wherein the candidate network entities have candidate attributes, and the candidate attributes satisfy: the attribute value is the same as the parameter value of at least one event parameter of the first abnormal event, and/or the attribute meaning is similar to the meaning of at least one event parameter of the first abnormal event;
and determining the target associated object in the candidate network entity set according to the target characteristic.
12. The method according to claim 10 or 11, wherein said determining the target correlation object in the set of candidate network entities according to the target feature comprises:
and inputting the candidate network entity set and the target characteristics to a candidate entity matching model to obtain the target associated object output by the candidate entity matching model, wherein the candidate entity matching model is a machine learning model obtained by training on sample abnormal events with known associated objects.
13. The method of claim 12, further comprising:
and receiving the candidate entity matching model sent by the second equipment.
14. The method according to claim 8 or 13, characterized in that the method further comprises:
sending the first abnormal event and/or an association result of the first abnormal event to the second device so that the cloud device can update an abnormal event association model, wherein the abnormal event association model comprises an association relation indication information set and/or a candidate entity matching model, and the association result of the first abnormal event comprises indication information of the first abnormal event and indication information of the target association object;
the indication information of the first abnormal event comprises the name of the first abnormal event and/or the parameter name of a target event parameter matched with the attribute of the target associated object in the first abnormal event, and the indication information of the target associated object comprises the type of the target associated object, the attribute name of the target attribute matched with the target event parameter in the target associated object and/or the name of the target associated object.
15. The method according to any one of claims 1 to 14, wherein the characteristics, indicated by the abnormal event template matching file, that characterize the abnormal event corresponding to the type of network device to which the target network device belongs include: one or more of the name of the abnormal event, the generation time of the abnormal event, the identifier of the device reporting the abnormal event, the identifier of the module reporting the abnormal event, the severity of the abnormal event, the event parameter of the abnormal event or the message content of the abnormal event.
16. The method according to any of claims 1 to 15, wherein the network devices of the class to which the target network device belongs are of the same model.
17. The method of claim 16, wherein the product versions of the class of network devices to which the target network device belongs are the same.
18. The method according to any one of claims 1 to 17, wherein the first device is a management device, and the acquiring a first abnormal event generated by a target network device includes:
and receiving the first abnormal event sent by the target network equipment.
19. A method of determining an abnormal event associated object, for use with a second device, the method comprising:
generating an abnormal event template matching file corresponding to a type of network equipment, wherein the abnormal event template matching file is used for indicating the characteristics of one or more abnormal events corresponding to the type of network equipment;
and sending the abnormal event template matching file to a first device so that the first device can determine an associated object of the abnormal event generated by any network device in the class of network devices, wherein the type of the associated object is a device, an interface, a protocol or a service.
20. The method according to claim 19, wherein the abnormal event template matching file includes a plurality of abnormal event templates, and each abnormal event template is used for indicating a feature characterizing one abnormal event corresponding to the class of network devices.
21. The method according to claim 19 or 20, wherein the generating of the abnormal event template matching file corresponding to the class of network devices comprises:
and generating the abnormal event template matching file according to the product manual of the network equipment, wherein the product manual comprises the description of one or more abnormal events corresponding to the network equipment.
22. The method of any one of claims 19 to 21, further comprising:
acquiring correlation results of a plurality of historical abnormal events generated by target network equipment, wherein the correlation results of the historical abnormal events comprise indication information of the historical abnormal events and indication information of correlation objects of the historical abnormal events, the indication information of the historical abnormal events comprises names of the historical abnormal events and/or parameter names of event parameters matched with the attributes of the associated objects of the historical abnormal events in the historical abnormal events, the indication information of the associated object of the historical abnormal event comprises the type of the associated object of the historical abnormal event, the attribute name of the attribute matched with the event parameter of the historical abnormal event in the associated object of the historical abnormal event and/or the name of the associated object of the historical abnormal event, and the target network device is any one of the network devices;
generating an abnormal event correlation model according to the correlation results of the plurality of historical abnormal events, wherein the abnormal event correlation model comprises a correlation relation indication information set and/or a candidate entity matching model, and the candidate entity matching model is a machine learning model obtained by training the historical abnormal events based on a known correlation object;
and sending the abnormal event correlation model to the first equipment.
23. The method of claim 22, wherein obtaining the correlation result of the plurality of historical abnormal events generated by the target network device comprises:
receiving the correlation result of the plurality of historical abnormal events sent by the first device.
24. The method of claim 22, wherein obtaining the correlation result of the plurality of historical abnormal events generated by the target network device comprises:
receiving the plurality of historical abnormal events sent by the first device;
and determining the associated objects of the plurality of historical abnormal events based on the abnormal event template matching file.
25. An apparatus for determining an abnormal event related object, the apparatus being used for a first device, the apparatus comprising:
the acquisition module is used for acquiring a first abnormal event generated by target network equipment;
the processing module is used for extracting target characteristics representing the first abnormal event from the first abnormal event according to an abnormal event template matching file corresponding to the target network equipment, wherein the abnormal event template matching file is used for indicating characteristics representing one or more abnormal events corresponding to a type of network equipment to which the target network equipment belongs;
the processing module is further configured to determine a target associated object of the first abnormal event according to the target feature, where the type of the target associated object is a device, an interface, a protocol, or a service.
26. The apparatus according to claim 25, wherein the abnormal event template matching file includes a plurality of abnormal event templates, each of the abnormal event templates is used to indicate a feature characterizing an abnormal event corresponding to a type of network device to which the target network device belongs; the processing module is configured to:
determining a target abnormal event template corresponding to the first abnormal event in the abnormal event template matching file;
extracting the target feature indicated by the target abnormal event template from the first abnormal event.
27. The apparatus of claim 26, wherein the abnormal event template includes a name of a corresponding abnormal event, and wherein the processing module is configured to:
and determining the target abnormal event template in the abnormal event template matching file according to the name of the first abnormal event, wherein the target abnormal event template comprises the name of the first abnormal event.
28. The apparatus of any one of claims 25 to 27, further comprising:
and the receiving module is used for receiving the abnormal event template matching file sent by the second equipment.
29. The apparatus according to any one of claims 25 to 28, wherein the abnormal event template matching file is obtained based on a product manual of the target network device, and the product manual includes descriptions of one or more abnormal events corresponding to a type of network device to which the target network device belongs.
30. The apparatus according to any one of claims 25 to 29, wherein the target feature comprises an event parameter of the first abnormal event, and the processing module is configured to:
and determining the target associated object in the network entity of the target network equipment according to the event parameter of the first abnormal event and the attribute of the network entity of the target network equipment.
31. The apparatus of claim 30, wherein the target feature further comprises a name of the first abnormal event, and wherein the processing module is configured to:
acquiring target association relation indication information corresponding to the first abnormal event from an association relation indication information set according to the name of the first abnormal event, wherein the association relation indication information set comprises one or more groups of association relation indication information, the association relation indication information comprises the name of the abnormal event, the type of an associated object of the abnormal event, the parameter name of an event parameter matched with the attribute of the associated object of the abnormal event in the abnormal event and the attribute name of an attribute matched with the event parameter of the abnormal event in the associated object of the abnormal event, and the target association relation indication information comprises the name of the first abnormal event;
determining the type of the associated object of the first abnormal event, the parameter name of a target event parameter matched with the attribute of the associated object of the first abnormal event in the first abnormal event and the attribute name of a target attribute matched with the target event parameter in the associated object of the first abnormal event based on the target association relation indication information;
determining a target network entity of the target network device as the target associated object, wherein the target network entity satisfies the following conditions: the type of the target network entity is the type of an associated object of the first abnormal event, the target network entity has the target attribute, and the attribute value of the target attribute is the same as the parameter value of the target event parameter.
32. The apparatus of claim 31, further comprising:
and the receiving module is used for receiving the association relation indication information set sent by the second equipment.
33. The apparatus according to claim 31 or 32, wherein the set of association indication information is obtained based on historical abnormal events generated by the target network device.
34. The apparatus according to any one of claims 31 to 33, wherein when the association relation indication information set does not include the target association relation indication information, the processing module is further configured to:
determining one or more candidate network entities in the network entities of the target network device according to the event parameters of the first abnormal event and the attributes of the network entities of the target network device to obtain a candidate network entity set, wherein the candidate network entities have candidate attributes, and the candidate attributes satisfy: the attribute value is the same as the parameter value of at least one event parameter of the first abnormal event, and/or the attribute meaning is similar to the meaning of at least one event parameter of the first abnormal event;
and determining the target associated object in the candidate network entity set according to the target characteristic.
35. The apparatus of claim 30, wherein the processing module is configured to:
determining one or more candidate network entities in the network entities of the target network device according to the event parameters of the first abnormal event and the attributes of the network entities of the target network device to obtain a candidate network entity set, wherein the candidate network entities have candidate attributes, and the candidate attributes satisfy: the attribute value is the same as the parameter value of at least one event parameter of the first abnormal event, and/or the attribute meaning is similar to the meaning of at least one event parameter of the first abnormal event;
and determining the target associated object in the candidate network entity set according to the target characteristic.
36. The apparatus of claim 34 or 35, wherein the processing module is configured to:
and inputting the candidate network entity set and the target characteristics to a candidate entity matching model to obtain the target associated object output by the candidate entity matching model, wherein the candidate entity matching model is a machine learning model obtained by training sample abnormal events based on known associated objects.
37. The apparatus of claim 36, further comprising:
and the receiving module is used for receiving the candidate entity matching model sent by the second equipment.
38. The apparatus of claim 32 or 37, further comprising:
a sending module, configured to send the first abnormal event and/or an association result of the first abnormal event to the second device, so that the cloud device updates an abnormal event association model, where the abnormal event association model includes an association relation indication information set and/or a candidate entity matching model, and the association result of the first abnormal event includes indication information of the first abnormal event and indication information of the target association object;
the indication information of the first abnormal event comprises the name of the first abnormal event and/or the parameter name of a target event parameter matched with the attribute of the target associated object in the first abnormal event, and the indication information of the target associated object comprises the type of the target associated object, the attribute name of the target attribute matched with the target event parameter in the target associated object and/or the name of the target associated object.
39. The apparatus according to any one of claims 25 to 38, wherein the characteristics of the abnormal event template matching file indicating one or more abnormal events corresponding to a class of network devices to which the target network device belongs include: one or more of the name of the abnormal event, the generation time of the abnormal event, the identifier of the device reporting the abnormal event, the identifier of the module reporting the abnormal event, the severity of the abnormal event, the event parameter of the abnormal event or the message content of the abnormal event.
40. The apparatus according to any of claims 25 to 39, wherein the types of network devices belonging to the class of the target network device are the same.
41. The apparatus of claim 40, wherein product versions of a class of network devices to which the target network device belongs are the same.
42. The apparatus according to any one of claims 25 to 41, wherein the first device is a management device, and the obtaining module is configured to:
and receiving the first abnormal event sent by the target network equipment.
43. An apparatus for determining an abnormal event related object, the apparatus being used for a second device, the apparatus comprising:
the processing module is used for generating an abnormal event template matching file corresponding to one type of network equipment, wherein the abnormal event template matching file is used for indicating the characteristics of one or more abnormal events corresponding to the one type of network equipment;
and the sending module is used for sending the abnormal event template matching file to first equipment so that the first equipment can determine an associated object of the abnormal event generated by any one of the network equipment, wherein the type of the associated object is equipment, an interface, a protocol or a service.
44. The apparatus according to claim 43, wherein the abnormal event template matching file comprises a plurality of abnormal event templates, each of the abnormal event templates being used for indicating a characteristic characterizing an abnormal event corresponding to the class of network devices.
45. The apparatus of claim 43 or 44, wherein the processing module is configured to:
and generating the abnormal event template matching file according to the product manual of the network equipment, wherein the product manual comprises the description of one or more abnormal events corresponding to the network equipment.
46. The apparatus of any one of claims 43 to 45, further comprising:
an obtaining module, configured to obtain correlation results of multiple historical abnormal events generated by a target network device, the correlation result of the historical abnormal event comprises indication information of the historical abnormal event and indication information of a correlation object of the historical abnormal event, the indication information of the historical abnormal events comprises names of the historical abnormal events and/or parameter names of event parameters matched with the attributes of the associated objects of the historical abnormal events in the historical abnormal events, the indication information of the associated object of the historical abnormal event comprises the type of the associated object of the historical abnormal event, the attribute name of the attribute matched with the event parameter of the historical abnormal event in the associated object of the historical abnormal event and/or the name of the associated object of the historical abnormal event, and the target network device is any one of the network devices;
the processing module is further configured to generate an abnormal event correlation model according to correlation results of the plurality of historical abnormal events, where the abnormal event correlation model includes a correlation relationship indication information set and/or a candidate entity matching model, and the candidate entity matching model is a machine learning model obtained by training the historical abnormal events based on a known correlation object;
the sending module is further configured to send the abnormal event correlation model to the first device.
47. The apparatus of claim 46, wherein the obtaining module is configured to:
receiving the correlation result of the plurality of historical abnormal events sent by the first device.
48. The apparatus of claim 46, wherein the obtaining module is configured to:
receiving the plurality of historical abnormal events sent by the first device;
and determining the associated objects of the plurality of historical abnormal events based on the abnormal event template matching file.
49. A computer device, comprising: a processor and a memory;
the memory for storing a computer program, the computer program comprising program instructions;
the processor is configured to invoke the computer program to implement the method for determining an object associated with an abnormal event according to any one of claims 1 to 18.
50. A computer device, comprising: a processor and a memory;
the memory for storing a computer program, the computer program comprising program instructions;
the processor, configured to invoke the computer program to implement the method for determining an object associated with an abnormal event according to any one of claims 19 to 24.
51. A system for determining an abnormal event associated object, comprising: a first device and a second device; the first device comprises an apparatus as claimed in any of claims 25 to 42 or a computer device as claimed in claim 49, and the second device comprises an apparatus as claimed in any of claims 43 to 48 or a computer device as claimed in claim 50.
52. A computer storage medium having stored thereon instructions which, when executed by a processor, carry out a method of determining an abnormal event associated object according to any one of claims 1 to 24.
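The two-stage association in claims 31 and 34 to 36, and the association result of claim 38, can be illustrated with the following Python sketch. It is an added example, not code from the patent or from the applicant. All event names, parameter names, entity names and attribute values are constructed, and the candidate entity matching model of claim 36 is not implemented: the fallback returns only the candidate set that would be passed to such a model, using value equality and not the "similar meaning" test.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AssociationRule:
    """One group of association relation indication information (claim 31)."""
    event_name: str
    object_type: str   # "device", "interface", "protocol" or "service"
    param_name: str    # event parameter that identifies the object
    attr_name: str     # entity attribute the parameter value must equal


@dataclass
class Entity:
    name: str
    type: str
    attrs: dict        # attribute name -> attribute value


def associate(event, entities, rules):
    """Return (method, rule, matches) for one abnormal event.

    method == "rule": a rule exists for the event name; matches are entities
    of the rule's type whose named attribute equals the named parameter.
    method == "candidates": no rule exists; matches are all entities that
    share any attribute value with any event parameter (claims 34/35).
    """
    rule = rules.get(event["name"])
    if rule is not None:
        value = event["params"].get(rule.param_name)
        hits = [e for e in entities
                if e.type == rule.object_type
                and value is not None
                and e.attrs.get(rule.attr_name) == value]
        return "rule", rule, hits
    values = set(event["params"].values())
    candidates = [e for e in entities if values & set(e.attrs.values())]
    return "candidates", None, candidates


def association_result(event, rule, entity):
    """Indication information sent back for model updates (claim 38).

    Only names and types are included, no parameter or attribute values.
    """
    return {
        "event_name": event["name"],
        "param_name": rule.param_name,
        "object_type": entity.type,
        "attr_name": rule.attr_name,
        "object_name": entity.name,
    }


# Constructed inventory of one device's network entities.
ENTITIES = [
    Entity("core-sw-01", "device", {"deviceId": "D-1001"}),
    Entity("GE0/0/1", "interface",
           {"ifName": "GE0/0/1", "ifIndex": "5", "ipAddr": "10.0.0.1"}),
    Entity("GE0/0/2", "interface",
           {"ifName": "GE0/0/2", "ifIndex": "6", "ipAddr": "10.0.1.1"}),
    Entity("bgp-peer-10.0.0.2", "protocol",
           {"peerAddr": "10.0.0.2", "localIf": "GE0/0/1"}),
]
RULES = {"linkDown": AssociationRule("linkDown", "interface",
                                     "ifIndex", "ifIndex")}

# Constructed events. In LINK_DOWN the reason code "5" happens to equal the
# ifIndex of GE0/0/1, which pure value matching would pick up by mistake.
LINK_DOWN = {"name": "linkDown", "params": {"ifIndex": "6", "reason": "5"}}
BGP_DOWN = {"name": "bgpPeerDown",
            "params": {"peerAddr": "10.0.0.2", "ifName": "GE0/0/1"}}

if __name__ == "__main__":
    for ev in (LINK_DOWN, BGP_DOWN):
        method, rule, hits = associate(ev, ENTITIES, RULES)
        print(ev["name"], method, [e.name for e in hits])
```

With the rule present, the link-down event resolves to exactly one interface; without it, value matching also returns the interface whose index collides with the reason code, which is the ambiguity the candidate entity matching model is meant to resolve.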

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010598043.XA CN113852476A (en) 2020-06-28 2020-06-28 Method, device and system for determining abnormal event associated object

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010598043.XA CN113852476A (en) 2020-06-28 2020-06-28 Method, device and system for determining abnormal event associated object

Publications (1)

Publication Number Publication Date
CN113852476A true CN113852476A (en) 2021-12-28

Family

ID=78972150

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010598043.XA Pending CN113852476A (en) 2020-06-28 2020-06-28 Method, device and system for determining abnormal event associated object

Country Status (1)

Country Link
CN (1) CN113852476A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114326676A (en) * 2021-12-30 2022-04-12 北京三快在线科技有限公司 Intrusion detection method and device, storage medium and electronic equipment
CN114326676B (en) * 2021-12-30 2023-10-24 北京三快在线科技有限公司 Intrusion detection method and device, storage medium and electronic equipment
CN115001794A (en) * 2022-05-27 2022-09-02 大同京能新能源有限公司 Network security analysis method
CN115001794B (en) * 2022-05-27 2022-12-27 大同京能新能源有限公司 Network security analysis method
WO2024001666A1 (en) * 2022-06-29 2024-01-04 华为技术有限公司 Network risk assessment method and related apparatus

Similar Documents

Publication Publication Date Title
US11362884B2 (en) Fault root cause determining method and apparatus, and computer storage medium
CN112787841B (en) Fault root cause positioning method and device and computer storage medium
WO2022083540A1 (en) Method, apparatus, and system for determining fault recovery plan, and computer storage medium
US8583779B2 (en) Root cause analysis approach with candidate elimination using network virtualization
CN113852476A (en) Method, device and system for determining abnormal event associated object
CN106130761B (en) The recognition methods of the failed network device of data center and device
US20220200844A1 (en) Data processing method and apparatus, and computer storage medium
CN109150572B (en) Method, device and computer readable storage medium for realizing alarm association
US20230142573A1 (en) Method, apparatus, and system for constructing knowledge graph, and computer storage medium
CN112291075B (en) Network fault positioning method and device, computer equipment and storage medium
CN113225194B (en) Routing abnormity detection method, device and system and computer storage medium
CN114244683A (en) Event classification method and device
CN113938378A (en) Method, device and medium for verifying network device configuration in cloud network environment
CN115550139B (en) Fault root cause positioning method, device, system, electronic equipment and storage medium
US7984333B2 (en) Method and apparatus for proactive alert generation via equivalent machine configuration determination from problem history data
CN103248505A (en) View-based network monitoring method and device
CN114422324B (en) Alarm information processing method and device, electronic equipment and storage medium
WO2024066292A1 (en) Device group fault identification method and apparatus, and computer-readable storage medium
WO2022228062A1 (en) Network fault analysis method and apparatus, and device and storage medium
JP2008124839A (en) Network information collection system and network information collection method
CN116684262A (en) Method and device for acquiring fault propagation relationship
CN114519095A (en) Data processing method, device and system and computer storage medium
CN117255002A (en) Fault processing method and device, storage medium and network equipment
CN116389588A (en) Edge cluster nanotube method and device, electronic equipment and storage medium
CN114189426A (en) Proxy service adaptive band configuration reply method, system, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination