CN114722972A - Anomaly detection method and device - Google Patents

Anomaly detection method and device Download PDF

Info

Publication number
CN114722972A
CN114722972A CN202210616909.4A CN202210616909A CN114722972A CN 114722972 A CN114722972 A CN 114722972A CN 202210616909 A CN202210616909 A CN 202210616909A CN 114722972 A CN114722972 A CN 114722972A
Authority
CN
China
Prior art keywords
historical data
data
anomaly detection
data sequence
sequence
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210616909.4A
Other languages
Chinese (zh)
Inventor
章晓晓
王明辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xinhuasan Artificial Intelligence Technology Co ltd
Original Assignee
Xinhuasan Artificial Intelligence Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xinhuasan Artificial Intelligence Technology Co ltd filed Critical Xinhuasan Artificial Intelligence Technology Co ltd
Priority to CN202210616909.4A priority Critical patent/CN114722972A/en
Publication of CN114722972A publication Critical patent/CN114722972A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/243Classification techniques relating to the number of classes
    • G06F18/2433Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/22Matching criteria, e.g. proximity measures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/24765Rule-based classification

Landscapes

  • Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The specification discloses a method and a device for anomaly detection, wherein the method for anomaly detection comprises the following steps: acquiring historical data of each target object; according to the sequence of the generation time of each historical data, a historical data sequence is constructed; determining a standard data sequence matched with the historical data sequence and a target anomaly detection algorithm corresponding to the standard data sequence in a pre-constructed detection library, and taking the target anomaly detection algorithm as an anomaly detection algorithm corresponding to the target object; and storing the corresponding relation between the target object and the target anomaly detection algorithm so as to detect the anomaly of the real-time data of the target object by using the target anomaly detection algorithm.

Description

Abnormity detection method and device
Technical Field
The present disclosure relates to the field of artificial intelligence, and in particular, to a method and an apparatus for anomaly detection.
Background
In recent years, with the development of Artificial Intelligence technology, intelligent operation and maintenance (AIOps) technology is gradually applied to various fields such as industry, communication, scientific research and the like, so as to perform intelligent anomaly detection on data generated by operation and maintenance objects such as systems or services through methods such as data mining or deep learning, and thus to discover possible anomalies in time.
However, the currently adopted anomaly detection method can only detect anomalies with obvious mutation in the detection data, the detection precision is often low for some non-obvious anomalies, and in practical production environments such as the industrial field, the acquired detection data usually has no fixed rule, which leads to the fact that the current method can not accurately judge the occurring anomalies and even misjudgments when facing the detection data without the periodic variation rule.
Therefore, how to improve the accuracy and precision of the anomaly detection is an urgent problem to be solved.
Disclosure of Invention
The present specification provides a method and an apparatus for anomaly detection, which partially solve the above problems in the prior art.
The technical scheme adopted by the specification is as follows:
the present specification provides a method of anomaly detection, comprising:
acquiring various historical data of a target object;
according to the sequence of the generation time of each historical data, a historical data sequence is constructed;
determining a standard data sequence matched with the historical data sequence and a target anomaly detection algorithm corresponding to the standard data sequence in a pre-constructed detection library, and taking the target anomaly detection algorithm as an anomaly detection algorithm corresponding to the target object;
and storing the corresponding relation between the target object and the target anomaly detection algorithm so as to detect the anomaly of the real-time data of the target object by using the target anomaly detection algorithm.
Optionally, the constructing a historical data sequence according to the sequence of the generation time of each historical data specifically includes:
sampling in each historical data according to a preset sampling frequency to obtain target data;
and constructing a historical data sequence according to the sequence of the generation time of each target data.
Optionally, the sampling in each historical data according to a preset sampling frequency specifically includes:
if the fact that data corresponding to the specified time needing to be sampled are not contained in the historical data is determined in the sampling process, predicting the data corresponding to the specified time according to the data corresponding to the time adjacent to the specified time in the time sequence in the historical data;
acquiring various historical data after completing the data;
and sampling each historical data after completing the data according to a preset sampling frequency.
Optionally, the sampling in each historical data according to a preset sampling frequency specifically includes:
and if the number of the historical data is determined to be larger than the preset number, reducing the preset sampling frequency, and sampling in each historical data according to the reduced sampling frequency.
Optionally, before obtaining the historical data of the target object, the method further includes:
acquiring each standard data sequence;
for each standard data sequence, carrying out anomaly detection on the standard data sequence through each determined candidate anomaly detection algorithm corresponding to the standard data sequence;
aiming at each candidate anomaly detection algorithm, acquiring first anomaly data detected from the standard data sequence by using the candidate anomaly detection algorithm and second anomaly data actually appearing in the standard data sequence;
taking the matching degree between the first abnormal data and the second abnormal data as the matching degree corresponding to the candidate abnormal detection algorithm;
determining a target anomaly detection algorithm matched with the standard data sequence according to the matching degree corresponding to each candidate anomaly detection algorithm;
and constructing a detection library according to a target anomaly detection algorithm matched with each standard data sequence.
Optionally, the acquiring each standard data sequence specifically includes:
acquiring each candidate historical data sequence;
and carrying out duplication elimination processing on each candidate historical data sequence to obtain each standard data sequence.
Optionally, after the obtaining of each standard data sequence, the method further includes:
determining the sequence type of the standard data sequence according to the distribution rule of the data in the standard data sequence;
and determining each candidate anomaly detection algorithm applicable to the standard data sequence according to the sequence type.
The present specification provides an apparatus for anomaly detection, comprising:
the acquisition module acquires historical data of a target object;
the construction module is used for constructing a historical data sequence according to the sequence of the generation time of each historical data;
the determining module is used for determining a standard data sequence matched with the historical data sequence and a target anomaly detection algorithm corresponding to the standard data sequence in a pre-constructed detection library, and taking the target anomaly detection algorithm as an anomaly detection algorithm corresponding to the target object;
and the detection module is used for storing the corresponding relation between the target object and the target abnormity detection algorithm so as to detect the abnormity of the real-time data of the target object by using the target abnormity detection algorithm.
The present specification provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the above-described method of anomaly detection.
The present specification provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the above-mentioned method of anomaly detection when executing the program.
The technical scheme adopted by the specification can achieve the following beneficial effects:
in the anomaly detection method provided by the present specification, historical data of a target object can be acquired, and a historical data sequence is constructed according to the historical data, so that a standard data sequence matched with the historical data sequence and a target anomaly detection algorithm corresponding to the standard data sequence are determined in a pre-constructed detection library, and further anomaly detection is performed on real-time data of the target object according to a stored correspondence between the target object and the target anomaly detection algorithm.
According to the method, the abnormal detection algorithm matched with the historical data sequence generated according to the historical data of the target object can be directly found in the detection library, and then the abnormal detection algorithm can be directly detected according to the abnormal detection algorithm.
Drawings
The accompanying drawings, which are included to provide a further understanding of the specification and are incorporated in and constitute a part of this specification, illustrate embodiments of the specification and together with the description serve to explain the specification and not to limit the specification in a non-limiting sense. In the drawings:
FIG. 1 is a schematic flow diagram of a method of anomaly detection provided herein;
FIG. 2 is a historical data sequence graph provided herein;
FIG. 3 is a historical data sequence graph provided herein;
FIG. 4 is a historical data sequence graph provided herein;
FIG. 5 is a historical data sequence graph provided herein;
FIG. 6 is a historical data sequence graph provided herein;
FIG. 7 is a historical data sequence graph provided herein;
FIG. 8 is a historical data sequence graph provided herein;
FIG. 9 is a schematic diagram of an anomaly detection apparatus provided herein;
fig. 10 is a schematic diagram of an electronic device corresponding to fig. 1 provided in the present specification.
Detailed Description
In order to make the objects, technical solutions and advantages of the present disclosure more clear, the technical solutions of the present disclosure will be clearly and completely described below with reference to the specific embodiments of the present disclosure and the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present disclosure, and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present specification without any creative effort belong to the protection scope of the present specification.
The technical solutions provided by the embodiments of the present description are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of a method for detecting an abnormality, which includes the following steps:
s101: and acquiring various historical data of the target object.
In the operation and maintenance process of operation and maintenance objects such as servers, network systems, websites, databases, etc., it is usually necessary to perform anomaly detection on the operation and maintenance objects, so as to find abnormal situations occurring in the actual operation process of the operation and maintenance objects, perform fault analysis on the operation and maintenance objects according to the abnormal situations, find possible faults occurring in the operation and maintenance objects, and further process the faults, so as to ensure the normal operation of the operation and maintenance objects.
In the process of anomaly detection, the operation and maintenance objects can be target objects for anomaly detection, and in general, the anomaly detection needs to be performed on the target objects according to data corresponding to the target objects (i.e., a series of data indexes generated by the target objects in the actual operation process, for example, when the target objects are network systems, the data corresponding to the target objects to be detected can be network delay, data throughput, bandwidth utilization, processor and memory occupancy, and the like).
In the actual operation process of the target object, data generated when the target object operates abnormally and data which is obviously different from other data can be regarded as abnormal data.
Based on this, in order to accurately detect abnormal data generated by the target object, thereby ensuring normal operation of the target object, the present specification provides an abnormal detection method. The history data of the target object needs to be acquired, and the target object may be a server, a network system, a website, a database, or the like, or may be other target objects, such as a thread, a processor, or the like, which is not limited in this specification.
Correspondingly, the historical data corresponding to the target object may be a data index capable of reflecting whether each function or module of the target object operates normally, where the data index may be network delay, data throughput, bandwidth utilization, processor occupancy, memory occupancy, and the like, and of course, the data may also be other types of data indexes, which is not limited in this specification.
In addition, since the target object may generate more data in the actual operation process, in the actual application, the server may not perform abnormality detection on all the historical data generated by the target object, and therefore, the server may collect the historical data generated by the target object within a preset time, where the preset time may be set according to the actual situation, and this is not specifically limited in this specification.
In the present specification, an execution subject of the method for implementing the anomaly detection may refer to a designated device such as a server installed on a service platform, and for convenience of description, the method for implementing the anomaly detection provided in the present specification will be described by taking the server as the execution subject.
S102: and constructing a historical data sequence according to the sequence of the generation time of each historical data.
After the historical data of the target object is acquired, the server may pre-process the historical data, so that a corresponding historical data sequence is constructed through the pre-processed historical data.
Specifically, the server may sample the historical data according to a preset sampling frequency, so as to collect, in the historical data, the historical data corresponding to each specified time that needs to be sampled, as the target data. For example, when the sampling frequency is 1 minute/time, it is stated that the above history data is sampled every 1 minute, and the history data is assumed to be sampled from 10: 00, the target data corresponding to the specified time needing sampling may be 10: 01. 10: 02. 10: 03 … …. The preset sampling frequency may be set according to actual conditions, and this specification is not particularly limited thereto.
In the process of actual operation of the target object, corresponding historical data may not be generated at a certain time due to some internal or external reasons of the target object (for example, the target object is restarted or closed at the certain time), and in the process of sampling the historical data, if the historical data is not generated at the specified time that needs to be sampled, it may be determined that the historical data does not include data corresponding to the specified time that needs to be sampled. Therefore, in order to ensure the integrity of the finally constructed historical data sequence, the server can perform complementation on the historical data.
Specifically, the server may predict data corresponding to the specified time in the historical data according to data corresponding to a time adjacent to the specified time in the time series in the historical data, thereby obtaining each historical data after completing the data, and then sample each historical data after completing the data according to a preset sampling frequency.
For example, the server may sample the history data corresponding to the last designated time of the designated time as the history data corresponding to the designated time. Also taking the above specified time as an example, if at 10: 03 no corresponding target data is acquired, the target object may be updated at 10: 02 as 10: 03, and if the target object is at 10: 02, no corresponding history data has been generated, 10: 01, as 10: 03 and 10: 02 corresponding to historical data.
The server may also determine data corresponding to a specified time in the history data based on data corresponding to times adjacent to the specified time, for example, an average of the history data corresponding to the adjacent specified time (i.e., an average of the history data corresponding to the last specified time and the next specified time) as the history data corresponding to the specified time.
Of course, the historical data may be supplemented by other methods, and this specification is not limited to this.
And then the server can construct a historical data sequence with time stamps through the target data at each specified time.
Furthermore, the server can construct a data curve graph corresponding to the historical data sequence according to the historical data sequence, so that the distribution rule and the change trend of each target data can be accurately determined, and the abnormal data can be accurately detected.
In the actual operation process of the target object, some types of historical data (such as network delay) are generated at a relatively high frequency, the amount of the historical data generated at such a frequency is very large, and if sampling is performed according to the preset sampling frequency, the data density of the generated historical data sequence is also relatively large, so that the historical data sequence construction process and the anomaly detection process consume a lot of time and occupy relatively large system resources.
Therefore, the server may determine whether the number of the historical data is greater than the preset number, and if the number of the historical data is greater than the preset number, the preset sampling frequency may be reduced, and the reduced sampling frequency may be obtained, for example, if the previous preset sampling frequency is 1 minute/time, the preset sampling frequency may be adjusted to 5 minutes/time, so that the collected historical data may be reduced on the premise of ensuring the overall distribution trend and distribution rule of the data in the historical data sequence, and the anomaly detection efficiency may be improved. The preset number may be set according to actual conditions, and this specification is not particularly limited thereto.
The server may then collect corresponding target data from the historical data based on the reduced sampling frequency.
In this specification, the server may first complete the historical data, and then determine whether the number of the historical data is greater than the preset number, so as to reduce the preset sampling frequency, thereby performing sampling according to the reduced sampling frequency.
Of course, the server may also determine whether the number of the historical data is greater than the preset number, decrease the preset sampling frequency after determining that the number of the historical data is greater than the preset number, and then determine whether there is corresponding historical data at each designated time under the decreased sampling frequency, so as to complete the corresponding historical data at the designated time under the adjusted sampling frequency.
In addition, when the server determines that the number of the historical data is smaller than the preset number, the data density in the generated historical data sequence is low, so that the overall distribution trend of the data in the historical data sequence and the accuracy of the distribution rule cannot be guaranteed, and therefore the server can improve the preset sampling frequency at the moment to acquire more target data.
S103: and determining a standard data sequence matched with the historical data sequence and a target anomaly detection algorithm corresponding to the standard data sequence in a pre-constructed detection library, and taking the target anomaly detection algorithm as an anomaly detection algorithm corresponding to the target object.
After the server constructs the historical data sequence, a standard data sequence matched with the historical data sequence and a target anomaly detection algorithm corresponding to the standard data sequence can be determined in a pre-constructed detection library.
Specifically, the server may determine, in a detection library that already includes correspondence relationships between different standard data sequences and respective target anomaly detection algorithms, a standard data sequence that matches the historical data sequence, and further determine a target anomaly detection algorithm that corresponds to the standard data sequence, as the target anomaly detection algorithm that corresponds to the historical data sequence.
For example, the server may determine a similarity between each standard data sequence and each historical data sequence by calculating a Dynamic Time Warping (DTW) value between the historical data sequence and each standard data sequence, where the larger the DTW value, the smaller the similarity, and the smaller the DTW value, the greater the similarity, so as to select the standard data sequence with the greatest similarity to the historical data sequence as the standard data sequence matching the historical data sequence.
In addition, the detection library may also contain a corresponding relationship between different standard data sequence graphs and target anomaly detection algorithms corresponding to different standard data sequences, so that the server may match a standard data sequence graph with the highest similarity to the historical data sequence graph through the detection library, and further determine a target anomaly detection algorithm of a standard data sequence corresponding to the standard data sequence graph as a target anomaly detection algorithm corresponding to the historical data sequence.
Before the server uses the detection library, the detection library needs to be constructed in advance, and in the process of constructing the detection library, the server may first obtain candidate historical data sequences, which may be historical data sequences of different types of historical data corresponding to different actually acquired target objects, wherein corresponding abnormal data have been determined in the historical data sequences, and the abnormal data are labeled.
After the candidate historical data sequences are acquired, the server can screen the candidate historical data sequences, and for each candidate historical data sequence, if the server determines that the similarity between the candidate historical data sequence and any other candidate historical data sequence is greater than a preset similarity, the candidate historical data sequence can be deleted, so that only non-repeated or non-similar candidate historical data sequences are reserved, and the non-deleted candidate historical data sequences are used as standard data sequences to finish the deduplication processing of each candidate historical data sequence.
And then the server can determine each candidate anomaly detection algorithm corresponding to the standard data sequence, wherein the server can determine the sequence type of the standard data sequence (such as the sequence type with a periodic variation rule, the sequence type without a periodic variation rule and the like) according to the distribution rule or the variation trend of the data in the standard data sequence, and use each anomaly detection algorithm corresponding to the sequence type as each candidate anomaly detection algorithm corresponding to the standard data sequence.
The above Anomaly detection algorithms may be various, such as a classification algorithm (K-Nearest Neighbor-CAD, KNN-CAD), a context Anomaly Detector (context Anomaly Detector) Anomaly detection algorithm, a Skyline Anomaly detection algorithm, a Relative Entropy (Relative Entropy) Anomaly detection algorithm, an Expected similarity estimation (Expected similarity estimation) Anomaly detection algorithm, a window Gaussian distribution (windowweighted Gaussian) Anomaly detection algorithm, a Bayesian variable point detection (Bayesian Changed point) Anomaly detection algorithm, and the like, where the detection accuracy of different historical data sequences may be different, and the historical data sequence graphs shown in fig. 2 to 8 are taken as examples, and different types of historical data sequences and corresponding Anomaly detection algorithms are exemplified below. The positions encircled by circles in fig. 2 to fig. 8 are abnormal data appearing in the history data sequence.
Fig. 2 is a graph of a historical data sequence provided by the present specification.
As can be seen from the historical data sequence graph shown in fig. 2, the data distribution manner in the historical data sequence of this type follows normal distribution, and the abnormal data is represented as more obvious sharp points (i.e., data corresponding to the circled curve) in the graph, and the abnormal data at these sharp points is abnormal data with a low occurrence probability.
The Skyline anomaly detection algorithm can exactly perform global analysis on a historical data sequence, so as to find out historical data with the smallest occurrence probability, and generally, the Skyline anomaly detection algorithm also comprises other multiple mutation anomaly detection algorithms, and votes for each detected data through the mutation anomaly detection algorithms, so as to determine whether the data is anomalous data (for example, when the number of the mutation anomaly detection algorithms for detecting that the data is anomalous data is higher than that of the mutation anomaly detection algorithms for detecting that the data is normal data, the data is anomalous data). Therefore, for the historical data sequence of the type, the Skyline anomaly detection algorithm has higher anomaly detection precision.
Fig. 3 is a graph of a historical data sequence provided by the present specification.
As can be seen from the historical data sequence graph shown in fig. 3, the historical data sequence graph of this type has a relatively obvious variation trend, and the fluctuation of the local amplitude of the graph is relatively obvious, and the data has no periodic variation law, and the abnormal data appearing in the historical data sequence of this type is usually the global maximum and minimum values. And the Skyline anomaly detection algorithm also has higher detection precision for anomaly data appearing in the historical data sequence of the type.
Fig. 4 is a graph of a historical data sequence provided by the present specification.
As can be seen from the historical data sequence graph shown in fig. 4, the historical data sequence of this type has a repetitive periodicity law, and abnormal data appears in a certain local period, and the abnormal data may be a maximum value or a minimum value in the period, and may also be a value in the middle of the maximum value or the minimum value.
In the process of anomaly detection, a relative entry anomaly detection algorithm divides historical data sequence segments corresponding to all fixed time sequence segments, so that different historical data sequence segments are compared, and anomaly data appearing in a local certain period are determined according to the difference between the amplitudes of different historical data sequence segments. Therefore, the relative entry exception detection algorithm has higher detection precision for the exception data appearing in the type history data sequence.
Fig. 5 is a graph of a historical data sequence provided by the present specification.
As can be seen from the historical data sequence graph shown in fig. 5, although the historical data sequence of this type has no repeated periodicity regularity, the abnormal data also appears in a local certain period (i.e., the abnormal data is a maximum value or a minimum value in a certain period, or a value in the middle of the maximum value or the minimum value). Therefore, the relative entry exception detection algorithm has higher detection precision for the exception data appearing in the type historical data sequence.
Fig. 6 is a graph of a historical data sequence provided by the present specification.
As can be seen from the historical data sequence graph shown in fig. 6, the historical data sequence of this type also has a certain periodicity law, but unlike the historical data sequence shown in fig. 4, the abnormal data in the historical data sequence is mainly represented as abnormal bulges appearing in the graph, and for the curve segment corresponding to each period, the distance between the curves in the curve segment corresponding to the abnormal data is obviously different from the distance between the curves in the curve segment corresponding to the normal historical data.
When the KNN CAD abnormity detection algorithm is used for carrying out abnormity detection, the historical data sequence segments in all the fixed time sequence segments are selected, so that different historical data sequence segments are compared, and the abnormal data appearing in a certain local period is determined according to the difference of the distances among different historical data sequence segments, therefore, the KNN CAD abnormity detection algorithm has higher detection precision on the type of the historical data sequence.
Fig. 7 is a graph of a historical data sequence provided by the present specification.
As can be seen from the historical data sequence graph shown in fig. 7, the historical data sequences of the type have a certain periodic regularity similar to that of fig. 6, but the difference is that the abnormal data appearing in the historical data sequences of the type mainly appears as local amplitude values (i.e., local extrema appearing in one or more cycles) in the historical data sequence graph.
In the process of anomaly detection, the window gaussian anomaly detection algorithm can just detect the local amplitude in the historical data sequence with the repeated periodic row rule, so that the window gaussian anomaly detection algorithm has higher detection precision for the historical data sequence of the type.
Fig. 8 is a graph of a historical data sequence provided by the present specification.
As can be seen from the historical data sequence graph shown in fig. 8, the historical data sequence appearing in the historical data sequence of the type is represented as an overall shift in the graph, and the bag change point anomaly detection algorithm has higher detection accuracy for the historical data sequence of the type.
The above description is only for a few representative anomaly detection algorithms, and of course, other types of anomaly detection algorithms may be included, and this description is not given here.
Then, the server may perform anomaly detection on each standard data sequence through the various candidate anomaly detection algorithms, so as to determine first anomaly data detected by each candidate anomaly detection algorithm and second anomaly data actually appearing in the standard data sequence, and use the matching degree between the first anomaly data and the second anomaly data as the matching degree corresponding to each candidate anomaly detection algorithm.
For example, the matching degree may be a quantity deviation between the quantity of the first abnormal data detected by each candidate abnormality detection algorithm and the quantity of the second abnormal data actually appearing in the standard data sequence, and the smaller the quantity deviation, the larger the matching degree is, and the larger the quantity deviation is, the smaller the matching degree is.
For another example, the matching degree may be a data deviation between each first abnormal data detected by each candidate abnormality detection algorithm and each second abnormal data actually appearing in the standard data sequence (if the first abnormal data and the second abnormal data are different data, a deviation between the different data is a data deviation), and the smaller the data deviation is, the greater the matching degree is, the greater the data deviation is, and the smaller the matching degree is.
The server may determine a target anomaly detection algorithm corresponding to the standard data sequence according to the matching degree, for example, the server may use a candidate anomaly detection algorithm with the highest matching degree with the standard data sequence as the target anomaly detection algorithm corresponding to the standard data sequence.
And then the server stores the corresponding relation between each standard data sequence and each target anomaly detection algorithm, so that a detection library comprising each standard sequence and the target anomaly detection algorithm corresponding to each standard sequence is constructed according to the corresponding relation.
S104: and storing the corresponding relation between the target object and the target anomaly detection algorithm so as to detect the anomaly of the real-time data of the target object by using the target anomaly detection algorithm.
After the target anomaly detection algorithm corresponding to the historical data sequence is determined, the server can perform anomaly detection on the target object through the target anomaly detection algorithm, so that fault analysis is performed according to the detected anomaly data, and the analyzed fault is processed to ensure normal operation of the target object.
In this specification, the server may obtain real-time data of the target object, so as to perform anomaly detection on the real-time data according to a target anomaly detection algorithm corresponding to the target object, which is previously stored in advance, and thus determine whether the real-time data is anomalous data.
Of course, the server may perform anomaly detection on the historical data of the target object according to a historical data sequence constructed from the historical data of the target object, so as to determine the abnormal data occurring in the historical operation process, and further find out the corresponding fault.
According to the method, the abnormal detection algorithm matched with the historical data sequence generated according to the historical data of the target object can be directly found in the detection library and then can be directly detected according to the abnormal detection algorithm.
Based on the same idea, the present specification also provides a device for detecting an abnormality, as shown in fig. 9.
Fig. 9 is a schematic diagram of an anomaly detection apparatus provided in the present specification, including:
an obtaining module 901, which obtains each history data of the target object;
the constructing module 902 constructs a historical data sequence according to the sequence of the generation time of each historical data;
a determining module 903, configured to determine, in a pre-constructed detection library, a standard data sequence matched with the historical data sequence and a target anomaly detection algorithm corresponding to the standard data sequence, and use the target anomaly detection algorithm as an anomaly detection algorithm corresponding to the target object;
the detection module 904 stores the corresponding relationship between the target object and the target anomaly detection algorithm, so as to perform anomaly detection on the real-time data of the target object by using the target anomaly detection algorithm.
Optionally, the constructing module 902 is specifically configured to, according to a preset sampling frequency, sample in each historical data to obtain target data; and constructing a historical data sequence according to the sequence of the generation time of each target data.
Optionally, the constructing module 902 is specifically configured to, if it is determined that each piece of historical data does not include data corresponding to a specified time that needs to be sampled in the sampling process, predict data corresponding to the specified time according to data corresponding to a time that is adjacent to the specified time in time sequence in each piece of historical data; acquiring various historical data after completing the data; and sampling each historical data after the completion of the data according to a preset sampling frequency.
Optionally, the constructing module 902 is specifically configured to, if it is determined that the number of the historical data is greater than a preset number, reduce the preset sampling frequency, and perform sampling in each historical data according to the reduced sampling frequency.
Optionally, before acquiring each historical data of the target object, the acquiring module 901 is further configured to acquire each standard data sequence; for each standard data sequence, carrying out anomaly detection on the standard data sequence through each determined candidate anomaly detection algorithm corresponding to the standard data sequence; aiming at each candidate anomaly detection algorithm, acquiring first anomaly data detected from the standard data sequence by using the candidate anomaly detection algorithm and second anomaly data actually appearing in the standard data sequence, and taking the matching degree between the first anomaly data and the second anomaly data as the matching degree corresponding to the candidate anomaly detection algorithm; determining a target anomaly detection algorithm matched with the standard data sequence according to the matching degree corresponding to each candidate anomaly detection algorithm; and constructing a detection library according to a target anomaly detection algorithm matched with each standard data sequence.
Optionally, the obtaining module 901 is specifically configured to obtain each candidate historical data sequence; and carrying out duplication elimination processing on each candidate historical data sequence to obtain each standard data sequence.
Optionally, after obtaining each standard data sequence, the obtaining module 901 is specifically configured to determine a sequence type of the standard data sequence according to a distribution rule of data in the standard data sequence; and determining each candidate anomaly detection algorithm applicable to the standard data sequence according to the sequence type.
The present specification also provides a computer readable storage medium storing a computer program operable to perform a method of anomaly detection as provided in fig. 1 above.
This specification also provides a schematic block diagram of an electronic device corresponding to that of figure 1, shown in figure 10. As shown in fig. 10, at the hardware level, the electronic device includes a processor, an internal bus, a network interface, a memory, and a non-volatile memory, but may also include hardware required for other services. The processor reads a corresponding computer program from the non-volatile memory into the memory and then runs the computer program to implement the method for detecting an abnormality described in fig. 1. Of course, besides the software implementation, the present specification does not exclude other implementations, such as logic devices or a combination of software and hardware, and the like, that is, the execution subject of the following processing flow is not limited to each logic unit, and may be hardware or logic devices.
In the 90 s of the 20 th century, improvements in a technology could clearly distinguish between improvements in hardware (e.g., improvements in circuit structures such as diodes, transistors, switches, etc.) and improvements in software (improvements in process flow). However, as technology advances, many of today's process flow improvements have been seen as direct improvements in hardware circuit architecture. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into the hardware circuit. Thus, it cannot be said that an improvement in the process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose Logic functions are determined by programming the Device by a user. A digital system is "integrated" on a PLD by the designer's own programming without requiring the chip manufacturer to design and fabricate application-specific integrated circuit chips. Furthermore, nowadays, instead of manually making an Integrated Circuit chip, such Programming is often implemented by "logic compiler" software, which is similar to a software compiler used in program development and writing, but the original code before compiling is also written by a specific Programming Language, which is called Hardware Description Language (HDL), and HDL is not only one but many, such as abel (advanced Boolean Expression Language), ahdl (alternate Hardware Description Language), traffic, pl (core universal Programming Language), HDCal (jhdware Description Language), lang, Lola, HDL, laspam, hardward Description Language (vhr Description Language), vhal (Hardware Description Language), and vhigh-Language, which are currently used in most common. It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner, for example, the controller may take the form of, for example, a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, and an embedded microcontroller, examples of which include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicone Labs C8051F320, the memory controller may also be implemented as part of the control logic for the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer readable program code, the same functionality can be implemented by logically programming method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered as a structure within the hardware component. Or even means for performing the functions may be regarded as being both a software module for performing the method and a structure within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functions of the various elements may be implemented in the same one or more software and/or hardware implementations of the present description.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, the description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The description has been presented with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, the description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
This description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present specification, and is not intended to limit the present specification. Various modifications and alterations to this description will become apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present specification should be included in the scope of the claims of the present specification.

Claims (10)

1. A method of anomaly detection, comprising:
acquiring various historical data of a target object;
according to the sequence of the generation time of each historical data, a historical data sequence is constructed;
determining a standard data sequence matched with the historical data sequence and a target anomaly detection algorithm corresponding to the standard data sequence in a pre-constructed detection library, and taking the target anomaly detection algorithm as an anomaly detection algorithm corresponding to the target object;
and storing the corresponding relation between the target object and the target anomaly detection algorithm so as to detect the anomaly of the real-time data of the target object by using the target anomaly detection algorithm.
2. The method according to claim 1, wherein the constructing of the historical data sequence according to the sequence of the generation time of each historical data specifically comprises:
sampling in each historical data according to a preset sampling frequency to obtain target data;
and constructing a historical data sequence according to the sequence of the generation time of each target data.
3. The method according to claim 2, wherein sampling in the historical data according to a preset sampling frequency specifically comprises:
if the fact that data corresponding to the specified time needing to be sampled are not contained in the historical data is determined in the sampling process, predicting the data corresponding to the specified time according to the data corresponding to the time adjacent to the specified time in the time sequence in the historical data;
acquiring various historical data after completing the data;
and sampling each historical data after the completion of the data according to a preset sampling frequency.
4. The method according to claim 2, wherein sampling in the historical data according to a preset sampling frequency specifically comprises:
and if the number of the historical data is larger than the preset number, reducing the preset sampling frequency, and sampling in each historical data according to the reduced sampling frequency.
5. The method of claim 1, wherein prior to obtaining the historical data for the target object, the method further comprises:
acquiring each standard data sequence;
for each standard data sequence, carrying out anomaly detection on the standard data sequence through each determined candidate anomaly detection algorithm corresponding to the standard data sequence;
aiming at each candidate anomaly detection algorithm, acquiring first anomaly data detected from the standard data sequence by using the candidate anomaly detection algorithm and second anomaly data actually appearing in the standard data sequence;
taking the matching degree between the first abnormal data and the second abnormal data as the matching degree corresponding to the candidate abnormal detection algorithm;
determining a target anomaly detection algorithm matched with the standard data sequence according to the matching degree corresponding to each candidate anomaly detection algorithm;
and constructing a detection library according to a target anomaly detection algorithm matched with each standard data sequence.
6. The method of claim 5, wherein the obtaining each standard data sequence specifically comprises:
acquiring each candidate historical data sequence;
and carrying out duplication elimination processing on each candidate historical data sequence to obtain each standard data sequence.
7. The method of claim 5, wherein after the obtaining each standard data sequence, the method further comprises:
determining the sequence type of a standard data sequence according to the distribution rule of data in the standard data sequence;
and determining each candidate anomaly detection algorithm suitable for the standard data sequence according to the sequence type.
8. An apparatus for anomaly detection, comprising:
the acquisition module acquires historical data of a target object;
the construction module is used for constructing a historical data sequence according to the sequence of the generation time of each historical data;
the determining module is used for determining a standard data sequence matched with the historical data sequence and a target anomaly detection algorithm corresponding to the standard data sequence in a pre-constructed detection library, and taking the target anomaly detection algorithm as an anomaly detection algorithm corresponding to the target object;
and the detection module is used for storing the corresponding relation between the target object and the target abnormity detection algorithm so as to detect the abnormity of the real-time data of the target object by using the target abnormity detection algorithm.
9. A computer-readable storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the method of any of claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any of claims 1 to 7 when executing the program.
CN202210616909.4A 2022-06-01 2022-06-01 Anomaly detection method and device Pending CN114722972A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210616909.4A CN114722972A (en) 2022-06-01 2022-06-01 Anomaly detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210616909.4A CN114722972A (en) 2022-06-01 2022-06-01 Anomaly detection method and device

Publications (1)

Publication Number Publication Date
CN114722972A true CN114722972A (en) 2022-07-08

Family

ID=82233063

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210616909.4A Pending CN114722972A (en) 2022-06-01 2022-06-01 Anomaly detection method and device

Country Status (1)

Country Link
CN (1) CN114722972A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117312635A (en) * 2023-11-30 2023-12-29 江西日月明测控科技股份有限公司 On-line detection data analysis processing method, system, electronic equipment and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107528722A (en) * 2017-07-06 2017-12-29 阿里巴巴集团控股有限公司 Abnormal point detecting method and device in a kind of time series
CN111522860A (en) * 2020-04-08 2020-08-11 蚌埠学院 Water quality early warning analysis method and system based on biological behaviors
CN111859384A (en) * 2020-07-23 2020-10-30 平安证券股份有限公司 Abnormal event monitoring method and device, computer equipment and storage medium
CN112286924A (en) * 2020-11-20 2021-01-29 中国水利水电科学研究院 Data cleaning technology for dynamic identification of data abnormality and multi-mode self-matching
CN112288021A (en) * 2020-11-02 2021-01-29 广东柯内特环境科技有限公司 Medical wastewater monitoring data quality control method, device and system
CN112818066A (en) * 2019-11-15 2021-05-18 深信服科技股份有限公司 Time sequence data anomaly detection method and device, electronic equipment and storage medium
CN112822291A (en) * 2021-02-07 2021-05-18 国网福建省电力有限公司电力科学研究院 Monitoring method and device for industrial control equipment
CN113888599A (en) * 2021-10-19 2022-01-04 中国科学院软件研究所 Target detection system operation monitoring method based on label statistics and result post-processing
CN113902334A (en) * 2021-10-28 2022-01-07 上海众源网络有限公司 Event abnormal fluctuation detection method and system, electronic equipment and storage medium
CN114444602A (en) * 2022-01-28 2022-05-06 中国银联股份有限公司 Method and system for automatically constructing anomaly detection model

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107528722A (en) * 2017-07-06 2017-12-29 阿里巴巴集团控股有限公司 Abnormal point detecting method and device in a kind of time series
CN112818066A (en) * 2019-11-15 2021-05-18 深信服科技股份有限公司 Time sequence data anomaly detection method and device, electronic equipment and storage medium
CN111522860A (en) * 2020-04-08 2020-08-11 蚌埠学院 Water quality early warning analysis method and system based on biological behaviors
CN111859384A (en) * 2020-07-23 2020-10-30 平安证券股份有限公司 Abnormal event monitoring method and device, computer equipment and storage medium
CN112288021A (en) * 2020-11-02 2021-01-29 广东柯内特环境科技有限公司 Medical wastewater monitoring data quality control method, device and system
CN112286924A (en) * 2020-11-20 2021-01-29 中国水利水电科学研究院 Data cleaning technology for dynamic identification of data abnormality and multi-mode self-matching
CN112822291A (en) * 2021-02-07 2021-05-18 国网福建省电力有限公司电力科学研究院 Monitoring method and device for industrial control equipment
CN113888599A (en) * 2021-10-19 2022-01-04 中国科学院软件研究所 Target detection system operation monitoring method based on label statistics and result post-processing
CN113902334A (en) * 2021-10-28 2022-01-07 上海众源网络有限公司 Event abnormal fluctuation detection method and system, electronic equipment and storage medium
CN114444602A (en) * 2022-01-28 2022-05-06 中国银联股份有限公司 Method and system for automatically constructing anomaly detection model

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
朱光亚 等: "《中国科学技术文库(天文学、地球科学)》", 31 January 1998 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117312635A (en) * 2023-11-30 2023-12-29 江西日月明测控科技股份有限公司 On-line detection data analysis processing method, system, electronic equipment and storage medium
CN117312635B (en) * 2023-11-30 2024-02-02 江西日月明测控科技股份有限公司 On-line detection data analysis processing method, system, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN110245047B (en) Time sequence abnormality detection method, device and equipment
CN107526667B (en) Index abnormality detection method and device and electronic equipment
CN110635962B (en) Abnormity analysis method and device for distributed system
CN110826894A (en) Hyper-parameter determination method and device and electronic equipment
CN111753328B (en) Private data leakage risk detection method and system
CN112965882B (en) Data fault analysis method and device
CN116663618B (en) Operator optimization method and device, storage medium and electronic equipment
CN114722972A (en) Anomaly detection method and device
CN107368281B (en) Data processing method and device
CN111538756B (en) Fusion method and device of access paths
CN116822606A (en) Training method, device, equipment and storage medium of anomaly detection model
CN117540825A (en) Method and device for constructing pre-training model based on reinforcement learning and electronic equipment
CN115567371B (en) Abnormity detection method, device, equipment and readable storage medium
CN111242195B (en) Model, insurance wind control model training method and device and electronic equipment
CN109903165B (en) Model merging method and device
CN109325127B (en) Risk identification method and device
CN107645541B (en) Data storage method and device and server
CN111666316A (en) Isolation distribution core construction method, abnormal data detection method and device
CN110516814A (en) A kind of business model parameter value determines method, apparatus, equipment and medium
CN110674184B (en) Method, system and equipment for constructing abnormal detection model library
CN117407690B (en) Task execution method, device and equipment based on model migration evaluation
CN111275095B (en) Object type identification method and device
CN112215471B (en) Index transaction detection method and device
CN114943307B (en) Model training method and device, storage medium and electronic equipment
CN110674495B (en) Detection method, device and equipment for group border crossing access

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220708

RJ01 Rejection of invention patent application after publication