CN114201374A - Operation and maintenance time sequence data anomaly detection method and system based on hybrid machine learning - Google Patents


Publication number
CN114201374A
Authority
CN
China
Prior art keywords
data
module
time sequence
detection
machine learning
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111481612.3A
Other languages
Chinese (zh)
Inventor
彭雷
高嵩峰
傅湘玲
刘春生
王友军
徐朗朗
苗丛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huarong Rongtong Beijing Technology Co ltd
Original Assignee
Huarong Rongtong Beijing Technology Co ltd


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3447 Performance evaluation by modeling
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3452 Performance evaluation by statistical analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/24323 Tree-organised classifiers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Abstract

The invention discloses an operation and maintenance time sequence data anomaly detection method and system based on hybrid machine learning. The method comprises the steps of data extraction, data preprocessing, offline prediction, offline training, online detection, output of a judgment result and the like. The system comprises a data extraction module, a data preprocessing module, an offline prediction module, an offline training module, an online detection module, a judgment module and a model evaluation module. The advantages of the invention are as follows: using historical data, an unsupervised model is constructed by combining the three parts of offline prediction, offline training and online detection, so that anomaly detection on intelligent operation and maintenance time sequence data can be completed while ensuring accuracy and timeliness. This solves the problems that time sequence data anomaly detection in current operation and maintenance scenarios lacks labeled data, is inefficient, requires thresholds to be defined from experience, and produces a large number of false reports and missed reports.

Description

Operation and maintenance time sequence data anomaly detection method and system based on hybrid machine learning
Technical Field
The invention relates to an intelligent operation and maintenance anomaly detection system, in particular to an operation and maintenance time sequence data anomaly detection method and system based on hybrid machine learning, and belongs to the field of intelligent operation and maintenance anomaly detection.
Background
Global informatization is developing rapidly and the number of network devices keeps growing. To guarantee the stability of network services in various fields, professional personnel are needed to monitor operation and maintenance data in real time and to operate and maintain the system. The most common data in an operation and maintenance system is Key Performance Indicator (KPI) data, such as web page response time, web page access volume, memory usage rate, and the like. KPI data requires professional personnel to set the relevant thresholds for real-time monitoring. Once an anomaly occurs in a KPI, it often means that an application associated with that KPI has a problem. As systems continue to grow in scale and complexity, the amount of monitoring data becomes larger and larger, finding anomalies in the data manually is not practical, and intelligent operation and maintenance data anomaly detection becomes more and more important.
Existing operation and maintenance time sequence data anomaly detection methods fall into three major categories: detection based on fixed configuration, detection based on statistics, and detection based on machine learning. Detection based on fixed configuration is currently the most common operation and maintenance approach in the industry, and it is clear and easy to understand. Common configuration methods include the threshold division method, the ring-ratio method, the same-ratio method and the like. Anomaly detection based on fixed configuration requires operation and maintenance personnel to configure each operation and maintenance index according to experience and to select a suitable configuration method, which easily wastes a great deal of time and resources, and the index data must be reconfigured repeatedly as it keeps changing. A method based on fixed configuration alone therefore cannot meet the requirements of intelligent operation and maintenance anomaly detection.
Detection based on statistics performs statistical analysis on the collected monitoring data, assumes that the data follows a certain distribution, selects a suitable probability model according to that distribution, and detects anomalies from inconsistency with the distribution. Common statistics-based detection methods include the Holt-Winters model, the ARIMA model, the PCA model and the like. Statistics-based anomaly detection requires observing the data distribution to obtain the rule it follows and finding a suitable detection model, and a large amount of time is spent finding models suited to different indexes. A statistics-based method alone therefore cannot meet the requirements of intelligent operation and maintenance anomaly detection.
Detection based on machine learning treats anomaly detection on operation and maintenance time sequence data as a binary classification problem and detects anomalies by learning from and modeling historical data. It comprises supervised learning detection methods and unsupervised learning detection methods. A supervised learning detection method needs labeled data to build a model; in an actual operation and maintenance scenario labeled data is scarce and operation and maintenance personnel must label it manually, and supervised learning methods also have long training times and low detection efficiency. An unsupervised learning detection method does not need labeled data; it models the raw monitoring data to generate an anomaly score for each data point and thereby completes anomaly detection.
Disclosure of Invention
The invention aims to design an operation and maintenance time sequence data anomaly detection method and system based on hybrid machine learning. Using historical data, an unsupervised model is constructed by combining the three major parts of offline prediction, offline training and online detection, so that anomaly detection on intelligent operation and maintenance time sequence data can be completed while ensuring accuracy and timeliness. This solves the problems that time sequence data anomaly detection in current operation and maintenance scenarios lacks labeled data, is inefficient, requires thresholds to be defined from experience, and produces a large number of false reports and missed reports.
The technical scheme of the invention is as follows:
An operation and maintenance time sequence data anomaly detection method based on hybrid machine learning comprises the following steps:
Step one, data extraction: the operation and maintenance data is read from the database at minute-level granularity and returned in the required data format. The operation and maintenance data is periodic time sequence data; the data at the current moment is extracted as the operation and maintenance time sequence data, all data in the 30 days before the current moment is extracted as the operation and maintenance historical data, and the data format comprises at least an operation and maintenance monitoring index name, a timestamp and an operation and maintenance monitoring index value.
Step two, data preprocessing: the operation and maintenance historical data and the operation and maintenance time sequence data from step one are preprocessed by balancing positive and negative samples, filling missing values, normalizing timestamps and completing data segmentation, to obtain clean historical data and clean time sequence data.
Step three, offline prediction: short-term fitting is performed on the clean historical data obtained in step two using a machine-learning-based time sequence data prediction algorithm, the random forest algorithm. A difference sequence is constructed from the differences between predicted values and true values and serves as the original sequence for the 3-sigma judgment. Following an indirect detection approach, the predicted value for the current moment is obtained by fitting and compared with the true value at that moment, and the point is judged abnormal once the deviation exceeds 3-sigma.
Step 301, the clean historical data from step two is divided into the data of the first 29 days and the data of the last 1 day, and short-term fitting is performed on the data of the first 29 days using a machine-learning-based time sequence data prediction algorithm to obtain a fitting model. The time sequence data prediction algorithm is the random forest algorithm. The random forest is a classification method based on machine learning: a plurality of decision trees are constructed from the data of the first 29 days, the output of each decision tree is counted, and the anomaly judgment for the current point is determined by voting;
Step 302, the fitting model of step 301 is used to predict the data of the last 1 day, giving predicted values for the last 1 day, and the difference sequence between the predicted values and the true values of the last 1 day is calculated;
Step 303, the fitting model of step 301 is used to predict the operation and maintenance monitoring time sequence data at the current moment, the current difference between the predicted value and the operation and maintenance monitoring index value at that moment is calculated, and a 3-sigma judgment is performed on the current difference using the difference sequence of step 302. If the current difference exceeds the 3-sigma range, the judgment result "abnormal" is output; otherwise the judgment result "normal" is output. The 3-sigma rule computes the mean and standard deviation of the difference sequence on the assumption that the original data is normally distributed; data falls within 3 standard deviations above and below the mean with a probability of 99.74 percent, and data outside this range is judged to be abnormal.
Step four, offline training: the clean historical data from step two is used to periodically train, in advance, the machine learning model that needs a long training time, and the trained model is stored so that online detection can call it.
Step five, online detection: anomaly detection is performed on the clean time sequence data obtained in step two. Data features are extracted from three angles, abnormal data is filtered and screened using a "point-line-surface" time sequence data anomaly detection algorithm based on hybrid machine learning, and a judgment result is obtained by hard voting;
Step 501, anomaly detection is performed on the clean time sequence data obtained in step two: data information is extracted from three angles, and abnormal data is filtered and screened using a "point-line-surface" time sequence data anomaly detection algorithm comprising multiple machine learning methods. The "point-line-surface" algorithm comprises a "point" method, a "line" method and a "surface" method, specifically:
The "point" method: the isolation forest method, an anomaly detection method based on machine learning, which constructs decision trees at random and builds a statistic from the average depth at which a sample falls across all the trees for anomaly judgment;
The "line" method: the same-ratio amplitude method, an anomaly detection method based on statistics, which performs anomaly judgment by comparing the amplitude of the current point with the maximum same-ratio amplitude over a past period of time;
The "surface" method: the SR-CNN method, an anomaly detection method based on machine learning, which converts time sequence data anomaly detection into image saliency detection and uses the overall information of the image for anomaly judgment;
Step 502, a judgment result is output for the three detection results of step 501 by hard voting. Hard voting follows the principle that the minority obeys the majority: if two or more results are "abnormal", the judgment result is output as "abnormal"; otherwise the output is "normal".
Step six, output of the judgment result: the detection results of the offline prediction module, the offline training module and the online detection module are combined. If the judgment results of step three and step five are both abnormal, the final judgment result is output as abnormal; otherwise the final judgment result is output as normal.
An operation and maintenance time sequence data anomaly detection system based on hybrid machine learning comprises a data extraction module, a data preprocessing module, an offline prediction module, an offline training module, an online detection module, a judgment module and a model evaluation module, wherein:
the data extraction module is connected with the database and used for extracting operation and maintenance monitoring time sequence data from the database and returning to a data format required by the operation and maintenance monitoring time sequence data;
the data preprocessing module is connected with the data extraction module and is used for preprocessing the extracted data, balancing positive and negative samples of the data, filling missing values, normalizing data timestamps, finishing data segmentation and outputting clean historical data and clean time sequence data;
the off-line prediction module is connected with the data preprocessing module and is used for performing short-term fitting and prediction operation on clean historical data, and an indirect detection idea is adopted to compare a predicted value with a real numerical value at the moment to obtain a judgment result;
the off-line training module is connected with the data preprocessing module, regularly trains the machine learning model with long training time in advance by using clean historical data, and stores the trained model for on-line detection and calling;
the online detection module is connected with the data preprocessing module and used for carrying out anomaly detection on clean time sequence data, filtering and screening the abnormal data by using a 'point-line-surface' time sequence data anomaly detection algorithm comprising a plurality of machine learning methods, and obtaining a judgment result by adopting a hard voting mode;
the judgment module is connected with the off-line prediction module and the on-line detection module and used for integrating judgment results of the two modules, and when the judgment results of the two modules are both abnormal, the judgment result is output to be abnormal; otherwise, outputting the final judgment result as normal.
The model evaluation module is connected with the judgment module and is used for evaluating the anomaly detection result of the model. The model result is evaluated using precision and recall under an aging window evaluation system, where the aging window evaluation system means that, in actual industrial production, a detection counts as successful only if the anomaly is detected within the aging window.
The invention has the beneficial effects that: the off-line prediction module, the off-line training module and the on-line detection module are combined, the off-line training module is used for regularly training the model which needs long training time in advance, and the trained model is stored for real-time detection and calling, so that the detection timeliness is guaranteed; two-layer screening is performed by utilizing offline prediction and online detection, and only when the results of the two detections are abnormal, the current point is judged to be an abnormal point, so that the detection accuracy is improved, and false alarm and missing alarm are reduced. In addition, the invention provides a 'point-line-surface' time sequence data anomaly detection algorithm, completes anomaly detection by combining the characteristics of three aspects of operation and maintenance data, and improves the detection accuracy.
The invention is further illustrated by the following figures and examples.
Drawings
Fig. 1 is an overall structure diagram of an operation and maintenance timing sequence data anomaly detection method and system based on hybrid machine learning according to an embodiment of the present invention;
FIG. 2 is a flow diagram of an offline prediction module according to an embodiment of the present invention;
FIG. 3 is a flowchart of an offline training module according to an embodiment of the present invention;
FIG. 4 is a flowchart of an online detection module according to an embodiment of the present invention.
Detailed Description
The following description of the preferred embodiments of the present invention is provided for the purpose of illustration and description, and is in no way intended to limit the invention.
Example 1
As shown in fig. 1 to 4, a hybrid machine learning-based operation and maintenance time series data anomaly detection method includes the following steps:
Step one, data extraction: as shown in Table 1, data is read from the database at minute-level granularity and returned in the required data format, which comprises at least an operation and maintenance monitoring indicator name (KPI ID), a timestamp (Timestamp) and an operation and maintenance monitoring indicator value (Value), where Value is the single indicator sequence of concern in this embodiment of the invention. To check the final judgment result, this embodiment adds a label (Label) for the current time, so that the recall (Recall) and precision (Precision) of the detection result can be calculated later. The extracted data is divided into a training set and a test set at a ratio of 8:2. The training set serves as the historical data and provides the samples for model training; the test set serves as the time sequence data and is used to test the accuracy and timeliness of the whole model. The Python implementation of this step is encapsulated in a 1-getdata.
Table 1 data structure table
[Figure: Table 1, data structure table]
Step two, data preprocessing. First, the training data divided in step one is preprocessed. The training data is clustered by KPI ID (28 clusters in this embodiment of the invention) and each cluster is stored separately as a CSV file. The Timestamp value of each cluster is normalized into the format "year-month-day-hour-minute-second". Missing value detection is performed on each cluster, and missing values are filled by linear interpolation to obtain clean data. This part of the Python implementation is encapsulated in a 3-gettime. The clean data is then balanced: because abnormal data is very scarce and the original data has an extreme class imbalance, the Borderline-SMOTE method is used to balance the data set, giving available training data with a balanced ratio of positive and negative samples. The Python implementation of this part is encapsulated in a 2-datasplit.
Second, the time sequence data divided in step one is preprocessed: the cluster corresponding to each time sequence data item is looked up by KPI ID, and the timestamp of the time sequence data is converted to the "year-month-day-hour-minute-second" format to obtain available time sequence data. This part of the Python implementation is encapsulated in a 3-gettime.
Step three, offline prediction. The flow followed in this step is shown in fig. 2. The available training data from step two is divided into the data of the first 29 days and the data of the last 1 day, and short-term fitting is performed on the data of the first 29 days using a machine-learning-based time sequence data prediction algorithm to obtain a fitting model. The time sequence data prediction algorithm is the random forest algorithm. The random forest is a classification method based on machine learning: a plurality of decision trees are constructed from the data of the first 29 days, the outputs of the decision trees are counted, and the anomaly judgment for the current point is determined by voting. This part is encapsulated in the rfr.py file.
Then the fitting model is used to predict the data of the last 1 day, giving predicted values for the last 1 day, and the difference sequence between the predicted values and the true values of the last 1 day is calculated.
The fitting model is then used to predict the operation and maintenance monitoring time sequence data at the current moment, the current difference between the predicted value and the operation and maintenance monitoring index value at that moment is calculated, and a 3-sigma judgment is performed on the current difference using the difference sequence. If the current difference exceeds the 3-sigma range, the judgment result "abnormal" is output; otherwise the judgment result "normal" is output. The 3-sigma rule computes the mean and standard deviation of the difference sequence on the assumption that the original data is normally distributed; data falls within 3 standard deviations above and below the mean with a probability of 99.74 percent, and data outside this range is judged to be abnormal. This part is encapsulated in the rfr.py file.
Step four, off-line training, wherein the flow structure followed in the step is shown in fig. 3. And training a deep learning model by using the available training data in the step two, wherein the deep learning model is an SR-CNN model, converting time sequence data abnormity detection into image significance detection, performing abnormity judgment by using image overall information, storing the trained model of each cluster as a pkl file, and storing the files into a database respectively. This part of the python implementation is encapsulated in the srcnn.
Step five, online detection. The flow followed in this step is shown in fig. 4. The available time sequence data from step two is processed by the "point-line-surface" time sequence data anomaly detection algorithm to obtain three detection results. The "point-line-surface" algorithm comprises a "point" method, a "line" method and a "surface" method, specifically: the "point" method is the isolation forest method, an anomaly detection method based on machine learning, which constructs decision trees at random and builds a statistic from the average depth at which a sample falls across all the trees for anomaly judgment; the "line" method is the same-ratio amplitude method, an anomaly detection method based on statistics, which performs anomaly judgment by comparing the amplitude of the current point with the maximum same-ratio amplitude over a past period of time; the "surface" method is SR-CNN, an anomaly detection method based on deep learning, which converts time sequence data anomaly detection into image saliency detection and uses the overall image information to judge anomalies. This part of the Python implementation is encapsulated in the files of inordest.
And then outputting judgment results by adopting a hard voting method for the three detection results. The hard voting method is a 'minority obeys majority' principle, and if two or more results are 'abnormal', the judgment result is output to be 'abnormal'; otherwise, the output is "normal". This part of the python implementation is encapsulated in a vote.
Step six, outputting a judgment result, and if the judgment results in the step three and the step five are both abnormal, outputting a final judgment result as abnormal; otherwise, outputting the final judgment result as normal.
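The decision layer described in steps three, five and six (and in steps 301 to 303 and 502 of the disclosure), as an added example that is not the applicant's code. It assumes a per-phase seasonal mean in place of the random forest predictor, one possible reading of the same-ratio amplitude rule with a hypothetical `headroom` factor, and caller-supplied "point" and "surface" votes; the series and all names are constructed.

```python
from statistics import mean, pstdev

PERIOD = 24      # constructed: samples per "day" (minute-level data would use 1440)
FIT_DAYS = 29    # days used for fitting; day 30 yields the difference sequence


def fit_profile(history, period=PERIOD, fit_days=FIT_DAYS):
    """Stand-in forecaster (assumption): per-phase mean over the fit days.
    The text fits a random forest here; only the predict-and-compare role matters."""
    fit = history[: fit_days * period]
    return [mean(fit[p::period]) for p in range(period)]


def difference_sequence(profile, history, period=PERIOD, fit_days=FIT_DAYS):
    """Step 302: predicted minus true value over the held-out last day."""
    last_day = history[fit_days * period:(fit_days + 1) * period]
    return [profile[p] - v for p, v in enumerate(last_day)]


def three_sigma_abnormal(diffs, current_diff, k=3.0):
    """Step 303: abnormal if the current difference leaves mean +/- k*std.
    With a constant difference sequence (std 0) any deviation is flagged."""
    return abs(current_diff - mean(diffs)) > k * pstdev(diffs)


def offline_abnormal(history, current, period=PERIOD):
    """Step three: forecast the current point and test the residual."""
    profile = fit_profile(history, period)
    diffs = difference_sequence(profile, history, period)
    phase = len(history) % period
    return three_sigma_abnormal(diffs, profile[phase] - current)


def line_abnormal(history, current, period=PERIOD, lookback_days=7, headroom=1.2):
    """'Line' method (assumed reading): amplitude = change from the previous
    sample, compared with the largest amplitude seen at the same phase on
    earlier days. headroom is hypothetical; 1.0 is the plain comparison."""
    series = history + [current]
    t = len(series) - 1
    amp_now = abs(series[t] - series[t - 1])
    past = [abs(series[t - d * period] - series[t - d * period - 1])
            for d in range(1, lookback_days + 1) if t - d * period - 1 >= 0]
    return bool(past) and amp_now > headroom * max(past)


def hard_vote(votes):
    """Step 502: abnormal when two or more of the three detectors agree."""
    return sum(bool(v) for v in votes) >= 2


def detect(history, current, point_vote, surface_vote):
    """Step six: abnormal only if offline prediction AND the online vote agree.
    point_vote / surface_vote stand for the isolation forest and SR-CNN outputs."""
    offline = offline_abnormal(history, current)
    online = hard_vote([point_vote, line_abnormal(history, current), surface_vote])
    return "abnormal" if offline and online else "normal"


def constructed_history(days=30, period=PERIOD):
    """Constructed KPI: triangular daily pattern plus bounded deterministic noise."""
    def pattern(p):
        return 10 + (p if p < period // 2 else period - p)

    def noise(i):
        return ((i * 5) % 29 - 14) * 0.05

    return [pattern(i % period) + noise(i) for i in range(days * period)]


HISTORY = constructed_history()
NORMAL_NOW = 9.5    # constructed: the value the pattern produces at the next step
SPIKE_NOW = 17.5    # constructed: the same point with a spike of +8

if __name__ == "__main__":
    print(detect(HISTORY, NORMAL_NOW, False, False))
    print(detect(HISTORY, SPIKE_NOW, True, False))
    print(detect(HISTORY, SPIKE_NOW, False, False))
    print(detect(HISTORY, NORMAL_NOW, True, True))
```

The third call shows the cost of the two-layer screen: a spike that only the offline check and the "line" method notice is still reported as normal, because the online vote needs a second detector to agree.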
Anomaly detection is essentially a binary classification problem, so the anomaly detection result can be evaluated by Precision and Recall. This part of the Python implementation is encapsulated in evalue. Precision and Recall are calculated by the following formulas:
[Figure: formulas for Precision and Recall]
The precision is related to the number of negative samples that are not reported, and the recall is related to the number of positive samples that are falsely reported; the higher the two indexes, the better the detection effect of the model. Meanwhile, in actual industrial production, companies tend to strengthen the ability to find anomalies, i.e., to reduce the number of false positives, so the precision result is more important.
In reality, anomalies always appear in bundles, and in actual industrial production a detection counts as successful only if the anomaly is detected within the aging window. The aging window = the first detection time of an abnormal segment - the first occurrence time of that abnormal segment. In the present example, the aging window size was set to 10 minutes. Under the aging window evaluation system, the precision and recall of the present method and of the current common machine learning baseline methods are shown in Table 2. Among the three baseline methods (isolation forest, same-ratio amplitude and SR-CNN), the SR-CNN method is the most effective, with precision and recall of 0.80 and 0.90 respectively. The invention further improves the detection effect: compared with the SR-CNN method, precision is improved by 12.5% and recall is improved by 1%.
Comparing the detection results with the real labels shows that 8 of the 48 negative samples were not detected, and all 8 belong to one continuous anomaly of the same KPI ID, i.e., one missed report. Of the 2272 positive samples, 10 were detected in error, belonging to three runs of consecutive data from three KPI IDs, i.e., three false reports. On the whole, compared with the large number of false reports and missed reports in current actual production operation and maintenance, the model performs very well and has very good application value.
TABLE 2 comparison of the effects of the models
Evaluation index | Isolation forest | Same-ratio amplitude | SR-CNN | The invention
Precision        | 0.67             | 0.73                 | 0.80   | 0.90
Recall           | 0.90             | 0.80                 | 0.90   | 0.91
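Scoring under the aging window described above, as an added example that is not the applicant's code. It assumes one sample per minute, treats the abnormal class as the class being scored, and credits or discards an abnormal segment as a whole depending on whether its first alert falls within the window; the page does not spell out these conventions, and the labels and alerts are constructed.

```python
def anomaly_segments(labels):
    """Return (start, end) index pairs, end exclusive, of consecutive abnormal labels."""
    segments, start = [], None
    for i, y in enumerate(labels):
        if y and start is None:
            start = i
        elif not y and start is not None:
            segments.append((start, i))
            start = None
    if start is not None:
        segments.append((start, len(labels)))
    return segments


def detection_delays(labels, preds):
    """Aging window per segment: first detection time minus first occurrence
    time, in samples; None if the segment was never flagged."""
    delays = []
    for start, end in anomaly_segments(labels):
        hits = [i for i in range(start, end) if preds[i]]
        delays.append(hits[0] - start if hits else None)
    return delays


def window_adjust(labels, preds, window=10):
    """Credit a whole segment if its first alert arrives within `window`
    samples of its start; otherwise count the whole segment as missed."""
    adjusted = list(preds)
    for start, end in anomaly_segments(labels):
        in_time = any(preds[start:min(end, start + window + 1)])
        for i in range(start, end):
            adjusted[i] = 1 if in_time else 0
    return adjusted


def precision_recall(labels, preds, window=10):
    """Point-level precision and recall after the aging-window adjustment."""
    adjusted = window_adjust(labels, preds, window)
    tp = sum(1 for y, p in zip(labels, adjusted) if y and p)
    fp = sum(1 for y, p in zip(labels, adjusted) if not y and p)
    fn = sum(1 for y, p in zip(labels, adjusted) if y and not p)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


# Constructed one-hour trace, one sample per minute.
# Segment A: minutes 5-12, first alert at minute 8 (delay 3, inside the window).
# Segment B: minutes 30-49, first alert at minute 45 (delay 15, too late).
# Minute 55: an alert with no anomaly behind it.
LABELS = [0] * 5 + [1] * 8 + [0] * 17 + [1] * 20 + [0] * 10
PREDS = [1 if i in {8, 9, 45, 46, 55} else 0 for i in range(60)]

if __name__ == "__main__":
    print(detection_delays(LABELS, PREDS))
    print(precision_recall(LABELS, PREDS, window=10))
    print(precision_recall(LABELS, PREDS, window=15))
```

Widening the window from 10 to 15 minutes turns segment B from a miss into a hit, which is why reported figures are only comparable when the window size is stated.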

Claims (5)

1. An operation and maintenance time sequence data anomaly detection method based on hybrid machine learning is characterized by comprising the following steps:
step one, extracting data, taking the operation and maintenance data in a database according to a minute level, and returning to a required data format; the operation and maintenance data are periodic time sequence data, the data at the current moment are extracted as operation and maintenance time sequence data, all data in 30 days before the current moment are extracted as operation and maintenance historical data, and the data format at least comprises an operation and maintenance monitoring index name, a timestamp and an operation and maintenance monitoring index value;
step two, data preprocessing, namely preprocessing operation is carried out on the operation and maintenance historical data and the operation and maintenance time sequence data, positive and negative samples are balanced, missing values are filled, timestamps are normalized, data segmentation is completed, and clean historical data and clean time sequence data are obtained;
step three, offline prediction, namely performing short-term fitting on the clean historical data obtained in step two by using a machine-learning-based time sequence data prediction algorithm, the random forest algorithm; constructing a difference sequence from the differences between predicted values and true values as the original sequence for the 3-sigma judgment; and, following an indirect detection approach, obtaining the predicted value of the current moment by fitting, comparing the predicted value with the true value at that moment, and judging the point as "abnormal" once the deviation exceeds 3-sigma;
step four, off-line training, namely periodically training the machine learning model which needs long training time in advance by using the clean historical data in the step two, and storing the trained model for on-line detection and calling;
performing online detection, namely performing anomaly detection on the clean time sequence data obtained in the step two, extracting data characteristics from three angles, filtering and screening abnormal data by using a mixed machine learning-based 'point-line-surface' time sequence data anomaly detection algorithm, and obtaining a judgment result by adopting a hard voting mode;
step six, outputting a judgment result, combining detection results of an offline prediction module, an offline training module and an online detection module, and if the judgment results in the step three and the step five are all abnormal, outputting a final judgment result which is abnormal; otherwise, outputting the final judgment result as normal.
2. The hybrid machine learning-based operation and maintenance time-series data anomaly detection method according to claim 1, wherein step three specifically comprises the following steps:
step 301, dividing the clean historical data from step two into the data of the first 29 days and the data of the last 1 day, and performing short-term fitting on the data of the first 29 days using a machine-learning-based time-series prediction algorithm to obtain a fitting model; the time-series prediction algorithm is the random forest algorithm; random forest is a machine-learning-based classification method in which a plurality of decision trees are constructed from the data of the first 29 days, the output of each decision tree is counted, and the anomaly judgment for the current point is determined by voting;
step 302, performing fitting prediction on the data of the last 1 day using the fitting model of step 301 to obtain predicted values for the data of the last 1 day, and calculating the difference sequence between the predicted values and the true values of the data of the last 1 day;
step 303, obtaining a predicted value of the operation and maintenance monitoring time-series data at the current moment using the fitting model of step 301, calculating the current difference between the predicted value and the operation and maintenance monitoring index value at that moment, and performing 3-sigma judgment on the current difference using the difference sequence of step 302; if the current difference exceeds the 3-sigma range, a judgment result of "abnormal" is output; if not, a judgment result of "normal" is output; the 3-sigma judgment, on the premise that the original data is a normally distributed sequence, calculates the mean and standard deviation of the difference sequence; data fall within 3 standard deviations above and below the mean with a probability of 99.74 percent, and data outside this range are judged to be abnormal data.
3. The hybrid machine learning-based operation and maintenance time-series data anomaly detection method according to claim 1, wherein step five specifically comprises the following steps:
step 501, performing anomaly detection on the clean time-series data obtained in step two, extracting data information from three angles, and filtering and screening abnormal data using a "point-line-surface" time-series anomaly detection algorithm comprising multiple machine learning methods;
step 502, outputting a judgment result for the three detection results of step 501 by hard voting, wherein hard voting follows the principle that the minority obeys the majority: if two or more results are "abnormal", the judgment result output is "abnormal"; otherwise, the output is "normal".
4. The hybrid machine learning-based operation and maintenance time-series data anomaly detection method according to claim 3, wherein the "point-line-surface" time-series anomaly detection algorithm comprises a point method, a line method and a surface method, specifically:
the "point" method: the isolation forest method, a machine-learning-based anomaly detection method that randomly constructs decision trees and, for anomaly judgment, builds a statistic from the average depth at which a sample falls across all the trees;
the "line" method: the unity-ratio amplitude method, a statistics-based anomaly detection method that performs anomaly judgment by comparing the amplitude value of the current point with the maximum unity-ratio amplitude over a past period of time;
the "surface" method: SR-CNN, a machine-learning-based anomaly detection method that converts time-series anomaly detection into image saliency detection and performs anomaly judgment using the overall information of the image.
5. An operation and maintenance time-series data anomaly detection system based on hybrid machine learning, characterized by comprising a data extraction module, a data preprocessing module, an offline prediction module, an offline training module, an online detection module, a judgment module and a model evaluation module; wherein:
the data extraction module is connected with the database and is used for extracting operation and maintenance monitoring time-series data from the database and returning it in the required data format;
the data preprocessing module is connected with the data extraction module and is used for preprocessing the extracted data by balancing positive and negative samples, filling missing values, normalizing data timestamps and completing data segmentation, and for outputting clean historical data and clean time-series data;
the offline prediction module is connected with the data preprocessing module and is used for performing short-term fitting and prediction on the clean historical data; it adopts an indirect detection approach, comparing the predicted value with the true value at that moment to obtain a judgment result;
the offline training module is connected with the data preprocessing module; it periodically trains in advance, on the clean historical data, the machine learning models that require long training time, and stores the trained models to be called during online detection;
the online detection module is connected with the data preprocessing module and is used for performing anomaly detection on the clean time-series data, filtering and screening abnormal data using a "point-line-surface" time-series anomaly detection algorithm comprising multiple machine learning methods, and obtaining a judgment result by hard voting;
the judgment module is connected with the offline prediction module and the online detection module and is used for integrating the judgment results of the two modules; when the judgment results of both modules are "abnormal", the judgment result output is "abnormal"; otherwise, the final judgment result output is "normal";
the model evaluation module is connected with the judgment module and is used for evaluating the anomaly detection results of the model; the model results are evaluated using precision and recall under an aging window evaluation system, wherein the aging window evaluation system means that, in actual industrial production, detection counts as successful as long as the anomaly is detected within the aging window.
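The decision logic of claims 1 to 3, as an added example that is not the patent's own code: a 3-sigma test on prediction residuals, a hard vote over three online verdicts, and the final AND of the two. The per-phase mean predictor is a stand-in for the claimed random forest, the three online verdicts (isolation forest, amplitude, SR-CNN) are passed in as booleans, and the history is constructed with 24 points per day instead of minute-level data.

```python
import math
import statistics

def fit_phase_means(train, period):
    """Stand-in for the claimed random-forest fit: mean value per phase of the period.
    Assumes the series starts at phase 0 and its length is a multiple of the period."""
    return [statistics.fmean(train[p::period]) for p in range(period)]

def offline_abnormal(history, period, current_value):
    """Claim 2: fit on all but the last period, build the residual sequence on the
    last period, then 3-sigma test the residual of the current point."""
    train, last = history[:-period], history[-period:]
    forecast = fit_phase_means(train, period)
    residuals = [last[p] - forecast[p] for p in range(period)]
    mu, sigma = statistics.fmean(residuals), statistics.pstdev(residuals)
    phase = len(history) % period            # phase of the point being judged
    current_residual = current_value - forecast[phase]
    return abs(current_residual - mu) > 3 * sigma

def hard_vote(verdicts):
    """Claim 3, step 502: abnormal when a majority of detector verdicts are abnormal."""
    return sum(verdicts) * 2 > len(verdicts)

def final_verdict(offline, online_verdicts):
    """Claim 1, step six: alert only if offline prediction AND the online vote agree."""
    return offline and hard_vote(online_verdicts)

def constructed_history(period=24, days=30):
    """Constructed sample: 30 periods of a sine-shaped KPI with small deterministic jitter."""
    return [50 + 10 * math.sin(2 * math.pi * (i % period) / period)
            + ((i * 37) % 11 - 5) * 0.2 for i in range(period * days)]

if __name__ == "__main__":
    hist = constructed_history()
    for value in (50.5, 58.0):               # one ordinary reading, one spike
        off = offline_abnormal(hist, 24, value)
        print(value, off, final_verdict(off, [True, True, False]))
```

Because the final verdict is a conjunction, a majority among the online detectors does not raise an alert on its own when the residual stays inside the 3-sigma band.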
CN202111481612.3A 2021-12-07 2021-12-07 Operation and maintenance time sequence data anomaly detection method and system based on hybrid machine learning Pending CN114201374A (en)

Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111481612.3A (CN114201374A) | 2021-12-07 | 2021-12-07 | Operation and maintenance time sequence data anomaly detection method and system based on hybrid machine learning |

Publications (1)

| Publication Number | Publication Date |
|---|---|
| CN114201374A | 2022-03-18 |

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination