Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
The terms referred to in this application are explained first:
Alarm data, which refers to the alarm signal that the monitoring unit gives according to the failure condition when the alarm system fails. In general, an alarm may be represented by one or more of an alarm occurrence time, the name of the device in which the alarm occurs, an alarm type or alarm name, and an alarm elimination time.
Item sets, single item sets, k-item sets, and frequent item sets. A set of items is referred to as an item set. An item set that contains k items may be referred to as a k-item set. When k=1, the item set may also be referred to as a single item set. A frequent item set is a set of items that occur frequently in a database. In this application, the items in the item set are alarms, so the item set may also be referred to as an alarm item set or an event item set.
Support, which refers to the proportion of a certain item set in the whole dataset.
Confidence, which is defined for a certain association rule. For the association rule "A -> B", it is the probability that B occurs given that A occurs.
Association rules, which are derived on the basis of frequent item sets. An association rule states that from item set A, item set B can be deduced with some confidence.
Network topology, which refers to the physical layout of the various devices interconnected by a transmission medium, is a specific physical (i.e., real) or logical (i.e., virtual) arrangement of the devices that make up the network. If the connection structures of two networks are identical we say that their network topologies are identical, although the physical connections, inter-node distances within each may be different.
With the development and popularization of virtualized networks, network architecture keeps evolving. The alarms generated by network equipment have evolved from alarms of the original hardware equipment into complex alarms arising from the interaction of hardware equipment and virtual equipment. In this context, the alarm volume has multiplied. Network operation and maintenance personnel who still use the traditional monitoring mode when facing millions of alarms encounter the following problems: the alarm quantity is too large to monitor in full; important alarms are buried under a large number of alarms and are easy to miss; accumulated manual experience is insufficient under the new network architecture, so a complete set of association rules is difficult to sort out; and the network topology is complex, so a failure of any node in the network structure can affect other nodes, which makes manually sorting out the root cause of a large number of alarms even more difficult. Against this background, it is particularly important to obtain accurate and practical association rules for the new network architecture, so as to compress alarms and reduce the fault dispatching quantity.
The generation of the main association rules is currently focused mainly on two aspects. Firstly, all alarms in a certain time period are acquired, and the alarms are used as input of an association rule algorithm through the association rule algorithm, so that association rules among the alarms are generated. For example, in a related art, information between alarms is converted into a relationship between vectors, approximate frequent items are obtained according to the relationship between vectors, and then an alarm association rule is generated according to the approximate frequent items. In another related technology, an alarm genealogy is constructed according to standardized alarm data and feature fields corresponding to each type of alarm data; and mining the alarm association rule according to the preset alarm rule mining parameters based on the alarm genealogy to obtain the mined alarm association rule.
In still another related art, a network element topology constraint model is added on the basis of the related art, and the constraint model is utilized to locate faults. For example, by constructing a network element topology constraint model; detecting the running state of each network element device in the managed network to find out fault events; collecting fault events; and carrying out time layer association and space layer association on the collected fault events by using a network element topology constraint model, and determining the fault position.
In summary, in the related art, alarm association mostly depends on the algorithm and not on logic, so many invalid association rules are produced, resulting in lower closed-loop efficiency. Where a network element topology constraint is added to alarm association, the topology model is constructed with protocols such as the Simple Network Management Protocol (SNMP) and the Internet Control Message Protocol (ICMP); in a virtualized network, constructing the topology with these protocols alone is no longer applicable, and if the topology of the virtualized network cannot be built, the constraints no longer hold. In addition, in all the current schemes, the mining of association rules is completed through offline training, and the mined rules are then judged by manual experience before being applied to the production environment.
The method for determining the associated data of the alarm data aims to solve the technical problems in the prior art.
The following describes the technical solutions of the present application and how the technical solutions of the present application solve the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
FIG. 1 is a diagram illustrating a method of determining associated data of alert data according to an exemplary embodiment, as shown in FIG. 1, the method of determining associated data of alert data may include:
110. Acquiring alarm data and a network topological graph, wherein the network topological graph comprises an association relation between alarm devices generating the alarm data, and the alarm devices comprise physical devices and virtual devices.
The execution body of the present embodiment may be, for example, an electronic device, or a terminal device, or a processing apparatus or device that may execute the association data determining method of alert data, or other apparatus or device that may execute the present embodiment, without limitation. The present embodiment describes an electronic device as an execution body.
In some embodiments, the electronic device may be coupled to a database of alert data, which may store alert data generated over a period of time as well as alert data generated in real-time. The electronic device may call the alert data occurring within a specified time period from the database of alert data, thereby obtaining alert data. Wherein the number of the alarm data is a plurality. Alternatively, the alert data may include an alert occurrence time, a name of a device in which the alert occurs, an alert type, an alert identification, an alert name, and the like.
In some implementations, an electronic device may connect to a cloudized network to generate a network topology map in conjunction with cloudized network resources. Illustratively, as shown in FIG. 2, the network topology map may be a vertical clouding network topology map, which may include a network element layer, a virtual layer, a host layer, a TOR layer, an EOR layer, and a routing layer, connected sequentially from top to bottom. Each layer may include a plurality of nodes; for example, the network element layer may include a node a1, the virtual layer may include a node b1 to a node bn, the host layer may include a node c1 to a node cn, and the TOR layer may include a node d1 to a node dn. The nodes of different layers may be connected to each other. For example, the node c1 of the host layer is connected to the node d1 of the TOR layer, which may indicate that there is an association relationship between the device corresponding to the node c1 and the device corresponding to the node d1, or may be regarded as a logical relationship between the device corresponding to the node c1 and the device corresponding to the node d1. Some of the plurality of nodes represent physical devices and some represent virtual devices.
As an example, the network element layer may be a network function virtualization (Network Functions Virtualization, NFV) lateral clouding network topology generated in connection with clouding network resources, in which the base network elements are all down-hanging on a bus, so that an overview of the overall situation of the network elements may be made. The specific reference may be made to a network topology diagram of a 5GC network element in the prior art, and thus will not be described herein. The network element layer mainly comprises physical equipment corresponding to the nodes. The alarm data may occur in a device corresponding to any node in the network topology. Optionally, the electronic device may store the network topology map in its cache after generating the network topology map by clouding the network resources.
In the embodiment, the network topology of the horizontal and vertical integration of the virtualized network is introduced into the data mining process of the alarm association rule. Under the virtual network background, different devices are connected with the novel network topological relation from the logical relation, so that the alarm entering the association rule is ensured to be data with relation in physical and logical relation, the accuracy of the association rule is ensured, and the association efficiency is improved.
120. Mining the alarm data based on a preset mining rule to obtain a plurality of initial association rules, wherein the initial association rules comprise two alarm data which are associated with each other.
In some embodiments, the preset mining rule may include an FP-growth algorithm, and association rules are mined from the obtained alarm data by using the FP-growth algorithm, so that a plurality of initial association rules may be obtained. Illustratively, the resulting plurality of initial association rules may include an initial association rule u1, an initial association rule u2, an initial association rule u3, and so on, where the initial association rule u1 may be expressed as: {network management alarm ID1, network management alarm ID2, support degree S, confidence degree D}, in which the network management alarm ID1 and the network management alarm ID2 respectively represent the alarm identifications of two alarm data. Similarly, the representation of the other initial association rules, such as initial association rule u2 and initial association rule u3, may refer to initial association rule u1.
130. According to the network topology graph, determining an initial association rule with an association relation between alarm devices corresponding to two alarm data in a plurality of initial association rules as a target association rule.
Taking the initial association rule u1 as an example, the electronic device may find the device that generates the alarm data in the network topology map through the network management alarm ID1, find the device that generates the alarm data in the network topology map through the network management alarm ID2, and determine whether the two devices have an association relationship in the network topology map, that is, whether the two devices have a connection in the network topology map, if so, determine that the initial association rule u1 is a target association rule. And so on, each initial association rule in the plurality of initial association rules is traversed in the mode, and the target association rule can be screened from the plurality of initial association rules.
140. And determining association data associated with the alarm data to be analyzed according to the target association rule.
In some embodiments, the electronic device may apply the association rule obtained above to an actual production system to perform mining of association data. Along with the above example, for example, in an actual production system, alarm data corresponding to the network management alarm ID1 is generated, and by using the obtained target association rule, alarm data corresponding to the network management alarm ID2 can be extracted as the associated data. The actual production system can generate alarm data in real time.
It can be seen that, in this embodiment, by acquiring the alarm data and the network topology map, the network topology map includes an association relationship between alarm devices where the alarm data occurs, and the alarm devices include physical devices and virtual devices; mining the alarm data based on a preset mining rule to obtain a plurality of initial association rules, wherein the initial association rules comprise two alarm data which are associated with each other; according to the network topology graph, determining an initial association rule with an association relation between alarm devices corresponding to two alarm data in a plurality of initial association rules as a target association rule; and determining association data associated with the alarm data to be analyzed according to the target association rule. Because the network topology graph comprises the association relation between the alarm devices generating the alarm data, the logic relation between the alarm data can be determined through the network topology graph, namely, after a plurality of initial association rules are obtained by mining the alarm data through a preset mining rule, whether the logic relation exists in the plurality of initial association rules or not is verified through the network topology graph, and after the initial association rules which are not passed through verification are filtered, the association rules with the existing algorithm and the logic association can be obtained, so that the accuracy of the obtained target association rule is ensured, and the accuracy of the association data corresponding to the alarm data to be analyzed, which is determined through the target association rule, is further improved.
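The flow of steps 110 to 140 can be illustrated with the following added example, which is not code from the application. It replaces FP-growth with plain pair counting over sliding windows to keep the topology check in focus, and the alarms, node names, connection lines, thresholds and function names are all constructed for illustration; it also assumes that the devices for an alarm identification are those that raised it in the sample.

```python
from collections import Counter, defaultdict
from itertools import permutations

# Constructed sample alarms: (occurrence time in seconds, device node, alarm ID).
ALARMS = [
    (0, "c1", "ID1"), (5, "d1", "ID2"), (8, "b7", "ID9"),
    (60, "c1", "ID1"), (66, "d1", "ID2"), (69, "b7", "ID9"),
    (120, "c1", "ID1"), (123, "d1", "ID2"),
    (180, "b7", "ID9"), (185, "c1", "ID1"),
]

# Constructed topology: undirected connection lines between nodes
# (for example host c1 to TOR d1). b7 has no line to c1 or d1.
EDGES = {("b1", "c1"), ("c1", "d1"), ("b7", "c7")}


def window_item_sets(alarms, t1, t2, tw, tl):
    """Slide a window of length tw by step tl over [t1, t2) and return
    the set of alarm IDs seen in each non-empty window."""
    item_sets = []
    start = t1
    while start < t2:
        ids = frozenset(a[2] for a in alarms if start <= a[0] < start + tw)
        if ids:
            item_sets.append(ids)
        start += tl
    return item_sets


def mine_pair_rules(item_sets, min_support, min_confidence):
    """Step 120 (simplified): rules (A, B, support, confidence) for A -> B."""
    n = len(item_sets)
    item_count, pair_count = Counter(), Counter()
    for ids in item_sets:
        item_count.update(ids)
        pair_count.update(permutations(sorted(ids), 2))
    rules = []
    for (a, b), cnt in sorted(pair_count.items()):
        support = cnt / n                 # share of windows containing A and B
        confidence = cnt / item_count[a]  # P(B in window | A in window)
        if support >= min_support and confidence >= min_confidence:
            rules.append((a, b, support, confidence))
    return rules


def filter_by_topology(rules, alarms, edges):
    """Step 130: keep a rule only if some device raising A is connected
    to some device raising B in the topology."""
    devices = defaultdict(set)
    for _, device, alarm_id in alarms:
        devices[alarm_id].add(device)

    def connected(x, y):
        return (x, y) in edges or (y, x) in edges

    return [r for r in rules
            if any(connected(x, y) for x in devices[r[0]] for y in devices[r[1]])]


def associated_ids(target_rules, alarm_id):
    """Step 140: alarm IDs associated with an alarm to be analyzed."""
    return sorted(b for a, b, _, _ in target_rules if a == alarm_id)


def demo():
    item_sets = window_item_sets(ALARMS, t1=0, t2=210, tw=30, tl=30)
    initial = mine_pair_rules(item_sets, min_support=0.5, min_confidence=0.7)
    target = filter_by_topology(initial, ALARMS, EDGES)
    return initial, target


if __name__ == "__main__":
    initial, target = demo()
    print("initial rules:", initial)
    print("target rules:", target)
    print("associated with ID1:", associated_ids(target, "ID1"))
```

In the constructed data, ID9 co-occurs with ID1 often enough to pass the support and confidence thresholds, but its device b7 has no connection line to c1, so the rule is removed at step 130.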
Fig. 3 is a diagram illustrating a method of determining association data of alarm data according to another exemplary embodiment, and as shown in fig. 3, the method of determining association data of alarm data may include:
210. Acquiring alarm data and a network topological graph, wherein the network topological graph comprises an association relation between alarm devices generating the alarm data, and the alarm devices comprise physical devices and virtual devices.
220. Mining the alarm data based on a preset mining rule to obtain a plurality of initial association rules, wherein the initial association rules comprise two alarm data which are associated with each other.
230. According to the network topology graph, determining an initial association rule with an association relation between alarm devices corresponding to two alarm data in a plurality of initial association rules as a target association rule.
The specific embodiments of step 210 to step 230 can refer to step 110 to step 130, and are not described herein.
240. Mining a plurality of first association rules from a plurality of alarm data generated by a pre-production system according to preset mining rules; the pre-production system is used for generating a plurality of alarm data in a specified scene.
In some embodiments, the electronic device may mine the plurality of alert data generated by the pre-production system by using a preset mining rule for mining the initial association rule, so as to obtain the first association rule.
It will be appreciated that since the mining environment of the pre-production system may be different than the mining environment corresponding to the initial association rule, the first association rule mined in the production system may be different from the initial association rule, e.g., the device is designated as on in the mining environment corresponding to the initial association rule and the device is designated as off in the mining environment corresponding to the first association rule.
Optionally, the specified scene may be a payment scene, an online ride-hailing scene, a take-out platform ordering scene, etc., which is not limited herein, and the user may set the specified scene according to his own needs.
250. A second association rule corresponding to the target association rule is determined from the plurality of first association rules.
In some embodiments, the network topology map includes a network element topology map, the network element topology map includes a network element name corresponding to the alarm data, the alarm data of the first association rule includes main alarm data and sub alarm data, and the specific embodiment of step 250 may include:
for each first association rule of the plurality of first association rules, if the first association rule is determined to meet a specified condition, the first association rule is determined to be a second association rule, wherein the specified condition comprises:
The alert identification of the primary alert data of the first association rule is the same as the first alert identification of the target association rule.
The alert identification of the sub-alert data of the first association rule is the same as the second alert identification of the target association rule.
The network element names in the network topology map corresponding to the main alarm data are the same as the network element names in the network topology map corresponding to the sub alarm data, and the alarm level of the main alarm data is the same as the alarm level of the sub alarm data.
Illustratively, the specified conditions pre-stored in the electronic device may include: the main alarm condition, the sub-alarm condition and the anchor point relation condition between the main alarm and the sub-alarm.
As an example, the main alarm condition is: the alarm identifier (i.e., the network management alarm ID) of one alarm data in the first association rule is equal to the value of the network management alarm ID1 in the target association rule u1. The sub-alarm condition is: the alarm identifier of the other alarm data in the first association rule is equal to the value of the network management alarm ID2 in the target association rule u1. The anchor point relation between the main alarm and the sub alarm is: the network element name of the main alarm in the first association rule is equal to the network element name of the sub alarm && the alarm level of the main alarm is equal to the alarm level of the sub alarm, where && means that both are satisfied. The electronic device may determine a first association rule that satisfies the specified condition as the second association rule.
Optionally, the electronic device may preset an adaptive period T, and each time the adaptive period T passes in the process of mining the association rule in the pre-production system by using the preset mining rule, the second association rule corresponding to the target association rule may be determined from the plurality of first association rules by using the specific embodiment of step 250.
260. And acquiring a corresponding alarm data set of the second association rule, and grouping the alarm data sets according to the alarm identifications corresponding to each alarm data in the alarm data set to obtain alarm data sets corresponding to each alarm identification.
For example, the electronic device may group according to the network management alarm ID pair, and the group G is obtained as follows: {network management alarm ID1: {main alarm 1_1 {sub alarm 1_1_1, sub alarm 1_1_2, ...}, main alarm 1_2 {sub alarm 1_2_1, sub alarm 1_2_2, ...}, ...}, network management alarm ID2: {main alarm 2_1 {sub alarm 2_1_1, sub alarm 2_1_2, ...}, main alarm 2_2 {sub alarm 2_2_1, sub alarm 2_2_2, ...}, ...}}. It can be seen that the network management alarm ID1 corresponds to one alarm data set, and the network management alarm ID2 corresponds to one alarm data set.
270. And calculating the association coefficient of the alarm data group aiming at the alarm data group corresponding to each alarm identifier, determining the alarm identifier corresponding to the alarm data group as a target alarm identifier and determining the second association rule corresponding to the target alarm identifier as a third association rule under the condition that the association coefficient is larger than or equal to the coefficient threshold. Wherein the association coefficient characterizes the degree of association between the main alarm data and the sub alarm data in the alarm data group.
In some embodiments, where the alert data set includes a plurality of primary alert data including a plurality of secondary alert data, a specific embodiment of step 270 may include:
271. For the alarm data group corresponding to each alarm identifier, if it is determined according to the network topological graph that no association relation exists between the main alarm data and a sub alarm data, deleting the sub alarm data from the alarm data group to obtain a new alarm data group.
The specific embodiment of determining whether the association relationship exists between the main alarm data and the sub alarm data according to the network topology map may refer to step 130, and will not be described herein.
Continuing the above example, take the alarm data group corresponding to the network management alarm ID1, {network management alarm ID1: {main alarm 1_1 {sub alarm 1_1_1, sub alarm 1_1_2, ...}, ...}}. If it is determined according to the network topology that there is no association between the main alarm 1_1 and the sub alarm 1_1_2, the sub alarm 1_1_2 may be deleted from the alarm data group corresponding to the network management alarm ID1, giving a new alarm data group {network management alarm ID1: {main alarm 1_1 {sub alarm 1_1_1, ...}, ...}}.
272. And determining the association coefficient of the alarm data group according to the new alarm data group and the alarm data group.
In some embodiments, the specific implementation of step 272 may include:
calculating the association coefficient of the alarm data group by the following formula:
wherein R is the association coefficient of the alarm data group, n is the number of association relations between the main alarm corresponding network topology graph of the new alarm data group and other alarm data, m is the number of association relations between the main alarm corresponding network topology graph of the alarm data group and other alarm data, cnt is the number of association relations between the main alarm data and the sub alarm data,
for alarm data set->
Is a new alarm data set. Where i represents the ith alarm data set.
It can be understood that the above-mentioned association relationships may be equivalent to the connection lines in the network topology, so the number of association relationships is equivalent to the number of connection lines.
Along with the above example, after the association coefficient of each alarm data set is calculated through the above formula, the association coefficient of each alarm data set may be compared with a coefficient threshold, and if the association coefficient is greater than the coefficient threshold, the alarm identifier of the alarm data set corresponding to the association coefficient may be determined as the target alarm identifier, and the second association rule corresponding to the target alarm identifier may be determined as the third association rule. For example, the coefficient threshold is 0.7, if the association coefficient of the alarm data set is greater than 0.7, the association rule corresponding to the alarm data set may be reserved and determined as a third association rule, otherwise, the association rule corresponding to the alarm data set is deleted.
In some embodiments, after step 271, this step 270 can further comprise:
and if the number of the deleted sub alarms in the new alarm data set is greater than or equal to the number threshold, deleting the new alarm data set from the alarm data set.
Using the example above, if a new alarm data set is determined according to step 271
The number of the alarms removed from the alarm data set is 50% of the number of the alarms in the original alarm data set, and the electronic equipment can send the new alarm data set
And (5) removing.
280. And returning to execute the operation of mining a plurality of first association rules from a plurality of alarm data generated by the pre-production system according to the preset mining rules until the execution times reach the designated times, obtaining a plurality of third association rules, and updating the target association rules according to the plurality of third association rules. Wherein the specified times correspond to the specified scene.
For example, the designated scenes may be classified into high-frequency scenes, low-frequency scenes, etc. according to the frequency of use of the pre-production system. For example, scenes such as car reservation and property may be determined as low-frequency scenes, and scenes such as online ride-hailing and take-out ordering may be determined as high-frequency scenes. The designated times corresponding to a high-frequency scene are larger than the designated times corresponding to a low-frequency scene.
As an example, the designated number of times may be 20, and the electronic device may repeatedly perform the operations of steps 240 to 270 20 times, so that a plurality of third association rules may be obtained, and update the target association rule according to the plurality of third association rules. Alternatively, the original target association rule may be replaced with a plurality of third association rules, thereby updating the target association rule. A plurality of third association rules may be added to the set of original target association rules, so as to update the target association rules.
290. And determining association data associated with the alarm data to be analyzed according to the target association rule.
The specific embodiment of step 290 can refer to step 140, and thus is not described herein.
For example, as shown in fig. 4, the implementation flow of steps 210 to 290 may be implemented by the electronic device, where the alarm management system includes a database, an association rule management module, and a message platform, where the database includes alarm data, the association rule management module is used to manage association rules obtained by mining, and the message platform is used to provide data required by the pre-production system. As an example, the electronic device may call alert data from a database and compress the alert data to obtain compressed alert data.
Then, the compressed alarm data is subjected to preliminary association rule mining, so that preliminary association rules can be obtained, a horizontal and vertical clouded network topology (i.e. a network topology diagram in the embodiment) can be generated through clouding network resources while the preliminary association rules are obtained, and the preliminary association rules are verified by combining the network topology diagram, so that the association rules 1 passing verification (i.e. target association rules in the embodiment) can be obtained. And providing a pre-production system through relevant data of the message platform, applying a target association rule to the pre-production system, carrying out rule tuning in combination with a network topology graph to obtain an association rule 2 (namely a third association rule in the embodiment), and finally sending the association rule 2 to an association rule management module for storage, so that the association rule management module can apply the association rule 2 to a real production system to carry out association data mining on alarm data generated in real time.
In consideration of the above target association rule, the rule is not applied to the required scene for tuning, resulting in low accuracy and poor practicality of the associated result.
Fig. 5 is a diagram illustrating a method of determining association data of alarm data according to still another exemplary embodiment, and as shown in fig. 5, the method of determining association data of alarm data may include:
310. Acquiring alarm data and a network topological graph, wherein the network topological graph comprises an association relation between alarm devices generating the alarm data, and the alarm devices comprise physical devices and virtual devices.
320. Mining the alarm data based on a preset mining rule to obtain a plurality of initial association rules, wherein the initial association rules comprise two alarm data which are associated with each other. The initial association rule includes a first alert identification of the first alert data and a second alert identification of the second alert data.
In some embodiments, a specific implementation of step 320 may include:
mining alarm data through preset mining parameters and an FP-growth algorithm to obtain a plurality of initial association rules; the mining parameters comprise an occurrence time period, a sliding window duration, a sliding step length, a minimum support degree and a minimum confidence degree of the alarm data.
Illustratively, the electronic device may set the mining parameters {alarm occurrence time period T [T1, T2], sliding window duration TW, sliding step length TL, minimum support S, minimum confidence D} and carry out association rule mining based on the FP-growth algorithm to obtain the mining rules U = {u1, u2, u3, ...}, wherein u1 is {network management alarm ID1, network management alarm ID2, support S, confidence D}.
The FP tree is built based on the FP-growth algorithm, and the process of finding the frequent pattern set F (i.e., a plurality of initial association rules) is as follows:
Scan the alarm data set, count all the alarm data as element items, and remove the data sets (hereinafter called item sets) that do not meet the preset minimum support. Filter and sort each item set: filtering removes the element items that do not meet the minimum support, and sorting is based on the absolute occurrence frequency of the element items, with more frequent element items placed earlier. Create a root node containing only the empty set and add each filtered and sorted item set to the tree in turn; if the path already exists in the tree, increase the value on the corresponding element items, and if the path does not exist, create a new path. This yields the FP-tree, from which the frequent item set F is obtained.
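The FP-tree construction just described, followed by recursive mining of conditional pattern bases, is shown in the added example below; it is not code from the application. The window item sets, the minimum count and all names are constructed for illustration, and minimum support is expressed as an absolute count (support = count / number of item sets).

```python
from collections import defaultdict

# Constructed item sets: the alarm IDs seen in each sliding window.
WINDOWS = [
    {"ID1", "ID2", "ID9"},
    {"ID1", "ID2", "ID9"},
    {"ID1", "ID2"},
    {"ID1", "ID9"},
    {"ID4"},
]


class FPNode:
    def __init__(self, item, parent):
        self.item, self.parent, self.count = item, parent, 0
        self.children = {}


def build_fp_tree(weighted_sets, min_count):
    """weighted_sets: list of (items, count). Returns (root, header, freq),
    where header maps each frequent item to its nodes in the tree."""
    freq = defaultdict(int)
    for items, cnt in weighted_sets:
        for item in set(items):
            freq[item] += cnt
    # Filtering: drop element items below the minimum support.
    freq = {item: c for item, c in freq.items() if c >= min_count}

    root, header = FPNode(None, None), defaultdict(list)
    for items, cnt in weighted_sets:
        # Sorting: most frequent element items first (ties broken by name).
        ordered = sorted((i for i in set(items) if i in freq),
                         key=lambda i: (-freq[i], i))
        node = root
        for item in ordered:
            child = node.children.get(item)
            if child is None:            # path does not exist: create it
                child = node.children[item] = FPNode(item, node)
                header[item].append(child)
            child.count += cnt           # path exists: increase the value
            node = child
    return root, header, freq


def fp_growth(weighted_sets, min_count, suffix=frozenset()):
    """Return {frozenset(item set): count} for every frequent item set."""
    _, header, freq = build_fp_tree(weighted_sets, min_count)
    found = {}
    for item in sorted(freq, key=lambda i: (freq[i], i)):
        item_set = suffix | {item}
        found[item_set] = freq[item]
        # Conditional pattern base: the prefix path above each node of `item`,
        # weighted by that node's count.
        base = []
        for node in header[item]:
            path, parent = [], node.parent
            while parent is not None and parent.item is not None:
                path.append(parent.item)
                parent = parent.parent
            if path:
                base.append((path, node.count))
        found.update(fp_growth(base, min_count, item_set))
    return found


def frequent_alarm_sets(windows, min_count):
    return fp_growth([(w, 1) for w in windows], min_count)


if __name__ == "__main__":
    for item_set, count in sorted(frequent_alarm_sets(WINDOWS, 2).items(),
                                  key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        print(sorted(item_set), count, count / len(WINDOWS))
```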
It can be understood that the above network management alarm ID1 and network management alarm ID2 can map out readability rules. For example, the network management alarm ID mined by the association rule may map alarm data such as vendor, specialty, equipment type, alarm level, alarm type, alarm title, etc.
In some embodiments, a specific implementation of step 320 may include:
321. Compressing the alarm data to obtain compressed alarm data.
In some embodiments, specific embodiments of step 321 may comprise:
filtering specified alarm data in the alarm data to obtain compressed alarm data, wherein the specified alarm data comprises alarm data which is not uploaded to the cloud and/or engineering alarms.
Alarms that are not uploaded to the cloud are mostly generated during the adjustment stage and do not need close attention, so the electronic device can filter out the alarm data which is not uploaded to the cloud. In addition, because alarms generated during engineering work do not need attention, the electronic device can filter out the engineering alarms in the alarm data at the same time.
In other embodiments, specific embodiments of step 321 may comprise:
carrying out standardized processing on the alarm data to obtain an alarm identifier corresponding to the alarm data, wherein the alarm identifier comprises a plurality of fields, each field in the plurality of fields corresponds to one type of alarm information in the alarm data, and the alarm information comprises an alarm level, an alarm title, an alarm type, alarm interpretation and equipment information for generating the alarm data; and determining the alarm identification as compressed alarm data.
Optionally, standardizing the alarm data may further include field dimension compression. An existing network management alarm has hundreds of field attribute values, for example {manufacturer alarm unique identifier, time of occurrence, specialty, manufacturer, device type, alarm object type, alarm title, alarm type, ...}. The alarm is first standardized, after which each alarm has a network management alarm ID attribute. The network management alarm ID is the unified code for the standardized alarms of the manufacturers and identifies alarms of the same type, that is, alarms with the same specialty, manufacturer, device type, alarm title, manufacturer alarm level and the like. An alarm standardized by the network management alarm ID carries information such as a standard alarm name, an alarm level and an alarm interpretation. Taking the network management alarm ID shown in Table 1 as an example:
TABLE 1
As shown in Table 1, the left side of Table 1 is the original alarm information that has not been standardized, in which the manufacturer alarm IDs are expressed in different ways and the alarm levels are also expressed in different ways. After standardization, the alarm IDs are uniformly represented by multi-field network management alarm IDs and the alarm levels are represented in a uniform format, which makes subsequent association rule mining of the alarm data convenient. After standardization, the network management alarm ID represents the related alarm, so only the network management alarm ID and the time need to enter the mining algorithm. The multiple field attribute values are mapped in key-value form into a single attribute value, which reduces memory matching consumption and improves association mining efficiency. The key can be the network management alarm ID (namely the alarm identifier), and the value can represent the alarm level, the alarm interpretation and the like corresponding to the network management alarm ID.
In some embodiments, standardizing the alarm data may further include alarm classification and grouping. Specifically, the electronic device can classify and group alarms of the same kind by their network management alarm IDs, and the subsequent association rules are also associated according to the network management alarm IDs, so that the association accuracy can be greatly improved. As an example, a network management alarm ID may mark a series of alarms having some identical characteristics. For instance, the alarm identifier with the network management alarm ID 2005-001-125-10-000001 corresponds to the series of alarms with specialty: virtualization-VEPC, manufacturer: Ericsson, device type: PCRF, alarm object type: PCRF, alarm title: A Fallback Operation will soon be started, alarm type: original alarm of the device.
Optionally, the method may further include streaming the alarm data, and specifically, the electronic device may acquire the alarm data within a specified time range, and input the alarm data into the processing engine in a streaming input manner as data input of association rule mining.
322. Mining the compressed alarm data based on a preset mining rule to obtain a plurality of initial association rules.
The specific embodiment of step 322 may refer to step 120, and thus is not described herein.
330. For each initial association rule of the plurality of initial association rules, determining a first alarm device corresponding to the first alarm data according to the first alarm identifier, and determining a second alarm device corresponding to the second alarm data according to the second alarm identifier.
Taking an initial association rule u1 as an example, the initial association rule u1 is represented as {network management alarm ID1, network management alarm ID2, support S, confidence D}, where the network management alarm ID1 is the first alarm identifier and the network management alarm ID2 is the second alarm identifier. Because different fields of the alarm identifier map to different alarm information, the first alarm device that generated the network management alarm ID1 can be mapped from the corresponding field of the first alarm identifier. Likewise, the second alarm device that generated the network management alarm ID2 can be mapped from the corresponding field of the second alarm identifier.
340. If the first alarm device and the second alarm device are determined to have an association relation in the network topology map, determining the initial association rule as a target association rule.
Continuing the above example, the electronic device may determine whether a connection exists between the first alarm device and the second alarm device in the network topology map. If so, it may determine that an association exists between the first alarm device and the second alarm device, and may determine the initial association rule u1 as the target association rule.
350. Determining association data associated with the alarm data to be analyzed according to the target association rule.
The specific embodiment of step 350 may refer to step 140, and thus is not described herein.
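The flow of steps 320 to 340, as an added example that is not part of the original application: sliding windows turn time-stamped alarms into item sets, two-alarm rules are kept when they meet the minimum support and confidence, and a rule survives only if its two devices are linked in the topology map. The alarm IDs, device names, ID-to-device table and thresholds are constructed, and direct pair counting stands in for FP-growth, which yields the same two-item frequent sets.

```python
from collections import Counter
from itertools import combinations

# Constructed sample alarms: (occurrence time in seconds, network management alarm ID).
ALARMS = [
    (10, "NM-A"), (20, "NM-B"), (30, "NM-C"),
    (130, "NM-A"), (140, "NM-B"),
    (250, "NM-A"), (260, "NM-B"), (270, "NM-C"),
    (370, "NM-C"),
    (490, "NM-A"), (500, "NM-B"), (510, "NM-C"),
]
# Assumption: the alarm device is resolved from the alarm ID through a lookup table.
ID_TO_DEVICE = {"NM-A": "vm-host-1", "NM-B": "pcrf-1", "NM-C": "router-9"}
# Constructed topology map: undirected links between devices.
TOPOLOGY = {frozenset(("vm-host-1", "pcrf-1")), frozenset(("router-9", "switch-3"))}


def build_item_sets(alarms, t1, t2, tw, tl):
    """Slide a window of duration tw by step tl over [t1, t2); one item set per window."""
    item_sets = []
    for start in range(t1, t2, tl):
        ids = frozenset(aid for ts, aid in alarms
                        if start <= ts < start + tw and t1 <= ts < t2)
        if ids:  # empty windows carry no information for mining
            item_sets.append(ids)
    return item_sets


def mine_pair_rules(item_sets, min_support, min_confidence):
    """Return rules (ID1, ID2, support, confidence) for every frequent alarm pair."""
    total = len(item_sets)
    single = Counter(i for s in item_sets for i in s)
    pairs = Counter(p for s in item_sets for p in combinations(sorted(s), 2))
    rules = []
    for (a, b), count in pairs.items():
        support = count / total
        if support < min_support:
            continue
        # Each frequent pair can yield a rule in either direction.
        for first, second in ((a, b), (b, a)):
            confidence = count / single[first]
            if confidence >= min_confidence:
                rules.append((first, second, support, confidence))
    return rules


def filter_by_topology(rules, id_to_device, topology):
    """Keep only rules whose two alarm devices are connected in the topology map."""
    target = []
    for first, second, support, confidence in rules:
        link = frozenset((id_to_device[first], id_to_device[second]))
        if link in topology:
            target.append((first, second, support, confidence))
    return target


def run():
    item_sets = build_item_sets(ALARMS, t1=0, t2=600, tw=120, tl=60)
    initial = mine_pair_rules(item_sets, min_support=0.5, min_confidence=0.7)
    target = filter_by_topology(initial, ID_TO_DEVICE, TOPOLOGY)
    return item_sets, initial, target


if __name__ == "__main__":
    item_sets, initial, target = run()
    print(f"{len(item_sets)} item sets, {len(initial)} initial rules")
    for first, second, support, confidence in target:
        print(f"target rule {first} -> {second}: S={support:.3f} D={confidence:.3f}")
```

In the sample, NM-C co-occurs with the other two alarms often enough to pass both thresholds, yet its rules are dropped because router-9 has no link to either device.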
Considering that, in the process of mining association rules, the alarm data has too many attributes, more hardware resources and time are needed in the mining process and association mining efficiency is reduced.
Fig. 6 shows an apparatus for determining associated data of alarm data according to an exemplary embodiment. As shown in Fig. 6, the apparatus 400 may include:
the information obtaining module 410 is configured to obtain alarm data and a network topology map, where the network topology map includes an association relationship between alarm devices that generate the alarm data, and the alarm devices include a physical device and a virtual device.
The rule mining module 420 is configured to mine the alarm data based on a preset mining rule, so as to obtain a plurality of initial association rules, where the initial association rules include two alarm data that are associated with each other.
The target association rule determining module 430 is configured to determine, according to the network topology map, an initial association rule of the plurality of initial association rules for which an association relationship exists between the alarm devices corresponding to its two pieces of alarm data as a target association rule.
The association data determining module 440 is configured to determine association data associated with the alarm data to be analyzed according to the target association rule.
In some embodiments, the initial association rule includes a first alarm identifier of first alarm data and a second alarm identifier of second alarm data, and the target association rule determining module 430 is specifically configured to determine, for each initial association rule of the plurality of initial association rules, a first alarm device corresponding to the first alarm data according to the first alarm identifier, and determine a second alarm device corresponding to the second alarm data according to the second alarm identifier; and if the first alarm device and the second alarm device are determined to have an association relation in the network topology map, determine the initial association rule as the target association rule.
In some embodiments, the apparatus 400 may further include: a target association rule update module, the target association rule update module comprising:
A first association rule determining sub-module, configured to mine a plurality of first association rules from a plurality of alarm data generated by the pre-production system according to the preset mining rules; the pre-production system is used for generating a plurality of alarm data under a specified scene.
A second association rule determining sub-module, configured to determine a second association rule corresponding to the target association rule from the plurality of first association rules.
An alarm data set determining sub-module, configured to acquire the alarm data set corresponding to the second association rule, and group the alarm data set according to the alarm identifier corresponding to each alarm data in the alarm data set to obtain an alarm data set corresponding to each alarm identifier.
A second association rule determining sub-module, configured to calculate, for each alarm data set corresponding to the alarm identifier, an association coefficient of the alarm data set, determine, when the association coefficient is greater than or equal to a coefficient threshold, the alarm identifier corresponding to the alarm data set as a target alarm identifier, and determine, as a third association rule, the second association rule corresponding to the target alarm identifier; wherein the association coefficient characterizes the association degree between the main alarm data and the sub alarm data in the alarm data group.
A return execution sub-module, configured to return to the operation of mining the plurality of first association rules from the plurality of alarm data generated by the pre-production system according to the preset mining rules until the number of executions reaches a designated number, so as to obtain a plurality of third association rules, wherein the designated number corresponds to the specified scenes.
An updating sub-module, configured to update the target association rule according to the plurality of third association rules.
In some embodiments, the network topology graph includes a network element topology graph, the network element topology graph includes a network element name corresponding to alarm data, the alarm data of the first association rule includes main alarm data and sub alarm data, and the second association rule determining submodule is specifically configured to determine, for each first association rule of the plurality of first association rules, the first association rule as the second association rule if it is determined that the first association rule meets a specified condition, where the specified condition includes: the alarm identification of the main alarm data of the first association rule is the same as the first alarm identification of the target association rule; the alarm identification of the sub alarm data of the first association rule is the same as the second alarm identification of the target association rule; the network element name of the main alarm data corresponding to the network topological graph is the same as the network element name of the sub alarm data corresponding to the network topological graph, and the alarm level of the main alarm data is the same as the alarm level of the sub alarm data.
In some embodiments, the alarm data set includes a plurality of main alarm data, the main alarm data includes a plurality of sub alarm data, and the second association rule determining sub-module is specifically further configured to determine, for each alarm identifier, an alarm data set corresponding to the alarm identifier, and if it is determined that there is no association between the main alarm data and the sub alarm data according to the network topology map, delete the sub alarm data from the alarm data set, to obtain a new alarm data set; and determining the association coefficient of the alarm data group according to the new alarm data group and the alarm data group.
In some embodiments, the second association rule determining submodule is specifically further configured to calculate an association coefficient of the alarm data set according to the following formula:
wherein R is the association coefficient of the alarm data group, n is the number of association relations between the main alarm of the new alarm data group and other alarm data in the network topological graph, m is the number of association relations between the main alarm of the alarm data group and other alarm data in the network topological graph, cnt is the number of association relations between the main alarm data and the sub alarm data,
For alarm data set->
Is a new alarm data set.
In some embodiments, the target association rule updating module is further configured to delete the new alarm data set from the alarm data set if it is determined that the number of deleted sub-alarms in the new alarm data set is greater than or equal to a number threshold.
In some embodiments, the rule mining module 420 is specifically configured to mine the alarm data through a preset mining parameter and FP-growth algorithm, so as to obtain a plurality of initial association rules; the mining parameters include the occurrence time period of the alarm data, the duration of the sliding window, the sliding step length, the minimum support degree and the minimum confidence degree.
In some embodiments, the rule mining module 420 is specifically configured to compress the alarm data to obtain compressed alarm data; and mine the compressed alarm data based on a preset mining rule to obtain a plurality of initial association rules.
In some embodiments, the rule mining module 420 is specifically further configured to filter specified alarm data in the alarm data to obtain the compressed alarm data, where the specified alarm data includes alarm data which is not uploaded to the cloud and/or engineering alarms.
In some embodiments, the rule mining module 420 is specifically further configured to perform standardization processing on the alarm data to obtain an alarm identifier corresponding to the alarm data, where the alarm identifier includes a plurality of fields, each field of the plurality of fields corresponds to one type of alarm information in the alarm data, and the alarm information includes an alarm level, an alarm title, an alarm type, an alarm interpretation, and information on the device that generated the alarm data; and determine the alarm identifier as the compressed alarm data.
Fig. 7 is a schematic diagram of an electronic device, which may be a computer, a server, or the like, according to an exemplary embodiment. The electronic device may be equivalent to the server in the above embodiment, or the electronic device may be equivalent to the server client in the above embodiment.
Electronic device 800 may include one or more of the following components: a processing component 802, a memory 804, a power component 806, a multimedia component 808, an audio component 810, an input/output (I/O) interface 812, a sensor component 814, and a communication component 816.
The processing component 802 generally controls overall operation of the electronic device 800, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. The processing component 802 may include one or more processors 820 to execute instructions to perform all or part of the steps of the methods described above. Further, the processing component 802 can include one or more modules that facilitate interactions between the processing component 802 and other components. For example, the processing component 802 can include a multimedia module to facilitate interaction between the multimedia component 808 and the processing component 802.
The memory 804 is configured to store various types of data to support operations at the electronic device 800. Examples of such data include instructions for any application or method operating on the electronic device 800, contact data, phonebook data, messages, pictures, videos, and so forth. The memory 804 may be implemented by any type or combination of volatile or nonvolatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk.
The power component 806 provides power to the various components of the electronic device 800. The power component 806 may include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power for the electronic device 800.
The multimedia component 808 includes a screen that provides an output interface between the electronic device 800 and the user. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from a user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensor may sense not only a boundary of a touch or a sliding action but also a duration and a pressure related to the touch or the sliding operation. In some embodiments, the multimedia component 808 includes a front camera and/or a rear camera. When the electronic device 800 is in an operational mode, such as a shooting mode or a video mode, the front camera and/or the rear camera may receive external multimedia data. Each front camera and rear camera may be a fixed optical lens system or have focal length and optical zoom capabilities.
The audio component 810 is configured to output and/or input audio signals. For example, the audio component 810 includes a Microphone (MIC) configured to receive external audio signals when the electronic device 800 is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signals may be further stored in the memory 804 or transmitted via the communication component 816. In some embodiments, audio component 810 further includes a speaker for outputting audio signals.
The I/O interface 812 provides an interface between the processing component 802 and peripheral interface modules, which may be a keyboard, click wheel, buttons, etc. These buttons may include, but are not limited to: homepage button, volume button, start button, and lock button.
The sensor assembly 814 includes one or more sensors for providing status assessment of various aspects of the electronic device 800. For example, the sensor assembly 814 may detect an on/off state of the electronic device 800 and a relative positioning of components, such as a display and keypad of the electronic device 800. The sensor assembly 814 may also detect a change in position of the electronic device 800 or a component of the electronic device 800, the presence or absence of a user's contact with the electronic device 800, an orientation or acceleration/deceleration of the electronic device 800, and a change in temperature of the electronic device 800. The sensor assembly 814 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. The sensor assembly 814 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 814 may also include an acceleration sensor, a gyroscopic sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 816 is configured to facilitate communication between the electronic device 800 and other devices, either wired or wireless. The electronic device 800 may access a wireless network based on a communication standard, such as WiFi, 2G, or 3G, or a combination thereof. In one exemplary embodiment, the communication component 816 receives broadcast signals or broadcast related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 816 described above further includes a Near Field Communication (NFC) module to facilitate short range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the electronic device 800 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic elements for executing the methods described above.
In an exemplary embodiment, a non-transitory computer readable storage medium is also provided, such as memory 804 including instructions executable by processor 820 of electronic device 800 to perform the above-described method. For example, the non-transitory computer readable storage medium may be ROM, Random Access Memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
In an exemplary embodiment, a non-transitory computer readable storage medium is also provided; when the instructions in the storage medium are executed by a processor of a terminal device, the terminal device is caused to perform the above-described method for determining associated data of alarm data.
In an exemplary embodiment, a computer program product is also provided, comprising a computer program which, when executed by a processor, performs the method of determining associated data of alarm data in the above-described embodiments.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the present application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.