CN116542507A - Process abnormality detection method, electronic device, computer storage medium, and program product - Google Patents

Process abnormality detection method, electronic device, computer storage medium, and program product Download PDF

Info

Publication number
CN116542507A
CN116542507A CN202310210030.4A CN202310210030A CN116542507A CN 116542507 A CN116542507 A CN 116542507A CN 202310210030 A CN202310210030 A CN 202310210030A CN 116542507 A CN116542507 A CN 116542507A
Authority
CN
China
Prior art keywords
flow
graph
nodes
directed graph
node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310210030.4A
Other languages
Chinese (zh)
Inventor
刘毅
姚卓磊
倪伟军
张彦
陈润青
李昕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba China Co Ltd
Original Assignee
Alibaba China Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba China Co Ltd filed Critical Alibaba China Co Ltd
Priority to CN202310210030.4A priority Critical patent/CN116542507A/en
Publication of CN116542507A publication Critical patent/CN116542507A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063Operations research, analysis or management
    • G06Q10/0633Workflow analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/901Indexing; Data structures therefor; Storage structures
    • G06F16/9024Graphs; Linked lists
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/30Computing systems specially adapted for manufacturing

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Human Resources & Organizations (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • Economics (AREA)
  • Entrepreneurship & Innovation (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Software Systems (AREA)
  • Educational Administration (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Game Theory and Decision Science (AREA)
  • Development Economics (AREA)
  • Tourism & Hospitality (AREA)
  • Quality & Reliability (AREA)
  • Operations Research (AREA)
  • Marketing (AREA)
  • Health & Medical Sciences (AREA)
  • General Business, Economics & Management (AREA)
  • Artificial Intelligence (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Evolutionary Computation (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The embodiment of the application provides a flow anomaly detection method, electronic equipment, a computer storage medium and a program product, wherein the flow anomaly detection method comprises the following steps: obtaining a flow directed graph comprising a plurality of flow nodes; performing feature extraction on the flow directed graph based on the features of the flow nodes and the features of the neighbor nodes associated with the flow nodes through a graph convolution neural network model to obtain graph vectors corresponding to the flow directed graph; and carrying out flow anomaly detection according to the graph vector to obtain an anomaly detection result.

Description

Process abnormality detection method, electronic device, computer storage medium, and program product
Technical Field
The embodiment of the application relates to the technical field of computers, in particular to a flow anomaly detection method, electronic equipment, a computer storage medium and a program product.
Background
The process anomaly detection has very wide application in various scenes, for example, in the field of cloud processing, a cloud end needs a large amount of physical machines to perform computation and other processes, and along with the occurrence of reinstallation, new installation, relocation and other conditions and the introduction of new models, the server scale of installation needs to be continuously enlarged, so that the workload of how to detect whether the installation process is abnormal is also very large.
The current implementation scheme of flow anomaly detection is that events occurring in a flow execution process are ordered according to time to obtain a flow sequence, then the flow sequence is input into a time sequence-based deep learning model, and the time sequence-based deep learning model can learn the time sequence characteristics of the events occurring in a normal execution flow, so that anomaly detection can be carried out according to the flow sequence.
However, in the process of executing the flow, there is a difference in the actual execution environment during the execution of the flow, which results in a large difference between the flow sequences, and thus, the "time-series-based deep learning model" cannot accurately detect the abnormality of the flow sequence.
Disclosure of Invention
In view of the foregoing, embodiments of the present application provide a flow anomaly detection scheme to at least partially solve the above-mentioned problems.
According to a first aspect of an embodiment of the present application, there is provided a method for detecting a flow anomaly, including:
obtaining a flow directed graph comprising a plurality of flow nodes; performing feature extraction on the flow directed graph based on the features of the flow nodes and the features of the neighbor nodes associated with the flow nodes through a graph convolution neural network model to obtain graph vectors corresponding to the flow directed graph; and carrying out flow anomaly detection according to the graph vector to obtain an anomaly detection result.
According to a second aspect of an embodiment of the present application, there is provided a training method of a graph roll-up neural network model for flow anomaly detection, including:
obtaining a graph training sample, wherein the graph training sample comprises a sample flow directed graph and a corresponding abnormal result thereof;
performing feature extraction on the sample flow directed graph based on features of sample flow nodes in the sample flow directed graph and features of neighbor nodes associated with the sample flow nodes through the graph convolution neural network model to obtain sample graph vectors corresponding to the sample flow directed graph;
performing flow anomaly detection according to the sample graph vector to obtain an anomaly detection prediction result;
and adjusting the graph convolution neural network model according to the difference between the abnormal result and the abnormal detection prediction result.
According to a third aspect of the embodiments of the present application, there is provided a method for detecting an abnormality in an installed flow, including: obtaining a flow directed graph for representing an installed flow, wherein the flow directed graph comprises a plurality of flow nodes corresponding to the installed flow; performing feature extraction on the flow directed graph based on the features of the flow nodes and the features of the neighbor nodes associated with the flow nodes through a graph convolution neural network model to obtain graph vectors corresponding to the flow directed graph; and carrying out installed flow abnormality detection according to the graph vector to obtain an abnormality detection result.
According to a fourth aspect of the embodiments of the present application, there is provided a method for detecting abnormality of a work order processing flow, including:
obtaining a flow directed graph for representing the work order processing flow, wherein the flow directed graph comprises a plurality of flow nodes corresponding to the work order processing flow;
performing feature extraction on the flow directed graph based on the features of the flow nodes and the features of the neighbor nodes associated with the flow nodes through a graph convolution neural network model to obtain graph vectors corresponding to the flow directed graph;
and carrying out work order processing flow abnormality detection according to the graph vector to obtain an abnormality detection result.
According to a fifth aspect of embodiments of the present application, there is provided an electronic device, including: the device comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete communication with each other through the communication bus; the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the method.
According to a sixth aspect of embodiments of the present application, there is provided a computer storage medium having stored thereon a computer program which, when executed by a processor, implements a method as described above.
According to a seventh aspect of embodiments of the present application, there is provided a computer program product comprising computer instructions that instruct a computing device to perform operations corresponding to the method as described above.
According to the flow anomaly detection scheme provided by the embodiment of the application, a flow directed graph comprising a plurality of flow nodes is obtained; and through a graph convolution neural network model, based on the characteristics of the flow nodes and the characteristics of neighbor nodes associated with the flow nodes, extracting the characteristics of the flow directed graph to obtain a graph vector corresponding to the flow directed graph, thereby performing anomaly detection based on the graph vector corresponding to the whole flow directed graph, enabling the flow anomaly detection process to be insensitive to the structure of the flow graph and higher in accuracy, further enabling the scheme provided by the embodiment to be applicable to various flow charts, and enabling the application range of the flow anomaly detection scheme to be wider without limiting the sequence length and the like corresponding to the flow charts.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the following description will briefly introduce the drawings that are required to be used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are only some embodiments described in the embodiments of the present application, and other drawings may also be obtained according to these drawings for a person having ordinary skill in the art.
FIG. 1 is a schematic diagram of an exemplary system to which a flow anomaly detection method of an embodiment of the present application is applied;
FIG. 2 is a flowchart illustrating steps of a method for detecting a process anomaly according to an embodiment of the present application;
FIG. 3 is a flow chart of steps of a method for detecting an installed flow anomaly according to an embodiment of the present application;
FIG. 4 is a schematic flow diagram of a method for detecting anomalies in work order processing flow according to an embodiment of the present application;
FIG. 5 is a flow chart of a method of training a graph roll-up neural network model according to an embodiment of the present application;
FIG. 6A is a schematic diagram of a training process and a use process of a graph roll-up neural network model according to an embodiment of the present application;
FIG. 6B is a schematic diagram of a flow directed graph according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to better understand the technical solutions in the embodiments of the present application, the following descriptions will clearly and completely describe the technical solutions in the embodiments of the present application with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the embodiments of the present application shall fall within the scope of protection of the embodiments of the present application.
Embodiments of the present application are further described below with reference to the accompanying drawings of embodiments of the present application.
FIG. 1 illustrates an exemplary system to which the resource recommendation method of embodiments of the present application may be applied. As shown in fig. 1, the system 100 may include a cloud service 102, a communication network 104, and/or one or more user devices 106, which are illustrated in fig. 1 as a plurality of user devices.
Cloud server 102 may be any suitable device for storing information, data, programs, and/or any other suitable type of content, including, but not limited to, distributed storage system devices, server clusters, cloud computing server clusters, and the like. In some embodiments, cloud server 102 may perform any suitable functions. For example, in some embodiments, cloud server 102 may be used to deploy a mental computing cluster and a management platform for the mental computing cluster.
In some embodiments, the communication network 104 may be any suitable combination of one or more wired and/or wireless networks. For example, the communication network 104 can include any one or more of the following: the internet, an intranet, a wide area network (Wide Area Network, WAN), a local area network (Local Area Network, LAN), a wireless network, a digital subscriber line (Digital Subscriber Line, DSL) network, a frame relay network, an asynchronous transfer mode (Asynchronous Transfer Mode, ATM) network, a virtual private network (Virtual Private Network, VPN), and/or any other suitable communication network. The user device 106 can be connected to the communication network 104 via one or more communication links (e.g., communication link 112), and the communication network 104 can be linked to the cloud service 102 via one or more communication links (e.g., communication link 114). The communication link may be any communication link suitable for transferring data between the user device 106 and the cloud service 102, such as a network link, a dial-up link, a wireless link, a hardwired link, any other suitable communication link, or any suitable combination of such links.
User device 106 may comprise any one or more user devices adapted to receive application operations for computing tasks, receive deployment operations for a computing cluster, expose computing information for a computing cluster. In some embodiments, user device 106 may comprise any suitable type of device. For example, in some embodiments, user devices 106 may include mobile devices, tablet computers, laptop computers, desktop computers, wearable computers, game consoles, media players, vehicle entertainment systems, and/or any other suitable type of user device.
The cloud service 102 or the user device 106 in the above system may be used to execute a process, for example, a calculation process or an installation process, and may perform anomaly detection on the executed process.
The current implementation scheme of flow anomaly detection is that events occurring in a flow execution process are ordered according to time to obtain a flow sequence, then the flow sequence is input into a time sequence-based deep learning model, and the time sequence-based deep learning model can learn the time sequence characteristics of the events occurring in a normal execution flow, so that anomaly detection can be carried out according to the flow sequence.
Specifically, the deep learning model may be trained through a flow sequence corresponding to a normally executed flow, so that the deep learning model may learn a relationship between an event and a time feature, after training, the flow sequence corresponding to the flow required to perform anomaly detection may be input into the deep learning model, the anomaly detection may be performed by the deep learning model based on the flow sequence, and an anomaly detection result may be output.
However, in the process of executing the flow, because there may be a difference in the actual execution environment, there may be a large difference in the whole process execution process due to the influence of the environment, for example, there may be a plurality of sub-flows of loop nesting in some flows, and the loop nesting portions may be different, so that there may be a large difference in the flow sequences corresponding to the flows, which may further result in the feature learned by the deep learning model being inaccurate. In general, the sequence-based deep learning model has a limitation on the length of an input sequence, and the length of a flow varies, so that the sequence-based deep learning model is not suitable for flow anomaly detection.
In view of this, the embodiments of the present application provide a new anomaly detection scheme. The abnormality detection method proposed in the embodiment of the present invention is described below:
referring to fig. 2, a flow diagram of a method for detecting flow anomalies is shown, which includes:
s201, obtaining a flow directed graph comprising a plurality of flow nodes.
The flow anomaly detection scheme provided in this embodiment may be applicable to any flow procedure that can be represented as a directed graph for anomaly detection, which is not limited in this embodiment.
The directed graph refers to a graph comprising a plurality of nodes, and the nodes are connected through directed edges. In this embodiment, the flow nodes may be used as nodes of the directed graph, and the sequence of the flow nodes during specific execution may be used as directed edges between the flow nodes, so as to obtain the directed graph. In this embodiment, the specific structure of the directed graph is not limited, and the directed graph may include a directed ring, that is, there is a loop in the flow; the directed graph also does not include a directed loop, i.e., no loops exist in the flow; similarly, the flow corresponding to the directed graph may also include a plurality of nested loops, which is also within the scope of protection of the present application.
Optionally, in this embodiment, real-time data acquisition may be performed for a device that executes a flow, and specifically, flow execution progress data may be obtained in real time; and if the process execution is determined to be ended, generating the process directed graph according to the process execution progress data.
If the execution device is a program which can be run in the cloud server or the user equipment, the flow execution progress data can be obtained in real time through data transmission communication with the cloud server or the user equipment; if the executed flow is the installed flow of the cloud server or the user equipment, and the cloud server or the user equipment cannot perform data transmission, the flow execution progress data can be obtained in real time through the external equipment, and the flow execution progress data are all within the protection scope of the application.
The specific method for generating the flow directed graph may refer to related technology, and will not be described herein.
S202, extracting features of the flow directed graph based on the features of the flow nodes and the features of neighbor nodes associated with the flow nodes through a graph convolution neural network model, and obtaining a graph vector corresponding to the flow directed graph.
The graph convolution neural network model (Graph Convolutional Networks, GCN) is a convolution neural network that can work directly on the graph and use the structural information of the graph to perform convolution processing. In this embodiment, the detailed implementation of the graph roll-up neural network model may refer to the related art, and will not be described herein.
Specifically, in this embodiment, step S202 may include: carrying out vector initialization on the flow node according to the type of the flow node through the graph convolution neural network model to obtain a feature vector corresponding to the flow node; and carrying out feature extraction on the flow directed graph based on the feature vector of the flow node and the feature vector of the related neighbor node through the graph convolution neural network model to obtain the graph vector.
Specifically, through the graph convolutional neural network model, an adjacency graph corresponding to a flow node can be determined in a flow directed graph by taking any flow node as a center, the adjacency graph comprises a neighbor node associated with the flow node, the neighbor node can be connected with other flow nodes of the flow node through one edge in the directed graph, and can also be other flow nodes connected with two or more edges of the flow node, and the adjacency graph can be customized according to requirements by a person skilled in the art. The graph convolutional neural network model may perform feature extraction on the flow directed graph based on the determined adjacency graph and based on feature vectors of the flow nodes and feature vectors of the neighboring nodes associated therewith to obtain the graph vector. In addition, other schemes such as random walk and the like can also be used for extracting the characteristics of the flow directed graph based on the characteristic vector of the flow node and the characteristic vector of the related neighbor node, so as to obtain the graph vector, and the schemes are all within the protection scope of the application.
Specifically, in this embodiment, the feature extraction, by the graph convolution neural network model, on the basis of the feature vector of the flow node and the feature vector of the neighboring node associated with the feature vector, to obtain the graph vector includes: the characteristic extraction is carried out on the basis of the characteristic vector of the flow node and the characteristic vector of the related neighbor node through the graph convolution neural network model, and the characteristic vector of the flow node is updated according to the characteristic extraction result; and carrying out pooling operation on the feature vectors of the flow nodes in the flow directed graph to obtain the graph vectors.
Specifically, for any flow node, convolution operation can be performed on the flow directed graph through the graph convolution neural network model, and the feature vector of the flow node is updated according to the result of the convolution operation, so that the flow node obtains the information of the neighbor node, wherein the number of layers of convolution in the graph convolution neural network model can be regarded as a super-parameter.
After the updating is completed, the feature vectors of the flow nodes in the flow directed graph can be subjected to pooling operation to obtain the graph vectors, and for example, one or more of operations such as summation, mean calculation, max calculation and the like can be performed on the feature vectors of the flow nodes in the flow directed graph to obtain the image quantity corresponding to the flow directed graph.
Alternatively, the graph convolution model may be supervised or semi-supervised trained based on the flow directed graphs for which abnormal results have been determined. Specifically, the graph roll-up neural network model is obtained through training the following steps: obtaining a graph training sample, wherein the graph training sample comprises a sample flow directed graph and a corresponding abnormal result thereof; performing feature extraction on the sample flow directed graph based on features of sample flow nodes in the sample flow directed graph and features of neighbor nodes associated with the sample flow nodes through the graph convolution neural network model to obtain sample graph vectors corresponding to the sample flow directed graph; performing flow anomaly detection according to the sample graph vector to obtain an anomaly detection prediction result; and adjusting the graph convolution neural network model according to the difference between the abnormal result and the abnormal detection prediction result.
S203, performing flow anomaly detection according to the graph vector to obtain an anomaly detection result.
In this embodiment, the anomaly detection result may be obtained by performing flow anomaly detection on the map vector by the self-encoder. Specifically, the self-encoder may be constructed by using a back propagation algorithm so that an output value is equal to an input value, and when abnormality detection is performed, a graph vector may be input to the self-encoder, and differences between the vector output from the self-encoder and the graph vector are compared, and if the differences are greater than a set difference threshold, it is determined that the process-oriented graph has an abnormal risk. The specific implementation of the self-encoder may refer to the related art and will not be described in detail herein.
Of course, other schemes for anomaly detection are also within the scope of the present application, such as the isolated forest algorithm iforst or the single classification algorithm one-class svm.
According to the scheme provided by the embodiment, a flow directed graph comprising a plurality of flow nodes is obtained; and through a graph convolution neural network model, based on the characteristics of the flow nodes and the characteristics of neighbor nodes associated with the flow nodes, extracting the characteristics of the flow directed graph to obtain a graph vector corresponding to the flow directed graph, thereby performing anomaly detection based on the graph vector corresponding to the whole flow directed graph, enabling the flow anomaly detection process to be insensitive to the structure of the flow graph and higher in accuracy, further enabling the scheme provided by the embodiment to be applicable to various flow charts, and enabling the application range of the flow anomaly detection scheme to be wider without limiting the sequence length and the like corresponding to the flow charts.
The scheme provided by the present embodiment may be performed by any suitable electronic device having data processing capabilities, including but not limited to: servers, mobile terminals (such as mobile phones, PADs, etc.), and PCs, etc.
Referring to fig. 3, a flow diagram of an installation flow anomaly detection method provided in this embodiment is shown, including:
s301, obtaining a flow directed graph for representing an installed flow, wherein the flow directed graph comprises a plurality of flow nodes corresponding to the installed flow;
s302, extracting features of the flow directed graph based on the features of the flow nodes and the features of neighbor nodes associated with the flow nodes through a graph convolution neural network model to obtain graph vectors corresponding to the flow directed graph;
s303, carrying out installed flow abnormality detection according to the graph vector to obtain an abnormality detection result.
Optionally, in this embodiment, the flow node corresponding to the installed flow includes at least one of: the system comprises a data receiving node, an environment detecting node, an in-installation node and an installation delivery node.
According to the scheme provided by the embodiment, a flow directed graph comprising a plurality of flow nodes is obtained; the method and the system have the advantages that the characteristic extraction is carried out on the flow directed graph based on the characteristic of the flow node and the characteristic of the neighbor node associated with the flow node through the graph convolution neural network model, and the graph vector corresponding to the flow directed graph is obtained, so that the abnormality detection can be carried out on the basis of the graph vector corresponding to the whole flow directed graph, the flow abnormality detection process is insensitive to the structure of the flow graph and high in accuracy, the scheme provided by the embodiment is further applicable to various flow charts, the sequence length and the like corresponding to the flow chart are not required to be limited, the application range of the flow abnormality detection scheme is wider, and particularly in the installation process of a server, a large number of installation sheets can be generated in unit time in the operation process of the server, whether the installation process of various servers has abnormal risks can be accurately and efficiently detected through the scheme provided by the embodiment, and the operation efficiency of the server and the reliability of the server are improved.
The scheme provided by the present embodiment may be performed by any suitable electronic device having data processing capabilities, including but not limited to: servers, mobile terminals (such as mobile phones, PADs, etc.), and PCs, etc.
Referring to fig. 4, a flow diagram of a method for detecting abnormality in a work order processing flow provided in this embodiment is shown, including:
s401, obtaining a flow directed graph for representing the work order processing flow, wherein the flow directed graph comprises a plurality of flow nodes corresponding to the work order processing flow;
in this embodiment, the worksheet is generally created by a user and may be submitted to a related person for processing, where the related person may allocate a worker for processing the worksheet, and the worker may process the worksheet, and may generate a flow chart corresponding to a processing procedure of the worker for processing the worksheet.
S402, extracting features of the flow directed graph based on the features of the flow nodes and the features of neighbor nodes associated with the flow nodes through a graph convolution neural network model to obtain graph vectors corresponding to the flow directed graph;
s403, carrying out work order processing flow abnormality detection according to the graph vector to obtain an abnormality detection result.
According to the scheme provided by the embodiment, the flow directed graph used for representing the work order processing flow is obtained, and the flow directed graph comprises a plurality of flow nodes corresponding to the work order processing flow; and through a graph convolution neural network model, based on the characteristics of the flow nodes and the characteristics of neighbor nodes associated with the flow nodes, extracting the characteristics of the flow directed graph to obtain a graph vector corresponding to the flow directed graph, thereby performing anomaly detection based on the graph vector corresponding to the whole flow directed graph, enabling the flow anomaly detection process to be insensitive to the structure of the flow graph and higher in accuracy, further enabling the scheme provided by the embodiment to be applicable to various flow charts, and enabling the application range of the flow anomaly detection scheme to be wider without limiting the sequence length and the like corresponding to the flow charts.
Referring to fig. 5, a flowchart of a training method of a graph roll-up neural network model provided in this embodiment is shown, including:
s501, obtaining a graph training sample, wherein the graph training sample comprises a sample flow directed graph and a corresponding abnormal result thereof.
In this embodiment, the structure of the sample flow directed graph in the graph training sample is identical to that of the flow directed graph in the above embodiment, and will not be described here again.
The exception result corresponding to the sample flow directed graph may be a label used to characterize the absence of an exception or the presence of an exception.
S502, carrying out feature extraction on the sample flow directed graph based on features of sample flow nodes in the sample flow directed graph and features of neighbor nodes associated with the sample flow nodes through the graph convolution neural network model to obtain sample graph vectors corresponding to the sample flow directed graph;
s503, carrying out flow anomaly detection according to the sample graph vector to obtain an anomaly detection prediction result;
the specific implementation manner of steps S502 and S503 is referred to the above embodiment, and will not be described herein.
S504, adjusting the graph convolution neural network model according to the difference between the abnormal result and the abnormal detection prediction result.
In this embodiment, if the anomaly detection is implemented by the self-encoder in step S503, in this step, the self-encoder may be adjusted according to the difference between the anomaly result and the anomaly detection prediction result, and the adjustment of the graph convolution neural network model and the self-encoder may be performed simultaneously or not simultaneously, which are all within the protection scope of the present application.
According to the scheme provided by the embodiment, the graph convolution neural network model is trained by adopting the graph training samples comprising the sample flow directed graph and the corresponding abnormal results, so that the graph convolution neural network model can learn how to extract the graph vectors used for representing the abnormal conditions, and the accuracy of the abnormal detection is improved.
Referring to fig. 6A, a schematic diagram of a training process and an reasoning process of the graph roll-up neural network model in the present embodiment is shown. Fig. 6A illustrates the training phase and the reasoning phase taking the installed flow as an example.
In the training stage, as shown in fig. 6A, the installed flow data may be obtained from the historical installed flow database, and an installed flow chart may be generated, where the generated installed flow chart may specifically be a flow directed chart, and the flow directed chart is shown in fig. 6B.
After the flow directed graph is generated, the flow nodes in the installed flow graph can be vectorized (ebedding), in the vectorization process, vector initialization can be performed according to the flow nodes, and the same vector after the initialization of the flow nodes of the same type is ensured, as shown in fig. 6B, wherein the vector after the initialization of the environment detection nodes is the same vector, including an input node, an end node, an environment detection node, a reloading node, a pressure test node, a new loading node, a success node and the like.
The flow directed graph after vector initialization can be input into a graph rolling neural network model GCN, the GCN is used for extracting the characteristics of the flow directed graph based on the characteristics of the flow nodes and the characteristics of neighbor nodes related to the flow nodes, updating the vectors corresponding to the flow nodes in the flow directed graph, and carrying out pooling operation on the characteristic vectors of the flow nodes in the flow directed graph to obtain the graph vectors corresponding to the flow directed graph.
And then, the graph vector can be input into a self-encoder, and whether the directed graph of the flow has abnormal risks or not is judged according to the difference between the vector output from the self-encoder and the graph vector, so that a risk prediction result is obtained.
The historical installation flow data corresponds to a risk marking result, and parameters in the graph convolutional neural network model GCN and the self-encoder can be adjusted according to the difference between the risk prediction result and the risk marking result so as to train.
In the reasoning stage, as shown in fig. 6A, real-time installation flow data can be obtained from the real-time installation flow database, and an installation flow chart corresponding to the real-time installation flow is generated after the installation is finished, wherein the installation flow chart is a flow directed chart.
After the flow directed graph is generated, the flow nodes in the installed flow graph can be vectorized (ebedding), and in the vectorization process, vector initialization can be performed according to the flow nodes to ensure that the vectors initialized by the flow nodes of the same type are the same.
The process directed graph after vector initialization can be input into a graph rolling neural network model GCN, the trained GCN extracts the characteristics of the process directed graph based on the characteristics of the process nodes and the characteristics of the neighbor nodes related to the process nodes, updates the vectors corresponding to the process nodes in the process directed graph, and performs pooling operation on the characteristic vectors of the process nodes in the process directed graph to obtain the graph vectors corresponding to the process directed graph.
And then, the graph vector can be input into a self-encoder, and whether the directed graph of the flow has abnormal risks or not is judged according to the difference between the vector output from the self-encoder and the graph vector, so that a risk prediction result is obtained.
In the above embodiment, the vectors corresponding to the flow nodes in the flow directed graph are updated through the graph convolutional neural network model GCN, and then the pooling operation is performed to obtain the graph vectors corresponding to the flow directed graph; in other implementations of the present application, it is also within the scope of the present application to output the corresponding graph vector from the input flow directed graph through the graph roll neural network model GCN.
The scheme provided by the present embodiment may be performed by any suitable electronic device having data processing capabilities, including but not limited to: servers, mobile terminals (such as mobile phones, PADs, etc.), and PCs, etc.
Example five
Referring to fig. 7, a schematic structural diagram of an electronic device according to a fifth embodiment of the present application is shown, and specific embodiments of the present application do not limit specific implementations of the electronic device.
As shown in fig. 7, the electronic device may include: a processor 702, a communication interface (Communications Interface), a memory 706, and a communication bus 708.
Wherein:
processor 702, communication interface 704, and memory 706 perform communication with each other via a communication bus 708.
Communication interface 704 for communicating with other electronic devices or servers.
The processor 702 is configured to execute the program 710, and may specifically perform relevant steps in the foregoing embodiments of the method for detecting a flow anomaly.
In particular, program 710 may include program code including computer-operating instructions.
The processor 702 may be a CPU or a specific integrated circuit ASIC (Application Specific Integrated Circuit) or one or more integrated circuits configured to implement embodiments of the present application. The one or more processors comprised by the smart device may be the same type of processor, such as one or more CPUs; but may also be different types of processors such as one or more CPUs and one or more ASICs.
Memory 706 for storing programs 710. The memory 706 may comprise high-speed RAM memory or may further comprise non-volatile memory (non-volatile memory), such as at least one disk memory.
The program 710 may include a plurality of computer instructions, and the program 710 may specifically enable the processor 702 to perform operations corresponding to the method for detecting a flow anomaly described in any one of the foregoing method embodiments through the plurality of computer instructions.
The specific implementation of each step in the program 710 may refer to the corresponding steps and corresponding descriptions in the units in the above method embodiments, and have corresponding beneficial effects, which are not described herein. It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the apparatus and modules described above may refer to corresponding procedure descriptions in the foregoing method embodiments, which are not repeated herein.
The present application also provides a computer storage medium having stored thereon a computer program which, when executed by a processor, implements the method described in any of the foregoing method embodiments. The computer storage media includes, but is not limited to: a compact disk read Only (Compact Disc Read-Only Memory, CD-ROM), random access Memory (Random Access Memory, RAM), floppy disk, hard disk, magneto-optical disk, or the like.
Embodiments of the present application also provide a computer program product including computer instructions that instruct a computing device to perform operations corresponding to any one of the foregoing method embodiments of a method for detecting a flow anomaly.
In addition, it should be noted that, the information related to the user (including, but not limited to, user equipment information, user personal information, etc.) and the data related to the embodiment of the present application (including, but not limited to, sample data for training the model, data for analyzing, stored data, presented data, etc.) are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region, and provide a corresponding operation entry for the user to select authorization or rejection.
It should be noted that, according to implementation requirements, each component/step described in the embodiments of the present application may be split into more components/steps, and two or more components/steps or part of operations of the components/steps may be combined into new components/steps, so as to achieve the purposes of the embodiments of the present application.
The above-described methods according to embodiments of the present application may be implemented in hardware, firmware, or as software or computer code storable in a recording medium such as a CD-ROM, RAM, floppy disk, hard disk, or magneto-optical disk, or as computer code originally stored in a remote recording medium or a non-transitory machine-readable medium and to be stored in a local recording medium downloaded through a network, so that the methods described herein may be processed by such software on a recording medium using a general purpose computer, a special purpose processor, or programmable or special purpose hardware such as an application specific integrated circuit (Application Specific Integrated Circuit, ASIC) or field programmable or gate array (Field Programmable Gate Array, FPGA). It is understood that a computer, processor, microprocessor controller, or programmable hardware includes a Memory component (e.g., random access Memory (Random Access Memory, RAM), read-Only Memory (ROM), flash Memory, etc.) that can store or receive software or computer code that, when accessed and executed by the computer, processor, or hardware, performs the methods described herein. Furthermore, when a general purpose computer accesses code for implementing the methods illustrated herein, execution of the code converts the general purpose computer into a special purpose computer for performing the methods illustrated herein.
Those of ordinary skill in the art will appreciate that the elements and method steps of the examples described in connection with the embodiments disclosed herein can be implemented as electronic hardware, or as a combination of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the embodiments of the present application.
The above embodiments are only for illustrating the embodiments of the present application, but not for limiting the embodiments of the present application, and various changes and modifications can be made by one skilled in the relevant art without departing from the spirit and scope of the embodiments of the present application, so that all equivalent technical solutions also fall within the scope of the embodiments of the present application, and the scope of the embodiments of the present application should be defined by the claims.

Claims (11)

1. A flow anomaly detection method comprising:
obtaining a flow directed graph comprising a plurality of flow nodes;
performing feature extraction on the flow directed graph based on the features of the flow nodes and the features of the neighbor nodes associated with the flow nodes through a graph convolution neural network model to obtain graph vectors corresponding to the flow directed graph;
and carrying out flow anomaly detection according to the graph vector to obtain an anomaly detection result.
2. The method of claim 1, wherein the feature extraction of the flow directed graph by the graph convolutional neural network model based on the features of the flow node and the features of neighboring nodes associated with the flow node comprises:
carrying out vector initialization on the flow node according to the type of the flow node through the graph convolution neural network model to obtain a feature vector corresponding to the flow node;
and carrying out feature extraction on the flow directed graph based on the feature vector of the flow node and the feature vector of the related neighbor node through the graph convolution neural network model to obtain the graph vector.
3. The method according to claim 2, wherein the feature extraction of the flow directed graph by the graph roll-up neural network model based on feature vectors of the flow nodes and feature vectors of the neighboring nodes associated therewith, to obtain the graph vector, includes:
the characteristic extraction is carried out on the basis of the characteristic vector of the flow node and the characteristic vector of the related neighbor node through the graph convolution neural network model, and the characteristic vector of the flow node is updated according to the characteristic extraction result;
and carrying out pooling operation on the feature vectors of the flow nodes in the flow directed graph to obtain the graph vectors.
4. A method according to any of claims 1-3, wherein said obtaining a flow directed graph comprising a number of flow nodes comprises:
acquiring flow execution progress data in real time;
and if the process execution is determined to be ended, generating the process directed graph according to the process execution progress data.
5. A training method of a graph roll-up neural network model for flow anomaly detection, comprising:
obtaining a graph training sample, wherein the graph training sample comprises a sample flow directed graph and a corresponding abnormal result thereof;
performing feature extraction on the sample flow directed graph based on features of sample flow nodes in the sample flow directed graph and features of neighbor nodes associated with the sample flow nodes through a graph convolution neural network model to obtain sample graph vectors corresponding to the sample flow directed graph;
performing flow anomaly detection according to the sample graph vector to obtain an anomaly detection prediction result;
and adjusting the graph convolution neural network model according to the difference between the abnormal result and the abnormal detection prediction result.
6. An installation flow anomaly detection method comprises the following steps:
obtaining a flow directed graph for representing an installed flow, wherein the flow directed graph comprises a plurality of flow nodes corresponding to the installed flow;
performing feature extraction on the flow directed graph based on the features of the flow nodes and the features of the neighbor nodes associated with the flow nodes through a graph convolution neural network model to obtain graph vectors corresponding to the flow directed graph;
and carrying out installed flow abnormality detection according to the graph vector to obtain an abnormality detection result.
7. The method of claim 6, wherein the flow node corresponding to an installed flow comprises at least one of: the system comprises a data receiving node, an environment detecting node, an in-installation node and an installation delivery node.
8. A work order processing flow abnormality detection method includes:
obtaining a flow directed graph for representing the work order processing flow, wherein the flow directed graph comprises a plurality of flow nodes corresponding to the work order processing flow;
performing feature extraction on the flow directed graph based on the features of the flow nodes and the features of the neighbor nodes associated with the flow nodes through a graph convolution neural network model to obtain graph vectors corresponding to the flow directed graph;
and carrying out work order processing flow abnormality detection according to the graph vector to obtain an abnormality detection result.
9. An electronic device, comprising: the device comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete communication with each other through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform operations corresponding to the method of any one of claims 1-8.
10. A computer storage medium having stored thereon a computer program which, when executed by a processor, implements the method of any of claims 1-8.
11. A computer program product comprising computer instructions that instruct a computing device to perform operations corresponding to the method of any one of claims 1-8.
CN202310210030.4A 2023-03-03 2023-03-03 Process abnormality detection method, electronic device, computer storage medium, and program product Pending CN116542507A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310210030.4A CN116542507A (en) 2023-03-03 2023-03-03 Process abnormality detection method, electronic device, computer storage medium, and program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310210030.4A CN116542507A (en) 2023-03-03 2023-03-03 Process abnormality detection method, electronic device, computer storage medium, and program product

Publications (1)

Publication Number Publication Date
CN116542507A true CN116542507A (en) 2023-08-04

Family

ID=87444180

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310210030.4A Pending CN116542507A (en) 2023-03-03 2023-03-03 Process abnormality detection method, electronic device, computer storage medium, and program product

Country Status (1)

Country Link
CN (1) CN116542507A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117493220A (en) * 2024-01-03 2024-02-02 安徽思高智能科技有限公司 RPA flow operation abnormity detection method, device and storage device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117493220A (en) * 2024-01-03 2024-02-02 安徽思高智能科技有限公司 RPA flow operation abnormity detection method, device and storage device
CN117493220B (en) * 2024-01-03 2024-03-26 安徽思高智能科技有限公司 RPA flow operation abnormity detection method, device and storage device

Similar Documents

Publication Publication Date Title
US10699195B2 (en) Training of artificial neural networks using safe mutations based on output gradients
US10963817B2 (en) Training tree-based machine-learning modeling algorithms for predicting outputs and generating explanatory data
CN111553488B (en) Risk recognition model training method and system for user behaviors
CN109886290B (en) User request detection method and device, computer equipment and storage medium
CN108229679A (en) Convolutional neural networks de-redundancy method and device, electronic equipment and storage medium
CN106682906B (en) Risk identification and service processing method and equipment
CN111523640A (en) Training method and device of neural network model
JP6870508B2 (en) Learning programs, learning methods and learning devices
CN116542507A (en) Process abnormality detection method, electronic device, computer storage medium, and program product
CN113946590A (en) Method, device and equipment for updating integral data and storage medium
CN111159481B (en) Edge prediction method and device for graph data and terminal equipment
CN112231416A (en) Knowledge graph ontology updating method and device, computer equipment and storage medium
CN112766421A (en) Face clustering method and device based on structure perception
CN117061322A (en) Internet of things flow pool management method and system
CN116245901A (en) Building rule vector contour extraction method and system based on edge learning
CN115296984A (en) Method, device, equipment and storage medium for detecting abnormal network nodes
US20240303148A1 (en) Systems and methods for detecting drift
CN110781410A (en) Community detection method and device
JP6835702B2 (en) Anomaly estimation device, anomaly estimation method and program
CN111815442B (en) Link prediction method and device and electronic equipment
CN111310794B (en) Target object classification method and device and electronic equipment
CN113642510A (en) Target detection method, device, equipment and computer readable medium
CN112784165A (en) Training method of incidence relation estimation model and method for estimating file popularity
CN112650741A (en) Abnormal data identification and correction method, system, equipment and readable storage medium
CN111767934A (en) Image identification method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination