CN113992496A - Abnormal operation warning method and device based on quartile algorithm and computing equipment - Google Patents

Abnormal operation warning method and device based on quartile algorithm and computing equipment Download PDF

Info

Publication number
CN113992496A
CN113992496A CN202010664741.5A CN202010664741A CN113992496A CN 113992496 A CN113992496 A CN 113992496A CN 202010664741 A CN202010664741 A CN 202010664741A CN 113992496 A CN113992496 A CN 113992496A
Authority
CN
China
Prior art keywords
baseline value
monitoring data
real
value
time
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010664741.5A
Other languages
Chinese (zh)
Other versions
CN113992496B (en
Inventor
冯雅琴
肖宝杰
汤卫东
田纪军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Hubei Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Hubei Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Hubei Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN202010664741.5A priority Critical patent/CN113992496B/en
Publication of CN113992496A publication Critical patent/CN113992496A/en
Application granted granted Critical
Publication of CN113992496B publication Critical patent/CN113992496B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/0631Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/16Threshold monitoring

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)
  • Maintenance And Management Of Digital Transmission (AREA)

Abstract

The embodiment of the invention relates to the technical field of service monitoring, and discloses a transaction alarm method, a device and computing equipment based on a quartile algorithm, wherein the method comprises the following steps: dynamically acquiring a first upper limit baseline value and a first lower limit baseline value of the monitoring index of the previous time slice by applying a quartile algorithm according to historical monitoring data of the monitoring index; respectively obtaining a second upper limit baseline value and a second lower limit baseline value of the current time slice through dynamic curve fitting according to the first upper limit baseline value and the first lower limit baseline value; comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data; and performing graded alarm according to the abnormal state of the real-time monitoring data. Through the mode, the embodiment of the invention ensures the accuracy and timeliness of the alarm by increasing the baseline alarm of the dynamic curve value fitting analysis without manually setting a fixed threshold and defining the baseline deviation.

Description

Abnormal operation warning method and device based on quartile algorithm and computing equipment
Technical Field
The embodiment of the invention relates to the technical field of service monitoring, in particular to a transaction alarm method, a transaction alarm device and computing equipment based on a quartile algorithm.
Background
With the coming of the internet era, more and more business systems are loaded in a data center, various key monitoring index data are alarmed based on a fixed threshold value, and potential risks and hidden dangers can be reflected by abnormal fluctuation of the index data. Taking the traffic index of the service system as an example, when the service network environment is affected by an abnormality, the access traffic from the external user cannot reach the service system in the data center, and the traffic drops. When the system component has a problem and cannot respond to the request of the user, the traffic can also have a drop exception at the moment. Furthermore, when traffic is hacked, traffic may experience a sudden rise anomaly. A sudden rise or a sudden drop in traffic generally indicates that some sort of malfunction or abnormal behavior has occurred in the system. At present, flow monitoring data is collected based on a Simple Network Management Protocol (SNMP), each port takes data every 5 minutes, daily operation and maintenance data obtains a peak value according to 288 point values of each port every day, the peak value is presented in a service daily report mode, data points are single and isolated, a change trend and an abnormal value along with time cannot be found from flow operation data, and only when the bandwidth utilization rate exceeds 80% or other fixed thresholds, a dispatch worksheet is subjected to early warning. The transaction change condition of the service flow and the system operation health degree can not be mastered at the first time.
With the development of internet technology, the service of the IDC data center is rapidly increased, key indexes such as service flow and the like at the present stage are monitored and alarmed only on the basis of a fixed threshold, early warning study and judgment under abnormal conditions are omitted, and the condition that the hidden danger of the fault is known in advance before the fault occurs is superior to that of the fault, so that the key to automatic operation and maintenance is achieved. The flow analysis equipment in the traditional operation and maintenance has a certain flow alarm function, the alarm baseline is a fixed threshold, the alarm dimension is single, the abnormal behavior of the service or the network cannot be identified, and the alarm result cannot meet the fine operation and maintenance requirements of service system maintainers. The alarm threshold is set manually according to different service characteristics, the customer service experience and the maintainer experience play a key role in setting the threshold, the flow characteristics of monitored objects are different, the threshold setting difficulty is high, intelligent automatic adjustment is lacked, the monitored objects and indexes are numerous, and the workload of maintainers is large. And meanwhile, a dynamic baseline alarm threshold value adjusted according to historical behavior analysis and busy and idle time is lacked. The fixed alarm threshold is set to be larger, only has significance to the flow wave peak, and the flow in other time periods is in an out-of-control state; the fixed alarm threshold is set to be small, so that the state alarm of the wave crest cannot be met, the peak flow is in an alarm state for a long time, and the alarm significance is lost. At present, the mode of a fixed threshold bears the alarm identification of all network flows, the defect that efficient and accurate alarm cannot be realized is caused, the operation and maintenance risk is large, and a large number of potential risks make the operation and maintenance work difficult to deal with.
Disclosure of Invention
In view of the foregoing problems, embodiments of the present invention provide a method, an apparatus, and a computing device for alarming a transaction based on a quartile algorithm, which overcome the foregoing problems or at least partially solve the foregoing problems.
According to an aspect of the embodiments of the present invention, there is provided a transaction alarm method based on a quartile algorithm, the method including: dynamically acquiring a first upper limit baseline value and a first lower limit baseline value of a monitoring index of a previous time slice by applying a quartile algorithm according to historical monitoring data of the monitoring index; respectively obtaining a second upper limit baseline value and a second lower limit baseline value of the current time slice through dynamic curve fitting according to the first upper limit baseline value and the first lower limit baseline value; comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data; and performing graded alarm according to the abnormal state of the real-time monitoring data.
In an optional manner, the dynamically applying a quartile algorithm according to historical monitoring data of a monitoring index to obtain a first upper limit baseline value and a first lower limit baseline value of the monitoring index of a previous time slice includes: performing quartile analysis according to historical monitoring data of the monitoring index; taking the upper quartile of the historical monitoring data as the first upper limit base line value of the monitoring index of the previous time slice; and taking the next quartile of the historical monitoring data as the first lower limit base line value of the monitoring index of the previous time slice.
In an optional manner, the obtaining a second upper-limit baseline value and a second lower-limit baseline value of the current time slice by dynamic curve fitting according to the first upper-limit baseline value and the first lower-limit baseline value respectively includes: acquiring the flow of the normal condition of the current time slice; obtaining a second upper limit base line value through dynamic curve fitting according to the flow of the normal condition of the current time slice and the first upper limit base line value; and obtaining the second lower-limit baseline value through dynamic curve fitting according to the flow of the normal condition of the current time slice and the first lower-limit baseline value.
In an optional manner, the obtaining the second lower-limit baseline value by dynamic curve fitting according to the flow rate of the normal condition of the current time slice and the first lower-limit baseline value includes: according to the flow y of the normal condition of the current time slice and the first lower limit base line value b'1Obtaining the second lower-limit baseline value b by applying the following relational expression1
b1=a1*y+(1-a1)*b′1
The obtaining of the second upper-limit baseline value through dynamic curve fitting according to the flow rate of the normal condition of the current time slice and the first upper-limit baseline value includes: according to the flow y of the normal condition of the current time slice and the first upper limit base line value b'2Obtaining the second upper limit base line value b by applying the following relational expression2
b2=a2*y+(1-a2)*b′2
Wherein 0< a1,a2<1,a1Is the current timeThe flow rate y of the slice in a normal state is in the second lower limit base line value b'1Specific gravity of (a)2Is the flow y of the normal case of the current time slice at the second upper baseline value b'2The specific gravity of the Chinese medicinal materials.
In an optional manner, the comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data includes: determining deviation ranges of the second upper limit baseline value and the second lower limit baseline value respectively; and comparing the real-time monitoring data of the monitoring index with the deviation ranges of a second upper limit baseline value and a second lower limit baseline value to obtain the abnormal state of the real-time monitoring data.
In an alternative mode, the determining the deviation ranges of the second upper-limit baseline value and the second lower-limit baseline value respectively includes: calculating deviation ranges of the second upper base line value and the second lower base line value according to the following relations for the historical samples with the monitoring indexes y1, y2, y3, … …, yt at t previous identical time instants:
Figure BDA0002579915490000031
wherein S ist1Is the deviation range of the second lower base line value, St2A deviation range of the second upper base line value, b1Is the second lower base line value, b2Is the second upper baseline value.
In an optional manner, the performing a graded alarm according to the abnormal state of the real-time monitoring data includes: when the real-time monitoring data yt+1Satisfies b1-St1<yt+1<b2+St2When the real-time monitoring data is sliced at the next time, the deviation of the real-time monitoring data relative to the dynamic baseline is within an allowable range, and no alarm is generated; when the real-time monitoring data yt+1Satisfies b1-2St1<yt+1<b1-St1Or b is2+St2<yt+1<b2+2St2When the real-time monitoring data is sliced at the next time, the real-time monitoring data has smaller deviation relative to a dynamic baseline, and a primary alarm is generated; when the real-time monitoring data yt+1Satisfies b1-3St1<yt+1<b1-2St1Or b is2+2St2<yt+1<b2+3St2When the real-time monitoring data is sliced at the next time, the real-time monitoring data has larger deviation relative to a dynamic baseline, and a middle-level alarm is generated; when the real-time monitoring data yt+1Satisfy yt+1<b1-3St1Or y ist+1>b2+3St2And when the real-time monitoring data is sliced at the next time, the real-time monitoring data has great deviation relative to a dynamic baseline, and advanced alarm is generated.
According to another aspect of the embodiments of the present invention, there is provided a transaction warning device based on a quartile algorithm, the device including: the quartile algorithm module is used for dynamically acquiring a first upper limit baseline value and a first lower limit baseline value of the monitoring index of a previous time slice by applying a quartile algorithm according to historical monitoring data of the monitoring index; a curve fitting module, configured to obtain a second upper-limit baseline value and a second lower-limit baseline value of the current time slice through dynamic curve fitting according to the first upper-limit baseline value and the first lower-limit baseline value; the anomaly detection module is used for comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data; and the grading alarm module is used for carrying out grading alarm according to the abnormal state of the real-time monitoring data.
According to another aspect of embodiments of the present invention, there is provided a computing device including: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the steps of the transaction alarm method based on the quartile algorithm.
According to another aspect of the embodiments of the present invention, there is provided a computer storage medium having at least one executable instruction stored therein, the executable instruction causing the processor to execute the steps of the above-mentioned quadrant algorithm-based transaction alarm method.
According to the embodiment of the invention, a quartile algorithm is applied to dynamically obtain a first upper limit baseline value and a first lower limit baseline value of a monitoring index of a previous time slice according to historical monitoring data of the monitoring index; respectively obtaining a second upper limit baseline value and a second lower limit baseline value of the current time slice through dynamic curve fitting according to the first upper limit baseline value and the first lower limit baseline value; comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data; and performing graded alarm according to the abnormal state of the real-time monitoring data, and increasing the baseline alarm of dynamic curve value fitting analysis without manually setting a fixed threshold and defining the baseline deviation, thereby ensuring the accuracy and timeliness of the alarm.
The foregoing description is only an overview of the technical solutions of the embodiments of the present invention, and the embodiments of the present invention can be implemented according to the content of the description in order to make the technical means of the embodiments of the present invention more clearly understood, and the detailed description of the present invention is provided below in order to make the foregoing and other objects, features, and advantages of the embodiments of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a schematic flow chart illustrating a transaction warning method based on a quartile algorithm according to an embodiment of the present invention;
FIG. 2 is a schematic diagram illustrating a collection line of the anomaly alarm method based on the quartile algorithm according to the embodiment of the present invention;
fig. 3 is a schematic structural diagram illustrating a transaction warning device based on a quartile algorithm according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a computing device provided in an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 shows a schematic flow diagram of a transaction warning method based on a quartile algorithm according to an embodiment of the present invention. The abnormal operation alarming method based on the quartile algorithm is mainly applied to a server. As shown in fig. 1, the method for alarming a transaction based on a quartile algorithm includes:
step S11: and dynamically acquiring a first upper limit baseline value and a first lower limit baseline value of the monitoring index of the previous time slice by applying a quartile algorithm according to historical monitoring data of the monitoring index.
The embodiment of the invention integrates a learning mode by using a multi-depth algorithm, improves a quartile algorithm of the traditional anomaly detection, and introduces two methods of comparing a dynamic baseline and a historical behavior for anomaly detection aiming at a monitoring index with a time sequence characteristic. The embodiment of the invention can be used for monitoring the monitoring indexes of different services such as videos, games, downloads and the like.
In step S11, specifically, a quartile analysis is performed based on the historical monitoring data of the monitoring index. One monitoring data is collected every 5 minutes granularity, one day is divided into a plurality of time intervals, and the quartile interval of the normal flow in the same time interval every day is calculated. Taking the upper quartile of the historical monitoring data as the first upper limit base line value of the monitoring index of the previous time slice; and taking the next quartile of the historical monitoring data as the first lower limit base line value of the monitoring index of the previous time slice. Wherein the previous time slice refers to the same time period of the previous cycle.
In the embodiment of the invention, taking the flow index as an example, the improved baseline analysis method is to divide one day into a plurality of time intervals and calculate the quartile interval of the normal flow in the same time interval every day, and the flow interval values of the continuous different time intervals form a flow baseline; the baseline reflects the flow change trend presented under the normal behavior of the network, and is an important flow index. And establishing respective flow baselines by using the normal flow of each router, switch, link and application system every five minutes, and analyzing and comparing the network flow with the baseline value in the same slicing time period to screen out the abnormal flow in the network. The dynamic baseline is based on historical data, after deep learning is carried out by using an intelligent algorithm, the numerical value of each time point in a period of time in the future is accurately predicted, the predicted value is used as the baseline, and the deviation degree of the actual value and the baseline is compared to monitor and alarm. As shown in fig. 2, the depth in the figure refers to an acquisition line for acquiring flow data from a plurality of ports and acquiring the flow data for each time slice according to the combination of the flow data of the plurality of ports.
In an embodiment of the present invention, an acquisition point is an object property acquisition point generated by an acquisition task: < time, value >. The curve generated by the connection of acquisition points is called an acquisition line. After the acquisition lines are equally long sliced, the slices are selectively overlapped and compressed into a new curve according to a certain calculation mode, time sequence data formed by each base point dynamically generate base points with upper and lower limits appearing in pairs according to a quartile algorithm, the curve formed by the base points is a base line, and the base line is also divided into the upper and lower limits at a certain time point. The base point is a base point constituting a base line. An allelic acquisition point is a point divided across a slice by the granularity of the baseline, and may be considered as a projection of the base point onto the slice. The role of the allelic acquisition points is to generate the base points. The allelic basis points are points divided on the baseline by the granularity of the acquired samples, and can be considered as projections of the acquired points on the baseline. The equipotential base points function as thresholds for alarms.
Under the condition that a certain data index is known to be in periodic change and an accurate value of each period cannot be given or the data in the period is changed too much, by taking a video service scene as an example, the trend and the periodic change of the historical data are identified according to the learning of the historical flow value, and the change trend of the flow in a period of time in the future is predicted. And simultaneously, according to the distribution condition of the historical data, the change condition of the upper limit and the lower limit in a period of time in the future is given. And when the index to be detected is higher than the box-shaped baseline interval of the quartile, is higher than the upper limit or lower than the lower limit, judging that the abnormity occurs. Monitoring finds that the predicted actual value data is frequently smaller than the predicted data, and effectively detects the abnormity and tracks the root of the event. Once abnormal traffic occurs in the network, the abnormal traffic is directly reflected on the change of the traffic index data. The system is developed by adopting Python language, and when abnormal indexes are monitored, the system triggers mail alarm pushing in real time.
Step S12: and respectively obtaining a second upper limit base line value and a second lower limit base line value of the current time slice through dynamic curve fitting according to the first upper limit base line value and the first lower limit base line value.
In the embodiment of the invention, the target monitoring value is compared with the distribution of historical synchronous data and the change condition of a same-cycle ratio by carrying out unsupervised learning on massive historical data, whether the new data is abnormal or not is judged according to the distribution or percentage difference condition of the data, and whether an alarm is given or not is judged. For a network model of a service system, service traffic is contributed by a series of ports with collective similar behaviors, and the network traffic usually shows regular changes in a 24-hour period or has obvious peak and trough distribution conditions. Thus, each day is divided into several time segments, assuming that y is the normal traffic for this time segment, and b0 is the baseline value to the previous time slice, after this time segment, the new baseline value b is updated as follows:
b ═ a × y + (1-a) × b0, where 0< a < 1.
a represents the proportion of the network traffic in the baseline for the period of time on a day. If baseline analysis is performed only for network traffic on weekdays, it is intuitive to set a to 0.2 (1/5), meaning that y represents traffic for one of the days counted five days a week, and b0 represents a weighted average of the first four of the five days. The weighted average of the formula a reflects the attention degree of the user to the latest flow, so that b can quickly reflect the latest normal network flow change, when the baseline value b is updated, y must be determined to be the statistical value of the normal flow, and if the flow in the period is abnormal, the baseline value b is not updated. Since the baseline value b is used as a basis for determining whether the flow rate is normal, at the initial stage of calculating the flow rate baseline, since the statistical data is not enough and the value b does not have a certain representativeness, if the baseline value b is used for screening the normal flow rate, it is likely that the correct flow rate y is regarded as abnormal, and y cannot be reflected to the baseline value b, so that the calculation of b itself is incorrect, and further the subsequent abnormal monitoring and baseline updating are affected. Therefore, the normal network traffic should be collected for a period of time at the beginning of the traffic baseline calculation, and then the correct baseline value b should be established by using the y value of the period of time.
In embodiments of the present invention, the baseline values all occur in halves, including the lower baseline value b1And an upper base line value b2. In step S12, the flow rate of the normal case of the current time slice is acquired; obtaining a second upper limit base line value through dynamic curve fitting according to the flow of the normal condition of the current time slice and the first upper limit base line value; and obtaining the second lower-limit baseline value through dynamic curve fitting according to the flow of the normal condition of the current time slice and the first lower-limit baseline value. Specifically, assume y is the normal case flow, b 'for the current time slice'1Is a first lower bound baseline value, b ', previously obtained according to a quartile algorithm'2And updating the first upper limit baseline value and the first lower limit baseline value into a new second upper limit baseline value and a new second lower limit baseline value after the current time slice of the first upper limit baseline value obtained according to the quartile algorithm.
According to the flow y of the normal condition of the current time slice and the first time sliceBase line limiting value b'1Obtaining the second lower-limit baseline value b by applying the following relational expression1
b1=a1*y+(1-a1)*b′1
According to the flow y of the normal condition of the current time slice and the first upper limit base line value b'2Obtaining the second upper limit base line value b by applying the following relational expression2
b2=a2*y+(1-a2)*b′2
Wherein 0< a1,a2<1,a1Is the flow y of the normal case of the current time slice is at the second lower limit baseline value b'1Specific gravity of (a)2Is the flow y of the normal case of the current time slice at the second upper baseline value b'2The specific gravity of the Chinese medicinal materials.
Step S13: and comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data.
Specifically, the deviation ranges of the second upper limit baseline value and the second lower limit baseline value are respectively determined; and comparing the real-time monitoring data of the monitoring index with the deviation ranges of a second upper limit baseline value and a second lower limit baseline value to obtain the abnormal state of the real-time monitoring data.
In the embodiment of the invention, because network traffic has peaks and valleys, and each alarm state is a region range according to a traffic alarm classification system, corresponding classification is applicable as long as the alarm state is in the region. Therefore, if the flow is determined to be abnormal by using the dynamic baseline value, a certain error will be generated, and more abnormal flow information will be reported. Therefore, a dynamic critical area is established, and network traffic grading alarm is carried out. Specifically, the deviation ranges of the second upper-limit baseline value and the second lower-limit baseline value are respectively calculated for the historical samples according to the following relations for the monitoring indexes y1, y2, y3, … …, yt at the previous t same moments:
Figure BDA0002579915490000091
wherein S ist1Is the deviation range of the second lower base line value, St2A deviation range of the second upper base line value, b1Is the second lower base line value, b2Is the second upper baseline value.
The deviation range b of the real-time monitoring data yt +1 of the next time slice at the second lower-limit baseline value1-St1And a deviation range b of the second upper base line value2+St2And in the middle, the real-time monitoring data is normal. Otherwise, monitoring data abnormity in real time.
Step S14: and performing graded alarm according to the abnormal state of the real-time monitoring data.
In the embodiment of the invention, when the real-time monitoring data yt+1Satisfies b1-St1<yt+1<b2+St2And then, slicing the real-time monitoring data at the next time, wherein the deviation of the real-time monitoring data relative to the dynamic baseline is within an allowable range, and generating no alarm.
When the real-time monitoring data yt+1Satisfies b1-2St1<yt+1<b1-St1Or b is2+St2<yt+1<b2+2St2And then slicing the real-time monitoring data at the next time, wherein the real-time monitoring data has smaller deviation relative to the dynamic baseline, and generating a primary alarm.
When the real-time monitoring data yt+1Satisfies b1-3St1<yt+1<b1-2St1Or b is2+2St2<yt+1<b2+3St2And then slicing the real-time monitoring data at the next time, wherein the real-time monitoring data has larger deviation relative to a dynamic baseline, and generating a middle-level alarm.
When the real-time monitoring data yt+1Satisfy yt+1<b1-3St1Or y ist+1>b2+3St2Time, slice the next time the real-time monitoringThe data is highly skewed from the dynamic baseline, generating advanced alarms.
The embodiment of the invention adopts an unsupervised ensemble learning algorithm based on an improved quartile algorithm to detect the abnormal indexes of a plurality of items without manually setting a fixed threshold value and defining the deviation degree of a base line, selects different algorithms to perform targeted detection according to different data characteristics, performs integral evaluation on the abnormal indexes, and generates an alarm message after automatically identifying data which do not accord with expectations. Based on the characteristics of time sequence data, the abnormal operation state monitoring of the service is optimized by adopting segmented slicing to improve the existing quartile algorithm; different service characteristics such as videos, games and downloads are analyzed to realize unsupervised learning, so that when the proposal faces massive monitoring data, a baseline alarm is added through dynamic curve value fitting analysis based on a conventional common alarm with a fixed threshold value, and the accuracy and timeliness of the alarm are ensured; analyzing the problem of the operation health degree of the service by applying a multidimensional index monitoring method based on mass data, and supporting network planning construction; the method can be widely applied to various service system monitoring scenes, and is particularly suitable for scenes in which a certain data index is known to be in periodic change and an accurate value of each period cannot be given or data in the period is changed too much.
According to the embodiment of the invention, a quartile algorithm is applied to dynamically obtain a first upper limit baseline value and a first lower limit baseline value of a monitoring index of a previous time slice according to historical monitoring data of the monitoring index; respectively obtaining a second upper limit baseline value and a second lower limit baseline value of the current time slice through dynamic curve fitting according to the first upper limit baseline value and the first lower limit baseline value; comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data; and performing graded alarm according to the abnormal state of the real-time monitoring data, and increasing the baseline alarm of dynamic curve value fitting analysis without manually setting a fixed threshold and defining the baseline deviation, thereby ensuring the accuracy and timeliness of the alarm.
Fig. 3 shows a schematic structural diagram of a transaction warning device based on a quartile algorithm according to an embodiment of the present invention. As shown in fig. 3, the abnormal operation warning device based on the quartile algorithm includes: a quartile algorithm module 301, a curve fitting module 302, an anomaly detection module 303, and a hierarchical alarm module 304. Wherein:
the quartile algorithm module 301 is configured to dynamically obtain a first upper limit baseline value and a first lower limit baseline value of a monitoring index of a previous time slice by applying a quartile algorithm according to historical monitoring data of the monitoring index; the curve fitting module 302 is configured to obtain a second upper-limit baseline value and a second lower-limit baseline value of the current time slice through dynamic curve fitting according to the first upper-limit baseline value and the first lower-limit baseline value; the anomaly detection module 303 is configured to compare the real-time monitoring data of the monitoring index with the second upper-limit baseline value and the second lower-limit baseline value, and obtain an abnormal state of the real-time monitoring data; the graded alarm module 304 is configured to perform graded alarm according to the abnormal state of the real-time monitoring data.
In an alternative manner, the quartile algorithm module 301 is configured to: performing quartile analysis according to historical monitoring data of the monitoring index; taking the upper quartile of the historical monitoring data as the first upper limit base line value of the monitoring index of the previous time slice; and taking the next quartile of the historical monitoring data as the first lower limit base line value of the monitoring index of the previous time slice.
In an alternative approach, the curve fitting module 302 is configured to: acquiring the flow of the normal condition of the current time slice; obtaining a second upper limit base line value through dynamic curve fitting according to the flow of the normal condition of the current time slice and the first upper limit base line value; and obtaining the second lower-limit baseline value through dynamic curve fitting according to the flow of the normal condition of the current time slice and the first lower-limit baseline value.
In an alternative manner, the curve fitting module 302 is further configured to: according to the flow y of the normal condition of the current time slice and the first lower limit base line value b'1Obtaining the second lower-limit baseline value b by applying the following relational expression1
b1=a1*y+(1-a1)*b′1
According to the flow y of the normal condition of the current time slice and the first upper limit base line value b'2Obtaining the second upper limit base line value b by applying the following relational expression2
b2=a2*y+(1-a2)*b′2
Wherein 0< a1,a2<1,a1Is the flow y of the normal case of the current time slice is at the second lower limit baseline value b'1Specific gravity of (a)2Is the flow y of the normal case of the current time slice at the second upper baseline value b'2The specific gravity of the Chinese medicinal materials.
In an alternative manner, the anomaly detection module 303 is configured to: determining deviation ranges of the second upper limit baseline value and the second lower limit baseline value respectively; and comparing the real-time monitoring data of the monitoring index with the deviation ranges of a second upper limit baseline value and a second lower limit baseline value to obtain the abnormal state of the real-time monitoring data.
In an optional manner, the anomaly detection module 303 is further configured to: calculating deviation ranges of the second upper base line value and the second lower base line value according to the following relations for the historical samples with the monitoring indexes y1, y2, y3, … …, yt at t previous identical time instants:
Figure BDA0002579915490000111
wherein S ist1Is the deviation range of the second lower base line value, St2A deviation range of the second upper base line value, b1Is the second lower base line value, b2Is the second upper baseline value.
In an alternative approach, the hierarchical alarm module 304 is configured to: when the real-time monitoring data yt+1Satisfies b1-St1<yt+1<b2+St2When the real-time monitoring data is sliced at the next time, the deviation of the real-time monitoring data relative to the dynamic baseline is within an allowable range, and no alarm is generated; when the real-time monitoring data yt+1Satisfies b1-2St1<yt+1<b1-St1Or b is2+St2<yt+1<b2+2St2When the real-time monitoring data is sliced at the next time, the real-time monitoring data has smaller deviation relative to a dynamic baseline, and a primary alarm is generated; when the real-time monitoring data yt+1Satisfies b1-3St1<yt+1<b1-2St1Or b is2+2St2<yt+1<b2+3St2When the real-time monitoring data is sliced at the next time, the real-time monitoring data has larger deviation relative to a dynamic baseline, and a middle-level alarm is generated; when the real-time monitoring data yt+1Satisfy yt+1<b1-3St1Or y ist+1>b2+3St2And when the real-time monitoring data is sliced at the next time, the real-time monitoring data has great deviation relative to a dynamic baseline, and advanced alarm is generated.
According to the embodiment of the invention, a quartile algorithm is applied to dynamically obtain a first upper limit baseline value and a first lower limit baseline value of a monitoring index of a previous time slice according to historical monitoring data of the monitoring index; respectively obtaining a second upper limit baseline value and a second lower limit baseline value of the current time slice through dynamic curve fitting according to the first upper limit baseline value and the first lower limit baseline value; comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data; and performing graded alarm according to the abnormal state of the real-time monitoring data, and increasing the baseline alarm of dynamic curve value fitting analysis without manually setting a fixed threshold and defining the baseline deviation, thereby ensuring the accuracy and timeliness of the alarm.
The embodiment of the invention provides a nonvolatile computer storage medium, wherein at least one executable instruction is stored in the computer storage medium, and the computer executable instruction can execute the abnormal operation warning method based on the quartile algorithm in any method embodiment.
The executable instructions may be specifically configured to cause the processor to:
dynamically acquiring a first upper limit baseline value and a first lower limit baseline value of a monitoring index of a previous time slice by applying a quartile algorithm according to historical monitoring data of the monitoring index;
respectively obtaining a second upper limit baseline value and a second lower limit baseline value of the current time slice through dynamic curve fitting according to the first upper limit baseline value and the first lower limit baseline value;
comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data;
and performing graded alarm according to the abnormal state of the real-time monitoring data.
In an alternative, the executable instructions cause the processor to:
performing quartile analysis according to historical monitoring data of the monitoring index;
taking the upper quartile of the historical monitoring data as the first upper limit base line value of the monitoring index of the previous time slice;
and taking the next quartile of the historical monitoring data as the first lower limit base line value of the monitoring index of the previous time slice.
In an alternative, the executable instructions cause the processor to:
acquiring the flow of the normal condition of the current time slice;
obtaining a second upper limit base line value through dynamic curve fitting according to the flow of the normal condition of the current time slice and the first upper limit base line value;
and obtaining the second lower-limit baseline value through dynamic curve fitting according to the flow of the normal condition of the current time slice and the first lower-limit baseline value.
In an alternative, the executable instructions cause the processor to:
obtaining the second lower-limit base line value b by applying the following relational expression according to the flow y of the normal condition of the current time slice and the first lower-limit base line value b' 11
b1=a1*y+(1-a1)*b′1
According to the flow y of the normal condition of the current time slice and the first upper limit base line value b'2Obtaining the second upper limit base line value b by applying the following relational expression2
b2=a2*y+(1-a2)*b′2
Wherein 0< a1,a2<1,a1Is the flow y of the normal case of the current time slice is at the second lower limit baseline value b'1Specific gravity of (a)2Is the flow y of the normal case of the current time slice at the second upper baseline value b'2The specific gravity of the Chinese medicinal materials.
In an alternative, the executable instructions cause the processor to:
determining deviation ranges of the second upper limit baseline value and the second lower limit baseline value respectively;
and comparing the real-time monitoring data of the monitoring index with the deviation ranges of a second upper limit baseline value and a second lower limit baseline value to obtain the abnormal state of the real-time monitoring data.
In an alternative, the executable instructions cause the processor to:
calculating deviation ranges of the second upper base line value and the second lower base line value according to the following relations for the historical samples with the monitoring indexes y1, y2, y3, … …, yt at t previous identical time instants:
Figure BDA0002579915490000141
wherein the content of the first and second substances,St1is the deviation range of the second lower base line value, St2A deviation range of the second upper base line value, b1Is the second lower base line value, b2Is the second upper baseline value.
In an alternative, the executable instructions cause the processor to:
when the real-time monitoring data yt+1Satisfies b1-St1<yt+1<b2+St2When the real-time monitoring data is sliced at the next time, the deviation of the real-time monitoring data relative to the dynamic baseline is within an allowable range, and no alarm is generated;
when the real-time monitoring data yt+1Satisfies b1-2St1<yt+1<b1-St1Or b is2+St2<yt+1<b2+2St2When the real-time monitoring data is sliced at the next time, the real-time monitoring data has smaller deviation relative to a dynamic baseline, and a primary alarm is generated;
when the real-time monitoring data yt+1Satisfies b1-3St1<yt+1<b1-2St1Or b is2+2St2<yt+1<b2+3St2When the real-time monitoring data is sliced at the next time, the real-time monitoring data has larger deviation relative to a dynamic baseline, and a middle-level alarm is generated;
when the real-time monitoring data yt+1Satisfy yt+1<b1-3St1Or y ist+1>b2+3St2And when the real-time monitoring data is sliced at the next time, the real-time monitoring data has great deviation relative to a dynamic baseline, and advanced alarm is generated.
According to the embodiment of the invention, a quartile algorithm is applied to dynamically obtain a first upper limit baseline value and a first lower limit baseline value of a monitoring index of a previous time slice according to historical monitoring data of the monitoring index; respectively obtaining a second upper limit baseline value and a second lower limit baseline value of the current time slice through dynamic curve fitting according to the first upper limit baseline value and the first lower limit baseline value; comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data; and performing graded alarm according to the abnormal state of the real-time monitoring data, and increasing the baseline alarm of dynamic curve value fitting analysis without manually setting a fixed threshold and defining the baseline deviation, thereby ensuring the accuracy and timeliness of the alarm.
An embodiment of the present invention provides a computer program product, which includes a computer program stored on a computer storage medium, where the computer program includes program instructions, and when the program instructions are executed by a computer, the computer executes the method for warning a malfunction based on a quartile algorithm in any of the above method embodiments.
The executable instructions may be specifically configured to cause the processor to:
dynamically acquiring a first upper limit baseline value and a first lower limit baseline value of a monitoring index of a previous time slice by applying a quartile algorithm according to historical monitoring data of the monitoring index;
respectively obtaining a second upper limit baseline value and a second lower limit baseline value of the current time slice through dynamic curve fitting according to the first upper limit baseline value and the first lower limit baseline value;
comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data;
and performing graded alarm according to the abnormal state of the real-time monitoring data.
In an alternative, the executable instructions cause the processor to:
performing quartile analysis according to historical monitoring data of the monitoring index;
taking the upper quartile of the historical monitoring data as the first upper limit base line value of the monitoring index of the previous time slice;
and taking the next quartile of the historical monitoring data as the first lower limit base line value of the monitoring index of the previous time slice.
In an alternative, the executable instructions cause the processor to:
acquiring the flow of the normal condition of the current time slice;
obtaining a second upper limit base line value through dynamic curve fitting according to the flow of the normal condition of the current time slice and the first upper limit base line value;
and obtaining the second lower-limit baseline value through dynamic curve fitting according to the flow of the normal condition of the current time slice and the first lower-limit baseline value.
In an alternative, the executable instructions cause the processor to:
according to the flow y of the normal condition of the current time slice and the first lower limit base line value b'1Obtaining the second lower-limit baseline value b by applying the following relational expression1
b1=a1*y+(1-a1)*b′1
According to the flow y of the normal condition of the current time slice and the first upper limit base line value b'2Obtaining the second upper limit base line value b by applying the following relational expression2
b2=a2*y+(1-a2)*b′2
Wherein 0< a1,a2<1,a1Is the flow y of the normal case of the current time slice is at the second lower limit baseline value b'1Specific gravity of (a)2Is the flow y of the normal case of the current time slice at the second upper baseline value b'2The specific gravity of the Chinese medicinal materials.
In an alternative, the executable instructions cause the processor to:
determining deviation ranges of the second upper limit baseline value and the second lower limit baseline value respectively;
and comparing the real-time monitoring data of the monitoring index with the deviation ranges of a second upper limit baseline value and a second lower limit baseline value to obtain the abnormal state of the real-time monitoring data.
In an alternative, the executable instructions cause the processor to:
calculating deviation ranges of the second upper base line value and the second lower base line value according to the following relations for the historical samples with the monitoring indexes y1, y2, y3, … …, yt at t previous identical time instants:
Figure BDA0002579915490000161
wherein S ist1Is the deviation range of the second lower base line value, St2A deviation range of the second upper base line value, b1Is the second lower base line value, b2Is the second upper baseline value.
In an alternative, the executable instructions cause the processor to:
when the real-time monitoring data yt+1Satisfies b1-St1<yt+1<b2+St2When the real-time monitoring data is sliced at the next time, the deviation of the real-time monitoring data relative to the dynamic baseline is within an allowable range, and no alarm is generated;
when the real-time monitoring data yt+1Satisfies b1-2St1<yt+1<b1-St1Or b is2+St2<yt+1<b2+2St2When the real-time monitoring data is sliced at the next time, the real-time monitoring data has smaller deviation relative to a dynamic baseline, and a primary alarm is generated;
when the real-time monitoring data yt+1Satisfies b1-3St1<yt+1<b1-2St1Or b is2+2St2<yt+1<b2+3St2When the real-time monitoring data is sliced at the next time, the real-time monitoring data has larger deviation relative to a dynamic baseline, and a middle-level alarm is generated;
when the real-time monitoring data yt+1Satisfy yt+1<b1-3St1Or y ist+1>b2+3St2And when the real-time monitoring data is sliced at the next time, the real-time monitoring data has great deviation relative to a dynamic baseline, and advanced alarm is generated.
According to the embodiment of the invention, a quartile algorithm is applied to dynamically obtain a first upper limit baseline value and a first lower limit baseline value of a monitoring index of a previous time slice according to historical monitoring data of the monitoring index; respectively obtaining a second upper limit baseline value and a second lower limit baseline value of the current time slice through dynamic curve fitting according to the first upper limit baseline value and the first lower limit baseline value; comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data; and performing graded alarm according to the abnormal state of the real-time monitoring data, and increasing the baseline alarm of dynamic curve value fitting analysis without manually setting a fixed threshold and defining the baseline deviation, thereby ensuring the accuracy and timeliness of the alarm.
Fig. 4 is a schematic structural diagram of a computing device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the device.
As shown in fig. 4, the computing device may include: a processor (processor)402, a Communications Interface 404, a memory 406, and a Communications bus 408.
Wherein: the processor 402, communication interface 404, and memory 406 communicate with each other via a communication bus 408. A communication interface 404 for communicating with network elements of other devices, such as clients or other servers. The processor 402 is configured to execute the program 410, and may specifically execute the relevant steps in the above-described anomaly alarm method embodiment based on the quartile algorithm.
In particular, program 410 may include program code comprising computer operating instructions.
The processor 402 may be a central processing unit CPU or an application Specific Integrated circuit asic or an Integrated circuit or Integrated circuits configured to implement embodiments of the present invention. The one or each processor included in the device may be the same type of processor, such as one or each CPU; or may be different types of processors such as one or each CPU and one or each ASIC.
And a memory 406 for storing a program 410. Memory 406 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The program 410 may specifically be configured to cause the processor 402 to perform the following operations:
dynamically acquiring a first upper limit baseline value and a first lower limit baseline value of a monitoring index of a previous time slice by applying a quartile algorithm according to historical monitoring data of the monitoring index;
respectively obtaining a second upper limit baseline value and a second lower limit baseline value of the current time slice through dynamic curve fitting according to the first upper limit baseline value and the first lower limit baseline value;
comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data;
and performing graded alarm according to the abnormal state of the real-time monitoring data.
In an alternative, the program 410 causes the processor to:
performing quartile analysis according to historical monitoring data of the monitoring index;
taking the upper quartile of the historical monitoring data as the first upper limit base line value of the monitoring index of the previous time slice;
and taking the next quartile of the historical monitoring data as the first lower limit base line value of the monitoring index of the previous time slice.
In an alternative, the program 410 causes the processor to:
acquiring the flow of the normal condition of the current time slice;
obtaining a second upper limit base line value through dynamic curve fitting according to the flow of the normal condition of the current time slice and the first upper limit base line value;
and obtaining the second lower-limit baseline value through dynamic curve fitting according to the flow of the normal condition of the current time slice and the first lower-limit baseline value.
In an alternative, the program 410 causes the processor to:
according to the flow y of the normal condition of the current time slice and the first lower limit base line value b'1Obtaining the second lower-limit baseline value b by applying the following relational expression1
b1=a1*y+(1-a1)*b′1
According to the flow y of the normal condition of the current time slice and the first upper limit base line value b'2Obtaining the second upper limit base line value b by applying the following relational expression2
b2=a2*y+(1-a2)*b′2
Wherein 0< a1,a2<1,a1Is the flow y of the normal case of the current time slice is at the second lower limit baseline value b'1Specific gravity of (a)2Is the flow y of the normal case of the current time slice at the second upper baseline value b'2The specific gravity of the Chinese medicinal materials.
In an alternative, the program 410 causes the processor to:
determining deviation ranges of the second upper limit baseline value and the second lower limit baseline value respectively;
and comparing the real-time monitoring data of the monitoring index with the deviation ranges of a second upper limit baseline value and a second lower limit baseline value to obtain the abnormal state of the real-time monitoring data.
In an alternative, the program 410 causes the processor to:
calculating deviation ranges of the second upper base line value and the second lower base line value according to the following relations for the historical samples with the monitoring indexes y1, y2, y3, … …, yt at t previous identical time instants:
Figure BDA0002579915490000191
wherein S ist1Is the deviation range of the second lower base line value, St2A deviation range of the second upper base line value, b1Is the second lower base line value, b2Is the second upper baseline value.
In an alternative, the program 410 causes the processor to:
when the real-time monitoring data yt+1Satisfies b1-St1<yt+1<b2+St2When the real-time monitoring data is sliced at the next time, the deviation of the real-time monitoring data relative to the dynamic baseline is within an allowable range, and no alarm is generated;
when the real-time monitoring data yt+1Satisfies b1-2St1<yt+1<b1-St1Or b is2+St2<yt+1<b2+2St2When the real-time monitoring data is sliced at the next time, the real-time monitoring data has smaller deviation relative to a dynamic baseline, and a primary alarm is generated;
when the real-time monitoring data yt+1Satisfies b1-3St1<yt+1<b1-2St1Or b is2+2St2<yt+1<b2+3St2When the real-time monitoring data is sliced at the next time, the real-time monitoring data has larger deviation relative to a dynamic baseline, and a middle-level alarm is generated;
when the real-time monitoring data yt+1Satisfy yt+1<b1-3St1Or y ist+1>b2+3St2And when the real-time monitoring data is sliced at the next time, the real-time monitoring data has great deviation relative to a dynamic baseline, and advanced alarm is generated.
According to the embodiment of the invention, a quartile algorithm is applied to dynamically obtain a first upper limit baseline value and a first lower limit baseline value of a monitoring index of a previous time slice according to historical monitoring data of the monitoring index; respectively obtaining a second upper limit baseline value and a second lower limit baseline value of the current time slice through dynamic curve fitting according to the first upper limit baseline value and the first lower limit baseline value; comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data; and performing graded alarm according to the abnormal state of the real-time monitoring data, and increasing the baseline alarm of dynamic curve value fitting analysis without manually setting a fixed threshold and defining the baseline deviation, thereby ensuring the accuracy and timeliness of the alarm.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the invention and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.

Claims (10)

1. A transaction alarm method based on a quartile algorithm is characterized by comprising the following steps:
dynamically acquiring a first upper limit baseline value and a first lower limit baseline value of a monitoring index of a previous time slice by applying a quartile algorithm according to historical monitoring data of the monitoring index;
respectively obtaining a second upper limit baseline value and a second lower limit baseline value of the current time slice through dynamic curve fitting according to the first upper limit baseline value and the first lower limit baseline value;
comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data;
and performing graded alarm according to the abnormal state of the real-time monitoring data.
2. The method of claim 1, wherein the dynamically applying a quartile algorithm to obtain a first upper-limit baseline value and a first lower-limit baseline value of a monitoring index of a previous time slice according to historical monitoring data of the monitoring index comprises:
performing quartile analysis according to historical monitoring data of the monitoring index;
taking the upper quartile of the historical monitoring data as the first upper limit base line value of the monitoring index of the previous time slice;
and taking the next quartile of the historical monitoring data as the first lower limit base line value of the monitoring index of the previous time slice.
3. The method of claim 1, wherein obtaining a second upper baseline value and a second lower baseline value for the current time slice by dynamic curve fitting according to the first upper baseline value and the first lower baseline value comprises:
acquiring the flow of the normal condition of the current time slice;
obtaining a second upper limit base line value through dynamic curve fitting according to the flow of the normal condition of the current time slice and the first upper limit base line value;
and obtaining the second lower-limit baseline value through dynamic curve fitting according to the flow of the normal condition of the current time slice and the first lower-limit baseline value.
4. The method of claim 3,
the obtaining the second lower-limit baseline value through dynamic curve fitting according to the flow of the normal condition of the current time slice and the first lower-limit baseline value includes:
according to the flow y of the normal condition of the current time slice and the first lower limit base line value b'1Obtaining the second lower-limit baseline value b by applying the following relational expression1
b1=a1*y+(1-a1)*b′1
The obtaining of the second upper-limit baseline value through dynamic curve fitting according to the flow rate of the normal condition of the current time slice and the first upper-limit baseline value includes:
according to the flow y of the normal condition of the current time slice and the first upper limit base line value b'2Obtaining the second upper limit base line value b by applying the following relational expression2
b2=a2*y+(1-a2)*b′2
Wherein 0< a1,a2<1,a1Is the flow y of the normal case of the current time slice is at the second lower limit baseline value b'1Specific gravity of (a)2Is the flow y of the normal case of the current time slice at the second upper baseline value b'2The specific gravity of the Chinese medicinal materials.
5. The method according to claim 1, wherein the comparing the real-time monitoring data of the monitoring index with the second upper-limit baseline value and the second lower-limit baseline value to obtain the abnormal state of the real-time monitoring data comprises:
determining deviation ranges of the second upper limit baseline value and the second lower limit baseline value respectively;
and comparing the real-time monitoring data of the monitoring index with the deviation ranges of a second upper limit baseline value and a second lower limit baseline value to obtain the abnormal state of the real-time monitoring data.
6. The method of claim 5, wherein the determining ranges of deviation of the second upper and lower baseline values, respectively, comprises:
calculating deviation ranges of the second upper base line value and the second lower base line value according to the following relations for the historical samples with the monitoring indexes y1, y2, y3, … …, yt at t previous identical time instants:
Figure FDA0002579915480000021
wherein S ist1Is the deviation range of the second lower base line value, St2A deviation range of the second upper base line value, b1Is the second lower base line value, b2Is the second upper baseline value.
7. The method of claim 6, wherein the step of alarming according to the abnormal state of the real-time monitoring data comprises:
when the real-time monitoring data yt+1Satisfies b1-St1<yt+1<b2+St2When the real-time monitoring data is sliced at the next time, the deviation of the real-time monitoring data relative to the dynamic baseline is within an allowable range, and no alarm is generated;
when the real-time monitoring data yt+1Satisfies b1-2St1<yt+1<b1-St1Or b is2+St2<yt+1<b2+2St2When the real-time monitoring data is sliced at the next time, the real-time monitoring data has smaller deviation relative to a dynamic baseline, and a primary alarm is generated;
when the real-time monitoring data yt+1Satisfies b1-3St1<yt+1<b1-2St1Or b is2+2St2<yt+1<b2+3St2When the real-time monitoring data is sliced at the next time, the real-time monitoring data has larger deviation relative to a dynamic baseline, and a middle-level alarm is generated;
when the real-time monitoring data yt+1Satisfy yt+1<b1-3St1Or y ist+1>b2+3St2And when the real-time monitoring data is sliced at the next time, the real-time monitoring data has great deviation relative to a dynamic baseline, and advanced alarm is generated.
8. A transaction alarm device based on a quartile algorithm is characterized in that the device comprises:
the quartile algorithm module is used for dynamically acquiring a first upper limit baseline value and a first lower limit baseline value of the monitoring index of a previous time slice by applying a quartile algorithm according to historical monitoring data of the monitoring index;
a curve fitting module, configured to obtain a second upper-limit baseline value and a second lower-limit baseline value of the current time slice through dynamic curve fitting according to the first upper-limit baseline value and the first lower-limit baseline value;
the anomaly detection module is used for comparing the real-time monitoring data of the monitoring index with the second upper limit baseline value and the second lower limit baseline value to obtain the abnormal state of the real-time monitoring data;
and the grading alarm module is used for carrying out grading alarm according to the abnormal state of the real-time monitoring data.
9. A computing device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform the steps of the quartile algorithm based transaction alert method according to any of claims 1-7.
10. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform the steps of the quartile algorithm based transaction alert method according to any of claims 1-7.
CN202010664741.5A 2020-07-10 2020-07-10 Abnormal alarm method and device based on quartile algorithm and computing equipment Active CN113992496B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010664741.5A CN113992496B (en) 2020-07-10 2020-07-10 Abnormal alarm method and device based on quartile algorithm and computing equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010664741.5A CN113992496B (en) 2020-07-10 2020-07-10 Abnormal alarm method and device based on quartile algorithm and computing equipment

Publications (2)

Publication Number Publication Date
CN113992496A true CN113992496A (en) 2022-01-28
CN113992496B CN113992496B (en) 2023-11-17

Family

ID=79731297

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010664741.5A Active CN113992496B (en) 2020-07-10 2020-07-10 Abnormal alarm method and device based on quartile algorithm and computing equipment

Country Status (1)

Country Link
CN (1) CN113992496B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102111307A (en) * 2009-12-29 2011-06-29 亿阳信通股份有限公司 Method and device for monitoring and controlling network risks
WO2014023245A1 (en) * 2012-08-09 2014-02-13 中兴通讯股份有限公司 Flow prediction method and system and flow monitoring method and system
CN103973663A (en) * 2013-02-01 2014-08-06 中国移动通信集团河北有限公司 Method and device for dynamic threshold anomaly traffic detection of DDOS (distributed denial of service) attack
CN105406991A (en) * 2015-10-26 2016-03-16 上海华讯网络系统有限公司 Method and system for generating service threshold by historical data based on network monitoring indexes
CN107705149A (en) * 2017-09-22 2018-02-16 平安科技(深圳)有限公司 Data method for real-time monitoring, device, terminal device and storage medium
CN107871190A (en) * 2016-09-23 2018-04-03 阿里巴巴集团控股有限公司 A kind of operational indicator monitoring method and device
CN108123849A (en) * 2017-12-20 2018-06-05 国网冀北电力有限公司信息通信分公司 Detect threshold value determination method, device, equipment and the storage medium of network traffics
CN108989124A (en) * 2018-08-10 2018-12-11 中国移动通信集团海南有限公司 Network failure finds method, electronic device and computer readable storage medium
CN110324168A (en) * 2018-03-30 2019-10-11 阿里巴巴集团控股有限公司 Anomalous event monitoring method and device and electronic equipment
CN111262750A (en) * 2020-01-09 2020-06-09 中国银联股份有限公司 Method and system for evaluating baseline model
WO2020169053A1 (en) * 2019-02-21 2020-08-27 Beijing Didi Infinity Technology And Development Co., Ltd. Systems and methods for identifying abnormalities

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102111307A (en) * 2009-12-29 2011-06-29 亿阳信通股份有限公司 Method and device for monitoring and controlling network risks
WO2014023245A1 (en) * 2012-08-09 2014-02-13 中兴通讯股份有限公司 Flow prediction method and system and flow monitoring method and system
CN103973663A (en) * 2013-02-01 2014-08-06 中国移动通信集团河北有限公司 Method and device for dynamic threshold anomaly traffic detection of DDOS (distributed denial of service) attack
CN105406991A (en) * 2015-10-26 2016-03-16 上海华讯网络系统有限公司 Method and system for generating service threshold by historical data based on network monitoring indexes
CN107871190A (en) * 2016-09-23 2018-04-03 阿里巴巴集团控股有限公司 A kind of operational indicator monitoring method and device
CN107705149A (en) * 2017-09-22 2018-02-16 平安科技(深圳)有限公司 Data method for real-time monitoring, device, terminal device and storage medium
CN108123849A (en) * 2017-12-20 2018-06-05 国网冀北电力有限公司信息通信分公司 Detect threshold value determination method, device, equipment and the storage medium of network traffics
CN110324168A (en) * 2018-03-30 2019-10-11 阿里巴巴集团控股有限公司 Anomalous event monitoring method and device and electronic equipment
CN108989124A (en) * 2018-08-10 2018-12-11 中国移动通信集团海南有限公司 Network failure finds method, electronic device and computer readable storage medium
WO2020169053A1 (en) * 2019-02-21 2020-08-27 Beijing Didi Infinity Technology And Development Co., Ltd. Systems and methods for identifying abnormalities
CN111262750A (en) * 2020-01-09 2020-06-09 中国银联股份有限公司 Method and system for evaluating baseline model

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
JUNBO ZHAO: "Robust Detection of Cyber Attacks on State Estimators Using Phasor Measurements", 《IEEE TRANSACTIONS ON POWER SYSTEMS 》 *
温粉莲;: "一种混合模型的时序数据异常检测方法", 数字通信世界, no. 01 *
马远东等: "RMON Probe中Trap告警的研究", 《电力系统通信》 *

Also Published As

Publication number Publication date
CN113992496B (en) 2023-11-17

Similar Documents

Publication Publication Date Title
US10673731B2 (en) System event analyzer and outlier visualization
US10038618B2 (en) System event analyzer and outlier visualization
CN110865929B (en) Abnormality detection early warning method and system
CN110351150B (en) Fault source determination method and device, electronic equipment and readable storage medium
US8635498B2 (en) Performance analysis of applications
US20190228296A1 (en) Significant events identifier for outlier root cause investigation
US8060342B2 (en) Self-learning integrity management system and related methods
EP1480126B1 (en) Self-learning method and system for detecting abnormalities
CN112712113B (en) Alarm method, device and computer system based on index
US11675687B2 (en) Application state prediction using component state
US20180219723A1 (en) Automated scoring of unstructured events in information technology environments
CN103069749B (en) The method and system of the isolation of the problem in virtual environment
CN105656693B (en) A kind of method and system of the information security abnormality detection based on recurrence
CN109670690A (en) Data information center monitoring and early warning method, system and equipment
EP3465509A1 (en) Classification of log data
Tang et al. Optimizing system monitoring configurations for non-actionable alerts
EP3465515A1 (en) Classifying transactions at network accessible storage
CN115454778A (en) Intelligent monitoring system for abnormal time sequence indexes in large-scale cloud network environment
CN111949429A (en) Server fault monitoring method and system based on density clustering algorithm
CN114338348A (en) Intelligent alarm method, device, equipment and readable storage medium
Wang Ebat: online methods for detecting utility cloud anomalies
Xue et al. Fill-in the gaps: Spatial-temporal models for missing data
CN113992496A (en) Abnormal operation warning method and device based on quartile algorithm and computing equipment
US20190018723A1 (en) Aggregating metric scores
Mata et al. Automated detection of load changes in large-scale networks

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant