CN115700553A - Anomaly detection method and related device - Google Patents
Anomaly detection method and related device Download PDFInfo
- Publication number
- CN115700553A CN115700553A CN202110834259.6A CN202110834259A CN115700553A CN 115700553 A CN115700553 A CN 115700553A CN 202110834259 A CN202110834259 A CN 202110834259A CN 115700553 A CN115700553 A CN 115700553A
- Authority
- CN
- China
- Prior art keywords
- time
- sequences
- clustering
- time period
- state
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The embodiment of the application provides an anomaly detection method and a related device, wherein the method comprises the following steps: acquiring a plurality of time sequences of first equipment in a first time period and a plurality of time sequences of second time periods, wherein the time sequences are used for reflecting the change relation of the running data of the first equipment along with time; clustering is carried out on the basis of the plurality of time sequences of the first time period to obtain a first clustering result; clustering is carried out on the basis of the plurality of time sequences of the second time period to obtain a second clustering result; and determining a first state of the first device according to the difference between the first clustering result and the second clustering result, wherein the first state is used for representing whether the correlation type abnormity exists in the time series of the first device. By adopting the embodiment of the application, the association type abnormity of the time series can be reflected more obviously.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to an anomaly detection method and a related apparatus.
Background
In a modern communication network, a large number of devices such as routers and switches are interconnected, and in order to comprehensively monitor the devices and discover device faults in real time, each device collects Key Performance Indicators (KPI) as many as ten thousands of dimensions, such as CPU occupancy, network packet receiving count, network packet sending count, memory occupancy, ethernet occupancy, and the like, as shown in fig. 1.
The indexes are collected at a certain frequency to form high-dimensional time series data, and due to the influence of factors inside and outside the equipment, such as equipment failure, sudden service change, configuration errors and the like, the equipment is abnormal or even down, as shown in fig. 2, the router R6 is down, and the down can cause changes of monitoring indexes in operation, such as reduction of network traffic and the like. The equipment faults of the communication network, particularly the backbone network, bring huge economic losses to enterprises and society, so timely and accurate detection of the faults has important significance for ensuring the reliability of communication services. The time series abnormity detection algorithm with high efficiency, strong robustness and high detection accuracy can greatly reduce the loss caused by system faults. According to the summary of the related documents and the observation of the actual system, the anomalies in the communication network are mainly divided into two types, one is a multi-dimensional index association type anomaly, such as part (b) in fig. 3, and the other is a single-index anomaly, such as part (a) in fig. 3. The anomaly detection is generally performed by a time series anomaly detection algorithm, such as a long and short term memory network-variation self-encoder (LSTM-VAE) based on a neural network, a long and short term memory network-non-parametric dynamic threshold (LSMT-NDT), and an anomaly analysis method based on a time series, such as a differential Autoregressive Moving Average model (ARIMA).
As shown in fig. 4, the multivariate time series anomaly detection technology based on Long Short-Term Memory network (LSTM) prediction uses wavelet transformation to preprocess data, predicts newly input data after training to obtain the LSTM network, and determines whether an anomaly occurs by analyzing whether an error between a prediction result and a real result is greater than a specified threshold. However, this method needs to collect a large amount of abnormal data for training, and it is difficult to obtain a large amount of continuous data containing no noise and abnormal data in practical applications, and even if the LSTM network is obtained by training, because the training process of the LSTM network has a lot of interpretability, it cannot be determined whether the abnormal predicted based on the LSTM is really the abnormal occurring in the correlation of the time series, that is, whether the correlated abnormal occurs really.
As shown in fig. 5, the method is an unsupervised time series abnormality detection technology based on statistics and machine learning, and the technology uses a KS-test (Kolmogorov-Smirnov test) and a Z-test (Z-test) to detect the abnormality occurring in a single-index time series. This technique cannot detect whether or not an abnormality occurs in the correlation of the time series, that is, whether or not a correlation-type abnormality occurs.
Overall, the current anomaly detection algorithm cannot better reflect the associated anomalies at all.
Disclosure of Invention
The embodiment of the application discloses an anomaly detection method and a related device, which can more obviously reflect the time-series associated anomaly.
In a first aspect, an embodiment of the present application provides an anomaly detection method, including: acquiring a plurality of time sequences of first equipment in a first time period and a plurality of time sequences of second time periods, wherein the time sequences are used for reflecting the change relation of the running data of the first equipment along with time; clustering is carried out on the basis of the plurality of time sequences of the first time period to obtain a first clustering result; clustering is carried out on the basis of the plurality of time sequences of the second time period to obtain a second clustering result; and determining a first state of the first device according to the difference between the first clustering result and the second clustering result, wherein the first state is used for representing whether the time series of the first device has correlation type abnormity.
It should be noted that, after analyzing a large amount of test data, the inventor of the present application finds that a clustering result obtained after clustering two batches of time sequences with a large difference also has a large difference, that is, the difference between the two batches of time sequences and the difference after clustering have a strong correlation relationship, so that, by comparing a first clustering result with a second clustering result, it is possible to reflect whether there is a large difference between a plurality of time sequences of a first time period and a plurality of time sequences of a second time period, thereby accurately determining whether there is an association type abnormality in the time sequence of a first device.
With reference to the first aspect, in a possible implementation of the first aspect:
the clustering process is performed on the plurality of time sequences based on the first time period to obtain a first clustering result, and the clustering process includes: and smoothing the plurality of time sequences of the first time period by using a self-adaptive index averaging algorithm based on kurtosis change to obtain a plurality of first noise reduction sequences, and clustering the plurality of first noise reduction sequences to obtain a first clustering result. The clustering process is performed on the plurality of time sequences based on the second time period to obtain a second clustering result, and the clustering process includes: and smoothing the plurality of time sequences in the second time period by using a self-adaptive exponential averaging algorithm based on kurtosis variation to obtain a plurality of second noise reduction sequences, and clustering the plurality of second noise reduction sequences to obtain a second clustering result.
It can be understood that the self-adaptive exponential averaging algorithm based on the kurtosis change can smooth the multiple time sequences of the first time period, so that the noise interference can be eliminated on the premise of keeping the original characteristics of the time sequences, and the clustering effect can be improved.
With reference to the first aspect, or any one of the foregoing possible implementation manners of the first aspect, in yet another possible implementation manner of the first aspect, the method further includes: analyzing based on the plurality of time sequences of the second time period to obtain a second state of the first equipment, wherein the second state is used for representing whether single-index abnormity exists in the plurality of time sequences of the second time period on the first equipment; determining a final state of the first device from the first state and the second state.
It should be noted that, in the embodiment of the present application, the second state of the single-index abnormal condition representing the time sequence is further determined, and then the state of the first device is comprehensively considered according to the second state and the first state, so that the abnormal condition of the first device can be determined more comprehensively by using the determination method, which is beneficial to better operation and maintenance of the first device.
With reference to the first aspect or any one of the foregoing possible implementation manners of the first aspect, in a further possible implementation manner of the first aspect, the analyzing based on multiple time series of the second time period to obtain the second state of the first device includes: generating a simulation sequence according to a plurality of time sequences of the second time period, wherein the simulation sequence is used for highlighting the common characteristic of the partial time sequences of the second time period; and analyzing the simulation sequence to obtain a second state of the first equipment.
It is understood that, when determining the second state, the second state is not determined on the basis of each time series, and the amount of calculation can be significantly reduced; meanwhile, since the analog sequence is used to highlight the common characteristic of the partial time series that is the second period, the second state of the first device can be determined relatively accurately based on the analog sequence as it is.
With reference to the first aspect, or any one of the foregoing possible implementation manners of the first aspect, in a further possible implementation manner of the first aspect, the generating a simulation sequence according to a plurality of time sequences of the second time period includes: and generating a simulation sequence corresponding to the same type according to the time sequence which is clustered into the same type in the plurality of time sequences of the second time period, wherein each type obtained on the basis of clustering of the plurality of time sequences corresponds to one simulation sequence.
It can be understood that the corresponding second state is generated for each class, so that the single-index abnormal condition of the first device can be relatively comprehensively covered.
In a second aspect, an embodiment of the present application provides an abnormality detection apparatus, including:
the device comprises an acquisition unit, a processing unit and a display unit, wherein the acquisition unit is used for acquiring a plurality of time sequences of first equipment in a first time period and a plurality of time sequences of a second time period, and the time sequences are used for embodying the change relationship of the running data of the first equipment along with time;
the clustering unit is used for clustering processing based on the plurality of time sequences of the first time period to obtain a first clustering result;
the clustering unit is further configured to perform clustering processing based on the plurality of time sequences of the second time period to obtain a second clustering result;
and the first analysis unit is used for determining a first state of the first equipment according to the difference between the first clustering result and the second clustering result, wherein the first state is used for representing whether the time sequence of the first equipment has correlation type abnormity.
It should be noted that, after analyzing a large amount of test data, the inventor of the present application finds that a clustering result obtained after clustering two time series with a large difference also has a large difference, that is, a strong correlation exists between the difference between the two time series and the difference after clustering, so that, by comparing the first clustering result with the second clustering result, it is possible to reflect whether there is a large difference between a plurality of time series of the first time period and a plurality of time series of the second time period, thereby accurately determining whether there is an association type abnormality in the time series of the first device.
With reference to the second aspect, in a possible implementation of the second aspect: in terms of performing clustering processing on the plurality of time sequences based on the first time period to obtain a first clustering result, the clustering unit is specifically configured to: smoothing the plurality of time sequences of the first time period by using a self-adaptive index average algorithm based on kurtosis change to obtain a plurality of first noise reduction sequences, and clustering the plurality of first noise reduction sequences to obtain a first clustering result; in terms of performing clustering processing based on the plurality of time sequences of the second time period to obtain a second clustering result, the clustering unit is specifically configured to: and smoothing the plurality of time sequences in the second time period by using a self-adaptive exponential averaging algorithm based on the kurtosis change to obtain a plurality of second noise reduction sequences, and clustering the plurality of second noise reduction sequences to obtain a second clustering result.
It can be understood that the self-adaptive exponential averaging algorithm based on the kurtosis change can smooth the multiple time sequences of the first time period, so that the noise interference can be eliminated on the premise of keeping the original characteristics of the time sequences, and the clustering effect can be improved.
With reference to the second aspect or any one of the foregoing possible implementation manners of the second aspect, in yet another possible implementation manner of the second aspect, the apparatus further includes:
the second analysis unit is used for analyzing the plurality of time sequences of the second time period to obtain a second state of the first equipment, wherein the second state is used for representing whether single index abnormality exists in the plurality of time sequences of the second time period on the first equipment;
and the comprehensive unit is used for determining the final state of the first equipment according to the first state and the second state.
It should be noted that, in the embodiment of the present application, a second state of a single-index abnormal condition representing a time sequence is further determined, and then the state of the first device is comprehensively considered according to the second state and the first state, and this determination manner can more comprehensively determine the abnormal condition of the first device, which is beneficial to better operation and maintenance of the first device.
With reference to the second aspect or any one of the foregoing possible implementation manners of the second aspect, in a further possible implementation manner of the second aspect, in analyzing a plurality of time series based on the second time period to obtain the second state of the first device, the second analyzing unit is specifically configured to:
generating a simulation sequence according to a plurality of time sequences of the second time period, wherein the simulation sequence is used for highlighting the common characteristics of the partial time sequences of the second time period;
and analyzing the simulation sequence to obtain a second state of the first equipment.
It is understood that when determining the second state, the second state is not determined on the basis of each time series, and the amount of calculation can be significantly reduced; meanwhile, since the analog sequence is used to highlight the common characteristic of the partial time series that is the second period, the second state of the first device can be determined relatively accurately based on the analog sequence as it is.
With reference to the second aspect or any one of the foregoing possible implementation manners of the second aspect, in a further possible implementation manner of the second aspect, in generating a simulation sequence according to a plurality of time series of the second time period, the second analysis unit is specifically configured to:
and generating a simulation sequence corresponding to the same class according to the time sequence which is clustered into the same class in the plurality of time sequences of the second time period, wherein each class obtained by clustering based on the plurality of time sequences corresponds to one simulation sequence.
It can be understood that the corresponding second state is generated for each type, so that the single-index abnormal condition of the first equipment can be relatively comprehensively covered.
In a third aspect, an embodiment of the present application provides an anomaly analysis device, which is a second device mentioned later, and includes a processor and a memory, where the memory is used to store a computer program, and the processor is used to invoke the computer program to execute the method described in the first aspect or any one of the possible implementation manners of the first aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium, in which a computer program is stored, which, when run on a processor, implements the method described in the first aspect or any one of the possible implementation manners of the first aspect.
Drawings
The drawings used in the embodiments of the present application are described below.
FIG. 1 is a schematic diagram of a KPI indicator in the prior art;
FIG. 2 is a schematic diagram of a prior art communication device failure;
FIG. 3 is a schematic diagram of a single index exception and a correlation-type exception in the prior art;
FIG. 4 is a schematic flow chart of an anomaly detection method provided by the prior art;
FIG. 5 is a schematic flow chart of another anomaly detection method provided by the prior art;
FIG. 6 is a schematic diagram of a deployment environment of an anomaly detection system according to an embodiment of the present application;
FIG. 7 is a schematic flow chart diagram illustrating an anomaly detection method according to an embodiment of the present application;
fig. 8 is a schematic flowchart of an anomaly detection method according to an embodiment of the present application;
FIG. 9 is a schematic diagram illustrating comparison between effects before and after a smoothing process according to an embodiment of the present application;
FIG. 10 is a schematic diagram of a time-series shift principle provided by an embodiment of the present application;
fig. 11 is a schematic flowchart of a DBSCAN algorithm provided in an embodiment of the present application;
fig. 12 is a schematic diagram of a clustering result provided in the embodiment of the present application;
FIG. 13 is a schematic diagram comparing inputs and outputs of a shape extraction process provided by embodiments of the present application;
FIG. 14 is a schematic diagram of a prediction result obtained by an anomaly detection method according to an embodiment of the present disclosure;
FIG. 15 is a diagram illustrating predicted results obtained by another anomaly detection method according to an embodiment of the present application;
fig. 16 is a schematic structural diagram of an abnormality detection apparatus according to an embodiment of the present application;
fig. 17 is a schematic structural diagram of an abnormality detection apparatus according to an embodiment of the present application.
Detailed Description
The embodiments of the present application will be described below with reference to the drawings.
Referring to fig. 6, fig. 6 is a schematic diagram of a deployment environment of an anomaly detection system according to an embodiment of the present application, where the system may include a first device (such as a communication network) 601, an index database 602, a multidimensional index anomaly detection module 603, and a visualization module 604, where the index database 602, the multidimensional index anomaly detection module 603, and the visualization module 604 may be deployed on the same device, and for convenience of description, the index database 602, the multidimensional index anomaly detection module 603, and the visualization module 604 may be deployed on a second device as an example. The introduction of each device and module is as follows:
the first device 601 may include one or more devices, such as all or part of devices (e.g., routers, switches, firewalls, etc.) in a communication network, and the device 601 is not limited to the communication network scenario.
The index database 602 is configured to store a time sequence collected from the second device, for example, KPI data, where the KPI data may include one or more of CPU utilization, network packet loss rate of an interface, transmission amount, and the like, and is not limited herein. The index database 602 may be deployed on the second device, or may be deployed on a designated data center.
The multi-dimensional index anomaly detection module 603 is configured to execute an anomaly detection process, and functionally divides the anomaly detection process into a plurality of categories, which may include a preprocessing module, a clustering module, an association-type anomaly detection module, a shape extraction module, a single-index anomaly detection module, and a comprehensive anomaly detection module, where:
the preprocessing module is used for smoothing the time sequence based on the kurtosis variation self-adaptive exponential averaging algorithm.
The clustering module is used for clustering the smoothed data and aggregating the data with similar shapes in the same class.
And the association type anomaly detection module is used for carrying out association type anomaly detection based on the clustering result.
The shape extraction module is used to determine a simulation sequence based on the clustering result, which can be regarded as "merging" the time sequences of the same class into a time sequence.
And the single index abnormity detection module is used for carrying out single index abnormity detection based on the simulation sequence.
The comprehensive abnormity detection module is used for synthesizing the correlation type abnormity detection result and the single index abnormity detection result.
The visualization module 604 is configured to display the detection result of the multi-dimensional index abnormality detection module 603, for example, to display whether a single-index abnormality exists, whether an associated abnormality exists, or which single indexes are abnormal.
The second device may be a single device, or may be a cluster formed by multiple nodes (e.g., servers).
Fig. 7 is a schematic flowchart of an anomaly detection method for a communication network provided by the present application.
Referring to fig. 8, fig. 8 is a schematic flowchart of an anomaly detection method provided in this embodiment, which may be implemented based on the architecture shown in fig. 6, where a device for executing the method may be a second device, and the method includes, but is not limited to, the following steps:
step S801: a plurality of time sequences of the first device in a first time period and a plurality of time sequences of a second time period are obtained.
Specifically, the second device or another device may periodically acquire (or acquire in real time) a time sequence of the first device, where the time sequence is used to represent a change relationship of operation data of the first device with time, where the operation data specifically includes what data related to the operation of the first device, for example, KPI data, where the KPI data may include one or more of CPU utilization, network packet loss rate of an interface, transmission amount, and the like.
After the time series of the first device is acquired, when the time series needs to be used, a part of the time series may be selected for use, for example, a plurality of time series of the first time period and a plurality of time series of the second time period are selected, and the plurality of time series of the first time period and the plurality of time series of the second time period may be regarded as two time series sets respectively.
In the embodiment of the application, if the time sequence of the first device is stored in the second device after being acquired, the second device may acquire the multiple time sequences of the first time period and the multiple time sequences of the second time period in a direct reading manner; if the time series of the first device is stored on other devices (such as an established data center) after being collected, the second device may send a data request to the other devices, and then receive the time series of the first time period and the time series of the second time period sent by the other devices; of course, other ways are possible, not just examples here.
Step S802: and clustering based on the plurality of time sequences of the first time period to obtain a first clustering result.
The first alternative scheme comprises two processes of preprocessing and clustering:
pretreatment: and smoothing the plurality of time sequences of the first time period by using a self-adaptive exponential averaging algorithm based on kurtosis change to obtain a plurality of first noise reduction sequences. The purpose of the smoothing process is to eliminate the noise interference while preserving the original characteristics of the time series, for example, the time series of the first time period may be represented as S = { x = 1 ,x 2 ,...,x H In which x 1 ,x 2 ,...,x H The time length L of each time sequence is the length of the first time period, and the first noise reduction sequences obtained after smoothing processing can be represented as S '= (x' 1 ,x′ 2 ,...x′ H X 'in the formula' 1 ,x′ 2 ,...x′ H Respectively represent H first denoising sequences, wherein H is a positive integer. Fig. 9 illustrates a comparison of the effect of a time series of the first time period before the smoothing process and a first noise reduction series after the smoothing process.
The principle of kurtosis in the adaptive exponential averaging algorithm for kurtosis variation may be as follows: kurt (x) = E [ (x-mu) is defined Kurt (x) = E [) 4 ]/E[(x-μ) 2 ] 2 Wherein x is all or part of data in a time sequence, x belongs to random variables, and mu is a time sequence mean value. Kurtosis is a common statistic that statistically measures how evenly a random variable x is distributed. In general, the more non-uniform x, the higher the kurtosis. By calculating the kurtosis change of the time series at a certain moment, the change degree of the time series at the moment can be known. At the moment of low variation degree, some noises exist in the time sequence, and the noises can be filtered in a smoothing mode with larger force; at the moment of high change degree, the time sequence contains more useful information, and the smoothing is carried out by using smaller force so as to keep the original characteristics in the data, thereby ensuring that the abnormity can be detected. The following adaptive exponential averaging algorithm for kurtosis variation is exemplified:
for a time series x = { b = 1 ,b 2 ,...,b L H, note that the output of the algorithm is x '= { b' 1 ,b′ 2 ,...,b′ L -means for, among other things,
b′ l =(1-α l )*b′ l-1 +α l *b′ l
α l =max(min(abs(Kurt({b 1 ,b 2 ,...,b l })-Kurt({b 1 ,b 2 ,...,b l-1 }))))
that is, at each time point l, the absolute value of the difference between the kurtosis of the first l values of the time series x and the kurtosis of the first l-1 values is calculated and limited to [0.1, 1%]Within a range of (a), a coefficient α of exponential smoothing is obtained l Thus, smoothed x '= { b' 1 ,b′ 2 ,...,b′ L In which l is e [1, L ]]。
Clustering: and clustering the plurality of first noise reduction sequences to obtain a first clustering result.
The clustering may be performed by a clustering algorithm, the input of which is a plurality of first noise reduction sequencesS′=(x′ 1 ,x′ 2 ,...x′ H H, output W '= { S' 1 ,S′ 2 ,...S′ R Are classes, e.g., S' 1 ,S′ 2 ,...S′ R Respectively represent R classes, and R is a positive integer.
Generally, each first noise reduction sequence with a relatively close distance is classified into one class, and the specific distance is not limited herein, and optionally, the distance may be the simplest euclidean distance, or a variation of the euclidean distance, or a variation of a Dynamic Time Warping (DTW) distance, or a variation of a DTW distance, or a Shape-based distance (SBD), and the like, where the SBD has the characteristics of high efficiency, strong robustness, and the like.
Taking the SBD distance as an example, the SBD distance measures the distance between two time sequences by the maximum inner product of the two time sequences after time sequence offset, and the specific method is to shift one time sequence continuously, multiply and accumulate the values of the aligned positions of the two time sequences after each shift, and determine the distance between the time sequences by the ratio of the maximum value of the accumulated result to the modulo length of the original time sequence. Fig. 10 illustrates an example of time series x shifted three bits to the left and three bits to the right, respectively, with the shifted series denoted y.
After the distance metric is defined, at each time l, each first noise reduction sequence x 'may be processed' h Get a window x ″) h =x′ h [l-windows:l],h∈[1,H]So as to obtain a plurality of samples S "= (x") of the first denoising sequence S' in the window 1 ,x″ 2 ,...,x″ H } then S ' is clustered by using a clustering algorithm to obtain a first clustering result W ' = { S ' 1 ,S′ 2 ,...S′ R }。
The clustering algorithm is not limited herein, for example, the clustering algorithm may be a DBSCAN algorithm, the DBSCAN algorithm is a common clustering algorithm, and it is considered that a part of data with dense distribution may be clustered, specifically, whether a data point is a core point is judged by the number of data points around the data point, and if so, the data points around the data point are classified into a category, and optionally, the implementation flow of the DBSCAN algorithm is as shown in fig. 11.
Fig. 12 illustrates a scene diagram of two types of first noise reduction sequences obtained by a clustering algorithm, wherein a type illustrated in part (a) of fig. 12 includes 6 first noise reduction sequences, and the 6 first noise reduction sequences have similar features, i.e., are closer in distance; another class, illustrated in part (b) of fig. 12, also includes 6 first noise reduction sequences, which have similar characteristics, i.e., relatively close distances; fig. 12 is merely exemplary.
Alternatively, the multiple time series of the first time period may be directly clustered to obtain a first clustering result. The clustering principle is the same as the clustering principle of the first noise reduction sequences, so that, in comparison, the input of the clustering algorithm only needs to be replaced by the first noise reduction sequences as well as the time sequences of the first time segment.
Step S803: and clustering based on the plurality of time sequences of the second time period to obtain a second clustering result.
The first alternative includes two processes of preprocessing and clustering, wherein the implementation principle of the two processes of preprocessing and clustering is the implementation of the two processes of preprocessing and clustering in step S802, and the related principle is not repeated here.
Alternatively, the multiple time series of the second time period may be directly clustered to obtain a second clustering result. The clustering principle is the same as the clustering principle of the second noise reduction sequences, so that, in comparison, the input of the clustering algorithm only needs to be replaced by the first noise reduction sequences as well as the time sequences of the second time period.
For ease of subsequent understanding, the second clustering result may be represented as W "= { S ″", where 1 ,S″ 2 ,...S″ R′ In which, S ″) 1 ,S″ 2 ,...S″ R′ Are respectively R' categories. The number of categories in the second clustered result may or may not be equal to the number of categories in the first clustered result.
Step S804: and determining the first state of the first device according to the difference between the first clustering result and the second clustering result.
Optionally, the association type anomaly refers to a change of an association relationship between time series, for example, a change from no association to association, a change from association to no association, or a change in association degree significantly, but it is difficult to observe situations such as significant anomaly only from a single index.
Specifically, if the first clustering result is greatly different from the second clustering result, it is considered that an association-type abnormality, such as
And if the difference between the first clustering result and the second clustering result is small, determining that no association type abnormity occurs. Normalized Mutual Information (NMI) indicators can be used to measure how much the clustering result changes, such as:
definition of
The ratio of the number of the time sequences contained in the ith class in the first clustering result to the total number of the time sequences is represented, and the ratio can represent the probability that one time sequence belongs to the ith class in the first clustering result S'; definition of
Representing the probability that a time series belongs to the ith class in the first clustering result and the jth class in the second clustering result, the information entropy of the first clustering result S' can be defined as
This value may represent the amount of information of the first clustering result S' itself; the mutual information MI (S ', S ") between the first clustering result S' and the second clustering result S ″ is defined as follows:
the mutual information may measure the degree of difference between the first clustering result S' and the second clustering result S ″. By normalizing the mutual information, NMI indicators were obtained as follows:
if the NMI index is close to 0, the difference between the first clustering result and the second clustering result is obvious, and therefore the first equipment is considered to have the incidence type abnormality; in contrast, if the NMI index is close to 1, it means that the difference between the first clustering result and the second clustering result is small, and thus it can be considered that no association-type abnormality has occurred in the first device.
Step S805: and obtaining a second state of the first equipment based on a plurality of time sequences of the second time period.
The second state is used to characterize whether a single-index abnormality exists in multiple time sequences of a second time period on the first device, and optionally, the single-index abnormality refers to a significant change occurring on a single time sequence, such as an outlier or a jump occurring in a behavior pattern.
There are many detection modes of single-index abnormality, which are not limited herein, for example, a prophet time series prediction algorithm may be used as the single-index abnormality detection algorithm, and other single-index abnormality detection models such as ARIMA or LSTM may be selected. For example, when detecting single-index abnormality for a time series x, the size of a model fitting window for detecting single-index abnormality is set to be w, and x is used h [l-w:l-1]This piece of data is fit to a prophet model, which is then used to predict x h Predicted value val, upper bound and lower bound lowerbound at time l, if true value x h [l]Outside the upper and lower bounds, i.e. x h [l]> upperbound or x h [l]< lowerbound, then consider the time series x h An exception has occurred.
In the embodiment of the present application, the single index abnormality detection method includes, but is not limited to, the following cases:
first, the multiple time series of the second time period are all subjected to single index abnormality detection.
Second, only a part of the time series is subjected to single index anomaly detection, for example, a plurality of time series in the second time period are clustered into R' classes, one time series is sampled from each of the classes, then single index anomaly detection is performed on each time series obtained by sampling, optionally, the single index anomaly detection result of each time series represents the anomaly detection results of all the time series in the class where the time series is located.
Thirdly, generating a simulation sequence according to a plurality of time sequences of the second time period, wherein the simulation sequence is used for highlighting the common characteristics of the partial time sequences of the second time period; then, the simulation sequence is analyzed to obtain a second state of the first device. For example, the simulation sequence corresponding to the same class is generated according to the time sequence which is clustered into the same class from the plurality of time sequences of the second time period, wherein each class obtained by clustering based on the plurality of time sequences corresponds to one simulation sequence, and this process is equivalent to performing shape extraction on the time sequence of the same class.
The input in the shape extraction process is a plurality of types of time sequences obtained after clustering, generally more than one time sequence in each type, and the shape extraction process outputs one time sequence for each type. The idea of shape extraction is: the time series of the same type are relatively similar in shape, and if a single index abnormality occurs in one time series, the time series of the same type can be completely considered to be abnormal. And the shape of the time sequence of the same type is extracted to obtain a representative time sequence, so that the workload of single index abnormality detection can be reduced. Fig. 13 is a schematic diagram comparing the input and output of the shape extraction process, and it can be seen that the output of the shape extraction process, i.e., the shape of the result of the shape extraction, substantially represents the common characteristics of the time series of the same class.
The input to the process of time series shape extraction is S ″) 1 ,S″ 2 ,...S″ R′ Here, S ″) i Clustered by multiple time series representing second time segmentClass i, containing multiple time series, i.e. S ″) i ={x i1 ,x i2 ,...,x iZ′ Z 'is the number of time series in the ith class of the second clustering result (note that the number of time series Z' for different classes may be different); the output of the shape extraction algorithm is R' time series U = { U = { U 1 ,u 2 ,...,u R′ },u i Represents the result of the class i shape extraction, which is compared with { x } i1 ,x i2 ,...,x iZ′ The sum of the distances of (i) } should be as small as possible, i.e. u i And { x i1 ,x i2 ,...,x iZ′ The sum of the squares of the dot products of } should be maximal and can be written as an optimization problem:
the above equation, however, cannot be solved for u, because each element of u is multiplied by 2,
is enlarged by a factor of 4, it is impossible to find a value of u such that the value is maximized. It is also necessary to normalize the equation by multiplying each element of u by a value or adding a value, and the result remains unchanged. Memory matrix
(i.e., S ″) i Each time series of (a) is multiplied by its transpose and summed), matrix
Wherein L represents the length of the time series, I is a matrix of size L x L, all diagonals are 1, and other values are 0; o is a matrix of size L x L, all values being 1. The result of Qu is then u minus its average. To eliminate the effect of the magnitude of u, u may be defined T U =1, becoming the optimization problem as follows:
the optimization problem is equivalent to:
wherein V i =Q T P i And Q. Will u T V i u-λ(u T u-1) derivation of u to obtain V i u- λ u, making it equal to 0, i.e. V i u = λ u, so u is the matrix V i The maximum eigenvalue of (2) corresponds to the eigenvector. This feature vector can be considered as representative of the time series of the same class and is therefore taken as the analog series corresponding to the same class, i.e. u i As the analog sequence corresponding to the ith class.
Step S806: determining a final state of the first device from the first state and the second state.
After the first state and the second state are obtained, that is, under the condition that the related information of the associated abnormality and the related information of the single-index abnormality are obtained, the two conditions are integrated to obtain the final state of the equipment, wherein the final state can represent whether the associated abnormality exists or whether the single-index abnormality exists or which indexes have the single-index abnormality or the abnormal degree level of the whole equipment, and the like. The form of presentation of the final state is not limited herein.
Optionally, if the multi-index detection algorithm detects that the associated abnormality exists, the single-index abnormality detection result of the single-index detection algorithm does not need to be checked, but the abnormality is directly reported; if the multi-index algorithm does not detect the associated abnormality, further confirming the single-index abnormality detection result of the single-index algorithm, if the single-index algorithm detects the single-index abnormality, reporting the abnormality, otherwise, considering that the equipment is not abnormal. Of course, other methods of comprehensive analysis may exist, and are not limited herein.
Step S807: outputting a final state of the first device.
Specifically, the output here may be a display, such as an image, a video, a text, or the like, or an output by voice broadcasting, or sending the final state of the first device to other devices, or the like.
In order to verify the detection effect of the above-described anomaly detection method, the following provides relevant test data:
fig. 14 and fig. 15 are the prediction results obtained by the anomaly detection method provided in the embodiment of the present application, and are graphs showing the comparison effect between the prediction results and the actual anomaly labels, as can be seen, the anomaly detection method of the present application has very high accuracy, and the average F1-score can reach 0.85. In addition, under the condition that the GPU is not used, the efficiency of the algorithm is about 10p/s under the condition that the time sequence dimension exceeds 2000 dimensions, namely whether the abnormality occurs at 10 time points can be detected every second, and the detection efficiency is very high.
To demonstrate the robustness of SBD distance in this algorithm compared to other time series distance metric algorithms (cDTW), a portion of the time series in the UCR dataset was tested. Firstly, some interference is manually injected into data, whether the distance calculated between time sequences after interference is close to the distance calculated before interference is tested, the result is represented by a real number, and the closer to 0, the more robustness the algorithm is to the type of interference is. The interference modes include two modes, namely timing drift and random deletion, wherein the timing drift refers to shifting the time sequence to the left or to the right, and the random deletion refers to randomly deleting a part of data in the middle of the time sequence. The experimental results are shown below:
table 1: faceUCR dataset
| Interference mode \ measurement method | greedy_DTW | SBD | cDTW |
| Timing offset | 1.1237876534793514 | 1.0715528206750529 | 1.9410307632900048 |
| Random deletion | 19.18779569050136 | 0.5173799638343591 | 2.5605029239861303 |
Table 2: herring data set
| Interference mode \ measurement method | greedy_DTW | SBD | cDTW |
| Timing offset | 0.06402471641454363 | 0.0034511234318959 | 0.039979718534509 |
| Random deletion | 0.07261358715770445 | 0.0051969571994645 | 0.015921448609801 |
Combining tables 1 and 2, it can be seen that the SBD distance in the present application is more robust than the DTW algorithm variation.
In summary, the embodiments of the present application have the following advantages: (1) Since changes in the clustering results at different times are used to reflect changes in the time-series correlation, correlation-type anomalies can be explicitly detected. (2) Detection can be performed based on real data generated during the operation of the device, so that training data do not need to be collected in advance, and training is not needed. (3) The change of the clustering result obviously reveals the change of the association relationship, and the large change amplitude can be directly considered as that the system is abnormal, so that the interpretability of the association type abnormality is strong, and the interpretation of the relationship between the input and the output is not fuzzy like the neural network training. (4) When the problem of excessive data volume is faced, only a part of data can be selected for clustering, and the efficiency of the algorithm cannot be reduced even if the data set is increased, so that the expandability is strong, and the workload of single-index abnormal detection is reduced by using the time series shape extraction technology. (5) The SBD distance measurement time sequence incidence relation is used, and the robustness on data containing noise and timing sequence offset is strong.
The method of the embodiments of the present application is set forth above in detail and the apparatus of the embodiments of the present application is provided below.
Referring to fig. 16, fig. 16 is a schematic structural diagram of an abnormality detection apparatus 160 according to an embodiment of the present disclosure, the abnormality detection apparatus 160 may be the second device or a component in the second device, and the abnormality detection apparatus 160 may include an obtaining unit 1601, a clustering unit 1602, and a first analyzing unit 1603, where details of each unit are described below.
An obtaining unit 1601, configured to obtain multiple time sequences of a first device in a first time period and multiple time sequences of a second time period, where the time sequences are used to represent a time-varying relation of operation data of the first device;
a clustering unit 1602, configured to perform clustering processing based on the multiple time sequences of the first time period to obtain a first clustering result;
the clustering unit 1602 is further configured to perform clustering processing based on the multiple time sequences of the second time period to obtain a second clustering result;
a first analyzing unit 1603, configured to determine a first state of the first device according to a difference between the first clustering result and the second clustering result, where the first state is used to characterize whether a correlation type anomaly exists in a time series of the first device.
It should be noted that, after analyzing a large amount of test data, the inventor of the present application finds that a clustering result obtained after clustering two time series with a large difference also has a large difference, that is, a strong correlation exists between the difference between the two time series and the difference after clustering, so that, by comparing the first clustering result with the second clustering result, it is possible to reflect whether there is a large difference between a plurality of time series of the first time period and a plurality of time series of the second time period, thereby accurately determining whether there is an association type abnormality in the time series of the first device.
In one possible implementation: in terms of performing clustering processing on the plurality of time sequences based on the first time period to obtain a first clustering result, the clustering unit is specifically configured to: smoothing the plurality of time sequences of the first time period by using a self-adaptive index average algorithm based on kurtosis change to obtain a plurality of first noise reduction sequences, and clustering the plurality of first noise reduction sequences to obtain a first clustering result; in the aspect of performing clustering processing on the plurality of time sequences based on the second time period to obtain a second clustering result, the clustering unit is specifically configured to: and smoothing the plurality of time sequences in the second time period by using a self-adaptive exponential averaging algorithm based on kurtosis variation to obtain a plurality of second noise reduction sequences, and clustering the plurality of second noise reduction sequences to obtain a second clustering result.
It can be understood that the self-adaptive exponential averaging algorithm based on the kurtosis change can smooth the multiple time sequences of the first time period, so that the noise interference can be eliminated on the premise of keeping the original characteristics of the time sequences, and the clustering effect can be improved.
In yet another possible implementation, the apparatus 160 further includes:
the second analysis unit is used for carrying out analysis based on the plurality of time sequences of the second time period to obtain a second state of the first equipment, wherein the second state is used for representing whether single-index abnormity exists in the plurality of time sequences of the second time period on the first equipment;
and the comprehensive unit is used for determining the final state of the first equipment according to the first state and the second state.
It should be noted that, in the embodiment of the present application, a second state of a single-index abnormal condition representing a time sequence is further determined, and then the state of the first device is comprehensively considered according to the second state and the first state, and this determination manner can more comprehensively determine the abnormal condition of the first device, which is beneficial to better operation and maintenance of the first device.
In another possible implementation, in terms of analyzing a plurality of time series based on the second time period to obtain the second state of the first device, the second analyzing unit is specifically configured to:
generating a simulation sequence according to a plurality of time sequences of the second time period, wherein the simulation sequence is used for highlighting the common characteristic of the partial time sequences of the second time period;
and analyzing the simulation sequence to obtain a second state of the first equipment.
It is understood that when determining the second state, the second state is not determined on the basis of each time series, and the amount of calculation can be significantly reduced; meanwhile, since the analog sequence is used to highlight the common characteristic of the partial time series that is the second period, the second state of the first device can be determined relatively accurately based on the analog sequence as it is.
In a further possible implementation, in generating the simulation sequence according to the plurality of time series of the second time period, the second analysis unit is specifically configured to:
and generating a simulation sequence corresponding to the same type according to the time sequence which is clustered into the same type in the plurality of time sequences of the second time period, wherein each type obtained on the basis of clustering of the plurality of time sequences corresponds to one simulation sequence.
It can be understood that the corresponding second state is generated for each type, so that the single-index abnormal condition of the first equipment can be relatively comprehensively covered.
It should be noted that the implementation of each unit may also correspond to the corresponding description of the method embodiment shown in fig. 8.
Referring to fig. 17, fig. 17 is a diagram of an abnormality detection device 170 according to an embodiment of the present application, where the device 170 may be the aforementioned second device, and the device 170 includes a processor 1701, a memory 1702, and a communication interface 1703, where the processor 1701, the memory 1702, and the communication interface 1703 are connected to each other through a bus.
The memory 1702 includes, but is not limited to, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), or a portable read-only memory (CD-ROM), and the memory 1702 is used for related computer programs and data. The communication interface 1703 is used to receive and transmit data.
The processor 1701 may be one or more Central Processing Units (CPUs), which may be single core CPUs or multi-core CPUs in the case where the processor 1701 is one CPU.
The processor 1701 in the device 170 is adapted to read the computer program code stored in said memory 1702 and perform the following operations:
acquiring a plurality of time sequences of first equipment in a first time period and a plurality of time sequences of second time periods, wherein the time sequences are used for reflecting the change relation of the running data of the first equipment along with time;
clustering is carried out on the basis of the plurality of time sequences of the first time period to obtain a first clustering result;
clustering processing is carried out on the basis of the plurality of time sequences of the second time period to obtain a second clustering result;
and determining a first state of the first device according to the difference of the first clustering result and the second clustering result, wherein the first state is used for representing whether the correlation type abnormity exists in the time sequence of the first device.
It should be noted that, after analyzing a large amount of test data, the inventor of the present application finds that a clustering result obtained after clustering two time series with a large difference also has a large difference, that is, a strong correlation exists between the difference between the two time series and the difference after clustering, so that, by comparing the first clustering result with the second clustering result, it is possible to reflect whether there is a large difference between a plurality of time series of the first time period and a plurality of time series of the second time period, thereby accurately determining whether there is an association type abnormality in the time series of the first device.
In one possible implementation:
in the aspect of obtaining a first clustering result by clustering the plurality of time sequences based on the first time period, the processor is specifically configured to: and smoothing the plurality of time sequences of the first time period by using a self-adaptive index average algorithm based on kurtosis change to obtain a plurality of first noise reduction sequences, and clustering the plurality of first noise reduction sequences to obtain a first clustering result. The processor is specifically configured to, in the aspect of performing clustering processing on the plurality of time sequences based on the second time period to obtain a second clustering result: and smoothing the plurality of time sequences in the second time period by using a self-adaptive exponential averaging algorithm based on the kurtosis change to obtain a plurality of second noise reduction sequences, and clustering the plurality of second noise reduction sequences to obtain a second clustering result.
It can be understood that the self-adaptive exponential averaging algorithm based on the kurtosis change can smooth the multiple time sequences of the first time period, so that the noise interference can be eliminated on the premise of keeping the original characteristics of the time sequences, and the clustering effect can be improved.
In yet another possible implementation, the processor is further configured to:
analyzing based on the plurality of time sequences of the second time period to obtain a second state of the first equipment, wherein the second state is used for representing whether single-index abnormity exists in the plurality of time sequences of the second time period on the first equipment; determining a final state of the first device from the first state and the second state.
It should be noted that, in the embodiment of the present application, a second state of a single-index abnormal condition representing a time sequence is further determined, and then the state of the first device is comprehensively considered according to the second state and the first state, and this determination manner can more comprehensively determine the abnormal condition of the first device, which is beneficial to better operation and maintenance of the first device.
In another possible implementation, the analyzing based on the plurality of time series of the second time period yields a second status aspect of the first device, and the processor is specifically configured to: generating a simulation sequence according to a plurality of time sequences of the second time period, wherein the simulation sequence is used for highlighting the common characteristics of the partial time sequences of the second time period; and analyzing the simulation sequence to obtain a second state of the first equipment.
It is understood that when determining the second state, the second state is not determined on the basis of each time series, and the amount of calculation can be significantly reduced; meanwhile, since the analog sequence is used to highlight the common characteristic of the partial time series that is the second period, the second state of the first device can be determined relatively accurately based on the analog sequence as it is.
In yet another possible implementation, in the aspect of generating the simulation sequence according to the plurality of time sequences of the second time period, the processor is specifically configured to: and generating a simulation sequence corresponding to the same class according to the time sequence which is clustered into the same class in the plurality of time sequences of the second time period, wherein each class obtained by clustering based on the plurality of time sequences corresponds to one simulation sequence.
It can be understood that the corresponding second state is generated for each class, so that the single-index abnormal condition of the first device can be relatively comprehensively covered.
It should be noted that, the implementation of each operation may also correspond to the corresponding description of the method embodiment shown in fig. 8.
The embodiment of the present application further provides a chip system, where the chip system includes at least one processor, a memory and an interface circuit, where the memory, the transceiver and the at least one processor are interconnected by a line, and the at least one memory stores a computer program; when executed by the processor, the computer program implements the method flow shown in fig. 8.
An embodiment of the present application further provides a computer-readable storage medium, in which a computer program is stored, and when the computer program is executed on a processor, the method flow shown in fig. 8 is implemented.
Embodiments of the present application further provide a computer program product, which when executed on a processor implements the method flow illustrated in fig. 8.
One of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments can be implemented by hardware associated with a computer program that can be stored in a computer-readable storage medium, and when executed, can include the processes of the above method embodiments. And the aforementioned storage medium includes: various media that can store computer program code, such as ROM or RAM, magnetic or optical disks, etc.
Claims (12)
1. An abnormality detection method characterized by comprising:
acquiring a plurality of time sequences of first equipment in a first time period and a plurality of time sequences of second time periods, wherein the time sequences are used for reflecting the change relation of the running data of the first equipment along with time;
clustering is carried out on the basis of the plurality of time sequences of the first time period to obtain a first clustering result;
clustering processing is carried out on the basis of the plurality of time sequences of the second time period to obtain a second clustering result;
and determining a first state of the first device according to the difference between the first clustering result and the second clustering result, wherein the first state is used for representing whether the time series of the first device has correlation type abnormity.
2. The method of claim 1,
the clustering process is performed on the plurality of time sequences based on the first time period to obtain a first clustering result, and the clustering process includes:
smoothing the plurality of time sequences of the first time period by using a self-adaptive index average algorithm based on kurtosis change to obtain a plurality of first noise reduction sequences, and clustering the plurality of first noise reduction sequences to obtain a first clustering result;
the clustering processing is performed on the plurality of time sequences based on the second time period to obtain a second clustering result, and the clustering processing comprises the following steps:
and smoothing the plurality of time sequences in the second time period by using a self-adaptive exponential averaging algorithm based on kurtosis variation to obtain a plurality of second noise reduction sequences, and clustering the plurality of second noise reduction sequences to obtain a second clustering result.
3. The method of claim 1 or 2, further comprising:
analyzing based on the plurality of time sequences of the second time period to obtain a second state of the first equipment, wherein the second state is used for representing whether single-index abnormity exists in the plurality of time sequences of the second time period on the first equipment;
determining a final state of the first device from the first state and the second state.
4. The method of claim 3, wherein analyzing based on the plurality of time series of second time periods to derive the second state of the first device comprises:
generating a simulation sequence according to a plurality of time sequences of the second time period, wherein the simulation sequence is used for highlighting the common characteristic of the partial time sequences of the second time period;
and analyzing the simulation sequence to obtain a second state of the first equipment.
5. The method of claim 4, wherein generating a simulation sequence from the plurality of time sequences of the second time period comprises:
and generating a simulation sequence corresponding to the same class according to the time sequence which is clustered into the same class in the plurality of time sequences of the second time period, wherein each class obtained by clustering based on the plurality of time sequences corresponds to one simulation sequence.
6. An abnormality detection device characterized by comprising:
the device comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring a plurality of time sequences of first equipment in a first time period and a plurality of time sequences of a second time period, and the time sequences are used for embodying the change relationship of the running data of the first equipment along with time;
the clustering unit is used for clustering processing based on the plurality of time sequences of the first time period to obtain a first clustering result;
the clustering unit is further configured to perform clustering processing based on the plurality of time sequences of the second time period to obtain a second clustering result;
and the first analysis unit is used for determining a first state of the first equipment according to the difference between the first clustering result and the second clustering result, wherein the first state is used for representing whether the time sequence of the first equipment has correlation type abnormity.
7. The apparatus of claim 6,
in terms of performing clustering processing on the plurality of time sequences based on the first time period to obtain a first clustering result, the clustering unit is specifically configured to: smoothing the plurality of time sequences of the first time period by using a self-adaptive index average algorithm based on kurtosis change to obtain a plurality of first noise reduction sequences, and clustering the plurality of first noise reduction sequences to obtain a first clustering result;
in terms of performing clustering processing based on the plurality of time sequences of the second time period to obtain a second clustering result, the clustering unit is specifically configured to: and smoothing the plurality of time sequences in the second time period by using a self-adaptive exponential averaging algorithm based on the kurtosis change to obtain a plurality of second noise reduction sequences, and clustering the plurality of second noise reduction sequences to obtain a second clustering result.
8. The apparatus of claim 6 or 7, further comprising:
the second analysis unit is used for carrying out analysis based on the plurality of time sequences of the second time period to obtain a second state of the first equipment, wherein the second state is used for representing whether single-index abnormity exists in the plurality of time sequences of the second time period on the first equipment;
and the comprehensive unit is used for determining the final state of the first equipment according to the first state and the second state.
9. The apparatus according to claim 8, wherein the second analyzing unit is specifically configured to, in analyzing a plurality of time series based on the second time period to derive the second state of the first device:
generating a simulation sequence according to a plurality of time sequences of the second time period, wherein the simulation sequence is used for highlighting the common characteristics of the partial time sequences of the second time period;
and analyzing the simulation sequence to obtain a second state of the first equipment.
10. The apparatus according to claim 9, wherein the second analysis unit is configured to, in generating the simulation sequence from the plurality of time series of the second time period:
and generating a simulation sequence corresponding to the same class according to the time sequence which is clustered into the same class in the plurality of time sequences of the second time period, wherein each class obtained by clustering based on the plurality of time sequences corresponds to one simulation sequence.
11. An anomaly analysis device comprising a processor and a memory, wherein the memory is for storing a computer program and the processor is for invoking the computer program to perform the method of any one of claims 1-5.
12. A computer-readable storage medium, in which a computer program is stored which, when run on a processor, carries out the method of any one of claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110834259.6A CN115700553A (en) | 2021-07-22 | 2021-07-22 | Anomaly detection method and related device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110834259.6A CN115700553A (en) | 2021-07-22 | 2021-07-22 | Anomaly detection method and related device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115700553A true CN115700553A (en) | 2023-02-07 |
Family
ID=85120474
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110834259.6A Pending CN115700553A (en) | 2021-07-22 | 2021-07-22 | Anomaly detection method and related device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115700553A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117195008A (en) * | 2023-11-08 | 2023-12-08 | 山东神光航天科技有限公司 | Abnormal data processing method for air quality monitoring |
-
2021
- 2021-07-22 CN CN202110834259.6A patent/CN115700553A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117195008A (en) * | 2023-11-08 | 2023-12-08 | 山东神光航天科技有限公司 | Abnormal data processing method for air quality monitoring |
| CN117195008B (en) * | 2023-11-08 | 2024-03-12 | 山东神光航天科技有限公司 | Abnormal data processing method for air quality monitoring |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA2401685C (en) | Complex signal decomposition and modeling | |
| US9122273B2 (en) | Failure cause diagnosis system and method | |
| CN108667856B (en) | Network anomaly detection method, device, equipment and storage medium | |
| CN113518011B (en) | Abnormality detection method and apparatus, electronic device, and computer-readable storage medium | |
| US20180006900A1 (en) | Predictive anomaly detection in communication systems | |
| CN111562108A (en) | Rolling bearing intelligent fault diagnosis method based on CNN and FCMC | |
| US20150142414A1 (en) | Proactive information technology infrastructure management | |
| CN111680725B (en) | Gas sensor array multi-fault isolation algorithm based on reconstruction contribution | |
| CN109257383B (en) | BGP anomaly detection method and system | |
| CN110083507B (en) | Key performance index classification method and device | |
| CN114861788A (en) | Load abnormity detection method and system based on DBSCAN clustering | |
| US20180115465A1 (en) | Inferring a network topology | |
| CN112217650A (en) | Network blocking attack effect evaluation method, device and storage medium | |
| CN115700553A (en) | Anomaly detection method and related device | |
| Perry | Identifying the time of polynomial drift in the mean of autocorrelated processes | |
| CN111260024A (en) | Fault detection method and system based on combination of long-term and short-term memory and typical correlation | |
| CN114584377A (en) | Flow anomaly detection method, model training method, device, equipment and medium | |
| CN116684878B (en) | 5G information transmission data safety monitoring system | |
| CN111008673A (en) | Method for collecting and extracting malignant data chain in power distribution network information physical system | |
| CN111858699A (en) | Time series correlation detection method, equipment and storage medium | |
| Yang et al. | Analysing business process anomalies using discrete-time markov chains | |
| CN111654327A (en) | Service feature extraction method for optical cable fiber core remote management control | |
| CN117540325B (en) | Business database anomaly detection method and system based on data variation capture | |
| CN116346506B (en) | Intelligent protection method for network security data | |
| CN112529035B (en) | Intelligent identification method for identifying individual types of different radio stations |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication |