CN114444602A - Method and system for automatically constructing anomaly detection model - Google Patents

Method and system for automatically constructing anomaly detection model Download PDF

Info

Publication number
CN114444602A
CN114444602A CN202210106978.0A CN202210106978A CN114444602A CN 114444602 A CN114444602 A CN 114444602A CN 202210106978 A CN202210106978 A CN 202210106978A CN 114444602 A CN114444602 A CN 114444602A
Authority
CN
China
Prior art keywords
kpi
algorithm
time sequence
data
waveform
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210106978.0A
Other languages
Chinese (zh)
Inventor
施沈池
陈华俊
吴一娜
严峻岭
吴志强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Unionpay Co Ltd
Original Assignee
China Unionpay Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Unionpay Co Ltd filed Critical China Unionpay Co Ltd
Priority to CN202210106978.0A priority Critical patent/CN114444602A/en
Publication of CN114444602A publication Critical patent/CN114444602A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/241Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/243Classification techniques relating to the number of classes
    • G06F18/2433Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters

Abstract

The invention provides a method and a system for automatically constructing an anomaly detection model, wherein the system comprises a server side and an equipment side, and the method comprises the following steps: the equipment terminal acquires KPI time sequence data corresponding to the appointed KPI in real time from the monitored network flow data and continuously uploads the KPI time sequence data to the server terminal; the service end carries out waveform classification on the KPI time sequence data to obtain a waveform classification result corresponding to the appointed KPI, and the waveform classification result is sent to the equipment end; and the equipment end dynamically matches an abnormality detection algorithm corresponding to the specified KPI from an algorithm library according to the waveform classification result corresponding to the specified KPI, and updates an abnormality detection model according to the abnormality detection algorithm, wherein the abnormality detection model is used for performing abnormality detection on data corresponding to the specified KPI at the equipment end. By the method, the construction efficiency and the self-adaption degree of the anomaly detection model can be improved.

Description

Method and system for automatically constructing anomaly detection model
Technical Field
The invention belongs to the field of network flow monitoring, and particularly relates to a method and a system for automatically constructing an anomaly detection model.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
The data center network has a large amount of KPI (Key Performance Indicator) data, such as TCP retransmission rate, TCP uplink bit rate, TCP download rate, TCP delay, and the like in network traffic. By carrying out real-time monitoring and abnormal detection on the KPI data, the method not only can find faults and send alarms in time, but also can help operation and maintenance personnel to carry out accurate fault positioning and support fault quick recovery.
However, current real-time monitoring and anomaly detection of KPI data faces two problems: firstly, in a traditional threshold value monitoring mode, the sensitivity and accuracy of the traditional threshold value monitoring mode cannot meet the current network requirements, and an intelligent model is usually trained by means of an artificial intelligence technology to perform more sensitive and accurate monitoring; and secondly, KPI data in the network field are various, different abnormal detection requirements exist in different service scenes, and the modeling technology threshold is higher, so that large-scale service requirements cannot be met.
Disclosure of Invention
In view of the above problems in the prior art, a method and system for automatically constructing an anomaly detection model are provided, and the above problems can be solved by using the method, the apparatus and the computer-readable storage medium.
The present invention provides the following.
In a first aspect, a method for automatically constructing an anomaly detection model is provided, and is applied to a system composed of a server side and a device side, and the method includes: the equipment terminal acquires KPI time sequence data corresponding to the appointed KPI in real time from the monitored network flow data and continuously uploads the KPI time sequence data to the server terminal; the service end carries out waveform classification on the KPI time sequence data to obtain a waveform classification result corresponding to the appointed KPI, and the waveform classification result is sent to the equipment end; and the equipment end dynamically matches an abnormality detection algorithm corresponding to the specified KPI from an algorithm library according to the waveform classification result corresponding to the specified KPI, and updates an abnormality detection model according to the abnormality detection algorithm, wherein the abnormality detection model is used for performing abnormality detection on data corresponding to the specified KPI at the equipment end.
In one embodiment, the service end performs waveform classification on the KPI time series data, and further includes: the server pre-extracts historical KPI time sequence data corresponding to the appointed KPI, and trains based on the historical KPI time sequence data to obtain a time sequence classification model corresponding to the appointed KPI; and the service end inputs the KPI time sequence data into the time sequence classification model to obtain a waveform classification result corresponding to the appointed KPI.
In one embodiment, the service end performs waveform classification on the KPI time series data, and further includes: the server side extracts stored full KPI time sequence data corresponding to the specified KPI and arranges the data according to the acquisition time; and the server side extracts fluctuation trend characteristics of the time sequence data of the full KPI, and obtains a waveform classification result corresponding to the appointed KPI according to the fluctuation trend characteristics.
In one embodiment, after the server extracts the stored full-amount KPI time series data corresponding to the specified KPI, the method further includes: the server side carries out data preprocessing on the full KPI time sequence data; the data pre-processing includes any one or more of: and (5) filtering, denoising and missing value filling operation.
In one embodiment, waveform classification of KPI time series data includes: extracting sequence characteristics of the KPI time sequence data, wherein the sequence characteristics comprise sequence length and/or sequence extreme values, and judging whether the waveform type of the KPI time sequence data is one of a few-point type, a low-value type and a linear type according to the sequence characteristics; and/or performing correlation analysis on the KPI time sequence data, wherein the correlation analysis comprises fast Fourier transform and autocorrelation calculation, and judging whether the waveform category of the KPI time sequence data is periodic or not according to the correlation analysis result; and/or extracting a first statistical feature of the KPI time sequence, and judging whether the waveform type of the KPI time sequence data is one of a trend type, an oscillation type and a mutation type according to the first statistical feature, wherein the first statistical feature comprises one or more of a first-order difference value, a second-order difference value and a 3Sigma value of the KPI time sequence data.
In one embodiment, the waveform classification result includes: KPI identification, waveform category, cycle length and second statistical characteristics; wherein the second statistical characteristic comprises one or more of a maximum value, a minimum value, a mean value, and a variance of the KPI time series data; wherein, if the waveform type is non-periodic type, the period length is null value.
In one embodiment, the method further comprises: the server side responds to the trigger instruction and/or periodically issues a model updating instruction to the equipment side; and the equipment end responds to a model updating instruction issued by the server end, dynamically matches a corresponding anomaly detection algorithm from the algorithm library according to the waveform classification result corresponding to the specified KPI, and updates the anomaly detection model according to the anomaly detection algorithm.
In one embodiment, the method further comprises: the equipment terminal automatically matches a corresponding abnormal detection algorithm according to the waveform type of the KPI time sequence data; detecting a parameter according to a second statistical characteristic abnormality of the KPI time series data; updating and training the anomaly detection model according to an anomaly detection algorithm; and carrying out anomaly detection on the KPI time sequence data acquired by the equipment end in real time according to the anomaly detection model and the anomaly detection parameters.
In one embodiment, the device side performs update training on the anomaly detection model according to an anomaly detection algorithm, including: and the equipment end performs model training by using historical KPI time sequence data in a set historical time period and an anomaly detection algorithm.
In one embodiment, further comprising: and when the abnormal detection alarm result output by the abnormal detection model is in a false alarm condition, attaching a false alarm label to the corresponding historical KPI time sequence data and feeding back the data to the abnormal detection model so as to adjust the parameters of the model.
In one embodiment, the algorithm library includes one or more of the following anomaly detection algorithms: decision tree calculation, KNN algorithm, NSigma algorithm, CUSUM algorithm, STL decomposition algorithm, moving average algorithm, autocorrelation algorithm, exponential average algorithm, box graph algorithm, kurtosis algorithm, linear regression algorithm, isolated forest algorithm and dynamic threshold algorithm.
In one embodiment, the periodic fluctuation type has a corresponding relationship with an exponential averaging algorithm and/or a dynamic threshold algorithm; and/or the oscillation type fluctuation type has a corresponding relation with a box chart algorithm and/or an N Sigma algorithm; and/or the mutant fluctuation type has a corresponding relation with one or more of an autocorrelation algorithm, a decision tree algorithm, a KNN algorithm and a CUSUM algorithm; and/or the trend type fluctuation type has a corresponding relation with a linear regression algorithm and/or a dynamic threshold algorithm.
In one embodiment, the KPI comprises: TCP retransmission rate, TCP uplink bit rate, TCP download rate, TCP delay.
In a second aspect, a system for automatically building an anomaly detection model is provided, wherein the system is configured to perform the method according to the first aspect, and the system includes a server and a device, wherein the device is configured to: KPI time sequence data corresponding to the appointed KPI are collected in real time from the monitored network flow data and are continuously uploaded to a server; the server is configured for: carrying out waveform classification on the KPI time sequence data to obtain a waveform classification result corresponding to the appointed KPI, and sending the waveform classification result to an equipment end; the device side is configured to further: and dynamically matching an abnormality detection algorithm corresponding to the specified KPI from an algorithm library according to the waveform classification result corresponding to the specified KPI, and updating an abnormality detection model according to the abnormality detection algorithm, wherein the abnormality detection model is used for performing abnormality detection on data corresponding to the specified KPI at the equipment end.
One of the advantages of the above-mentioned embodiment is that monitoring of the designated KPI in the network traffic data can be automatically generated, the efficiency of constructing a network operation and maintenance model (abnormal detection model) is greatly improved, the technical threshold and the labor cost are reduced, and when the KPI data is found to be changed or new equipment is added, the waveform automatic identification and algorithm dynamic adjustment mechanism provided in the present solution can update the relevant models and parameters in time, thereby effectively improving the generalization ability of the models and reducing the maintenance cost of the algorithm models.
Other advantages of the present invention will be explained in more detail in conjunction with the following description and the accompanying drawings.
It should be understood that the above description is only an overview of the technical solutions of the present invention, so as to clearly understand the technical means of the present invention, and thus can be implemented according to the content of the description. In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in detail below.
Drawings
The advantages and benefits herein, as well as other advantages and benefits, will be apparent to one of ordinary skill in the art upon reading the following detailed description of the exemplary embodiments. The drawings are only for purposes of illustrating exemplary embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a block diagram of a system for automated construction of an anomaly detection model according to an embodiment of the present invention;
FIG. 2 is a schematic flow diagram of a method for automatically constructing an anomaly detection model according to an embodiment of the present invention;
FIG. 3 is a flow diagram illustrating another method for automatically constructing an anomaly detection model according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart diagram illustrating another method for automatically constructing an anomaly detection model according to an embodiment of the present invention;
fig. 5 is a flowchart illustrating a further method for automatically constructing an anomaly detection model according to an embodiment of the present invention.
In the drawings, the same or corresponding reference numerals indicate the same or corresponding parts.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
In the description of the embodiments of the present application, it is to be understood that terms such as "including" or "having" are intended to indicate the presence of the features, numbers, steps, actions, components, parts, or combinations thereof disclosed in the specification, and are not intended to preclude the presence or addition of one or more other features, numbers, steps, actions, components, parts, or combinations thereof.
Unless otherwise stated, "/" indicates an OR meaning, e.g., A/B may indicate A or B; "and/or" herein is merely an association describing an associated object, and means that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone.
The terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first," "second," etc. may explicitly or implicitly include one or more of that feature. In the description of the embodiments of the present application, "a plurality" means two or more unless otherwise specified.
All code in this application is exemplary and variations will occur to those skilled in the art based upon the programming language used, the specific needs and personal habits without departing from the spirit of the application.
For clarity of explanation of the embodiments of the present application, some concepts that may appear in subsequent embodiments will first be described.
Description of concepts
KPI data refers to Key Performance Indicator (KPI) data, and specifically refers to Key Performance Indicator data in network traffic in the present application, such as TCP retransmission rate, TCP uplink bit rate, TCP download rate, TCP delay, and the like.
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict. The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
As shown in fig. 1, fig. 1 is a schematic structural diagram of a hardware operating environment according to an embodiment of the present invention. Namely, the system for automatically constructing the anomaly detection model is composed of a server 10 and a plurality of equipment terminals (21, 22, 23), the system comprises two key components of the server and the equipment terminals, the method of the application is distributed and deployed at the server and the equipment terminals, and in the system, the server 10 only needs to execute: and carrying out waveform classification on the KPI time sequence data to obtain a waveform classification result corresponding to the appointed KPI, and sending the result to an equipment terminal. And at each device side (21, 22, 23) the deployment is carried out: KPI time sequence data corresponding to a specified KPI is collected in real time and continuously uploaded to a server; and dynamically matching an anomaly detection algorithm corresponding to the specified KPI from an algorithm library according to the waveform classification result corresponding to the specified KPI, and updating an anomaly detection model according to the anomaly detection algorithm. Therefore, the calculation pressure of the server side can be greatly reduced, and the whole data center network monitoring deployment can be adapted more easily.
Fig. 2 is a schematic flow chart of a method for automatically constructing an anomaly detection model according to an embodiment of the present application, in which, from a device perspective, an execution subject may be one or more electronic devices; from the program perspective, the execution main body may be a program loaded on these electronic devices, accordingly. In this embodiment, the execution subject of the method may be the system in the embodiment shown in fig. 1.
As shown in fig. 2, the method provided by this embodiment may include the following steps:
firstly, the device executes:
s201: KPI time sequence data corresponding to the appointed KPI are collected in real time from the monitored network flow data.
S202: and continuously uploading the acquired KPI time sequence data to a server.
Then, after receiving the KPI time series data, the server performs:
s203: and carrying out waveform classification on the KPI time sequence data to obtain a waveform classification result corresponding to the appointed KPI.
S204: and sending the waveform classification result to the equipment terminal.
Then, after receiving the waveform classification result of the KPI time series data, the device performs:
s205: and dynamically matching an abnormal detection algorithm corresponding to the appointed KPI from an algorithm library according to the waveform classification result.
S206: and updating the anomaly detection model according to an anomaly detection algorithm.
KPIs refer to key performance indicator data in network traffic data, including, for example: TCP retransmission rate, TCP uplink bit rate, TCP download rate, TCP delay, etc.
The KPI time sequence data refers to a time sequence formed by KPIs collected according to different sampling time points. For example, the TCP retransmission rate is sampled once per minute, and KPI time series data of the TCP retransmission rate is obtained by combining data of each day in time sequence.
And the anomaly detection model is used for carrying out anomaly detection on the specified KPI data acquired by the equipment terminal. For example, when an anomaly detection algorithm for the TCP retransmission rate is obtained through the above S201 to S205, an anomaly detection model for detecting whether the TCP retransmission rate is anomalous may be updated according to the anomaly detection algorithm.
Therefore, monitoring of the designated KPI in the network flow data can be automatically generated, the construction efficiency of a network operation and maintenance model (an abnormal detection model) is greatly improved, the technical threshold and the labor cost are reduced, and under the condition that the KPI data is found to be changed or new equipment is added, the waveform automatic identification and algorithm dynamic adjustment mechanism provided by the scheme can update related models and parameters in time, so that the generalization capability of the model is effectively improved, and the maintenance cost of the algorithm model is reduced.
Fig. 3 is a flowchart illustrating a method for automatically constructing an anomaly detection model according to another exemplary embodiment of the present invention, and this embodiment further describes in detail the process of S203 based on the embodiment illustrated in fig. 2.
In an embodiment, in order to more efficiently perform waveform classification on KPI time series data, the server may perform, in advance, before receiving the KPI time series data:
s2031: acquiring historical KPI time sequence data corresponding to a specified KPI in advance;
s2032: training based on historical KPI time series data to obtain a time series classification model corresponding to the specified KPI;
and after receiving the KPI time series data, the server may perform the more specific steps of S203:
s2033: and the service end inputs the KPI time sequence data into the time sequence classification model to obtain a waveform classification result of the KPI time sequence data.
The historical KPI time series data is a set of KPI time series data uploaded by the specified KPI, and the historical KPI time series data can be used as training sample data to learn respective historical fluctuation conditions of the specified KPI, so as to obtain a time series classification model through training. And then, classifying and identifying the newly acquired KPI time sequence data by using the time sequence classification model to obtain a waveform classification result.
The server can obtain the time series classification model aiming at each KPI through pre-training, and correspondingly input the corresponding time series classification model according to the identification of the appointed KPI after receiving newly uploaded KPI time series data corresponding to the appointed KPI.
Because the plurality of models are trained in advance by the server, the waveform classification result of the newly uploaded time series classification model can be obtained more efficiently.
It is understood that the steps S201 to S202 and S204 to S206 not mentioned in fig. 3 are the same as those in fig. 2, and are not described herein again.
Fig. 4 is a flowchart illustrating a method for automatically constructing an anomaly detection model according to another exemplary embodiment of the present invention, and this embodiment further describes in detail the process of S203 based on the embodiment illustrated in fig. 2.
In an embodiment, the service end may perform, after receiving KPI time series data corresponding to the specified KPI:
s2034: and the server extracts the stored full KPI time sequence data corresponding to the specified KPI and arranges the data according to the acquisition time.
The KPI time sequence data collected by the equipment end are stored in the storage module of the service end after being uploaded to the service end, and the full-amount KPI time sequence data refer to all KPI time sequence data aiming at the specified KPI in the storage module of the service end. After arranging the full KPI time series by acquisition time, KPI time series data over a longer time range are obtained. Alternatively, it may be the full amount of KPI time series data over a period of time.
Alternatively, S2035: carrying out data preprocessing on the full KPI time sequence data; the data pre-processing includes any one or more of: and (5) filtering, denoising and missing value filling operation. It is understood that in the full-scale KPI time series data, there may be one or more missing data due to missed sampling or missed transmission, and there may also be one or more redundant data due to multiple sampling or multiple transmission, the effect of which can be eliminated by the above-mentioned preprocessing step. Alternatively, missing value padding may be implemented, for example, by using a smooth difference method.
S2036: and the server side extracts fluctuation trend characteristics of the time sequence data of the full KPI, and obtains a waveform classification result corresponding to the appointed KPI according to the fluctuation trend characteristics.
In this embodiment, the waveform classification result corresponding to the designated KPI is obtained by analyzing the full-scale KPI time series data, so that the current fluctuation trend of the designated KPI can be known more comprehensively and accurately.
It is understood that the steps S201 to S202 and S204 to S206 not mentioned in fig. 4 are the same as those in fig. 2, and are not described herein again.
In an embodiment, in order to extract a waveform classification result corresponding to the specified KPI, the following operations may be performed:
(1) and extracting sequence characteristics of the KPI time sequence data, wherein the sequence characteristics comprise sequence length and/or sequence extreme values, and judging whether the waveform type of the KPI time sequence data is one of a few-point type, a low-value type and a linear type according to the sequence characteristics.
(2) And performing correlation analysis on the KPI time sequence data, wherein the correlation analysis comprises fast Fourier transform and autocorrelation calculation, and judging whether the waveform type of the KPI time sequence data is periodic or not according to the correlation analysis result.
(3) Extracting a first statistical feature of the KPI time sequence, and judging whether the waveform type of the KPI time sequence data is one of a trend type, a concussion type and a mutation type according to the first statistical feature, wherein the first statistical feature comprises one or more of a first-order difference value, a second-order difference value and a 3Sigma value of the KPI time sequence data.
The above operations (1) - (3) may be performed individually or in combination in any order, and are not particularly limited in this application.
Alternatively, the operation (1) may be performed first, and if the waveform type of the KPI time-series data is determined to be one of the low-point type, the low-value type, and the straight-line type, the analysis is stopped and the waveform type is output, and if not, the operation (2) is further performed, if the waveform type of the KPI time-series data is determined to be periodic, the analysis is stopped and the waveform type is output, and if not, the operation (3) is further performed to determine whether the waveform type of the KPI time-series data is one of the trend type, the oscillation type, and the mutant type. Therefore, the analysis operation is performed in sequence, and under some conditions, all feature extraction of KPI time sequence data is not required, so that the analysis efficiency can be improved, and the analysis calculation amount can be saved.
The waveform categories may be used to indicate a trend of fluctuations in the KPI time series data, including one or more of: few-point type, low-value type, linear type, trend type, oscillation type, mutation type, periodic type.
The above-described breakpoint-less KPIs indicate that the KPI time series data comprises a plurality of discrete 0 values. The above-mentioned low-value type KPI indicates that all sequence values of the KPI time-series data are smaller than the abnormality detection parameter. The linear KPI indicates that the sequence value of the KPI time sequence data is a fixed value; the above-described trend-type KPI indicates that the sequence value of the KPI time-series data is in an upward/downward trend with time. The oscillation type KPI indicates that the sequence value of the KPI time sequence data shows unstable oscillation trend along with the time. The mutant KPI indicates that the sequence value of the KPI time sequence data shows unstable mutation trend along with time. The periodic KPI indicates that the sequence value of the KPI time sequence data fluctuates periodically.
In one embodiment, the waveform classification result includes: KPI identification, waveform category, cycle length, and second statistical characteristic.
The second statistical characteristic comprises one or more of a maximum value, a minimum value, a mean value and a variance of the KPI time sequence data. The wave trend may be further presented on the premise that the waveform category is determined, for example, for the periodic wave category, the second statistical feature may indicate the amplitude of the periodic wave. For example, for the trend-type fluctuation category, the second statistical characteristic may indicate the magnitude of the rise or fall. This makes it possible to detect a distinctive abnormality for a different waveform type of the second statistical characteristic. Further, as the above-described waveform type is a non-periodic type, the period length may be set to a null value, such as a 0 value.
For example, the following table shows an example of a waveform classification result, which includes KPI identifier, i.e. KPI name TcpFlow, and waveform categories are: periodic type, the period length is: 288 with a maximum of 9.8, a minimum of 0.5, a mean of 5.6 and a variance of 1.1.
KPI name Waveform class name (Label) Length of cycle Maximum value Minimum value Mean value Variance (variance)
TcpFlow Periodic type (3) 288 9.8 0.5 5.6 1.1
Fig. 5 is a flowchart illustrating a method for automatically building an anomaly detection model according to another exemplary embodiment of the present invention, and this embodiment further details a process of updating a model based on the embodiment illustrated in fig. 2.
Firstly, the server executes:
s2041: responding to a trigger instruction and/or periodically issuing a model updating instruction to an equipment end;
then, after receiving the model update instruction, the device executes:
s205: responding to a model updating instruction issued by a server, and dynamically matching a corresponding abnormal detection algorithm from an algorithm library according to a waveform classification result of the KPI time sequence data;
s206: and updating the anomaly detection model according to the anomaly detection algorithm.
In this embodiment, the device side starts the algorithm matching program to perform algorithm matching only after receiving the model update instruction, so as to avoid frequently updating the anomaly detection algorithm model.
It is understood that the steps S201 to S204 not mentioned in fig. 5 are the same as those in fig. 2, and are not described herein again.
In one embodiment, the algorithm library includes one or more of the following anomaly detection algorithms: decision tree arithmetic, KNN algorithm, N Sigma algorithm, CUSUM algorithm, STL decomposition algorithm, moving average algorithm, autocorrelation algorithm, exponential average algorithm, boxed graph algorithm, kurtosis algorithm, linear regression algorithm, isolated forest algorithm and dynamic threshold algorithm.
In one embodiment, the periodic fluctuation type has a corresponding relationship with an exponential averaging algorithm and/or a dynamic threshold algorithm; the oscillation type fluctuation type has a corresponding relation with a box type graph algorithm and/or an N Sigma algorithm; the mutant fluctuation type has a corresponding relation with one or more of an autocorrelation algorithm, a decision tree algorithm, a KNN algorithm and a CUSUM algorithm; the trend type fluctuation type has a corresponding relation with a linear regression algorithm and/or a dynamic threshold value algorithm. Thus, the corresponding anomaly detection algorithm can be automatically matched according to the determined fluctuation type.
In an embodiment, the method further comprises: the equipment terminal automatically matches a corresponding abnormal detection algorithm according to the waveform type of the KPI time series data; detecting a parameter according to a second statistical characteristic abnormality of the KPI time series data; updating and training the anomaly detection model according to an anomaly detection algorithm; and carrying out anomaly detection on the KPI time sequence data acquired by the equipment end in real time according to the anomaly detection model and the anomaly detection parameters.
The abnormality detection parameter is determined according to a second statistical characteristic of the KPI time sequence data, the second statistical characteristic can indicate the fluctuation stability degree of the KPI time sequence data, the second statistical characteristic is used for being matched with the abnormality detection model, and the abnormality detection parameter can be used for adaptively performing differentiated detection aiming at the conditions that the fluctuation types are the same and the fluctuation stability degrees are different. For example, when the anomaly detection algorithm employs a dynamic baseline algorithm, the anomaly detection parameter may be a threshold value used in match with the dynamic baseline algorithm, and more specifically, if the fluctuation stability data indicates that the fluctuation of the KPI time-series data is stable, as described above, a smaller threshold value may be used, and conversely, a larger threshold value may be used.
For example, the following table shows an example of the matching result of an algorithm, which includes KPI id, i.e., KPI name TcpFlow, and algorithm name: dynamic baseline, threshold is: 30 percent.
KPI name Name of algorithm Threshold value
TcpFliw Dynamic baselines 30%
In an embodiment, the device performs update training on the anomaly detection model according to an anomaly detection algorithm, including: and the equipment end performs model training by using historical KPI time sequence data in a set historical time period and an anomaly detection algorithm.
For example, when using a dynamic baseline algorithm, historical data from the previous week may be used as input for training, predicting baselines for the future day and performing anomaly detection based on the baselines.
In one embodiment, aiming at the problem of high false alarm rate of the unsupervised algorithm, a false alarm suppression algorithm is added, and comprises the following steps: and when the abnormal detection alarm result output by the abnormal detection model is in a false alarm condition, attaching a false alarm tag to the corresponding historical KPI time sequence data and feeding back the data to the abnormal detection model so as to adjust the model parameters. Therefore, feedback can be added to model training, expert experience is combined with an automatically constructed intelligent model, and the false alarm rate of the model is effectively inhibited.
Optionally, for network index data without an obvious periodic rule, taking a port KPI-TCP retransmission rate of a non-golden access link of a current network as an example, an unsupervised integration algorithm is used to train history data of previous 30 days to obtain a plurality of anomaly detection models, and anomaly detection is performed on subsequent data in an integrated voting manner.
In one example, first, port TCP uplink bit rate data is collected in real time at a sampling frequency of one point per minute at a device side, and is uploaded to a large data platform storage node at a server side, and is stored according to a time sequence, then, a computing node of the large data platform at the server side extracts a whole amount of TCP uplink bit rate data to perform data preprocessing, fills up missing time point data caused by missed collection or missed transmission in a smooth interpolation mode, obtains complete time series data, a time series classification module analyzes and calculates the TCP uplink bit rate time series data, extracts statistical characteristics such as sequence length, maximum value, mean value, variance and the like of the data, extracts a period and a trend of the data by using a time series decomposition algorithm, and obtains a conclusion by comprehensive analysis and calculation: the data is a stable periodic time series with a period length of 1 day, i.e., 1440 samples are a period. And finally outputting waveform classification result information to a device end, starting an algorithm matching module after the device end receives the waveform classification result information of the KPI and a model updating instruction, automatically calculating and matching according to the periodicity characteristics of the bit rate time series data uploaded by the TCP and key information such as the period length, the value range, the fluctuation degree and the like of the bit rate time series data to obtain a dynamic baseline algorithm suitable for stable periodic time series abnormality detection, and setting a dynamic threshold value to be 20%. And finally, performing model training on the TCP uplink bit rate data by using a dynamic baseline algorithm, dynamically adjusting algorithm parameters according to data characteristics and a model training effect, repeatedly performing iterative training to find optimal parameters, finally generating a dynamic baseline, and further performing real-time online anomaly detection by using the baseline and anomaly detection parameters.
In the description of the present specification, reference to the description of the terms "some possible implementations," "some embodiments," "examples," "specific examples," or "some examples," or the like, means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Furthermore, the terms "first", "second" and "first" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
With regard to the method flow diagrams of embodiments of the present application, certain operations are described as different steps performed in a certain order. Such flow diagrams are illustrative and not restrictive. Certain steps described herein may be grouped together and performed in a single operation, may be divided into multiple sub-steps, and may be performed in an order different than that shown herein. The various steps shown in the flowcharts may be implemented in any way by any circuit structure and/or tangible mechanism (e.g., by software running on a computer device, hardware (e.g., logical functions implemented by a processor or chip), etc., and/or any combination thereof).
Based on the same technical concept, the embodiment of the invention also provides a system for automatically constructing the anomaly detection model, which is used for executing the method for automatically constructing the anomaly detection model provided by any embodiment. Fig. 1 is a schematic structural diagram of a system according to an embodiment of the present invention.
As shown in fig. 1, the system 100 includes: the server 10 and the device ends (21, 22, 23), in this embodiment, the device end 21 is taken as an example for description, and it can be understood that the operation logic of the device ends (23, 24) is the same as that of the device end 21.
The device side 21 is configured for: KPI time sequence data corresponding to the appointed KPI are collected in real time from the monitored network flow data and are continuously uploaded to a server;
the server 10 is configured for: performing waveform classification on the KPI time series data corresponding to the specified KPI to obtain a waveform classification result corresponding to the specified KPI, and sending the waveform classification result to the equipment terminal 21;
the device side 21 is configured to further: dynamically matching an abnormal detection algorithm corresponding to the appointed KPI from an algorithm library according to the waveform classification result corresponding to the appointed KPI, and updating an abnormal detection model according to the abnormal detection algorithm, wherein the abnormal detection model is used for performing abnormal detection on data corresponding to the appointed KPI at the equipment end 21
It should be noted that the apparatus in the embodiment of the present application may implement each process of the foregoing method embodiment, and achieve the same effect and function, which are not described herein again.
In one embodiment, the server 10 is configured to further: extracting historical KPI time sequence data corresponding to the appointed KPI in advance, and training based on the historical KPI time sequence data to obtain a time sequence classification model corresponding to the appointed KPI; and inputting the KPI time sequence data into a time sequence classification model to obtain a waveform classification result corresponding to the appointed KPI.
In one embodiment, the server 10 is configured to further: extracting stored full KPI time sequence data corresponding to the specified KPI, and arranging according to the acquisition time; and the server side extracts fluctuation trend characteristics of the time sequence data of the full KPI, and obtains a waveform classification result corresponding to the appointed KPI according to the fluctuation trend characteristics.
In one embodiment, the server 10 is configured to further: carrying out data preprocessing on the full KPI time sequence data; the data pre-processing includes any one or more of: and (5) filtering, denoising and missing value filling operation.
In one embodiment, the server 10 is configured to further: extracting sequence characteristics of the KPI time sequence data, wherein the sequence characteristics comprise sequence length and/or sequence extreme values, and judging whether the waveform type of the KPI time sequence data is one of a few-point type, a low-value type and a linear type according to the sequence characteristics; and/or performing correlation analysis on the KPI time sequence data, wherein the correlation analysis comprises fast Fourier transform and autocorrelation calculation, and judging whether the waveform category of the KPI time sequence data is periodic or not according to the correlation analysis result; and/or extracting a first statistical feature of the KPI time sequence, and judging whether the waveform type of the KPI time sequence data is one of a trend type, an oscillation type and a mutation type according to the first statistical feature, wherein the first statistical feature comprises one or more of a first-order difference value, a second-order difference value and a 3Sigma value of the KPI time sequence data.
In one embodiment, the waveform classification result includes: KPI identification, waveform category, cycle length and second statistical characteristics; wherein the second statistical characteristic comprises one or more of a maximum value, a minimum value, a mean value, and a variance of the KPI time series data; wherein, if the waveform type is non-periodic type, the period length is null value.
In one embodiment, the server 10 is configured to further: responding to a trigger instruction and/or periodically issuing a model updating instruction to an equipment end; the device side 21 is configured to further: responding to a model updating instruction issued by a server, dynamically matching a corresponding anomaly detection algorithm from an algorithm library according to a waveform classification result corresponding to the appointed KPI, and updating an anomaly detection model according to the anomaly detection algorithm.
In an embodiment, the device side 21 is configured to further: automatically matching a corresponding abnormal detection algorithm according to the waveform type of the KPI time sequence data; detecting a parameter according to a second statistical characteristic abnormality of the KPI time series data; updating and training the anomaly detection model according to an anomaly detection algorithm; and carrying out anomaly detection on the KPI time sequence data acquired by the equipment end in real time according to the anomaly detection model and the anomaly detection parameters.
In an embodiment, the device side 21 is configured to further: and performing model training by using historical KPI time sequence data in a set historical time period and an anomaly detection algorithm.
In an embodiment, the device side 21 is configured to further: and when the abnormal detection alarm result output by the abnormal detection model is in a false alarm condition, attaching a false alarm tag to the corresponding historical KPI time sequence data and feeding back the data to the abnormal detection model so as to adjust the model parameters.
In one embodiment, the algorithm library includes one or more of the following anomaly detection algorithms: decision tree arithmetic, KNN algorithm, N Sigma algorithm, CUSUM algorithm, STL decomposition algorithm, moving average algorithm, autocorrelation algorithm, exponential average algorithm, boxed graph algorithm, kurtosis algorithm, linear regression algorithm, isolated forest algorithm and dynamic threshold algorithm.
In one embodiment, the periodic fluctuation type has a corresponding relationship with an exponential averaging algorithm and/or a dynamic threshold algorithm; and/or the oscillation type fluctuation type has a corresponding relation with a box chart algorithm and/or an N Sigma algorithm; and/or the mutant fluctuation type has a corresponding relation with one or more of an autocorrelation algorithm, a decision tree algorithm, a KNN algorithm and a CUSUM algorithm; and/or the trend type fluctuation type has a corresponding relation with a linear regression algorithm and/or a dynamic threshold algorithm.
In one embodiment, the KPI comprises: TCP retransmission rate, TCP uplink bit rate, TCP download rate, TCP delay.
The embodiments in the present application are described in a progressive manner, and the same and similar parts among the embodiments can be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus, device, and computer-readable storage medium embodiments, the description is simplified because they are substantially similar to the method embodiments, and reference may be made to some descriptions of the method embodiments for their relevance.
The system and the method provided by the embodiment of the application are in one-to-one correspondence, so the system also has the similar beneficial technical effects as the corresponding method, and the beneficial technical effects of the method are explained in detail above, so the beneficial technical effects of the device, the equipment and the computer readable storage medium are not repeated herein.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement the information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. Moreover, while the operations of the method of the invention are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
While the spirit and principles of the invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, nor is the division of aspects, which is for convenience only as the features in such aspects may not be combined to benefit. The invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (14)

1. A method for automatically constructing an anomaly detection model is applied to a system consisting of a server side and a device side, and comprises the following steps:
the equipment terminal acquires KPI time sequence data corresponding to the appointed KPI in real time from the monitored network flow data and continuously uploads the KPI time sequence data to the server terminal;
the service end carries out waveform classification on the KPI time sequence data to obtain a waveform classification result corresponding to the appointed KPI and sends the waveform classification result to the equipment end;
and the equipment end dynamically matches an abnormality detection algorithm corresponding to the specified KPI from an algorithm library according to the waveform classification result corresponding to the specified KPI, and updates an abnormality detection model according to the abnormality detection algorithm, wherein the abnormality detection model is used for performing abnormality detection on data corresponding to the specified KPI at the equipment end.
2. The method of claim 1, wherein the server-side waveform classifies the KPI time series data, further comprising:
the server pre-extracts historical KPI time sequence data corresponding to the specified KPI, and trains to obtain a time sequence classification model corresponding to the specified KPI based on the historical KPI time sequence data; and the number of the first and second groups,
and the server inputs the KPI time sequence data into the time sequence classification model to obtain a waveform classification result corresponding to the appointed KPI.
3. The method of claim 1, wherein the server-side waveform classifies the KPI time series data, further comprising:
the server side extracts stored full KPI time sequence data corresponding to the specified KPI and arranges the data according to acquisition time;
and the server side extracts the fluctuation trend characteristics of the full-quantity KPI time sequence data and obtains a waveform classification result corresponding to the specified KPI according to the fluctuation trend characteristics.
4. The method according to claim 3, wherein after the server extracts the stored full-scale KPI time series data corresponding to the specified KPI, the method further comprises:
the server side carries out data preprocessing on the full KPI time sequence data;
the data pre-processing comprises any one or more of: and (5) filtering, denoising and missing value filling operation.
5. The method of claim 1, wherein waveform classifying the KPI time series data comprises:
extracting sequence features of the KPI time sequence data, wherein the sequence features comprise sequence length and/or sequence extreme values, and judging whether the waveform type of the KPI time sequence data is one of a few-point type, a low-value type and a linear type according to the sequence features; and/or the presence of a gas in the gas,
performing correlation analysis on the KPI time sequence data, wherein the correlation analysis comprises fast Fourier transform and autocorrelation calculation, and judging whether the waveform category of the KPI time sequence data is periodic or not according to the correlation analysis result; and/or the presence of a gas in the atmosphere,
extracting a first statistical feature of the KPI time sequence, and judging whether the waveform type of the KPI time sequence data is one of a trend type, an oscillation type and a mutation type according to the first statistical feature, wherein the first statistical feature comprises one or more of a first-order difference value, a second-order difference value and a 3Sigma value of the KPI time sequence data.
6. The method of claim 1, wherein the waveform classification result comprises: KPI identification, waveform category, cycle length and second statistical characteristics;
wherein the second statistical features comprise one or more of a maximum, a minimum, a mean, a variance of the KPI time series data; wherein, if the waveform type is non-periodic type, the period length is null value.
7. The method of claim 1, further comprising:
the server side responds to a trigger instruction and/or periodically issues a model updating instruction to the equipment side;
and the equipment end responds to the model updating instruction sent by the server end, dynamically matches a corresponding abnormity detection algorithm from an algorithm library according to the waveform classification result corresponding to the designated KPI, and updates an abnormity detection model according to the abnormity detection algorithm.
8. The method of claim 5, further comprising:
the equipment terminal automatically matches the corresponding abnormal detection algorithm according to the waveform type of the KPI time series data; detecting a parameter according to the second statistical feature anomaly of the KPI time series data; updating and training an anomaly detection model according to the anomaly detection algorithm; and carrying out abnormity detection on the KPI time sequence data acquired by the equipment end in real time according to the abnormity detection model and the abnormity detection parameters.
9. The method according to claim 1, wherein the device side performs update training on an anomaly detection model according to the anomaly detection algorithm, and the method comprises:
and the equipment end performs model training by using the historical KPI time sequence data in the set historical time period and the abnormal detection algorithm.
10. The method of claim 1, further comprising:
and when the abnormal detection alarm result output by the abnormal detection model is in a false alarm condition, attaching a false alarm tag to the corresponding historical KPI time sequence data and feeding back the data to the abnormal detection model so as to adjust the model parameters.
11. The method of claim 1, wherein the library of algorithms includes one or more of the following anomaly detection algorithms:
decision tree arithmetic, KNN algorithm, N Sigma algorithm, CUSUM algorithm, STL decomposition algorithm, moving average algorithm, autocorrelation algorithm, exponential average algorithm, boxed graph algorithm, kurtosis algorithm, linear regression algorithm, isolated forest algorithm and dynamic threshold algorithm.
12. The method of claim 1,
the periodic fluctuation type and the exponential averaging algorithm and/or the dynamic threshold algorithm have a corresponding relation; and/or the presence of a gas in the gas,
the oscillation type fluctuation type has a corresponding relation with the box type graph algorithm and/or the N Sigma algorithm; and/or the presence of a gas in the gas,
the mutant fluctuation type has a corresponding relationship with one or more of the autocorrelation algorithm, the decision tree algorithm, the KNN algorithm, and the CUSUM algorithm; and/or the presence of a gas in the gas,
the trend type fluctuation type has a corresponding relation with the linear regression algorithm and/or the dynamic threshold algorithm.
13. The method of claim 1, wherein the KPI comprises: TCP retransmission rate, TCP uplink bit rate, TCP download rate, TCP delay.
14. A system for automated construction of an anomaly detection model, configured for performing the method of claims 1-12, the system comprising a server-side and a device-side, wherein,
the device side is configured for: KPI time sequence data corresponding to the appointed KPI are collected in real time from the monitored network flow data and are continuously uploaded to the server;
the server is configured to: performing waveform classification on the KPI time sequence data to obtain a waveform classification result corresponding to the specified KPI, and sending the waveform classification result to the equipment end;
the device side is configured to further: and dynamically matching an abnormality detection algorithm corresponding to the specified KPI from an algorithm library according to the waveform classification result corresponding to the specified KPI, and updating an abnormality detection model according to the abnormality detection algorithm, wherein the abnormality detection model is used for performing abnormality detection on data corresponding to the specified KPI at the equipment end.
CN202210106978.0A 2022-01-28 2022-01-28 Method and system for automatically constructing anomaly detection model Pending CN114444602A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210106978.0A CN114444602A (en) 2022-01-28 2022-01-28 Method and system for automatically constructing anomaly detection model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210106978.0A CN114444602A (en) 2022-01-28 2022-01-28 Method and system for automatically constructing anomaly detection model

Publications (1)

Publication Number Publication Date
CN114444602A true CN114444602A (en) 2022-05-06

Family

ID=81371359

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210106978.0A Pending CN114444602A (en) 2022-01-28 2022-01-28 Method and system for automatically constructing anomaly detection model

Country Status (1)

Country Link
CN (1) CN114444602A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114722972A (en) * 2022-06-01 2022-07-08 新华三人工智能科技有限公司 Anomaly detection method and device

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114722972A (en) * 2022-06-01 2022-07-08 新华三人工智能科技有限公司 Anomaly detection method and device

Similar Documents

Publication Publication Date Title
EP3798846B1 (en) Operation and maintenance system and method
Abdallah et al. Fault diagnosis of wind turbine structures using decision tree learning algorithms with big data
US9626600B2 (en) Event analyzer and computer-readable storage medium
CN112529023A (en) Configured artificial intelligence scene application research and development method and system
CN112800116B (en) Method and device for detecting abnormity of service data
KR20160143512A (en) Advanced analytical infrastructure for machine learning
CN107003992B (en) Perceptual associative memory for neural language behavior recognition systems
US11609812B2 (en) Anomalous equipment trace detection and classification
Kim et al. RDR-based knowledge based system to the failure detection in industrial cyber physical systems
US11675643B2 (en) Method and device for determining a technical incident risk value in a computing infrastructure from performance indicator values
CN107111609A (en) Lexical analyzer for neural language performance identifying system
CN109213034B (en) Equipment health degree monitoring method and device, computer equipment and readable storage medium
Cózar et al. An application of dynamic Bayesian networks to condition monitoring and fault prediction in a sensored system: A case study
CN108306997B (en) Domain name resolution monitoring method and device
CN113988325A (en) Power system fault early warning method and device, terminal equipment and storage medium
Kefalas et al. Automated machine learning for remaining useful life estimation of aircraft engines
CN114444602A (en) Method and system for automatically constructing anomaly detection model
Huangfu et al. System failure detection using deep learning models integrating timestamps with nonuniform intervals
CN115380294A (en) Data processing for industrial machine learning
Samarakoon et al. System abnormality detection in stock market complex trading systems using machine learning techniques
CN117170915A (en) Data center equipment fault prediction method and device and computer equipment
Bond et al. A hybrid learning approach to prognostics and health management applied to military ground vehicles using time-series and maintenance event data
US11188064B1 (en) Process flow abnormality detection system and method
CN115858606A (en) Method, device and equipment for detecting abnormity of time series data and storage medium
CN115080286A (en) Method and device for discovering log exception of network equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination