CN114003422A

CN114003422A - Host anomaly detection method, computer device, and storage medium

Info

Publication number: CN114003422A
Application number: CN202111231272.9A
Authority: CN
Inventors: 郭城阳
Original assignee: Jinan Inspur Data Technology Co Ltd
Current assignee: Jinan Inspur Data Technology Co Ltd
Priority date: 2021-10-22
Filing date: 2021-10-22
Publication date: 2022-02-01

Abstract

The application relates to a host anomaly detection method, a computer device and a storage medium. The method comprises the following steps: an OCSVM classification model is obtained by training an LSTM prediction model by using host historical data and a difference vector consisting of the difference between a predicted value and an actual value, and then whether the difference vector between the predicted value and the actual value is normal or not is predicted and detected on line by using a mode of combining the two models, so that whether the host is abnormal or not is judged. The method effectively improves the detection accuracy and avoids the problems of false alarm and missed alarm caused by fixed threshold values.

Description

Host anomaly detection method, computer device, and storage medium

Technical Field

The present application relates to the field of cloud host monitoring technologies, and in particular, to a host anomaly detection method, a computer device, and a storage medium.

Background

With the rapid development of big data and cloud computing, the construction of cloud platforms also caters for a phase of explosive development. The host server is one of the most basic and important resources in the cloud computing platform, the bottom layers of resources such as a memory and a CPU (central processing unit) on which virtual resources depend are provided by the host, and the host plays a significant role in the operation of the cloud platform. If the host is abnormal for various reasons, various resources in the cloud platform may be stuck, delayed, even the virtual machine is down, and the like. Therefore, the online anomaly detection method has very important significance for online anomaly detection of the host in the cloud platform. The method is mainly characterized in that various operation conditions of the host are detected by some fixed indexes, such as a resource utilization rate threshold value, the operation time of a certain process and the like, and the method is used for detecting, so that maintenance personnel can be informed by means of alarming, reminding and the like when the host is predictably abnormal, but the setting of the utilization rate, the time and other threshold values has subjectivity and fixity and cannot be adjusted in a self-adaptive manner according to the task role born by the host, and a large amount of false alarm and missing phenomenon can be generated.

Disclosure of Invention

In view of the foregoing, it is desirable to provide a host anomaly detection method, a computer device, and a storage medium, which can accurately detect an anomaly occurring in a host in a cloud platform.

In one aspect, a host anomaly detection method is provided, and the method includes:

step S1, collecting host performance index data in a first operation time of the host, and classifying according to the host performance index class;

step S2, respectively constructing M LSTM training sequence data aiming at each category index according to the host performance index data of different category indexes, wherein M is more than or equal to 2;

step S3, training an original LSTM model by using the M LSTM training sequence data to obtain M trained LSTM prediction models;

step S4, collecting host performance index data in the second running time of the host, and respectively predicting the M index type running data at the first moment by using the M LSTM prediction models to obtain M predicted data values [ p ]₁,p₂,…,p_M]；

Step S5, using the M predicted data values [ p ]₁,p₂,…,p_M]And training the original OCSVM model by the actual operation values of the M index categories at the first momentObtaining a trained OCSVM model;

and step S6, continuously acquiring the running performance index data of the host, and performing online anomaly detection on the host by using the trained OCSVM model.

In one embodiment, the step S5 includes:

according to the M predicted data values [ p ]₁,p₂,…,p_M]And constructing a first difference vector [. v.p ] by the difference of the actual operating values of the M index categories at the first time instant₁,▽p₂,…,▽p_M]；

Utilizing the first difference vector [. v [₁,▽p₂,…,▽p_M]And training the original OCSVM model to obtain the trained OCSVM model.

In one embodiment, the steps S1, S4, and S6 further include performing a maximum-minimum normalization process on the collected host performance index data, and performing a subsequent operation using the processed index data.

In one embodiment, the step S3 includes:

and training the first N-1 data of the LSTM training sequence data of the performance index as an input sequence and the Nth data as output data, wherein the LSTM training sequence data comprises N data elements.

In one embodiment, where N is 60.

In one embodiment, the step S6 includes:

collecting host performance index data in the third running time of the host, and respectively predicting M index type running data at the second moment by using the M LSTM prediction models to obtain M predicted data values [ p ]₁’,p₂’,…,p_M’]；

According to the M predicted data values [ p ]₁’,p₂’,…,p_M’]And constructing a second difference vector [. v.p ] by the difference of the actual operating values of the M index categories at the second time₁’,▽p₂’,…,▽p_M’]；

Will be describedThe second difference vector [. v [.)₁’,▽p₂’,…,▽p_M’]And inputting the trained OCSVM model for anomaly detection.

In one embodiment, if the output result of the trained OCSVM model is 0, it indicates that the current difference is within a reasonable range and the current running state of the host is normal; if the output result is 1, the performance index of the current host is abnormal.

In one embodiment, if the host performance index is not abnormal within the preset time, adding normal data within the preset time into the training of the LSTM model and the OCSVM model, repeating the steps S2 to S5 to obtain an updated OCSVM model, and performing online abnormality detection on the host by using the updated OCSVM model.

In another aspect, a computer device is provided, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and the processor implements the following steps when executing the computer program:

Step S5, using the M predicted data values [ p ]₁,p₂,…,p_M]Training an original OCSVM model by the actual operation values of the M index categories at the first moment to obtain a trained OCSVM model;

In yet another aspect, a computer-readable storage medium is provided, having stored thereon a computer program which, when executed by a processor, performs the steps of:

According to the host anomaly detection method, the computer equipment and the storage medium, the anomaly condition of the host in the cloud platform can be accurately detected under the condition that only the normal operation data of the host exist, and the maintenance personnel of the cloud platform can be timely notified and reminded, so that the health and stability of the host in the cloud platform can be favorably provided, and certain practical significance and practical value are achieved.

Drawings

FIG. 1 is a diagram of an embodiment of an application environment based on a host anomaly detection method;

FIG. 2 is a flow chart illustrating a method for host anomaly detection according to an embodiment;

FIG. 3 is a diagram illustrating an internal structure of a computer device according to an embodiment.

Detailed Description

In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.

The host anomaly detection method provided by the application can be applied to the application environment shown in FIG. 1.

In one embodiment, as shown in fig. 2, a host anomaly detection method is provided, which is exemplified by the application environment in fig. 1, and includes the following steps:

specifically, under the condition that a host in a cloud platform normally operates, monitoring data of performance indexes of the host are collected within a period of continuous time by taking 1min as a collection time point, and 5 individual performance index data of a CPU utilization rate, a memory utilization rate, a disk utilization rate, an IO read-write speed and a disk read-write speed are taken as examples for description (collection and processing modes of other related performance index data are the same as those of the other related performance index data). Then, a time window with the time length T being 60min is selected to intercept the data, and 5 time series data can be obtained, wherein each sequence has 60 elements.

In one embodiment, step S1 further includes performing a maximum-minimum normalization process on the collected host performance indicator data, and performing subsequent operations using the processed indicator data.

Specifically, in order to avoid the influence of dirty data, the method uses a mean filtering method to perform data preprocessing, and performs the maximum and minimum normalization processing on the data, as shown in formula (1),

x＝(x-x_min)/(x_max-x_min) (1)

where x denotes data at the current time, x_minRepresenting the smallest data value, x, in the sequence_maxRepresenting the largest data value in the sequence.

specifically, the description is given taking 5 performance index data of CPU usage, memory usage, disk usage, IO read-write speed, and disk read-write speed as an example, so that M is 5.

And (3) sliding a time window by taking 1min as a step length each time to obtain a large amount of sequence data, and dividing the data into 5 groups according to the performance types. Taking the CPU usage data as an example, the sequence data obtained are as shown in formula (2) and formula (3).

L_{cpu_use}＝[l₁,l₂,……,l_n] (2)

l_n＝[c₁,c₂,……,c₅₉,c₆₀] (3)

Wherein l_n[n＝1,2,…,n]Indicates the n-th sequence data acquired, c_iRepresents the CPU usage data collected by the imin within a time window.

in one embodiment, the step S3 includes:

In one embodiment, where N is 60.

Specifically, the LSTM model based on a neural network structure is adopted for predicting the performance data of the host, the LSTM comprises a unit consisting of an input valve, an output valve and a forgetting valve, and the input sequence data passes through a plurality of sigmod gate valves and then the forgetting valveAnd controlling the retention of the cell historical state information, and finally outputting the control information by an output gate. Sequence data l of various performance indexes_nThe first 59 data in (c) as input sequence₁,c₂,……,c₅₉]The 60 th data c₆₀Training is performed as output data. The principle formula of LSTM is shown in formula (4).

Wherein o is_t＝σ(W_o·[h_t-1,x_t]+b_o),

And i_t＝σ(W_i·[h_t-1,x_t]+b_i),f_t＝σ(W_f·[h_t-1,x_t]+b_f) Wherein W is_i，W_f，W_oWeight coefficients representing input gate, output gate, forgetting gate, b_i，b_o，b_fFor the bias vector, σ (-) is a sigmod activation function, so that inputting sequence data to LSTM, the output R at the current time can be obtained_t。

After training, various performance indexes can obtain an LSTM model which can be used for index prediction, five performance index data are trained by using the same method, and finally 5 LSTM prediction models can be obtained.

Specifically, after the prediction model is obtained through training, data under the normal operation condition of the host is collected as in the process S1, and the sequence data is obtained in the same processing manner. Inputting the input data in 5 groups of sequence data into 5 LSTM prediction models to obtain 5 predicted values p₁,p₂,p₃,p₄,p₅。

in one embodiment, the step S5 includes:

Specifically, following the previous example, the difference of these 5 values from the 5 actual values at that time is calculated and constitutes a difference vector [. lam [. sub. ] p₁,▽p₂,▽p₃,▽p₄,▽p₅]. With the sliding of the time window, a large number of difference vectors can be obtained by using the prediction model, and the vectors can form training data of the anomaly detection model.

The OCSVM is a single-classification unsupervised training model which can be trained only by using normal data, and can be well applied to the field of anomaly detection. The core idea is that a low-dimensional sample is converted into a high-dimensional feature space by using a kernel function, an optimal hyperplane is determined in the high-dimensional feature space, normal data and abnormal data can be distinguished to the greatest extent, and therefore a classification model is determined. By maximizing the Euclidean distance δ/| ω | of origin and positive sample data, where ω represents the normal vector that classifies the hyperplane and δ is the hyperplane intercept. Let T ═ x be the training sample_iI | ═ 1,2, …, n }, n denotes the number of training samples, x denotes the number of training samples_iRepresenting each difference vector, the problem in the invention can be finally transformed into the following problems according to the basic solving problem of the OCSVM:

min1/2∑_i,jα_iα_jK(x_i,x_j) (5)

s.t.0≤α_i≤1/v_i,∑_iα_i＝1，i＝1,2,…,n

wherein v is_iTaking a value between (0, 1); alpha is alpha_i,α_jThe lagrange multiplier is represented by a number of lagrange multipliers,

is a kernel function, i.e. x_i，x_jIn the dot product operation of the high-dimensional feature space, the penalty uses a gaussian kernel function, as shown in formula (6).

K(x_i,x_j)＝exp(-‖x_i-x_j‖²/σ²) (6)

In the scheme, the offset calculation formula is a formula (7), the offset calculation formula can be obtained according to a formula (6) and a formula (7), and the final decision function is a formula (8);

ρ＝∑ⁿ _i＝1α_iK(x_i,x_j) (7)

f(x)＝sgn(∑_iα_iK(x_i,x_j)-ρ) (8)

where sgn () represents the sign function and p represents the compensation value of the final decision function of the support vector machine.

And (4) putting all the normal samples in the decision flat boundary, substituting the samples into a formula for training to obtain a support vector, and finally obtaining a training model.

In one embodiment, the step S6 includes:

(iv) vector [ # p₁’,▽p₂’,…,▽p_M’]And inputting the trained OCSVM model for anomaly detection.

Specifically, in the case of abnormality detection, the manner of acquiring the detection data is still the same as that in step S1, so the variables used in this step are the same as those in step S1;

retention of Performance indicator data [ c ] for the past 59 minutes of running the host online₁’,c₂’,……,c₅₉’]Then, inputting various data into different LSTM prediction models respectively to predict the performance data p of the current minute_i；

Using predicted data p_iAnd current actual data t_iMaking difference to obtain difference value of current host machine performance index

The five indexes are processed in the same way to form a vector

And inputting the difference vector into the trained OCSVM model for recognition, namely, substituting the difference vector into the formula (8).

Specifically, if the output result is 0, it is proved that the current difference is within a reasonable range, and the host is in a normal operation state; if the output result is 1, the performance index of the current host is proved to be abnormal, and the host is further judged to be abnormal.

If the performance index data of the host at the current moment is normal, continuously using the past 59 minutes of data containing the current data, predicting the performance data of the next minute, and continuously carrying out online anomaly detection; if the performance index of the host computer at the current moment is abnormal, before the fault is not solved, 59 sequence data which are formed by data of the past 58 minutes and values predicted by the LSTM model at the moment are used for predicting data at the next moment, and online abnormality detection is continued.

Specifically, if the host is not detected to be abnormal in one continuous week, an offline data training process is automatically triggered, normal data of the week is added into training data, a new LSTM prediction model and an OCSVM detection model are continuously trained by using the same method, and then the new model is used for replacing the original model to continuously perform online abnormality detection.

The method mainly aims to detect the hosts with abnormal phenomena in the cloud platform, firstly, historical performance monitoring data of each host is used, a model for prediction is trained by using LSTM, and the method is determined to cause a large amount of false reports and false report omission due to the fact that certain deviation exists between the data predicted by a prediction algorithm and actual data and the reasonable error range is difficult to determine. Meanwhile, the instant numerical value change of a single index may be caused by the conditions of environment and the like, and the direct application range judgment can cause the generation of false alarm. The invention provides a prediction performance difference vector formed by the difference value of each index prediction data and the actual data, and the difference vector is commonly used for the abnormality detection of the host at the current moment. Meanwhile, because the abnormal condition of the host computer has uncertainty and diversity, and the performance data under the abnormal condition of the host computer is often difficult to collect or not complete, the OCSVM algorithm is introduced in the invention, the OCSVM algorithm can train a normal detection model by using only the state difference data when the host computer normally operates, and when the host computer is abnormal, the model can detect the abnormality in real time.

Firstly, the average value of each performance index of the host is collected and calculated by using each performance index data of the host in normal operation and taking 1 hour as a unit, so that a sequence of a plurality of performance indexes of the host is obtained. Then, a sliding time window with fixed duration is selected, and a prediction model of each performance index is trained by using the LSTM. Meanwhile, predicting each index by using the trained LSTM model of each performance index, calculating the difference between the prediction result and the actual value to form a performance difference vector, training an OCSVM model by using the normal performance difference vectors, and finally performing online anomaly detection on the host by using the obtained plurality of LSTM models and OCSVM together. When the host is detected to be abnormal, the alarm notification is effectively carried out in time.

The method includes the steps that based on historical data of various performance indexes of a host, data of various indexes at the current moment are predicted through an LSTM, a difference combination of the predicted data and actual data is calculated, then an OCSVM model is trained through the historical normal difference combination, the difference combination is detected, whether various data of the current host are normal or not is finally determined, and the method can timely and effectively find abnormal conditions of the host in a cloud platform.

The method is based on the historical data of the host, utilizes the LSTM prediction model and the OCSVM abnormity detection model to detect the abnormity of the host, has the detection precision of over 98 percent, can effectively avoid a large amount of false reports and missed reports in the traditional detection mode, can be well applied to the host which undertakes different tasks, and has good applicability. The method has extremely important significance for the anomaly detection of the host in the cloud platform.

It should be understood that, although the steps in the flowchart of fig. 1 are shown in order as indicated by the arrows, the steps are not necessarily performed in order as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a portion of the steps in fig. 1 may include multiple sub-steps or multiple stages that are not necessarily performed at the same time, but may be performed at different times, and the order of performance of the sub-steps or stages is not necessarily sequential, but may be performed in turn or alternately with other steps or at least a portion of the sub-steps or stages of other steps.

In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 3. The computer device includes a processor, a memory, a network interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a host anomaly detection method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.

Those skilled in the art will appreciate that the architecture shown in fig. 3 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.

In one embodiment, a computer device is provided, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:

In one embodiment, the processor, when executing the computer program, further performs the steps of:

and carrying out maximum and minimum normalization processing on the collected host performance index data, and carrying out subsequent operation by using the processed index data.

wherein N is 60.

if the output result of the trained OCSVM model is 0, indicating that the current difference value is within a reasonable range and the current running state of the host is normal; if the output result is 1, the performance index of the current host is abnormal.

if the host performance index is not abnormal within the preset time, adding normal data within the preset time into the training of the LSTM model and the OCSVM model, repeating the steps S2-S5 to obtain an updated OCSVM model, and performing online abnormality detection on the host by using the updated OCSVM model.

In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:

In one embodiment, the computer program when executed by the processor further performs the steps of:

By using the saidFirst difference vector [. v [. ]₁,▽p₂,…,▽p_M]And training the original OCSVM model to obtain the trained OCSVM model.

wherein N is 60.

It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).

The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.

The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims

1. A host anomaly detection method, the method comprising:

2. The host abnormality detection method according to claim 1, characterized in that said step S5 includes:

according to the M predicted data values [ p ]₁,p₂,…,p_M]And the difference of the actual operation values of the M index classes at the first timeValue construction A first difference vector [. v [₁,▽p₂,…,▽p_M]；

3. The host computer anomaly detection method according to claim 1, wherein the steps S1, S4 and S6 further comprise performing maximum and minimum normalization processing on the collected host computer performance index data, and performing subsequent operations by using the processed index data.

4. The host abnormality detection method according to claim 1, characterized in that said step S3 includes:

5. The host anomaly detection method of claim 4, wherein N-60.

6. The host abnormality detection method according to claim 2, characterized in that said step S6 includes:

7. The method for detecting the host computer anomaly according to claim 6, wherein if the output result of the trained OCSVM model is 0, it indicates that the current difference is within a reasonable range and the current running state of the host computer is normal; if the output result is 1, the performance index of the current host is abnormal.

8. The method as claimed in claim 7, wherein if no abnormal performance index of the host occurs within the predetermined time, the normal data within the predetermined time is added to the training of the LSTM model and the OCSVM model, and the steps S2 to S5 are repeated to obtain the updated OCSVM model, and the updated OCSVM model is used to perform online abnormal detection on the host.

9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any of claims 1 to 8 are implemented when the computer program is executed by the processor.

10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 8.