CN116450137A - System abnormality detection method and device, storage medium and electronic equipment - Google Patents
System abnormality detection method and device, storage medium and electronic equipment Download PDFInfo
- Publication number
- CN116450137A CN116450137A CN202310177421.0A CN202310177421A CN116450137A CN 116450137 A CN116450137 A CN 116450137A CN 202310177421 A CN202310177421 A CN 202310177421A CN 116450137 A CN116450137 A CN 116450137A
- Authority
- CN
- China
- Prior art keywords
- event
- parameter
- abnormality detection
- log
- result
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 223
- 230000005856 abnormality Effects 0.000 title claims abstract description 146
- 239000013598 vector Substances 0.000 claims abstract description 64
- 238000000034 method Methods 0.000 claims abstract description 62
- 238000012549 training Methods 0.000 claims abstract description 49
- 230000002159 abnormal effect Effects 0.000 claims description 46
- 230000015654 memory Effects 0.000 claims description 26
- 238000012795 verification Methods 0.000 claims description 18
- 238000004458 analytical method Methods 0.000 claims description 7
- 238000007635 classification algorithm Methods 0.000 claims description 6
- 238000007781 pre-processing Methods 0.000 claims description 6
- 238000004422 calculation algorithm Methods 0.000 claims description 5
- 238000012937 correction Methods 0.000 claims description 5
- 230000000694 effects Effects 0.000 description 7
- 238000010801 machine learning Methods 0.000 description 7
- 230000008859 change Effects 0.000 description 3
- 238000010586 diagram Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000008569 process Effects 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 239000007787 solid Substances 0.000 description 3
- 238000004590 computer program Methods 0.000 description 2
- 238000010276 construction Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000002547 anomalous effect Effects 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000004069 differentiation Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 230000009545 invasion Effects 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 230000006403 short-term memory Effects 0.000 description 1
- 230000011664 signaling Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/42—Syntactic analysis
- G06F8/427—Parsing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/30—Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
- G06F16/35—Clustering; Classification
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F40/00—Handling natural language data
- G06F40/20—Natural language analysis
- G06F40/205—Parsing
- G06F40/216—Parsing using statistical methods
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F40/00—Handling natural language data
- G06F40/20—Natural language analysis
- G06F40/279—Recognition of textual entities
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention discloses a method and a device for detecting system abnormality, a storage medium and electronic equipment, wherein the method comprises the following steps: analyzing the system log to obtain a plurality of log entries, and events and parameters corresponding to each log entry; carrying out semantic vectorization on the event of each log entry to obtain an event semantic vector of each log entry; carrying out event abnormality detection on event semantic vectors of each log entry by adopting an event abnormality detection model obtained based on event semantic vector sequence training to obtain event abnormality detection results; and when the event abnormality detection result is normal, carrying out parameter abnormality detection on the parameters of each log entry by adopting a parameter abnormality detection model obtained based on parameter sequence training, so as to obtain a parameter abnormality detection result. By implementing the method and the device, the event information and the parameter information in the log are fully utilized, and the problem that the judgment is inaccurate because the existing anomaly detection method does not utilize all parts of the log is avoided. The accuracy of detection is improved.
Description
Technical Field
The present invention relates to the field of log detection technologies, and in particular, to a method and apparatus for detecting system anomalies, a storage medium, and an electronic device.
Background
The system anomaly detection is an indispensable important task for detecting system faults, debugging machine performance, maintaining system safety and the like, and as the types of malicious behaviors such as loopholes, illegal invasion and the like encountered in the system operation become diversified, the types of log data generated by the system are more and more, so that the system anomaly detection also faces more and more challenges. The system log file records the running states and the events occurring in the system at different moments, and is important data for fault analysis, performance detection and system abnormality detection.
Existing system log-based anomaly detection efforts can be broadly classified into the following categories: experience-based log abnormality detection method and naive machine learning-based log abnormality detection method. The log abnormality detection method based on experience mainly comprises the step that an engineer carries out abnormality detection according to a logic programming program designed by experience of long-term abnormality detection. This is the primary method of anomaly detection for a considerable period of time. The method has the advantages that the method can fully utilize the experience of engineers in anomaly detection for a long time, and has very good effect on a plurality of obvious anomalies. In addition, such a manner conforms to human thinking logic, facilitating modification and updating. However, such a method also has disadvantages: is labor intensive and has no effect on anomalies that have never been seen.
The log abnormality detection method based on the naive machine learning method adopts a traditional machine learning method, and a machine learning model is trained from log data to detect abnormality. Such methods overcome some of the above problems: less labor intensive and also has some effect on new anomalies. However, since the method is relatively naive, some abnormalities cannot be detected, and the effect achieved is not so satisfactory.
Disclosure of Invention
In view of the above, the embodiments of the present invention provide a method, an apparatus, a storage medium, and an electronic device for detecting a system anomaly, so as to solve the technical problem in the prior art that the anomaly detection effect is poor due to the adoption of a system log.
The technical scheme provided by the invention is as follows:
an embodiment of the present invention provides a method for detecting a system anomaly, including: analyzing the system log to obtain a plurality of log entries, and events and parameters corresponding to each log entry; carrying out semantic vectorization on the event of each log entry to obtain an event semantic vector of each log entry; carrying out event abnormality detection on event semantic vectors of each log entry by adopting an event abnormality detection model obtained based on event semantic vector sequence training to obtain event abnormality detection results; and when the event abnormality detection result is normal, carrying out parameter abnormality detection on the parameters of each log entry by adopting a parameter abnormality detection model obtained based on parameter sequence training, so as to obtain a parameter abnormality detection result.
Optionally, the method for detecting system abnormality further includes: when the current system is abnormal, calculating importance between any two events based on the occurrence frequency of the any two events within a preset time distance; forming an event stream from any two events based on the importance between any two events and the magnitude of a preset threshold; accurately identifying whether the formed event stream is based on the identification result of the event stream , And judging whether to update the event abnormality detection model.
Optionally, the two events include a first event and a second event, and the importance of the two events is the importance of the second event to the first event, and the importance of the second event to the first event is determined by the ratio of the frequency of occurrence of the first event and the second event within a preset time distance to the product of the preset time distance and the frequency of the first event.
Optionally, forming any two events into an event stream based on the importance between any two events and the magnitude of the preset threshold, including: when the importance between any two events is greater than a preset threshold value, the first event and the second event form a first event stream; expanding the first event stream to include the first event, the second event and the third event when the importance of the third event to the first event and the importance of the third event to the second event are both greater than a preset threshold; if the importance of the third event to the first event is greater than a preset threshold value and the importance of the third event to the second event is less than or equal to the preset threshold value, forming a second event stream by the first event and the third event; and if the importance of the third event to the first event is smaller than or equal to a preset threshold value, keeping the first event flow unchanged.
Optionally, identifying whether the formed event stream is accurate, and based on the identification result of the event stream, determining whether to update the event anomaly detection model includes: outputting the event stream to a user so that the user can identify the event stream; if the identification result of the user on the event stream is wrong, acquiring the identification result of the user on the event stream after correction; generating a new event semantic vector sequence according to the corrected recognition result; and retraining the event abnormality detection model by using the new event semantic vector sequence to obtain an updated event abnormality detection model.
Optionally, performing semantic vectorization on the event of each log entry to obtain an event semantic vector of each log entry, including: preprocessing each log entry event; acquiring a semantic vector of a word in an event of each log entry based on a quick text classification algorithm; and calculating the semantic vector of the word in the event of each log entry by adopting a TF-IDF algorithm to obtain the event semantic vector of each log entry.
Optionally, when the result of the abnormal detection of the event is normal, performing the abnormal detection of the parameter of each log entry by using a parameter abnormal detection model obtained based on the training of the parameter sequence, and before obtaining the result of the abnormal detection of the parameter, including: dividing a parameter sequence formed by parameters of each log entry into a training set and a verification set; training by adopting parameter sequences corresponding to different types of events in the training set to obtain different parameter anomaly detection models; and verifying different parameter anomaly detection models by adopting a verification set, and generating Gaussian distribution based on a model preset result and an actual result in the verification set.
Optionally, when the result of the abnormal detection of the event is normal, the parameter abnormality detection is performed on the parameter of each log entry by using a parameter abnormality detection model obtained based on the parameter sequence training, so as to obtain the result of the abnormal detection of the parameter, including: when the event abnormality detection result is normal, carrying out parameter sequence prediction on the parameters of each log entry by adopting a parameter abnormality detection model corresponding to the current system log event to obtain a prediction result; comparing the predicted result with a parameter sequence corresponding to a current system log event, and judging whether the compared result falls in a high confidence interval of the Gaussian distribution, wherein the high confidence interval is a confidence interval larger than a first threshold value; and when the parameter is in the high confidence interval, the result of abnormal parameter detection is normal, and otherwise, the parameter is abnormal.
A second aspect of an embodiment of the present invention provides a system anomaly detection apparatus, including: the analysis module is used for analyzing the system log to obtain a plurality of log entries and events and parameters corresponding to each log entry; the vectorization module is used for carrying out semantic vectorization on the event of each log entry to obtain the event semantic vector of each log entry; the first detection module is used for carrying out event abnormality detection on the event semantic vector of each log entry by adopting an event abnormality detection model obtained based on event semantic vector sequence training to obtain an event abnormality detection result; the second detection module is used for carrying out parameter anomaly detection on the parameters of each log entry by adopting a parameter anomaly detection model obtained based on parameter sequence training when the event anomaly detection result is normal, so as to obtain a parameter anomaly detection result; and the abnormality judging module is used for determining the abnormality of the current system when the event abnormality detection result is abnormal or the parameter abnormality detection result is abnormal.
Optionally, the system abnormality detection device further includes: the importance calculating module is used for calculating the importance between any two events based on the occurrence frequency of the any two events within a preset time distance when the current system is abnormal; the event stream forming module is used for forming any two events into an event stream based on the importance between any two events and the magnitude of a preset threshold value; the identification updating module is used for accurately identifying whether the formed event stream is accurate or not, and based on the identification result of the event stream , And judging whether to update the event abnormality detection model.
Optionally, the two events include a first event and a second event, and the importance of the two events is the importance of the second event to the first event, and the importance of the second event to the first event is determined by the ratio of the frequency of occurrence of the first event and the second event within a preset time distance to the product of the preset time distance and the frequency of the first event.
Optionally, the event stream forming module is specifically configured to: when the importance between any two events is greater than a preset threshold value, the first event and the second event form a first event stream; expanding the first event stream to include the first event, the second event and the third event when the importance of the third event to the first event and the importance of the third event to the second event are both greater than a preset threshold; if the importance of the third event to the first event is greater than a preset threshold value and the importance of the third event to the second event is less than or equal to the preset threshold value, forming a second event stream by the first event and the third event; and if the importance of the third event to the first event is smaller than or equal to a preset threshold value, keeping the first event flow unchanged.
Optionally, the identification update module is specifically configured to: outputting the event stream to a user so that the user can identify the event stream; if the identification result of the user on the event stream is wrong, acquiring the identification result of the user on the event stream after correction; generating a new event semantic vector sequence according to the corrected recognition result; and retraining the event abnormality detection model by using the new event semantic vector sequence to obtain an updated event abnormality detection model.
Optionally, the vectorization module is specifically configured to: preprocessing each log entry event; acquiring a semantic vector of a word in an event of each log entry based on a quick text classification algorithm; and calculating the semantic vector of the word in the event of each log entry by adopting a TF-IDF algorithm to obtain the event semantic vector of each log entry.
Optionally, the apparatus further comprises: the Gaussian distribution construction module is specifically used for dividing a parameter sequence formed by parameters of each log entry into a training set and a verification set; training by adopting parameter sequences corresponding to different types of events in the training set to obtain different parameter anomaly detection models; and verifying different parameter anomaly detection models by adopting a verification set, and generating Gaussian distribution based on a model preset result and an actual result in the verification set.
Optionally, the second detection module is specifically configured to: when the event abnormality detection result is normal, carrying out parameter sequence prediction on the parameters of each log entry by adopting a parameter abnormality detection model corresponding to the current system log event to obtain a prediction result; comparing the predicted result with a parameter sequence corresponding to a current system log event, and judging whether the compared result falls in a high confidence interval of the Gaussian distribution, wherein the high confidence interval is a confidence interval larger than a first threshold value; and when the parameter is in the high confidence interval, the result of abnormal parameter detection is normal, and otherwise, the parameter is abnormal.
A third aspect of the embodiment of the present invention provides a computer readable storage medium, where computer instructions are stored, where the computer instructions are configured to cause the computer to execute the method for detecting a system anomaly according to any one of the first aspect and the first aspect of the embodiment of the present invention.
A fourth aspect of an embodiment of the present invention provides an electronic device, including: the system comprises a memory and a processor, wherein the memory and the processor are in communication connection, the memory stores computer instructions, and the processor executes the computer instructions so as to execute the system abnormality detection method according to any one of the first aspect and the first aspect of the embodiment of the invention.
The technical scheme provided by the invention has the following effects:
according to the method, the device, the storage medium and the electronic equipment for detecting the system abnormality, the event abnormality detection model and the parameter abnormality detection model are adopted to detect the abnormality of the system log, so that event information and parameter information in the log can be fully utilized, and the problem that the conventional abnormality detection method does not utilize all parts of the log and is inaccurate in judgment is solved. The detection accuracy is improved by adopting the detection method of the system abnormality. In addition, semantic vectorization is performed before model training is performed, so that the method can adapt to log entry formats which change at any time.
The method, the device, the storage medium and the electronic equipment for detecting the system abnormality fully utilize the event information and the parameter information in the log and train the corresponding model to detect the abnormality; in order to ensure the distinction degree and compatibility of semantic vectors, a semantic vectorization method of log events based on word embedding and TF-IDF weighting is provided; meanwhile, in order to facilitate engineers to locate and analyze the monitored anomalies, an event stream model building method is also provided, the engineers can specifically check the log event stream with problems, so that the anomalies are located and analyzed, and incorrect detection results can be corrected; finally, an incremental updating method of the anomaly detection model based on user feedback is adopted, so that the key ideas of people in a loop are reflected, and the effectiveness of the user feedback in anomaly detection is maximized.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method of detecting a system anomaly in accordance with an embodiment of the present invention;
FIG. 2 is a flow chart of a method of detecting a system anomaly in accordance with another embodiment of the present invention;
FIG. 3 is a block diagram of a system anomaly detection apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a computer-readable storage medium provided according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
The terms first, second, third, fourth and the like in the description and in the claims and in the above drawings are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an embodiment of the present invention, there is provided a method of detecting a system abnormality, it being noted that the steps shown in the flowcharts of the drawings may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from that herein.
In this embodiment, a method for detecting system anomalies is provided, which may be used in electronic devices, such as computers, mobile phones, tablet computers, etc., fig. 1 is a flowchart of a method for detecting system anomalies according to an embodiment of the present invention, as shown in fig. 1, where the method includes the following steps:
step S101: analyzing the system log to obtain a plurality of log entries, and events and parameters corresponding to each log entry. Specifically, when abnormality detection is required for the system, a system log may be obtained from the system, and analysis detection is performed on the system log to obtain a plurality of log entries in the system log, and an event and a parameter of each log entry. The obtained system log includes a historical system log and a current system log. For the system log, the text parsing and regular expression matching mode can be adopted to separate the event and the parameter of each log entry from the system log. It should be noted that, each log entry corresponds to an event, each log entry corresponds to 0 to n parameters, and n is greater than or equal to 1.
Step S102: carrying out semantic vectorization on the event of each log entry to obtain the event semantic vector of each log entry. In particular, the purpose of semantic vectorization is to enable models obtained by subsequent training to adapt to the variations of log entries. Thus, semantic vectorization needs to satisfy differentiation and compatibility. The degree of distinction refers to that the semantic vector can represent different log entries with high degree of distinction, and event semantic vectors obtained by different log entries are as far as possible different. Compatibility means that the semantic vectors are used for representing slightly changed log entries by similar vectors, and event semantic vectors obtained by similar log entries are as similar as possible to ensure the compatibility of the system.
Step S103: and carrying out event abnormality detection on the event semantic vector of each log entry by adopting an event abnormality detection model obtained based on the event semantic vector sequence training to obtain an event abnormality detection result. Specifically, when model training is performed, according to the time sequence of log entries, event semantic vectors corresponding to the log entries in the historical system log are ordered to obtain an event semantic vector sequence. And training an LSTM (long short-term memory) model by adopting an event semantic vector sequence, so that the model learns the characteristics of a normal log event sequence, and an event anomaly detection model is obtained.
When abnormality detection is carried out, the event abnormality detection model obtained through training is adopted to predict the probability that the current event and the preamble event are continuous events. For example, the event corresponding to the log entry in the current system log is k 0 The events corresponding to the log entries in the system logs are { k } 1 ,k 2 ,k 3 Prediction of { k } using a trained event anomaly detection model 1 ,k 2 ,k 3 ,k 0 The probability of a consecutive event is assumed to be p. If p is smaller than the threshold delta, the event corresponding to the log entry in the current system log is regarded as an abnormal event, namely, the event abnormality detection result is abnormal. If p is greater than or equal to the threshold delta, the event abnormality detection result is normal.
Step S104: and when the event abnormality detection result is normal, carrying out parameter abnormality detection on the parameters of each log entry by adopting a parameter abnormality detection model obtained based on parameter sequence training, so as to obtain a parameter abnormality detection result. Specifically, if the event abnormality detection result is normal, the log parameter abnormality detection may be further performed. And similar to the detection of the abnormal log event, training the LSTM model by adopting a parameter sequence formed according to a time sequence to obtain a parameter abnormal detection model. And then predicting the current system log parameters by adopting a parameter anomaly detection model, and determining a parameter anomaly detection result based on comparison of the prediction result and the actual parameters.
Step S105: and when the event abnormality detection result is abnormal or the parameter abnormality detection result is abnormal, determining that the current system is abnormal. Specifically, when either the result of abnormality detection of an event or the result of abnormality detection of a parameter is abnormal, it is determined that the current system is abnormal.
The system abnormality detection method provided by the embodiment of the invention adopts the event abnormality detection model and the parameter abnormality detection model to carry out abnormality detection on the system log, can fully utilize the event information and the parameter information in the log, and avoids the problem that the conventional abnormality detection method does not utilize each part of the log and judges inaccurately. The detection accuracy is improved by adopting the detection method of the system abnormality. In addition, semantic vectorization is performed before model training is performed, so that the method can adapt to log entry formats which change at any time.
In one embodiment, performing semantic vectorization on events of each log entry to obtain event semantic vectors of each log entry, including the following steps:
step S201: preprocessing each log entry event; specifically, the preprocessing is mainly used for removing non-literal characters in the log entry event, so that subsequent semantic vectorization is facilitated.
Step S202: acquiring a semantic vector of a word in an event of each log entry based on a quick text classification algorithm; specifically, the fast text classification algorithm FastText may be employed to derive a semantic vector of words within each log entry event, which may represent L= [ v 1 ,v 2 ,…,v N ]Wherein v is i Semantic vectors representing the i-th word.
Step S203: and calculating the semantic vector of the word in the event of each log entry by adopting a TF-IDF algorithm to obtain the event semantic vector of each log entry. In particular, if a word occurs more frequently in a journal entry, this means that the word is more representative of the journal entry. Thus, the Term Frequency (TF) is used to describe its importance, as follows:
where #word is the number of target words in the journal entry and #total is the total number of words in the journal entry.
If a word occurs very frequently in all log entries, this means that the word is not representative for a certain log entry. Therefore Inverse Document Frequency (IDF) is used to describe its importance, the formula is as follows:
where #L is the total number of log entries, #L word Is the number of journal entries that contain the target word.
For each word, the coefficient w is formulated as follows:
w(word)=TF(word)×IDF(word)
where #word is the number of target words in the journal entry and #total is the total number of words in the journal entry.
Whereby the event semantic vector for a certain log entry is as follows:
wherein N represents the number of words in the event of the log entry, w i Representing v i Is a coefficient of (a).
In one embodiment, when the result of the abnormal detection of the event is normal, the abnormal detection of the parameter of each log entry is performed by using a parameter abnormal detection model trained based on a parameter sequence, so as to obtain the result of the abnormal detection of the parameter, including the following steps:
step S301: dividing a parameter sequence formed by parameters of each log entry into a training set and a verification set; specifically, when training the parameter anomaly detection model, each log entry parameter obtained by historical system log analysis is adopted. The verification set obtained by dividing is applied to subsequent parameter anomaly detection.
Step S302: and training by adopting parameter sequences corresponding to different types of events in the training set to obtain different parameter anomaly detection models. Specifically, when training the parameter anomaly detection model, training parameters corresponding to different types of events to obtain a plurality of parameter anomaly detection models. Firstly, classifying the events obtained by analyzing the historical system logs, and then arranging the parameters corresponding to the events in each classified category according to a time sequence to obtain a parameter sequence corresponding to each classified category. And then training a parameter anomaly detection model by adopting a parameter sequence corresponding to each category. Therefore, by training a plurality of parameter anomaly detection models, the accuracy of subsequent parameter detection can be improved. Wherein the parameter sequence is expressed in such a way that, for example, for an event of the k1 class, the parameter sequence thereof is { [ t ] 2 -t 1 ,0.61],[t′ 2 -t′ 1 ,1],…},[t 2 -t 1 ,0.61]The parameter sequence representing the first k 1 The event occurs at t 2 At the moment of time, the last event (not necessarily k 1 ) Occurs at t 1 Time, k 1 One parameter in the event is 0.61; [ t ]' 2 -t′ 1 ,1]Representing the second k 1 The event occurs at t' 2 The parameter is 1 at the moment.
Step S303: and verifying different parameter anomaly detection models by adopting a verification set, and generating Gaussian distribution based on a model preset result and an actual result in the verification set. Specifically, during verification, based on a parameter sequence in a verification set, if the parameter sequence at a first moment is input into a model, a parameter sequence at a second moment is predicted, wherein the second moment is the next moment of the first moment. And then, the predicted result and the actual parameter sequence at the corresponding moment are subjected to difference, and Gaussian distribution is generated according to the difference.
When the result of the event abnormality detection is normal, carrying out parameter abnormality detection on the parameters of each log entry by adopting a parameter abnormality detection model obtained based on parameter sequence training to obtain the result of the parameter abnormality detection, and comprising the following steps:
step S304: when the event abnormality detection result is normal, carrying out parameter sequence prediction on the parameters of each log entry by adopting a parameter abnormality detection model corresponding to the current system log event to obtain a prediction result; specifically, if the event abnormality detection result is normal, performing parameter abnormality detection by using a trained parameter abnormality detection model. Because the trained parameter anomaly detection model comprises a plurality of models corresponding to various events, after the event of each log entry in the current system log is acquired, the category of the event is judged, so that the corresponding parameter anomaly detection model is determined, and the parameter anomaly detection model is adopted to predict and acquire the parameter corresponding to the event of each log entry in the current system log.
Step S305: and comparing the predicted result with a parameter sequence corresponding to the current system log event, and judging whether the compared result falls in a high confidence interval of the Gaussian distribution, wherein the high confidence interval is a confidence interval larger than a first threshold value. Specifically, the predicted parameters and the parameters corresponding to the current system log obtained by actual analysis are compared and differenced, and whether the difference value falls in a high confidence interval of Gaussian distribution is judged.
Step S306: and when the parameter is in the high confidence interval, the result of abnormal parameter detection is normal, and otherwise, the parameter is abnormal.
In one embodiment, the method for detecting system anomalies further includes the steps of:
step S401: when the current system is abnormal, the importance between any two events is calculated based on the frequency of occurrence of any two events within a preset time distance.
Wherein when a current system anomaly is detected based on the current system log, an event stream may be established for facilitating a user or engineer to locate and analyze log entries of the detected anomaly. When the event stream is established, the log entries with close relations are divided into a cluster according to the occurrence frequency among the log entries, and the log entries with not close relations are separated. When the event stream is established, the importance of any two events can be calculated based on the occurrence frequency of any two events, so as to judge whether the event stream can be formed between any two events.
Specifically, the arbitrary two events include a first event and a second event, and the importance of the arbitrary two events is the importance of the second event to the first event, and the importance of the second event to the first event is determined by the ratio of the frequency of occurrence of the first event and the second event within a preset time distance to the product of the preset time distance and the frequency of the first event. That is, the importance of the second event to the first event is calculated using the following formula:
Wherein k is i Represents a first event, k j Representing a second event, f d (k i ,k j ) Is (k) i ,k j ) For frequencies occurring within a time distance d, d.f (k i ) Representing the product of the distance d and the frequency of the first event.
Step S402: and forming any two events into an event stream based on the importance between any two events and the magnitude of a preset threshold.
Wherein, based on the importance between any two events and the magnitude of a preset threshold, forming any two events into an event stream, including: when the importance between any two events is greater than a preset threshold value, the first event and the second event form a first event stream; expanding the first event stream to include the first event, the second event and the third event when the importance of the third event to the first event and the importance of the third event to the second event are both greater than a preset threshold; if the importance of the third event to the first event is greater than a preset threshold value and the importance of the third event to the second event is less than or equal to the preset threshold value, forming a second event stream by the first event and the third event; and if the importance of the third event to the first event is smaller than or equal to a preset threshold value, keeping the first event flow unchanged.
Specifically, after calculating the importance between any two events, if the importance is greater than a preset threshold, it is indicated that the two events can form an event stream, i.e. k i ,k j Are joined together to form T 1 =[k i ,k j ]The method comprises the steps of carrying out a first treatment on the surface of the Then expanding the event stream, judging whether other events can be filled into the event stream, namely calculating the importance of the other events and the events in the event stream set; if the other events are third events, judging whether the importance of the third events to the first event and the importance of the third events to the second event are both larger than a preset threshold value, and if so, judging that the importance of the third events to the first event is larger than the preset threshold value tau, namely p 1 (k i ,k x )>And p is 2 (k j ,k x )>T is then 1 Can be extended to k x ,k i ,k j ]. If the importance of the third event to the first event is greater than the preset threshold and the importance of the third event to the second event is less than or equal to the preset threshold, namely p 1 (k i ,k x )>But p is 2 (k j ,k x ) And (T) generating a second event stream T 2 =[k i ,k x ]. If the importance of the third event to the first event is less than or equal to a preset threshold, namely p 1 (k i ,k x ) And τ, then keep the first event stream T 1 Is unchanged. And then judging other events, such as a fourth event, a fifth event and the like, wherein the judging mode is the same as the judging mode of the third event, and finally the formed event stream forms an event stream set.
Step S403: accurately identifying whether the formed event stream is based on the identification result of the event stream , And judging whether to update the event abnormality detection model.
The method for judging whether the formed event stream is accurately identified, and based on the identification result of the event stream, whether the event abnormality detection model is updated or not comprises the following steps: outputting the event stream to a user so that the user can identify the event stream; if the identification result of the user on the event stream is wrong, acquiring the identification result of the user on the event stream after correction; generating a new event semantic vector sequence according to the corrected recognition result; and retraining the event abnormality detection model by using the new event semantic vector sequence to obtain an updated event abnormality detection model.
Specifically, the event stream is output to the user for recognition, so that the incremental updating method of the event abnormality detection model based on user feedback is realized, the idea of a person in a loop is embodied, and the utility of the user feedback in abnormality detection can be maximized. It should be noted that Human-in-the-loop (Human-in-the-loop) refers to the fact that during the machine learning model landing process, the user can participate in the iteration and update of the machine learning model, thereby maximizing the utility of the user-provided Human experience in machine learning model landing.
For the event stream set formed in step S402, it may be presented to the user, who determines whether there is an error. If the result is wrong, the correct result is put into the model again for training. The model is updated and the erroneous results are corrected. Specifically, the history sequence { k ] is input in the event abnormality detection model 1 ,k 2 ,k 3 And determines that the event of the next log entry should be k 1 ,k 2 The probability of (2) is p respectively 1 ,p 2 . While the event of the next log entry is actually k 3 The probability is 0. The event anomaly detection model marks the sequence as anomalous and the resulting event stream is fed back to the user. If the user informs the model that the feedback result is wrong. Model will { k 1 ,k 2 ,k 3 →k 3 Adding to the training data. The next encounter { k 1 ,k 2 ,k 3 The model will be updated with the updated probability p 1 ,p 2 ,p 3 Simultaneously output k 1 ,k 2 And k 3 。
According to the system anomaly detection method provided by the embodiment of the invention, event information and parameter information in the log are fully utilized, and the corresponding LSTM model is trained to detect anomalies; in order to ensure the distinction degree and compatibility of semantic vectors, a semantic vectorization method of log events based on word embedding and TF-IDF weighting is provided; meanwhile, in order to facilitate engineers to locate and analyze the monitored anomalies, an event stream model building method is also provided, the engineers can specifically check the log event stream with problems, so that the anomalies are located and analyzed, and incorrect detection results can be corrected; finally, an incremental updating method of the anomaly detection model based on user feedback is adopted, so that the key ideas of people in a loop are reflected, and the effectiveness of the user feedback in anomaly detection is maximized.
In one embodiment, as shown in fig. 2, the method for detecting the system abnormality is implemented by the following flow: a system log is obtained, and is analyzed to obtain a plurality of log entries, and events and parameters corresponding to each log entry; carrying out semantic vectorization on the event of each log entry to obtain an event semantic vector sequence; respectively training an LSTM model for the obtained event semantic vector sequence and parameters of the log entries to obtain a corresponding event abnormality detection model and a parameter abnormality detection model, and adopting the two models to detect and judge whether the current system is abnormal for the current system log; if the event is abnormal, an event stream is constructed and fed back to the user, the user identifies a specific abnormal event, and the LSTM model is retrained by adopting the updated event sequence to realize incremental updating of the model.
The embodiment of the invention also provides a device for detecting system abnormality, as shown in fig. 3, the device comprises:
the analysis module is used for analyzing the system log to obtain a plurality of log entries and events and parameters corresponding to each log entry; the specific content refers to the corresponding parts of the above method embodiments, and will not be described herein.
The vectorization module is used for carrying out semantic vectorization on the event of each log entry to obtain the event semantic vector of each log entry; the specific content refers to the corresponding parts of the above method embodiments, and will not be described herein.
The first detection module is used for carrying out event abnormality detection on the event semantic vector of each log entry by adopting an event abnormality detection model obtained based on event semantic vector sequence training to obtain an event abnormality detection result; the specific content refers to the corresponding parts of the above method embodiments, and will not be described herein.
The second detection module is used for carrying out parameter anomaly detection on the parameters of each log entry by adopting a parameter anomaly detection model obtained based on parameter sequence training when the event anomaly detection result is normal, so as to obtain a parameter anomaly detection result; the specific content refers to the corresponding parts of the above method embodiments, and will not be described herein.
And the abnormality judging module is used for determining the abnormality of the current system when the event abnormality detection result is abnormal or the parameter abnormality detection result is abnormal. The specific content refers to the corresponding parts of the above method embodiments, and will not be described herein.
The system abnormality detection device provided by the embodiment of the invention adopts the event abnormality detection model and the parameter abnormality detection model to carry out abnormality detection on the system log, can fully utilize the event information and the parameter information in the log, and avoids the problem that the conventional abnormality detection method does not utilize each part of the log and judges inaccurately. The detection accuracy is improved by adopting the detection method of the system abnormality. In addition, semantic vectorization is performed before model training is performed, so that the method can adapt to log entry formats which change at any time.
The functional description of the system abnormality detection device provided by the embodiment of the invention refers to the description of the system abnormality detection method in the embodiment.
Optionally, the system abnormality detection device further includes: the importance calculating module is used for calculating the importance between any two events based on the occurrence frequency of the any two events within a preset time distance when the current system is abnormal; event stream forming module for based on arbitrary twoThe importance among the events and the size of a preset threshold value form an event stream from any two events; the identification updating module is used for accurately identifying whether the formed event stream is accurate or not, and based on the identification result of the event stream , And judging whether to update the event abnormality detection model.
Optionally, the two events include a first event and a second event, and the importance of the two events is the importance of the second event to the first event, and the importance of the second event to the first event is determined by the ratio of the frequency of occurrence of the first event and the second event within a preset time distance to the product of the preset time distance and the frequency of the first event.
Optionally, the event stream forming module is specifically configured to: when the importance between any two events is greater than a preset threshold value, the first event and the second event form a first event stream; expanding the first event stream to include the first event, the second event and the third event when the importance of the third event to the first event and the importance of the third event to the second event are both greater than a preset threshold; if the importance of the third event to the first event is greater than a preset threshold value and the importance of the third event to the second event is less than or equal to the preset threshold value, forming a second event stream by the first event and the third event; and if the importance of the third event to the first event is smaller than or equal to a preset threshold value, keeping the first event flow unchanged.
Optionally, the identification update module is specifically configured to: outputting the event stream to a user so that the user can identify the event stream; if the identification result of the user on the event stream is wrong, acquiring the identification result of the user on the event stream after correction; generating a new event semantic vector sequence according to the corrected recognition result; and retraining the event abnormality detection model by using the new event semantic vector sequence to obtain an updated event abnormality detection model.
Optionally, the vectorization module is specifically configured to: preprocessing each log entry event; acquiring a semantic vector of a word in an event of each log entry based on a quick text classification algorithm; and calculating the semantic vector of the word in the event of each log entry by adopting a TF-IDF algorithm to obtain the event semantic vector of each log entry.
Optionally, the apparatus further comprises: the Gaussian distribution construction module is specifically used for dividing a parameter sequence formed by parameters of each log entry into a training set and a verification set; training by adopting parameter sequences corresponding to different types of events in the training set to obtain different parameter anomaly detection models; and verifying different parameter anomaly detection models by adopting a verification set, and generating Gaussian distribution based on a model preset result and an actual result in the verification set.
Optionally, the second detection module is specifically configured to: when the event abnormality detection result is normal, carrying out parameter sequence prediction on the parameters of each log entry by adopting a parameter abnormality detection model corresponding to the current system log event to obtain a prediction result; comparing the predicted result with a parameter sequence corresponding to a current system log event, and judging whether the compared result falls in a high confidence interval of the Gaussian distribution, wherein the high confidence interval is a confidence interval larger than a first threshold value; and when the parameter is in the high confidence interval, the result of abnormal parameter detection is normal, and otherwise, the parameter is abnormal.
The embodiment of the present invention also provides a storage medium, as shown in fig. 4, on which a computer program 601 is stored, which when executed by a processor, implements the steps of the system anomaly detection method in the above embodiment. The storage medium also stores audio and video stream data, characteristic frame data, interactive request signaling, encrypted data, preset data size and the like. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a Flash Memory (Flash Memory), a Hard Disk (HDD), or a Solid State Drive (SSD); the storage medium may also comprise a combination of memories of the kind described above.
It will be appreciated by those skilled in the art that implementing all or part of the above-described embodiment method may be implemented by a computer program to instruct related hardware, where the program may be stored in a computer readable storage medium, and the program may include the above-described embodiment method when executed. Wherein the storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a Flash Memory (Flash Memory), a Hard Disk (HDD), or a Solid State Drive (SSD); the storage medium may also comprise a combination of memories of the kind described above.
The embodiment of the present invention further provides an electronic device, as shown in fig. 5, where the electronic device may include a processor 51 and a memory 52, where the processor 51 and the memory 52 may be connected by a bus or other means, and in fig. 5, the connection is exemplified by a bus.
The processor 51 may be a central processing unit (Central Processing Unit, CPU). The processor 51 may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or combinations thereof.
The memory 52 serves as a non-transitory computer readable storage medium that may be used to store non-transitory software programs, non-transitory computer-executable programs, and modules, such as corresponding program instructions/modules in embodiments of the present invention. The processor 51 executes various functional applications of the processor and data processing by running non-transitory software programs, instructions, and modules stored in the memory 52, that is, implements the method of detecting a system abnormality in the above-described method embodiment.
The memory 52 may include a memory program area that may store an operating device, an application program required for at least one function, and a memory data area; the storage data area may store data created by the processor 51, etc. In addition, memory 52 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 52 may optionally include memory located remotely from processor 51, which may be connected to processor 51 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory 52 and when executed by the processor 51 perform the method of detecting a system anomaly in the embodiment shown in fig. 1-2.
The specific details of the electronic device may be understood correspondingly with reference to the corresponding related descriptions and effects in the embodiments shown in fig. 1 to 2, which are not repeated here.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.
Claims (11)
1. A method for detecting a system anomaly, comprising:
analyzing the system log to obtain a plurality of log entries, and events and parameters corresponding to each log entry;
carrying out semantic vectorization on the event of each log entry to obtain an event semantic vector of each log entry;
carrying out event abnormality detection on event semantic vectors of each log entry by adopting an event abnormality detection model obtained based on event semantic vector sequence training to obtain event abnormality detection results;
when the event abnormality detection result is normal, parameter abnormality detection is carried out on the parameters of each log entry by adopting a parameter abnormality detection model obtained based on parameter sequence training, and a parameter abnormality detection result is obtained;
And when the event abnormality detection result is abnormal or the parameter abnormality detection result is abnormal, determining that the current system is abnormal.
2. The method for detecting a system anomaly according to claim 1, further comprising:
when the current system is abnormal, calculating importance between any two events based on the occurrence frequency of the any two events within a preset time distance;
forming an event stream from any two events based on the importance between any two events and the magnitude of a preset threshold;
accurately identifying whether the formed event stream is based on the identification result of the event stream , And judging whether to update the event abnormality detection model.
3. The method for detecting a system anomaly according to claim 2, wherein the arbitrary two events include a first event and a second event, the importance of the arbitrary two events being the importance of the second event to the first event, the importance of the second event to the first event being determined by a ratio of the frequency of occurrence of the first event and the second event within a preset time distance to a product of the preset time distance and the frequency of the first event.
4. The method for detecting system anomalies according to claim 3, wherein forming any two events into an event stream based on the importance between any two events and the magnitude of a preset threshold, comprises:
When the importance between any two events is greater than a preset threshold value, the first event and the second event form a first event stream;
expanding the first event stream to include the first event, the second event and the third event when the importance of the third event to the first event and the importance of the third event to the second event are both greater than a preset threshold;
if the importance of the third event to the first event is greater than a preset threshold value and the importance of the third event to the second event is less than or equal to the preset threshold value, forming a second event stream by the first event and the third event;
and if the importance of the third event to the first event is smaller than or equal to a preset threshold value, keeping the first event flow unchanged.
5. The method for detecting system anomalies according to claim 2, wherein identifying whether the formed event stream is accurate, and determining whether to update the event anomaly detection model based on the identification result of the event stream, comprises:
outputting the event stream to a user so that the user can identify the event stream;
if the identification result of the user on the event stream is wrong, acquiring the identification result of the user on the event stream after correction;
generating a new event semantic vector sequence according to the corrected recognition result;
And retraining the event abnormality detection model by using the new event semantic vector sequence to obtain an updated event abnormality detection model.
6. The method for detecting system anomalies according to claim 1, wherein semantically vectorizing events of each log entry, to obtain event semantic vectors of each log entry, includes:
preprocessing each log entry event;
acquiring a semantic vector of a word in an event of each log entry based on a quick text classification algorithm;
and calculating the semantic vector of the word in the event of each log entry by adopting a TF-IDF algorithm to obtain the event semantic vector of each log entry.
7. The method for detecting system anomalies according to claim 1, wherein when the result of the event anomaly detection is normal, the parameter anomaly detection model based on the parameter sequence training is adopted to perform the parameter anomaly detection on the parameters of each log entry, and before the result of the parameter anomaly detection is obtained, the method comprises:
dividing a parameter sequence formed by parameters of each log entry into a training set and a verification set;
training by adopting parameter sequences corresponding to different types of events in the training set to obtain different parameter anomaly detection models;
And verifying different parameter anomaly detection models by adopting a verification set, and generating Gaussian distribution based on a model preset result and an actual result in the verification set.
8. The method for detecting system anomalies according to claim 7, wherein when the result of the event anomaly detection is normal, the parameter anomaly detection is performed on the parameters of each log entry using a parameter anomaly detection model trained based on a parameter sequence to obtain a result of the parameter anomaly detection, comprising:
when the event abnormality detection result is normal, carrying out parameter sequence prediction on the parameters of each log entry by adopting a parameter abnormality detection model corresponding to the current system log event to obtain a prediction result;
comparing the predicted result with a parameter sequence corresponding to a current system log event, and judging whether the compared result falls in a high confidence interval of the Gaussian distribution, wherein the high confidence interval is a confidence interval larger than a first threshold value;
and when the parameter is in the high confidence interval, the result of abnormal parameter detection is normal, and otherwise, the parameter is abnormal.
9. A system abnormality detection device, comprising:
the analysis module is used for analyzing the system log to obtain a plurality of log entries and events and parameters corresponding to each log entry;
The vectorization module is used for carrying out semantic vectorization on the event of each log entry to obtain the event semantic vector of each log entry;
the first detection module is used for carrying out event abnormality detection on the event semantic vector of each log entry by adopting an event abnormality detection model obtained based on event semantic vector sequence training to obtain an event abnormality detection result;
the second detection module is used for carrying out parameter anomaly detection on the parameters of each log entry by adopting a parameter anomaly detection model obtained based on parameter sequence training when the event anomaly detection result is normal, so as to obtain a parameter anomaly detection result;
and the abnormality judging module is used for determining the abnormality of the current system when the event abnormality detection result is abnormal or the parameter abnormality detection result is abnormal.
10. A computer-readable storage medium storing computer instructions for causing the computer to execute the method of detecting a system abnormality according to any one of claims 1 to 8.
11. An electronic device, comprising: a memory and a processor, said memory and said processor being communicatively coupled to each other, said memory storing computer instructions, said processor executing said computer instructions to perform the method for detecting a system anomaly as claimed in any one of claims 1-8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310177421.0A CN116450137A (en) | 2023-02-23 | 2023-02-23 | System abnormality detection method and device, storage medium and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310177421.0A CN116450137A (en) | 2023-02-23 | 2023-02-23 | System abnormality detection method and device, storage medium and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116450137A true CN116450137A (en) | 2023-07-18 |
Family
ID=87132696
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310177421.0A Pending CN116450137A (en) | 2023-02-23 | 2023-02-23 | System abnormality detection method and device, storage medium and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116450137A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116633767A (en) * | 2023-07-20 | 2023-08-22 | 科大讯飞股份有限公司 | Inter-machine communication abnormality detection method, device, equipment and storage medium |
-
2023
- 2023-02-23 CN CN202310177421.0A patent/CN116450137A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116633767A (en) * | 2023-07-20 | 2023-08-22 | 科大讯飞股份有限公司 | Inter-machine communication abnormality detection method, device, equipment and storage medium |
| CN116633767B (en) * | 2023-07-20 | 2023-12-01 | 科大讯飞股份有限公司 | Inter-machine communication abnormality detection method, device, equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111967571B (en) | Abnormality detection method and device based on MHMA | |
| US10795753B2 (en) | Log-based computer failure diagnosis | |
| US11120127B2 (en) | Reconstruction-based anomaly detection | |
| US11294754B2 (en) | System and method for contextual event sequence analysis | |
| Vodenčarević et al. | Identifying behavior models for process plants | |
| US20160369777A1 (en) | System and method for detecting anomaly conditions of sensor attached devices | |
| CN108460397B (en) | Method and device for analyzing equipment fault type, storage medium and electronic equipment | |
| CN111190804A (en) | Multi-level deep learning log fault detection method for cloud native system | |
| CN111026653B (en) | Abnormal program behavior detection method and device, electronic equipment and storage medium | |
| US20200334578A1 (en) | Model training apparatus, model training method, and program | |
| CN113282461A (en) | Alarm identification method and device for transmission network | |
| CN111625516A (en) | Method and device for detecting data state, computer equipment and storage medium | |
| KR20200072169A (en) | Method and system for anomaly behavior detection using machine learning | |
| CN113760670A (en) | Cable joint abnormity early warning method and device, electronic equipment and storage medium | |
| CN116450137A (en) | System abnormality detection method and device, storage medium and electronic equipment | |
| CN114118295A (en) | Anomaly detection model training method, anomaly detection device and medium | |
| CN116743637B (en) | Abnormal flow detection method and device, electronic equipment and storage medium | |
| CN113282920A (en) | Log abnormity detection method and device, computer equipment and storage medium | |
| CN110704614B (en) | Information processing method and device for predicting user group type in application | |
| US20230376758A1 (en) | Multi-modality root cause localization engine | |
| CN112882898A (en) | Anomaly detection method, system, device and medium based on big data log analysis | |
| CN115617614A (en) | Log sequence anomaly detection method based on time interval perception self-attention mechanism | |
| CN115278757A (en) | Method and device for detecting abnormal data and electronic equipment | |
| EP3686812A1 (en) | System and method for context-based training of a machine learning model | |
| CN114610613A (en) | Online real-time micro-service call chain abnormity detection method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |