CN116610524A - Information system risk early warning method, device, equipment and medium - Google Patents

Publication number
CN116610524A
Authority
CN
China
Prior art keywords
data
time
index data
risk
information system
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310584043.8A
Other languages
Chinese (zh)
Inventor
楼闯宇
张蕊
李吉
孙杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202310584043.8A
Publication of CN116610524A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/22 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F11/2247 Verification or detection of system hardware configuration
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/22 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F11/2263 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using neural networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Image Analysis (AREA)

Abstract

The disclosure provides an information system risk early warning method and device, which can be applied to the technical fields of artificial intelligence and information security. The method comprises the following steps: within a risk prompt window period, collecting values of n indexes of the information system with a first time interval as the unit collection window, to obtain first time series data corresponding to the risk prompt window period, wherein n is an integer greater than or equal to 2; converting the first time series data into first grayscale image data; and inputting the first grayscale image data to a trained risk detection model and obtaining a classification result output by the risk detection model, wherein the classification result indicates whether or not the information system has an abnormality in the risk prompt window period. The disclosure also provides a training method and device for the risk detection model, and a corresponding electronic device, storage medium and program product.

Description

Information system risk early warning method, device, equipment and medium
Technical Field
The disclosure relates to the technical field of artificial intelligence and information security, in particular to an information system risk early warning method and device, a risk detection model training method and device, an electronic device, a storage medium and a program product.
Background
Information system operation and maintenance refers to a series of activities, such as monitoring, managing, maintaining and optimizing the information system of an enterprise or organization, that ensure the system runs normally and efficiently. In recent years, as enterprises and organizations place ever higher requirements on the operating efficiency and reliability of information systems, using data analysis and machine learning techniques to predict and reduce operation and maintenance risks has become an important application direction.
Operation and maintenance risk prediction for information systems is mainly based on time series data. Time series data refers to a series of data arranged in time order, for example the hourly operation data of a system. Analyzing time series data can help enterprises or organizations predict future trends and behaviors and take corresponding measures to reduce operation and maintenance risks, thereby automating operation and maintenance work, improving production efficiency, and reducing downtime and operation and maintenance cost.
Due to the limitations of machine learning algorithms, processing multidimensional data raises problems such as data dimension reduction, feature selection, data fusion, overfitting and dimension explosion, and increases the complexity of data preprocessing and computation. Therefore, operation and maintenance risk prediction with machine learning algorithms currently relies mainly on a single index (such as CPU utilization) of a single node, which is a significant limitation.
Disclosure of Invention
In view of the foregoing, the present disclosure provides an information system risk early warning method and apparatus that can perform information system risk recognition sensing and pre-warning through performance data of multiple dimensions in an information system, and a training method and apparatus of a risk detection model, an electronic device, a storage medium, and a program product.
In a first aspect of the disclosed embodiments, an information system risk early warning method is provided. The method comprises the following steps: within a risk prompt window period, collecting values of n indexes of the information system with a first time interval as the unit collection window, to obtain first time series data corresponding to the risk prompt window period, wherein the values of the n indexes collected in the same unit collection window form one multidimensional index data, each multidimensional index data has a corresponding timestamp, and n is an integer greater than or equal to 2; converting the first time series data into first grayscale image data according to a predetermined conversion mode, wherein in the conversion mode the pixel areas corresponding to different multidimensional index data are arranged in timestamp order, and the gray values of the pixels in the pixel area corresponding to each multidimensional index data are mapped from the values of the indexes in that multidimensional index data; and inputting the first grayscale image data to a trained risk detection model and obtaining a classification result output by the risk detection model, wherein the classification result indicates whether or not the information system has an abnormality in the risk prompt window period.
According to an embodiment of the present disclosure, converting the first time series data into the first grayscale image data according to the predetermined conversion mode includes: in a two-dimensional image area, dividing the x-axis into n equal-length intervals that correspond to the n indexes respectively, with each coordinate on the y-axis corresponding to one timestamp; normalizing the value of each index in the first time series data with the normalization method corresponding to that index, the normalization producing a value in the range [0, 255]; and filling the two-dimensional image area by using each normalized index value as the gray value of the corresponding pixel, so as to obtain the first grayscale image data.
According to an embodiment of the present disclosure, the training process of the risk detection model includes: collecting values of the n indexes within a preset time range with a second time interval as the unit collection window, to obtain original time series data corresponding to the preset time range; recording the state of each multidimensional index data in the original time series data as abnormal or normal, based on the state of the information system in the unit collection window corresponding to that multidimensional index data; slicing the original time series data with a second time window based on the timestamps of the multidimensional index data, wherein the multidimensional index data that fall into the same second time window form one sample; marking a sample as a negative sample when it contains multidimensional index data whose state is abnormal, and otherwise marking it as a positive sample; converting the sample into second grayscale image data according to the conversion mode; and training the risk detection model with the second grayscale image data and the label of the sample as training data.
According to an embodiment of the present disclosure, slicing the original time series data with the second time window based on the timestamps of the multidimensional index data includes: slicing the original time series data in two modes, time proximity sampling and time periodicity sampling, respectively.
According to an embodiment of the present disclosure, slicing the original time series data according to time proximity sampling includes: taking the timestamp of each multidimensional index data whose state is abnormal as the cut-off time of a second time window, and cutting out that multidimensional index data together with the other multidimensional index data whose timestamps lie within that second time window to form one sample.
According to an embodiment of the present disclosure, slicing the original time series data according to time periodicity sampling includes: slicing the original time series data sequentially with the second time window, using the duration of the second time window as the period.
According to an embodiment of the present disclosure, slicing the original time series data with the second time window further includes: when the samples cut out by time proximity sampling and time periodicity sampling include samples containing identical multidimensional index data, retaining only one of them.
According to an embodiment of the disclosure, recording the state of each multidimensional index data in the original time series data as abnormal or normal, based on the state of the information system in the corresponding unit collection window, includes: when the information system begins to be in an abnormal state within the unit collection window corresponding to any first multidimensional index data, recording as abnormal the states of the first multidimensional index data and of at least one multidimensional index data collected before it; and when the information system changes from a previous abnormal state to the normal state within the unit collection window corresponding to any second multidimensional index data, recording as abnormal the states of the second multidimensional index data and of at least one multidimensional index data collected after it.
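The state-recording and slicing rules of the preceding paragraphs, as an added Python example that is not part of the patent text. The 5-second records, the 20-second second time window, the one-record margin around an anomaly and the half-open window boundaries are assumptions chosen for illustration; the input data is constructed.

```python
"""Added illustration of the sample-slicing rules; not code from the patent."""


def mark_states(system_abnormal, margin=1):
    """Label each record abnormal/normal from the system state per unit window.

    system_abnormal[i] is True when the information system was abnormal in the
    unit collection window of record i. The record where an anomaly starts plus
    `margin` records before it, and the record where the system recovers plus
    `margin` records after it, are also labelled abnormal.
    """
    n = len(system_abnormal)
    marked = list(system_abnormal)
    for i, bad in enumerate(system_abnormal):
        prev_bad = system_abnormal[i - 1] if i > 0 else False
        if bad and not prev_bad:  # anomaly starts in window i
            for k in range(max(0, i - margin), i + 1):
                marked[k] = True
        elif prev_bad and not bad:  # system recovers in window i
            for k in range(i, min(n, i + margin + 1)):
                marked[k] = True
    return marked


def proximity_samples(timestamps, marked, window):
    """Time proximity sampling: one window ending at every abnormal record."""
    samples = []
    for i, end in enumerate(timestamps):
        if marked[i]:
            # Assumed boundary convention: (end - window, end]
            samples.append(tuple(
                j for j, t in enumerate(timestamps) if end - window < t <= end))
    return samples


def periodic_samples(timestamps, window):
    """Time periodicity sampling: consecutive windows of fixed duration.

    timestamps must be sorted in ascending order.
    """
    buckets = {}
    for j, t in enumerate(timestamps):
        buckets.setdefault((t - timestamps[0]) // window, []).append(j)
    return [tuple(buckets[k]) for k in sorted(buckets)]


def build_samples(timestamps, system_abnormal, window, margin=1):
    """Return {sample (tuple of record positions): "negative" | "positive"}."""
    marked = mark_states(system_abnormal, margin)
    candidates = (proximity_samples(timestamps, marked, window)
                  + periodic_samples(timestamps, window))
    labelled = {}
    for sample in candidates:
        # Using the sample as a dict key keeps only one copy of samples that
        # contain identical records. Following the text, a sample with any
        # abnormal record is "negative".
        labelled.setdefault(
            sample, "negative" if any(marked[j] for j in sample) else "positive")
    return labelled


# Constructed input: 12 records at 5 s intervals, system abnormal in record 6.
TIMESTAMPS = list(range(0, 60, 5))
SYSTEM_ABNORMAL = [i == 6 for i in range(12)]
SAMPLES = build_samples(TIMESTAMPS, SYSTEM_ABNORMAL, window=20)

if __name__ == "__main__":
    for sample, label in sorted(SAMPLES.items()):
        print([TIMESTAMPS[j] for j in sample], label)
```

Proximity windows that end near the start of the data hold fewer records than a full window, so a model with a fixed input size needs them padded or dropped.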
According to an embodiment of the disclosure, the n metrics include at least one of: CPU usage, memory usage, disk usage, storage IO latency, network traffic, or number of network connections.
According to an embodiment of the disclosure, the risk detection model comprises a residual network model.
In a second aspect of the embodiments of the present disclosure, a method for training a risk detection model is provided. The training method comprises the following steps: collecting values of n indexes of an information system within a preset time range with a second time interval as the unit collection window, to obtain original time series data corresponding to the preset time range, wherein the values of the n indexes collected in the same unit collection window form one multidimensional index data, and each multidimensional index data has a corresponding timestamp; recording the state of each multidimensional index data in the original time series data as abnormal or normal, based on the state of the information system in the unit collection window corresponding to that multidimensional index data; slicing the original time series data with a second time window based on the timestamps of the multidimensional index data, wherein the multidimensional index data that fall into the same second time window form one sample; marking a sample as a negative sample when it contains multidimensional index data whose state is abnormal, and otherwise marking it as a positive sample; converting the sample into second grayscale image data according to a predetermined conversion mode, wherein in the conversion mode the pixel areas corresponding to different multidimensional index data are arranged in timestamp order, and the gray values of the pixels in the pixel area corresponding to each multidimensional index data are mapped from the values of the indexes in that multidimensional index data; and training the risk detection model with the second grayscale image data and the label of the sample as one piece of training data.
According to an embodiment of the present disclosure, converting the original time series data into the second grayscale image data according to the predetermined conversion mode includes: in a two-dimensional image area, dividing the x-axis into n equal-length intervals that correspond to the n indexes respectively, with each coordinate on the y-axis corresponding to one timestamp; normalizing the value of each index in the original time series data with the normalization method corresponding to that index, the normalization producing a value in the range [0, 255]; and filling the two-dimensional image area by using each normalized index value as the gray value of the corresponding pixel, so as to obtain the second grayscale image data.
According to an embodiment of the present disclosure, slicing the original time series data with the second time window based on the timestamps of the multidimensional index data includes: slicing the original time series data in two modes, time proximity sampling and time periodicity sampling, respectively.
In a third aspect of the disclosed embodiments, an information system risk early warning device is provided. The information system risk early warning device comprises a data acquisition unit, an input processing unit and a risk judgment unit. The data acquisition unit is used for collecting, within a risk prompt window period, values of n indexes of the information system with a first time interval as the unit collection window, to obtain first time series data corresponding to the risk prompt window period, wherein the values of the n indexes collected in the same unit collection window form one multidimensional index data, each multidimensional index data has a corresponding timestamp, and n is an integer greater than or equal to 2. The input processing unit is used for converting the first time series data into first grayscale image data according to a predetermined conversion mode, wherein in the conversion mode the pixel areas corresponding to different multidimensional index data are arranged in timestamp order, and the gray values of the pixels in the pixel area corresponding to each multidimensional index data are mapped from the values of the indexes in that multidimensional index data. The risk judgment unit is used for inputting the first grayscale image data to the trained risk detection model and obtaining a classification result output by the risk detection model, wherein the classification result indicates whether or not the information system has an abnormality in the risk prompt window period.
In a fourth aspect of the embodiments of the present disclosure, a training apparatus for a risk detection model is provided. The training device comprises a data acquisition unit, a data preprocessing unit, a sample segmentation unit, an input processing unit and a model training unit. The data acquisition unit is used for collecting values of n indexes of the information system within a preset time range with a second time interval as the unit collection window, to obtain original time series data corresponding to the preset time range, wherein the values of the n indexes collected in the same unit collection window form one multidimensional index data, and each multidimensional index data has a corresponding timestamp. The data preprocessing unit is used for recording the state of each multidimensional index data in the original time series data as abnormal or normal, based on the state of the information system in the unit collection window corresponding to that multidimensional index data. The sample segmentation unit is used for: slicing the original time series data with a second time window based on the timestamps of the multidimensional index data, wherein the multidimensional index data that fall into the same second time window form one sample; and marking a sample as a negative sample when it contains multidimensional index data whose state is abnormal, and otherwise marking it as a positive sample. The input processing unit is used for converting the sample into second grayscale image data according to a predetermined conversion mode, wherein in the conversion mode the pixel areas corresponding to different multidimensional index data are arranged in timestamp order, and the gray values of the pixels in the pixel area corresponding to each multidimensional index data are mapped from the values of the indexes in that multidimensional index data.
The model training unit is used for training the risk detection model with the second grayscale image data and the label of the sample as training data.
According to an embodiment of the present disclosure, the sample slicing unit is configured to slice the original time-series data according to two modes of time proximity sampling and time periodicity sampling, respectively.
In a fifth aspect of embodiments of the present disclosure, an electronic device is provided. The electronic device includes one or more processors and memory. The memory is configured to store one or more programs that, when executed by the one or more processors, cause the one or more processors to perform the information system risk early warning method or the training method of the risk detection model described above.
A fourth aspect of the disclosed embodiments also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described information system risk early warning method or training method of a risk detection model.
A fifth aspect of the disclosed embodiments also provides a computer program product, including a computer program, which when executed by a processor implements the above-mentioned information system risk early warning method or training method of a risk detection model.
One or more of the above embodiments have the following advantages or benefits: the correlation problem of multidimensional data is solved by converting time series data composed of the multidimensional data collected from the information system into visualized grayscale image data. The problem of predicting information system risk from time series data is thereby converted into an image processing problem of classifying grayscale image data, which increases the number of index dimensions that can be used and remarkably improves the efficiency of operation and maintenance risk control for the information system.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of a training method and apparatus of an information system risk early warning method and apparatus or risk detection model according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of an information system risk early warning method according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a flow chart of a training method of a risk detection model according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a workflow diagram of an apparatus that may implement an information system risk early warning method according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a workflow diagram of a data acquisition and preprocessing module in the device shown in FIG. 4;
FIG. 6 schematically illustrates a workflow diagram of a model training and risk prediction module in the apparatus illustrated in FIG. 4;
FIG. 7 schematically illustrates a schematic diagram of a ResNet-50 pre-trained neural network;
FIG. 8 schematically illustrates a workflow diagram of a risk handling module in the apparatus illustrated in FIG. 4;
FIG. 9 schematically illustrates a flow chart of an information system risk early warning method of another embodiment of the present disclosure;
FIG. 10 schematically illustrates a block diagram of an information system risk early warning device according to another embodiment of the present disclosure;
FIG. 11 schematically illustrates a block diagram of a training apparatus of a risk detection model according to an embodiment of the present disclosure; and
FIG. 12 schematically illustrates a block diagram of an electronic device adapted to implement an information system risk early warning method or a training method of a risk detection model according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where an expression like "at least one of A, B and C, etc." is used, it should generally be interpreted in accordance with the meaning commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). The terms "first," "second," and the like are used herein solely for distinction and not as a limitation, and any number of elements in the figures is for illustration and not limitation.
In the related art, predicting the operation and maintenance risks of an information system from time series data with a machine learning algorithm runs into problems such as data dimension reduction, feature selection, data fusion, overfitting and dimension explosion when multidimensional data are processed. In view of this, the embodiments of the present disclosure provide an information system risk early warning method and device in which time series data comprising n indexes (n being an integer greater than or equal to 2), collected from the information system over a period of time, are converted into visualized grayscale image data, which is then analyzed and used for prediction by a machine learning algorithm.
In the time series data, the values of the n indexes collected in the same unit collection window form one structured multidimensional index data, and each multidimensional index data has a corresponding timestamp. Thus, when the multidimensional index data are converted into grayscale image data, the pixel areas of the different multidimensional index data in the time series data can be arranged in timestamp order, and the gray value of each pixel is then obtained by mapping the value of the corresponding index, for example by processing the value of each index into a value between 0 and 255.
In this way, the disclosed embodiments solve the correlation problem of multidimensional data by converting time series data composed of the multidimensional data collected from the information system into visualized grayscale image data. The problem of predicting information system risk from time series data is thereby converted into an image processing problem of classifying grayscale image data, which increases the number of index dimensions that can be used and remarkably improves the efficiency of operation and maintenance risk control for the information system.
The embodiment of the disclosure also provides a training method and device of the risk detection model. The risk detection model can be applied to the information system risk early warning method and the information system risk early warning device.
It should be noted that "multidimensional index data" is used herein to refer to a data set composed of the values of the n indexes collected at one time. The multidimensional index data may have a particular data structure that includes a timestamp (Timestamp). One time series data includes a plurality of multidimensional index data arranged in order of collection time.
Fig. 1 schematically illustrates an application scenario diagram of an information system risk early warning method and apparatus or a training method and apparatus of a risk detection model according to an embodiment of the present disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include an operation and maintenance terminal 101, a server 102, and an information system 103. The server 102 may communicate with the operation and maintenance terminal 101 and the information system 103, respectively. The information system 103 may be any type of information system.
The risk detection model may be deployed in the server 102, which may execute the information system risk early warning method of the embodiments of the present disclosure so as to monitor the information system 103 and issue risk prompts for it, and may send the monitoring result to the operation and maintenance terminal 101 for display.
Through the operation and maintenance terminal 101, the operation and maintenance personnel can also configure information such as which indexes the server 102 collects from the information system 103, the collection frequency (for example, the duration of a unit collection window herein), the risk prompt frequency for the information system 103 (for example, the duration of a risk prompt window herein), and the time range over which the information system 103 is monitored (for example, one month, or working days), and can start or stop the monitoring of the information system 103 by the server 102 through instructions.
It can be seen that, in the application scenario 100, the information system risk early warning method provided by the embodiments of the present disclosure may be executed by the server 102. Accordingly, the risk early warning device of the information system provided in the embodiments of the present disclosure may also be disposed in the server 102.
In some embodiments, the risk detection model deployed in the server 102 may be a trained risk detection model downloaded from another location (e.g., a server or the cloud). In other embodiments, the risk detection model may be trained in the server 102; once it has been trained to meet the use requirement, it may be used for risk early warning of the information system 103, and it may be iteratively trained with the data collected during early warning. Thus, the training method of the risk detection model provided by the embodiments of the present disclosure may also be performed by the server 103. Accordingly, the training device of the risk detection model provided in the embodiments of the present disclosure may also be provided in the server 103.
It should be appreciated that fig. 1 illustrates only an example of a system architecture in which embodiments of the present disclosure may be employed to assist those skilled in the art in understanding the teachings of the present disclosure, but is not meant to imply that embodiments of the present disclosure may not be employed in other devices, systems, environments, or scenarios.
It should be noted that, the risk early warning method for the information system provided by the embodiment of the present disclosure may be used in the financial field, and may also be used in any field other than the financial field, and the application field is not limited by the present disclosure.
The method and apparatus of the embodiments of the present disclosure will be described in detail below based on the scenario depicted in fig. 1. It should be noted that the sequence numbers of the respective operations in the following methods are merely representative of the operations for the purpose of description, and should not be construed as representing the order of execution of the respective operations. The method need not be performed in the exact order shown unless explicitly stated.
Fig. 2 schematically illustrates a flow chart of an information system risk early warning method according to an embodiment of the disclosure.
As shown in fig. 2, the information system risk early warning method may include operations S201 to S203.
First, in operation S201, during a risk prompting window period (e.g., 30 min), values of n indexes of the information system 103 are acquired with a first time interval (e.g., 5 s) as the unit acquisition window, so as to obtain first time-series data corresponding to the risk prompting window period.
The values of n indexes acquired in the same unit acquisition window form multi-dimensional index data, and each multi-dimensional index data is provided with a corresponding time stamp; wherein n is an integer greater than or equal to 2. In one embodiment, the n metrics include, but are not limited to: CPU usage, memory usage, disk usage, storage IO latency, network traffic, or number of network connections.
Then, in operation S202, the first time-series data is converted into first gray-scale image data in a predetermined conversion manner. In the predetermined conversion manner, the pixel areas corresponding to different multi-dimensional index data are arranged in timestamp order, and the gray values of the pixels in the pixel area corresponding to each multi-dimensional index data are mapped from the values of the indexes in that multi-dimensional index data.
For example, in one embodiment, the x-axis of a two-dimensional image area may be divided into n equal-length intervals corresponding to the n indexes respectively, and each coordinate on the y-axis corresponds to a time stamp. The value of each index in the first time-series data is normalized, using the normalization method corresponding to that index, to a value in the range [0, 255]; the normalized value of each index is then used as the gray value of the corresponding pixels in the two-dimensional image area, and the two-dimensional image area is filled to obtain the gray image data.
Next, in operation S203, the first gray-scale image data is input to the trained risk detection model, and a classification result output by the risk detection model is obtained, where the classification result is used to indicate that the information system 103 has an abnormality or has no abnormality during the risk prompting window period.
The risk detection model may be a machine learning algorithm model constructed based on a neural network of image processing.
In one embodiment, the risk detection model may be a ResNet residual network model. The residual neural network ResNet can efficiently handle problems such as data dimension reduction, feature selection, data fusion and overfitting that multi-dimensional data may cause, and has high accuracy and robustness. Compared with a convolutional neural network, the residual neural network solves the problems of vanishing gradients and performance degradation that arise as the depth of a neural network increases. ResNet also provides pre-trained models, which enhance the training speed and generalization capability of the model and at the same time address the overfitting caused by imbalanced performance and capacity data samples of an information system. The ResNet residual network model can reduce model training and iteration cost and improve model optimization efficiency.
According to the embodiment of the disclosure, risk identification sensing and pre-warning of daily operation and maintenance of the information system 103 can be performed through the multidimensional performance indexes in the information system 103, so that accuracy and timeliness of operation and maintenance risk prediction and risk investigation positioning of the information system 103 are improved, and vulnerability of the information system 103 is reduced.
Fig. 3 schematically illustrates a flowchart of a method of training a risk detection model according to an embodiment of the present disclosure.
As shown in fig. 3, the training method of the risk detection model may include operations S301 to S306.
First, in operation S301, values of the n indexes are acquired within a predetermined time range with a second time interval as the unit acquisition window, so as to obtain original time-series data corresponding to the predetermined time range.
The duration of the second time interval may be the same as or different from the duration of the first time interval. The predetermined time range depends on the size of the data amount required for model training, for example, one month.
Similarly, in the original time series data, values of n indexes acquired in the same unit acquisition window form multi-dimensional index data, and each multi-dimensional index data is provided with a corresponding time stamp.
Next, in operation S302, the status STATE of each multi-dimensional index data in the original time series data is recorded as abnormal or normal based on the status of the information system 103 in the unit acquisition window corresponding to each multi-dimensional index data in the original time series data.
In one embodiment, in order for the risk detection model to predict anomalies in advance and to cover the duration of the entire anomaly, at the time of recording the anomaly, the partial acquisition data before the anomaly occurs and after the anomaly has ended may also be recorded as an anomaly (e.g., state=1). For example, when the information system 103 starts to be in an abnormal state in the unit acquisition window corresponding to any of the first multi-dimensional index data, the states of the first multi-dimensional index data and the at least one multi-dimensional index data acquired before the first multi-dimensional index data are recorded to be abnormal, and when the information system 103 transitions from a previous abnormal state to a normal state in the unit acquisition window corresponding to any of the second multi-dimensional index data, the states of the second multi-dimensional index data and the at least one multi-dimensional index data acquired after the second multi-dimensional index data are recorded to be abnormal.
Then, in operation S303, the original time-series data is sliced using a second time window based on the time stamps of the multi-dimensional index data, wherein the multi-dimensional index data sliced into the same second time window constitutes one sample.
The duration of the second time window may be comparable to the duration of the risk alert window period, for example, may be equal to the duration of the risk alert window period (e.g., both set to 30 minutes), or may be less than or greater than the duration of the risk alert window period.
The duration of the original time series data is the above predetermined time range (for example, may be as long as one month), the sliced sample is still the time series data, and the corresponding duration is the duration of the second time window (for example, may be only 30 minutes), so as to facilitate training and early warning of the risk detection model.
Next, in operation S304, when the sample contains multi-dimensional index data whose state is abnormal, the sample is marked as a negative sample (for example, marked label=1); otherwise the sample is marked as a positive sample (for example, marked label=0).
For example, the raw time series data collected for 1 month may be cut into one sample every 30 minutes. And classifying the samples into positive samples or negative samples according to whether the samples contain multidimensional index data with abnormal states.
The above-described manner of slicing the acquired 1 month of raw time series data into one sample every 30 minutes may be referred to herein as time periodic sampling. Correspondingly, in time proximity sampling, the multi-dimensional index data in the time-series data that is closest to a time t (including the time t) and lies within one second time window is sliced together to form a sample.
In one embodiment, the original time series data can be segmented according to two modes of time proximity sampling and time periodicity sampling respectively to obtain samples, so that the diversity of the samples is increased.
In slicing the original time series data by time proximity sampling, the time stamp of each multi-dimensional index data whose state is abnormal is taken as the cut-off time of a second time window, and that multi-dimensional index data is sliced together with the other multi-dimensional index data whose time stamps lie within the second time window to form a sample. The samples cut out in this way are all negative samples, so the number of negative samples can be increased; this avoids the underfitting in model training that results when the original time series data contains too little abnormal-state multi-dimensional index data and therefore yields too few negative samples.
The process of sampling and slicing the original time series data according to the time periodicity may be to sequentially slice the original time series data by using the second time window with the duration of the second time window as a period, so as to obtain a large number of samples.
In one embodiment, when the original time-series data is sliced by both time proximity sampling and time periodic sampling, the obtained samples may also be checked for identical samples, that is, two samples that contain exactly the same multi-dimensional index data. If such samples exist, only one of them is retained, which avoids the overfitting in model learning that repeated samples would cause.
Next, in operation S305, the sample is converted into second gray scale image data in a similar manner to the conversion in operation S202 described above.
Then, in operation S306, the risk detection model is trained using the second gray scale image data together with the mark of the sample as one piece of training data. That is, the risk detection model is trained to perform binary classification on the training data and determine whether the information system 103 is in an abnormal state.
According to the embodiment of the disclosure, the model training and iteration cost can be reduced, and the model optimization efficiency is improved. By converting the time sequence data with the multi-dimensional index into the visualized gray image data, the machine algorithm model can efficiently process the multi-dimensional data, so that the problems of data dimension reduction, feature selection, data fusion, overfitting and the like which are possibly caused are avoided, and the accuracy and the robustness are higher.
Fig. 4 schematically illustrates a workflow diagram of an apparatus that may implement an information system risk early warning method according to an embodiment of the present disclosure.
The apparatus 400 may perform an information system risk early warning method according to an embodiment of the present disclosure. The following detailed description of the processing of the various parts of the apparatus 400, with reference to fig. 4-8, will help those skilled in the art to understand more accurately how the information system risk early warning method of the embodiments of the present disclosure is implemented. It is to be understood that the following is by way of example only and does not limit the present disclosure.
As shown in fig. 4, the apparatus 400 may include a data acquisition and preprocessing module 1, a model training and risk prediction module 2, and a risk treatment module 3.
The main function of the data acquisition and preprocessing module 1 is to acquire performance data from a service application host platform of the information system 103 by deploying a special data acquisition tool and a monitoring tool, store the performance data in a database and perform data preprocessing operations such as data cleaning.
The main function of the model training and risk prediction module 2 is to receive the data sample preprocessed by the data acquisition and preprocessing module 1, extract the visual image characteristics, convert the visual image characteristics into gray scale image data, output a risk prediction result through the steps of model training, model evaluation, model iteration and the like, and realize optimization iteration of the prediction effect.
The main function of the risk treatment module 3 is to perform advance monitoring and early warning based on the prediction result output by the model training and risk prediction module 2, and to trigger a prompt for manual operation and maintenance observation.
Fig. 5 schematically shows a flow chart of the operation of the data acquisition and pre-processing module 1 in the device shown in fig. 4.
With reference to fig. 4 and 5, the data acquisition and preprocessing module 1 mainly implements acquisition and standardization of the performance and capacity index data of the information system 103. It may build the data structures using the Pandas library of Python (a data structure and data analysis tool) and perform data preprocessing, data sampling and data classification. The data acquisition and preprocessing module 1 may include a data acquisition unit 11, a data preprocessing unit 12, and a sample segmentation unit 13.
A data acquisition unit 11: time-series data of the n indexes of the host system of the information system 103 may be collected using monitoring tools such as performance management (Application manager, abbreviated as APM) and baseboard management controller (Baseboard Manager controller, abbreviated as BMC), and preprocessing operations such as data cleaning and data standardization may be performed on the collected data. In one embodiment, the n indexes may include, but are not limited to, CPU utilization, memory utilization, disk utilization, storage IO latency, network traffic, and network connection number.
The unit acquisition window may be set to 5-second intervals, with the index values within each unit acquisition window averaged (that is, 1 hour of data has 720 time stamps).
The data standardization methods may include Min-Max and decimal scaling, so that the value of each index after processing lies between 0 and 255.
In one embodiment, examples of the performance indexes of the information system 103 and the normalization applied to them after acquisition are shown in Table 1 below, which illustrates 6 indexes (i.e., n=6).
TABLE 1

| Index name | Abbreviation | Normalization method (to [0, 255]) |
|---|---|---|
| CPU utilization | CPU | Decimal scaling |
| Memory utilization | MEM | Decimal scaling |
| Disk utilization | DISK | Decimal scaling |
| Storage IO delay (ms) | IO | Min-Max |
| Network traffic (KB/s) | TRAF | Min-Max |
| Network connection number (count) | CONN | Min-Max |
When the values of the indexes are normalized, one normalization method may be selected for each index, and the methods used for different indexes may be the same or different. For example, the CPU usage collected in FIG. 1 (e.g., 50%) may be converted by decimal scaling to a value of 0.5 and then multiplied by 255, thereby mapping the CPU usage to a value in [0, 255]. As another example, the storage IO delay in Table 1 may be converted by the Min-Max method to a number between 0 and 1, then multiplied by 255 and rounded, giving a value in [0, 255].
A data preprocessing unit 12: the performance data collected by the data acquisition unit 11 may be marked according to whether the operation of the information system 103 was abnormal when the performance data was collected. If there is a system abnormality, state=1 is recorded; if there is no abnormality, state=0 is recorded. Conditions for determining an abnormal state of the information system 103 include, but are not limited to: abnormal transaction response time, transaction volume or batch execution time of business applications, or unavailable host system services. The data structure of the multi-dimensional index data obtained after the state recording is shown in Table 2.
TABLE 2

| Timestamp | CPU | MEM | DISK | IO | TRAF | CONN | STATE |
|---|---|---|---|---|---|---|---|
| dd:hh:mm:ss | [0,255] | [0,255] | [0,255] | [0,255] | [0,255] | [0,255] | 0 or 1 |
In one embodiment, the exception flag may begin at a time stamp before the time point m at which the abnormal state occurs and end at a time stamp after the time point n at which the abnormal state ends. This ensures that the whole course of the abnormal state is covered.
Each of the time-series data acquired within a predetermined time range (e.g., 1 month) may be processed into the multidimensional index data shown in table 2 and then supplied to the sample slicing unit 13 for processing.
Sample segmentation unit 13: the time-series data processed by the data preprocessing unit 12 may be subjected to data sampling fusion. In particular, the sampling fusion may slice the time series data with a second time window (e.g., 30 min) based on the time stamps of the multi-dimensional index data. The multi-dimensional index data sliced into the same second time window form one sample. When the sample contains multi-dimensional index data whose state is abnormal, the sample is marked as a negative sample; otherwise, it is marked as a positive sample.
Table 3 illustrates one sample obtained by slicing at 30min intervals.
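TABLE 3

| Timestamp | CPU | MEM | DISK | IO | TRAF | CONN | STATE |
|---|---|---|---|---|---|---|---|
| 00:00:05:00 | 181 | 42 | 113 | 44 | 15 | 164 | 0 |
| 00:00:10:00 | 178 | 35 | 111 | 18 | 13 | 153 | 0 |
| ... | ... | ... | ... | ... | ... | ... | ... |
| 00:00:30:00 | 82 | 33 | 113 | 25 | 6 | 50 | 0 |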
The sample in Table 3 contains 360 pieces of multi-dimensional index data. When the sample contains multi-dimensional index data with state=1, it is a negative sample and may, for example, be marked as label=1; otherwise, it is a positive sample marked as label=0.
In one embodiment, the sample slicing unit 13 may slice the time-series data transmitted from the data preprocessing unit 12 according to two modes of time proximity sampling and time periodicity sampling, respectively.
1) Time proximity sampling: in the time series data, the time stamp of each multi-dimensional index data whose state is abnormal (i.e., state=1) is taken as the ending time of a second time window, and that multi-dimensional index data is sliced together with the other multi-dimensional index data whose earlier time stamps lie within the second time window to form a sample. Time proximity sampling thus combines into one sample the multi-dimensional index data that is closest to a time t (for example, the time given by the time stamp of the multi-dimensional index data whose state is abnormal) and lies within one second time window of it, and so can represent the short-term pattern of change of the performance indexes of the information system 103. Specifically, time proximity sampling may be applied to the data with state=1: the multi-dimensional index data lying within one second time window of the time stamp of an abnormal-state data point is combined into one sample with label=1; the acquisition point is then moved by one time stamp and another sample is sliced, until all abnormal-state multi-dimensional index data has been sliced. Thus, for example, when there are 60 pieces of multi-dimensional index data in an abnormal state, 60 samples with label=1 can be obtained by slicing. In this way the number of negative samples can be increased, avoiding underfitting in model training.
2) Time periodic sampling: the time series data may be sliced sequentially using the second time window, with the duration of the second time window as the period. That is, the time series data is divided into samples at a fixed time interval between time stamps, so as to reflect the periodic pattern of change of the performance indexes of the information system 103. In one embodiment, time periodic sampling may be performed on the full data set at the slicing interval; a sample that includes multi-dimensional index data with state=1 is marked as label=1, and the remaining samples are marked as label=0.
After the samples have been sliced by both time proximity sampling and time periodic sampling, in one embodiment the samples with label=1 need to be de-duplicated so that label=1 sample data is not repeated. That is, when several samples contain identical multi-dimensional index data, only one of them is retained. All the samples are then fused into the final data set for model training.
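The state padding, the two slicing modes and the de-duplication described above (operations S302 to S304 and the sample segmentation unit 13) can be sketched as follows. This is an added example, not code from the patent; the `Row` layout, the `lead` and `tail` padding widths, the rule of dropping incomplete windows and the 36-row input are assumptions constructed for illustration.

```python
from bisect import bisect_right
from collections import namedtuple

# One piece of multi-dimensional index data: timestamp in seconds, the n
# normalized index values, and the recorded STATE (hypothetical layout).
Row = namedtuple("Row", "ts values state")


def pad_states(raw, lead=1, tail=2):
    """Extend every abnormal mark `lead` rows earlier and `tail` rows later,
    so the label covers the run-up to the anomaly and the recovery row."""
    out = [0] * len(raw)
    for i, state in enumerate(raw):
        if state:
            for j in range(max(0, i - lead), min(len(raw), i + tail + 1)):
                out[j] = 1
    return out


def periodic_samples(rows, window_s, per_window):
    """Time periodic sampling: consecutive, non-overlapping windows."""
    buckets = {}
    for r in rows:
        buckets.setdefault((r.ts - rows[0].ts) // window_s, []).append(r)
    # Assumption: a trailing partial window is dropped so all images match.
    return [tuple(b) for _, b in sorted(buckets.items()) if len(b) == per_window]


def proximity_samples(rows, window_s, per_window):
    """Time proximity sampling: one window ending at each abnormal row."""
    stamps = [r.ts for r in rows]
    out = []
    for r in rows:
        if r.state != 1:
            continue
        lo = bisect_right(stamps, r.ts - window_s)   # first ts > t - window
        hi = bisect_right(stamps, r.ts)              # last ts <= t
        window = tuple(rows[lo:hi])
        if len(window) == per_window:                # skip windows cut off by the start of data
            out.append(window)
    return out


def build_dataset(rows, window_s, interval_s):
    """Fuse both sampling modes, keep identical samples once, attach labels."""
    rows = sorted(rows, key=lambda r: r.ts)
    per_window = window_s // interval_s
    dataset = {}
    candidates = (periodic_samples(rows, window_s, per_window)
                  + proximity_samples(rows, window_s, per_window))
    for sample in candidates:
        label = int(any(r.state for r in sample))    # label=1: negative sample
        dataset.setdefault(sample, label)            # duplicate samples collapse here
    return list(dataset.items())


def constructed_rows():
    """Constructed input: 36 rows at 5 s spacing, anomaly observed at rows 20-21."""
    raw = [0] * 36
    raw[20] = raw[21] = 1
    states = pad_states(raw)
    return [Row(5 * i, (i * 7 % 256, 40, 113), s) for i, s in enumerate(states)]


if __name__ == "__main__":
    data = build_dataset(constructed_rows(), window_s=30, interval_s=5)
    print(len(data), "samples,", sum(label for _, label in data), "with label=1")
```

On the constructed input the periodic window that ends on the last padded row is identical to one of the proximity windows, so it is kept only once.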
Fig. 6 schematically shows a workflow diagram of the model training and risk prediction module 2 in the apparatus shown in fig. 4.
With reference to fig. 4 and 6, the main function of the model training and risk prediction module 2 is to convert the samples processed by the data acquisition and preprocessing module 1 into visualized gray scale image data, and then output risk prediction results through steps of model training, model evaluation, model iteration and the like, and realize optimization iteration of the prediction effect. As shown in fig. 6, the model training and risk prediction module 2 may include an input processing unit 21, a model training unit 22, and a risk decision unit 23.
An input processing unit 21: samples in the data set output by the data acquisition and pre-processing module 11 may be processed. For example, the training set and the test set may be divided according to a ratio of 4:1, and each sample is converted into gray image data.
In one embodiment, when each sample is converted into gray image data, n indexes are respectively corresponding to n equal-length intervals divided on the x axis in a two-dimensional image area, and a timestamp is corresponding to each coordinate on the y axis; and filling the two-dimensional image area with the value of each index of each sample as the gray value of the corresponding pixel in the two-dimensional image area to obtain gray image data.
Taking the sample shown in Table 3 as an example, the sample contains 360 pieces of multi-dimensional index data and, correspondingly, 360 time stamps. The X-axis of the image can be set to 360 pixels, with each run of 60 pixels forming the region for the value of one index, the number of performance indexes being 6; the Y-axis can be divided into 360 coordinates, matching the number of time stamps in the sample. The gray value of each pixel in the image is then filled in from the value of each index in the sample shown in Table 3, thereby converting the sample into visualized gray image data. The label of the gray image data is the same as that of the sample shown in Table 3.
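The normalization of Table 1 and the image layout just described (operation S202) can be carried through in a few lines. This is an added example, not code from the patent; the Min-Max bounds, the clamping of out-of-range live values, the round-half-up rule and the PGM output format are assumptions, and the input sample is constructed.

```python
def _to_gray(unit):
    """Map a value in [0, 1] to an integer gray level in [0, 255]."""
    unit = min(1.0, max(0.0, unit))      # clamp: live data may exceed the bounds
    return int(unit * 255 + 0.5)         # round half up


def decimal_scaling(value, digits=2):
    """Decimal scaling for percentages: 50 (%) -> 0.5 -> gray 128."""
    return _to_gray(value / (10 ** digits))


def min_max(value, lo, hi):
    """Min-Max scaling against bounds fixed in advance (assumed known)."""
    if hi <= lo:                         # degenerate range: avoid dividing by zero
        return 0
    return _to_gray((value - lo) / (hi - lo))


# One normalizer per index, in the column order of Table 1.
# The Min-Max bounds are constructed values, not figures from the patent.
NORMALIZERS = [
    ("CPU", lambda v: decimal_scaling(v)),
    ("MEM", lambda v: decimal_scaling(v)),
    ("DISK", lambda v: decimal_scaling(v)),
    ("IO", lambda v: min_max(v, 0.0, 200.0)),       # ms
    ("TRAF", lambda v: min_max(v, 0.0, 50000.0)),   # KB/s
    ("CONN", lambda v: min_max(v, 0.0, 4000.0)),    # connections
]


def normalize_row(raw_values):
    if len(raw_values) != len(NORMALIZERS):
        raise ValueError("expected %d index values" % len(NORMALIZERS))
    return [fn(v) for (_, fn), v in zip(NORMALIZERS, raw_values)]


def sample_to_gray_image(raw_rows, band_px=60):
    """raw_rows: list of (timestamp, [n raw index values]).
    Returns (width, height, pixels): one image row per timestamp (y-axis),
    one band of band_px pixels per index (x-axis)."""
    ordered = sorted(raw_rows, key=lambda r: r[0])   # pixel rows follow timestamp order
    pixels = bytearray()
    for _, raw_values in ordered:
        for gray in normalize_row(raw_values):
            pixels += bytes([gray]) * band_px
    return len(NORMALIZERS) * band_px, len(ordered), bytes(pixels)


def to_pgm(width, height, pixels):
    """Serialize as binary PGM (P5), an 8-bit grayscale image format."""
    return b"P5\n%d %d\n255\n" % (width, height) + pixels


def constructed_sample():
    """Constructed 30-minute sample: 360 rows at 5 s spacing, delivered in
    reverse order to show that the conversion re-orders by timestamp."""
    return [(5 * t, [50.0, 40.0, 44.0, 100.0 + (t % 5), 250.0 * t, 4000.0 + t])
            for t in range(359, -1, -1)]


if __name__ == "__main__":
    w, h, px = sample_to_gray_image(constructed_sample())
    with open("sample.pgm", "wb") as fh:
        fh.write(to_pgm(w, h, px))
    print(w, "x", h, "pixels written to sample.pgm")
```

Fixing the Min-Max bounds when the training set is built and clamping at inference keeps a live spike from wrapping around or raising an error; it saturates at 255 instead.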
Model training unit 22: in one embodiment, ResNet model training may be performed using the gray image data set output by the input processing unit 21, and a model instance is output.
The two-class image sample set was trained using a ResNet-50 pre-trained model and the trained model was instantiated, with a final model accuracy of 94%. The ResNet model is described below.
I. ResNet algorithm idea.
1. ResNet contains a total of 5 convolution groups, each containing 1 or more basic convolution calculation processes (Conv -> BN -> ReLU).
2. Each convolution group comprises 1 downsampling operation, which halves the size of the feature map. Downsampling is realized in the following two ways:
a) Maximum pooling with a stride of 2, used only for the 2nd convolution group (Conv2_x)
b) Convolution with a stride of 2, used for the 4 convolution groups other than the 2nd convolution group
3. The 1st convolution group contains only 1 convolution operation, with a 7x7 convolution kernel and a stride of 2. The 2nd to 5th convolution groups each contain a plurality of identical residual units, and are generally called Stage1, Stage2, Stage3 and Stage4, respectively.
II. ResNet-50 pre-trained model. Referring to FIG. 7, which schematically illustrates the ResNet-50 pre-trained neural network:
1. The Stages from top to bottom are Stage1 (conv2_x), Stage2 (conv3_x), Stage3 (conv4_x) and Stage4 (conv5_x).
2. Standard residual units: the value on the left indicates the number of cascaded residual units. The residual unit of ResNet-50 consists of 3 convolutional layers, 1x1, 3x3 and 1x1 in sequence.
3. Channel number variation: the number of channels in the input channels of 3,4 Stage varies from 64 to 2048 with the residual unit so as to reduce the number of parameters in the deep network.
4. Calculating the number of layers: the number of residual units contained in each Stage is 3, 4, 6 and 3 in sequence, each residual unit contains 2 convolution layers, and counting the first 7x7 convolution layer and the 3x3 maximum pooling layer, the total layer number = (3+4+6+3) × 2 + 1 + 1 = 34.
5. Downsampling: the purple part in the yellow rectangular box indicates where a downsampling operation occurs, that is, where the size of the feature map is halved; the label at the right arrow is the size of the feature map after downsampling (taking an input of 224x224 as an example). The orange rectangle within the first green rectangle represents the maximum pooling, where the first downsampling occurs.
6. Interpretation of convolutional layer parameters: taking Conv 3x3, c512, s2, p1 as an example, 3x3 represents the convolution kernel size, c512 represents 512 convolution kernels/output channels, s2 represents a convolution stride of 2, and p1 represents a convolution padding of 1.
7. Interpretation of pooling layer parameters: taking max_pool 3x3, c64, s2, p1 as an example, 3x3 denotes the pooling region size (similar to the convolution kernel size), c64 denotes 64 input/output channels, s2 denotes a pooling stride of 2, and p1 denotes a padding of 1.
III. Training parameters and evaluation index
1. Training image adjustment: the ResNet-50 pre-trained model requires an input image size of 224x224, so the transforms library of torchvision is used to randomly crop the gray image samples to 224x224 and to randomly flip half of the images.
2. Hyperparameter settings: the batch size was set to 128, the number of epochs to 160, the learning rate to 0.01, and the learning rate reduction factor to 0.1; the epoch of the first learning rate reduction was set to 80 and the epoch of the second learning rate reduction to 120.
3. Evaluation index: accuracy was used as the main evaluation index, measuring the percentage of samples that the model instance classifies correctly (acc = number of correctly classified samples / total number of samples). The accuracy of the training model is 86%.
Reference is next continued to fig. 6.
Risk decision unit 23: after the model training unit 22 has output a ResNet model that can be used for prediction, the performance index data acquired in real time is obtained through the data acquisition and preprocessing module 1, and the input processing unit 21 is called to form gray image data that can be input into the ResNet model. The ResNet model output by the model training unit 22 is then used to analyze the instance and output a classification judgment result; at the same time, the marking results returned from treatment are collected for model iteration. Specific functions include normal acquisition and priority acquisition.
Normal acquisition: the performance index data of the managed information system 103 may be collected using a unit acquisition window of the same duration as in ResNet model training (for example, 30 min), processed into gray image data, and then input into the ResNet model instance to obtain a risk judgment result.
If the classification judgment result given by the ResNet model is Label=1, the judgment result is transmitted to the risk early warning module 3; if the classification judgment result given by the ResNet model is Label=0, no action is taken.
Priority acquisition: according to an acquisition instruction given by the risk treatment module 3, the performance index data of a specific system may be acquired, input and risk-prejudged in real time at the acquisition frequency and for the acquisition duration specified by the instruction, and all judgment results are transmitted to the risk early warning module 3.
Fig. 8 schematically shows a workflow diagram of the risk handling module 3 in the apparatus shown in fig. 4.
With reference to fig. 4 and fig. 8, the risk treatment module 3 may display the operation and maintenance risk determination result output by the model training and risk prediction module 2 at the operation and maintenance control center of the information system 103. The relevant host then enters an observation window period as a risk early-warning observation object, and the observation and treatment result is returned to the model training and risk prediction module 2 after the risk is over. As shown in fig. 8, the risk treatment module 3 may include a risk early warning prompting unit 31 and a result handling unit 32.
Risk early warning prompting unit 31: the risk judgment result output by the model training and risk prediction module 2 may be obtained and displayed in an operation and maintenance control center (such as Edge Control Center, or ECC) of the information system 103; at this time, the related risk enters a risk prompt window period:
Conventional prompting: by default, the prompt window period coincides with the unit acquisition window duration of the data acquired when training the risk monitoring model, e.g., 30 minutes.
Priority prompting: the operation and maintenance personnel can manually configure the duration of the risk prompt window period, require the risk judgment unit 23 of the model training and risk prediction module 2 to perform priority acquisition, and specify the acquisition frequency and the duration of the risk prompt window period. If the operation and maintenance personnel set the duration of the risk prompt window period to 1 hour and the unit acquisition window period to 1 minute, the risk judgment unit 23 will acquire performance data at 1-minute intervals over the next 1 hour and output judgment results.
The result handling unit 32: after the risk prompt window period and the risk treatment have ended, the actual treatment result of the risk early warning prompt is marked and returned to the input processing unit 21 for iterative model optimization. When the operation and maintenance control center observes an operation and maintenance abnormality of the information system 103, the early warning result received by the risk early warning prompting unit 31 may be marked as a true negative type sample and returned to the input processing unit 21. When the operation and maintenance control center does not observe an operation and maintenance abnormality of the information system 103, the early warning result received by the risk early warning prompting unit 31 may be marked as a false negative type sample and returned to the input processing unit 21.
Fig. 9 schematically illustrates a flowchart of an information system risk early warning method according to another embodiment of the present disclosure.
As shown in fig. 9, the information system risk early warning method according to the embodiment may include steps S901 to S908.
Step S901: the data acquisition unit 11 of the data acquisition and preprocessing module 1 acquires the performance capacity data from the information system 103 to obtain time series data, and performs data standardization processing on the value of each index in the time series data.
Step S902: the data preprocessing unit 12 of the data acquisition and preprocessing module 1 performs exception marking on the performance data corresponding to each time stamp in the time series data acquired by the data acquisition unit 11, so as to generate structured multidimensional index data.
Step S903: the data sample segmentation unit 13 of the data acquisition and preprocessing module 1 segments the time series data into samples and performs sample data fusion, including time proximity sampling and time periodicity sampling, and classifies the samples as positive samples or negative samples.
Step S904: the input processing unit 21 of the model training and risk prediction module 2 divides the samples into a training set and a test set, and maps the samples into gray image data to obtain a gray image data set.
Step S905: the model training unit 22 of the model training and risk prediction module 2 periodically uses the gray image data set output by the input processing unit 21 to perform ResNet model training, and outputs a trained risk detection model.
Step S906: the risk judgment unit 23 of the model training and risk prediction module 2 uses the risk detection model output by the model training unit 22 to call the input processing unit 21 to predict the abnormal risk of the information system 103 in real time, and outputs a prediction result.
Step S907: the risk early warning prompting unit 31 of the risk treatment module 3 collects the risk judgment result output by the model training and risk prediction module 2 and prompts the risk judgment result at the operation and maintenance control center, and a risk prompting window period is opened.
Step S908: the actual treatment result of the risk early warning prompt is marked by the result treatment unit 32 of the risk treatment module 3 and returned to the input processing unit 21.
Therefore, the embodiment of the disclosure can apply the residual network in the convolutional neural network to the abnormal risk sensing and pre-early warning fields of the information system 103, provide risk identification sensing and pre-early warning of daily operation and maintenance of the information system 103 based on the operation and maintenance data and performance data chart of the information system 103, improve the accuracy and timeliness of operation and maintenance risk prediction and risk investigation positioning of the information system 103, and reduce the vulnerability of the information system 103.
Compared with the existing information system risk prediction method, the method has the advantages that the data dimension is wide, the prediction result is not influenced by random fluctuation of the information system load, and the prediction accuracy is higher. Specifically, the traditional information system risk early warning mainly uses historical operation and maintenance data of an information system with a single dimension, and carries out risk early warning through an upper threshold, a lower threshold and a real-time prediction deviation value; the traditional machine learning method is difficult to process the association relation between multidimensional data, and the influence of randomness and fluctuation of machine operation load is easy to be caused due to single data dimension. According to the embodiment of the disclosure, any number of performance capacity index data of the information system can be collected, the difficult problem of data relevance among multi-dimensional indexes is solved by using chart mapping in a mode of converting the performance capacity index data into a visualized gray data chart, and the influence of temporary load fluctuation of the system on a prediction result is reduced through a multi-dimensional data training model.
In addition, the solution of the embodiment of the present disclosure is not sensitive to the device of the information system 103 itself, and can be applied to any information system. The system performance capacity data is processed and analyzed, and is an essential item for monitoring the operation of the information system, and the embodiment of the disclosure does not need to be updated and modified by a detection system, does not occupy system resources additionally, and has wide collection range of the performance capacity data and wide usable index dimension.
According to the method and the device for controlling the risk of the information system, the operation and maintenance risk control efficiency of the information system can be remarkably improved, and the cost for monitoring various system states and controlling the risk is greatly reduced through automatic risk pre-judging and pre-warning.
Fig. 10 schematically illustrates a block diagram of an information system risk early warning device 1000 according to another embodiment of the present disclosure.
As shown in fig. 10, the information system risk early warning device 1000 includes a data acquisition unit 11, an input processing unit 21, and a risk decision unit 23. The apparatus 1000 may perform the information system risk early warning method of the embodiments of the present disclosure.
The data collection unit 11 is configured to collect values of n indexes of the information system 103 in a first time interval in a risk prompting window period to obtain first time sequence data corresponding to the risk prompting window period, where the values of n indexes collected in the same unit collection window form a multi-dimensional index data, and each multi-dimensional index data is provided with a corresponding timestamp; wherein n is an integer greater than or equal to 2.
The input processing unit 12 is configured to convert the first time-series data into first gray-scale image data according to a predetermined conversion manner, where in the conversion manner, pixel regions corresponding to different multi-dimensional index data are arranged in sequence according to their time stamps, and the gray values of the pixels in the pixel region corresponding to each multi-dimensional index data are mapped from the values of each index in that multi-dimensional index data. In one embodiment, the input processing unit 12 may be configured so that, in the two-dimensional image area, n equal-length intervals divided on the x-axis correspond respectively to the n indexes and each coordinate on the y-axis corresponds to a timestamp, and to fill the two-dimensional image area using the value of each index in the first time sequence, normalized to the value range [0, 255], as the gray value of the corresponding pixel, so as to obtain the first gray image data.
The risk judging unit 23 is configured to input the first gray image data to the trained risk detection model, and obtain a classification result output by the risk detection model, where the classification result is used to indicate that the information system 103 has an abnormality or has no abnormality in the risk prompting window period.
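The conversion performed by the input processing unit, written out as an added Python example (not code from the patent). Min-max scaling against fixed per-index bounds, the index names, the bounds and the 4-pixel band width are assumptions, and the sample rows are constructed.

```python
"""Added example: multi-dimensional index data -> grayscale image rows."""
from typing import Dict, List, Sequence, Tuple

Row = Tuple[int, Dict[str, float]]  # (timestamp, {index name: value})

# Assumed index names and normalisation bounds; the patent fixes neither.
METRICS = ("cpu_pct", "mem_pct", "net_conns")
BOUNDS = {"cpu_pct": (0.0, 100.0), "mem_pct": (0.0, 100.0), "net_conns": (0.0, 2000.0)}

# Constructed sample: four 1-minute unit windows, deliberately out of order,
# with one reading (2500 connections) above its assumed upper bound.
SAMPLE_ROWS: List[Row] = [
    (1700000120, {"cpu_pct": 80.0, "mem_pct": 40.0, "net_conns": 1600.0}),
    (1700000000, {"cpu_pct": 20.0, "mem_pct": 40.0, "net_conns": 400.0}),
    (1700000060, {"cpu_pct": 20.0, "mem_pct": 40.0, "net_conns": 400.0}),
    (1700000180, {"cpu_pct": 100.0, "mem_pct": 80.0, "net_conns": 2500.0}),
]


def to_gray(value: float, lo: float, hi: float) -> int:
    """Min-max scale one index value into [0, 255], clipping out-of-range readings."""
    if hi <= lo:
        raise ValueError("upper bound must exceed lower bound")
    clipped = min(max(value, lo), hi)
    return int(round(255 * (clipped - lo) / (hi - lo)))


def series_to_image(rows: Sequence[Row],
                    metrics: Sequence[str] = METRICS,
                    bounds: Dict[str, Tuple[float, float]] = BOUNDS,
                    band_width: int = 4) -> List[List[int]]:
    """Return one pixel row per timestamp (y-axis) and one band per index (x-axis)."""
    if len(metrics) < 2:
        raise ValueError("n must be an integer greater than or equal to 2")
    image: List[List[int]] = []
    # Pixel regions are arranged in timestamp order, whatever the arrival order.
    for ts, values in sorted(rows, key=lambda r: r[0]):
        missing = [m for m in metrics if m not in values]
        if missing:
            raise ValueError(f"timestamp {ts} lacks indexes {missing}")
        pixel_row: List[int] = []
        for name in metrics:
            lo, hi = bounds[name]
            # Each index owns an equal-length interval of band_width pixels.
            pixel_row.extend([to_gray(values[name], lo, hi)] * band_width)
        image.append(pixel_row)
    return image


def to_pgm(image: List[List[int]]) -> bytes:
    """Serialise the image as binary PGM (P5) so it can be viewed or fed to a model."""
    if not image:
        raise ValueError("empty image")
    height, width = len(image), len(image[0])
    header = f"P5\n{width} {height}\n255\n".encode("ascii")
    return header + bytes(p for row in image for p in row)


if __name__ == "__main__":
    for pixel_row in series_to_image(SAMPLE_ROWS):
        print(pixel_row)
```
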
Fig. 11 schematically illustrates a block diagram of a training apparatus 1100 of a risk detection model according to an embodiment of the present disclosure.
As shown in fig. 11, the training apparatus 1100 may include a data acquisition unit 11, a data preprocessing unit 12, a sample segmentation unit 13, an input processing unit 21, and a model training unit 22. The training apparatus 1100 may be used to perform the training method of the risk detection model of the embodiments of the present disclosure.
The data collection unit 11 is configured to collect values of n indexes of the information system 103 in a predetermined time range in units of a second time interval to obtain original time sequence data corresponding to the predetermined time range, where the values of n indexes collected in the same unit of collection window form a multi-dimensional index data, and each multi-dimensional index data is provided with a corresponding timestamp.
The data preprocessing unit 12 is configured to record that the state of each multi-dimensional index data in the original time series data is abnormal or normal based on the state of the information system 103 in the unit acquisition window corresponding to each multi-dimensional index data in the original time series data.
The sample slicing unit 13 is configured to split the original time sequence data using a second time window based on the time stamps of the multi-dimensional index data, where the multi-dimensional index data split into the same second time window form a sample. When the sample contains multi-dimensional index data whose state is abnormal, the sample is marked as a negative sample; otherwise it is marked as a positive sample.
The input processing unit 21 is configured to convert the samples cut by the sample slicing unit 13 into second gray level image data according to a predetermined conversion manner, where in the conversion manner, pixel regions corresponding to different multi-dimensional index data are arranged in sequence according to their time stamps, and the gray values of the pixels in the pixel region corresponding to each multi-dimensional index data are mapped from the values of each index in that multi-dimensional index data.
The model training unit 22 is configured to train the risk detection model with the second gray level image data and the mark of the sample as one training data.
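The state marking and sample slicing done by units 12 and 13, as an added Python example that is not part of the patent text: it extends each observed abnormal interval by one data point on both sides, cuts samples by time-periodic and time-proximity sampling, keeps only one copy of identical samples, and marks a sample containing any abnormal point as negative. The 60-second unit window, the 300-second second time window, the one-point padding, the discarding of incomplete windows and the observation flags are assumptions constructed for illustration.

```python
"""Added example: state marking and sample slicing for the training set."""
from typing import List, Sequence, Tuple

STEP = 60      # assumed unit acquisition window, in seconds
WINDOW = 300   # assumed second time window, in seconds (5 data points per sample)

# Constructed input: 15 unit windows; the system was observed abnormal in windows 7 and 8.
TIMESTAMPS = [i * STEP for i in range(15)]
OBSERVED = [i in (7, 8) for i in range(15)]

Point = Tuple[int, bool]                 # (timestamp, state is abnormal)
Sample = Tuple[Tuple[int, ...], str]     # (member timestamps, "positive" | "negative")


def mark_states(observed: Sequence[bool], pad: int = 1) -> List[bool]:
    """Mark each observed-abnormal point plus `pad` points before and after it."""
    states = [False] * len(observed)
    for i, flagged in enumerate(observed):
        if flagged:
            for j in range(max(0, i - pad), min(len(observed), i + pad + 1)):
                states[j] = True
    return states


def periodic_windows(points: Sequence[Point], window: int) -> List[Tuple[int, ...]]:
    """Time-periodic sampling: consecutive, non-overlapping windows."""
    start = points[0][0]
    buckets = {}
    for ts, _ in points:
        buckets.setdefault((ts - start) // window, []).append(ts)
    return [tuple(buckets[k]) for k in sorted(buckets)]


def proximity_windows(points: Sequence[Point], window: int) -> List[Tuple[int, ...]]:
    """Time-proximity sampling: every abnormal timestamp is the cut-off of a window."""
    return [tuple(t for t, _ in points if ts - window < t <= ts)
            for ts, abnormal in points if abnormal]


def build_samples(timestamps: Sequence[int], observed: Sequence[bool],
                  window: int = WINDOW, step: int = STEP, pad: int = 1) -> List[Sample]:
    if len(timestamps) != len(observed):
        raise ValueError("timestamps and observations differ in length")
    if not timestamps:
        return []
    ordered = sorted(zip(timestamps, observed))          # pad in time order
    states = mark_states([flag for _, flag in ordered], pad)
    points = [(ts, state) for (ts, _), state in zip(ordered, states)]
    state_of = dict(points)
    full = window // step          # assumption: every image must have the same height
    seen, samples = set(), []
    for members in periodic_windows(points, window) + proximity_windows(points, window):
        if len(members) != full or members in seen:
            continue               # incomplete window, or identical sample already kept
        seen.add(members)
        label = "negative" if any(state_of[t] for t in members) else "positive"
        samples.append((members, label))
    return samples


if __name__ == "__main__":
    for members, label in build_samples(TIMESTAMPS, OBSERVED):
        print(label, members)
```
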
In some embodiments, the training apparatus 1100 may be integrated into an information system risk early warning apparatus 1000, such as the apparatus 400 described above.
According to an embodiment of the present disclosure, any of the data acquisition and preprocessing module 1, the model training and risk prediction module 2, the risk handling module 3, the data acquisition unit 11, the data preprocessing unit 12, the sample segmentation unit 13, the input processing unit 21, the model training unit 22, the risk decision unit 23, the risk early warning prompting unit 31, and the result handling unit 32 may be combined in one module to be implemented, or any of the modules may be split into a plurality of modules. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. At least one of the data acquisition and preprocessing module 1, the model training and risk prediction module 2, the risk handling module 3, the data acquisition unit 11, the data preprocessing unit 12, the sample segmentation unit 13, the input processing unit 21, the model training unit 22, the risk decision unit 23, the risk early warning prompting unit 31 and the result handling unit 32 according to embodiments of the present disclosure may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable way of integrating or packaging the circuitry, or in any one of or in any suitable combination of three implementations of software, hardware and firmware. 
Alternatively, at least one of the data acquisition and pre-processing module 1, the model training and risk prediction module 2, the risk handling module 3, the data acquisition unit 11, the data pre-processing unit 12, the sample segmentation unit 13, the input processing unit 21, the model training unit 22, the risk decision unit 23, the risk early warning presentation unit 31 and the result handling unit 32 may be at least partially implemented as a computer program module, which, when run, may perform the respective functions.
Fig. 12 schematically illustrates a block diagram of an electronic device adapted to implement an information system risk early warning method or a training method of a risk detection model according to an embodiment of the present disclosure.
As shown in fig. 12, an electronic device 1200 according to an embodiment of the present disclosure includes a processor 1201, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1202 or a program loaded from a storage section 1208 into a Random Access Memory (RAM) 1203. The processor 1201 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 1201 may also include on-board memory for caching purposes. The processor 1201 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the disclosure.
In the RAM 1203, various programs and data required for the operation of the electronic apparatus 1200 are stored. The processor 1201, the ROM 1202, and the RAM 1203 are connected to each other through a bus 1204. The processor 1201 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 1202 and/or RAM 1203. Note that the program may be stored in one or more memories other than the ROM 1202 and the RAM 1203. The processor 1201 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the electronic device 1200 may also include an input/output (I/O) interface 1205, the input/output (I/O) interface 1205 also being connected to the bus 1204. The electronic device 1200 may also include one or more of the following components connected to the I/O interface 1205: an input section 1206 including a keyboard, a mouse, and the like; an output portion 1207 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 1208 including a hard disk or the like; and a communication section 1209 including a network interface card such as a LAN card, a modem, or the like. The communication section 1209 performs communication processing via a network such as the internet. The drive 1210 is also connected to the I/O interface 1205 as needed. A removable medium 1211 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 1210 so that a computer program read out therefrom is installed into the storage section 1208 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include the ROM 1202 and/or the RAM 1203 and/or one or more memories other than the ROM 1202 and the RAM 1203 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to perform the methods provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1201. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program can also be transmitted, distributed over a network medium in the form of signals, and downloaded and installed via a communication portion 1209, and/or from a removable medium 1211. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program can be downloaded and installed from a network via the communication portion 1209, and/or installed from the removable media 1211. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1201. The systems, devices, apparatus, modules, units, etc. described above in accordance with embodiments of the disclosure may be implemented by computer program modules.
According to embodiments of the present disclosure, program code for performing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined and/or integrated in various ways, even if such combinations or integrations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or integrated without departing from the spirit and teachings of the present disclosure. All such combinations and/or integrations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (16)

1. An information system risk early warning method, comprising:
with a first time interval as a unit acquisition window within a risk prompt window period, collecting values of n indexes of the information system to obtain first time sequence data corresponding to the risk prompt window period; the values of the n indexes acquired in the same unit acquisition window form multi-dimensional index data, and each multi-dimensional index data is provided with a corresponding time stamp; wherein n is an integer greater than or equal to 2;
converting the first time series data into first gray image data according to a preset conversion mode, wherein in the conversion mode, pixel areas corresponding to different multi-dimensional index data are arranged in sequence according to time stamps, and gray values of pixels in the pixel areas corresponding to each multi-dimensional index data are mapped by values of each index in the multi-dimensional index data; and
inputting the first gray image data to a trained risk detection model, and obtaining a classification result output by the risk detection model, wherein the classification result is used for indicating that the information system has or has not an abnormality in the risk prompt window period.
2. The method of claim 1, wherein the converting the first time-series data into first grayscale image data in a predetermined conversion manner includes:
in the two-dimensional image area, n equal-length intervals divided on the x-axis correspond to the n indexes respectively, and each coordinate on the y-axis corresponds to a time stamp;
for the value of each index in the first time sequence, adopting a standardized processing method corresponding to each index, wherein the standardized processing method is used for obtaining a value with a value range of [0, 255]; and
filling the two-dimensional image area by taking the value of each index obtained after the standardization processing as the gray value of the corresponding pixel in the two-dimensional image area so as to obtain the first gray image data.
3. The method of claim 1, wherein the training process of the risk detection model comprises:
collecting values of the n indexes in a preset time range by taking a second time interval as a unit collection window to obtain original time sequence data corresponding to the preset time range;
based on the state of the information system in a unit acquisition window corresponding to each piece of multidimensional index data in the original time sequence data, recording whether the state of each piece of multidimensional index data in the original time sequence data is abnormal or normal;
dividing the original time sequence data by using a second time window based on the time stamp of the multidimensional index data, wherein the multidimensional index data divided into the same second time window forms a sample;
when the sample contains multidimensional index data with abnormal states, marking the sample as a negative sample, otherwise marking the sample as a positive sample;
converting the sample into second gray image data according to the conversion mode; and
training the risk detection model by taking the second gray level image data and the marks of the samples as training data.
4. A method according to claim 3, wherein the dividing the original time series data using a second time window based on the time stamp of the multidimensional metric data comprises:
and dividing the original time sequence data according to two modes of time proximity sampling and time periodicity sampling respectively.
5. A method according to claim 3, wherein slicing the raw time series data according to the temporal proximity samples comprises:
and taking the time stamp of the multidimensional index data with each state as an abnormal state as the cut-off time of a second time window, and cutting the multidimensional index data and other multidimensional index data with the time stamp positioned in the second time window together to form a sample.
6. A method according to claim 3, wherein slicing the raw time series data by the time periodic sampling comprises:
and sequentially dividing the original time sequence data by using the second time window with the duration of the second time window as a period.
7. The method of claim 4, wherein the dividing the original time series data with the second time window further comprises:
when samples containing identical multidimensional index data exist in samples cut out according to the time proximity sampling and the time periodicity sampling, only one of the samples is reserved.
8. The method according to claim 3, wherein the recording the status of each multi-dimensional index data in the original time series data as abnormal or normal based on the status of the information system in the unit acquisition window corresponding to each multi-dimensional index data in the original time series data comprises:
when the information system starts to have an abnormal state in a unit acquisition window corresponding to any first multi-dimensional index data, recording that the states of the first multi-dimensional index data and at least one multi-dimensional index data acquired before the first multi-dimensional index data are abnormal; and
when the information system is changed from the previous abnormal state to the normal state in the unit acquisition window corresponding to any second multidimensional index data, recording that the states of the second multidimensional index data and at least one multidimensional index data acquired after the second multidimensional index data are abnormal.
9. The method of claim 1, wherein the n metrics comprise at least one of: CPU usage, memory usage, disk usage, storage IO latency, network traffic, or number of network connections.
10. The method of claim 1, wherein the risk detection model comprises a residual network model.
11. A method of training a risk detection model, comprising:
collecting values of n indexes of an information system in a preset time range by taking a second time interval as a unit collection window to obtain original time sequence data corresponding to the preset time range, wherein the values of the n indexes collected in the same unit collection window form multi-dimensional index data, and each multi-dimensional index data is provided with a corresponding time stamp;
based on the state of the information system in a unit acquisition window corresponding to each piece of multidimensional index data in the original time sequence data, recording whether the state of each piece of multidimensional index data in the original time sequence data is abnormal or normal;
dividing the original time sequence data by using a second time window based on the time stamp of the multidimensional index data, wherein the multidimensional index data divided into the same second time window forms a sample;
when the sample contains multidimensional index data with abnormal states, marking the sample as a negative sample, otherwise marking the sample as a positive sample;
converting the sample into second gray image data according to a preset conversion mode; in the conversion mode, pixel areas corresponding to different multi-dimensional index data are arranged according to time stamp sequences, and gray values of pixels in the pixel areas corresponding to each multi-dimensional index data are mapped by values of each index in the multi-dimensional index data; and
training the risk detection model by taking the second gray level image data and the marks of the samples as training data.
12. An information system risk early warning device, comprising:
the data acquisition unit is used for collecting, with a first time interval as a unit acquisition window within a risk prompt window period, values of n indexes of the information system, and obtaining first time sequence data corresponding to the risk prompt window period; the values of the n indexes acquired in the same unit acquisition window form multi-dimensional index data, and each multi-dimensional index data is provided with a corresponding time stamp; wherein n is an integer greater than or equal to 2;
an input processing unit, configured to convert the first time-series data into first gray-scale image data according to a predetermined conversion manner, where in the conversion manner, pixel areas corresponding to different multi-dimensional index data are arranged in sequence according to a time stamp, and gray values of pixels in the pixel area corresponding to each multi-dimensional index data are mapped by values of each index in the multi-dimensional index data; and
the risk judging unit is used for inputting the first gray image data to the trained risk detection model and obtaining a classification result output by the risk detection model, wherein the classification result is used for indicating that the information system has or has no abnormality in the risk prompt window period.
13. A training device of a risk detection model, comprising:
the data acquisition unit is used for acquiring values of n indexes of the information system in a preset time range by taking a second time interval as a unit to acquire original time sequence data corresponding to the preset time range, wherein the values of the n indexes acquired in the same unit acquisition window form multi-dimensional index data, and each multi-dimensional index data is provided with a corresponding time stamp;
the data preprocessing unit is used for recording whether the state of each multi-dimensional index data in the original time sequence data is abnormal or normal based on the state of the information system in the unit acquisition window corresponding to each multi-dimensional index data in the original time sequence data;
a sample segmentation unit for: dividing the original time sequence data by using a second time window based on the time stamp of the multidimensional index data, wherein the multidimensional index data divided into the same second time window forms a sample; when the sample contains multidimensional index data with abnormal states, marking the sample as a negative sample, otherwise marking the sample as a positive sample;
an input processing unit for converting the sample into second gray image data according to a predetermined conversion mode; in the conversion mode, pixel areas corresponding to different multi-dimensional index data are arranged according to time stamp sequences, and gray values of pixels in the pixel areas corresponding to each multi-dimensional index data are mapped by values of each index in the multi-dimensional index data;
and the model training unit is used for training the risk detection model by taking the second gray level image data and the marks of the samples as training data.
14. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-11.
15. A computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the method of any of claims 1 to 11.
16. A computer program product comprising computer program instructions which, when executed by a processor, implement the method of any one of claims 1 to 11.
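The sample segmentation and input processing units recited in the device claim above can be sketched as follows. This is an added illustration, not code from the patent: the index names, the per-index bounds, the min-max scaling to 0-255 and the choice of one pixel row per multi-dimensional index data record are all assumptions, since the claim only requires rows ordered by time stamp and gray values mapped from the index values.

```python
from collections import defaultdict

# Constructed sample data: (timestamp_s, [cpu_pct, mem_pct, err_per_s], abnormal)
RECORDS = [
    (0, [20.0, 40.0, 0.0], False),
    (10, [20.0, 40.0, 0.0], False),
    (20, [40.0, 40.0, 2.0], False),
    (40, [80.0, 60.0, 4.0], False),   # arrives out of order on purpose
    (30, [60.0, 60.0, 2.0], False),
    (50, [100.0, 80.0, 10.0], True),  # system was abnormal in this window
]
# Assumed per-index (min, max) used for scaling; the claim fixes no mapping.
BOUNDS = [(0.0, 100.0), (0.0, 100.0), (0.0, 10.0)]


def segment(records, window_s):
    """Split records into fixed time windows and label each resulting sample.

    Following the claim's wording, a sample holding any abnormal record is
    marked "negative"; otherwise it is marked "positive".
    """
    t0 = min(ts for ts, _, _ in records)
    buckets = defaultdict(list)
    for rec in records:
        buckets[int((rec[0] - t0) // window_s)].append(rec)
    samples = []
    for key in sorted(buckets):
        rows = sorted(buckets[key], key=lambda r: r[0])  # time stamp order
        label = "negative" if any(r[2] for r in rows) else "positive"
        samples.append((rows, label))
    return samples


def to_gray(rows, bounds):
    """Map one sample to a 2-D list of gray values, one row per record."""
    image = []
    for _, values, _ in rows:
        if len(values) != len(bounds):
            raise ValueError("record does not have one value per index")
        line = []
        for v, (lo, hi) in zip(values, bounds):
            clipped = min(max(v, lo), hi)  # out-of-range readings saturate
            line.append(round(255 * (clipped - lo) / (hi - lo)))
        image.append(line)
    return image
```

Clipping to the assumed bounds keeps a single extreme reading from rescaling the whole image, which would otherwise make images from different windows incomparable.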
CN202310584043.8A 2023-05-23 2023-05-23 Information system risk early warning method, device, equipment and medium Pending CN116610524A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310584043.8A CN116610524A (en) 2023-05-23 2023-05-23 Information system risk early warning method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310584043.8A CN116610524A (en) 2023-05-23 2023-05-23 Information system risk early warning method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN116610524A true CN116610524A (en) 2023-08-18

Family

ID=87683155

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310584043.8A Pending CN116610524A (en) 2023-05-23 2023-05-23 Information system risk early warning method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN116610524A (en)

Similar Documents

Publication Publication Date Title
Zhai et al. Enabling predictive maintenance integrated production scheduling by operation-specific health prognostics with generative deep learning
US20210192586A1 (en) Systems and Methods for Detecting and Responding to Anomalous Traffic Conditions
Bekar et al. An intelligent approach for data pre-processing and analysis in predictive maintenance with an industrial case study
US11037080B2 (en) Operational process anomaly detection
RU2573735C2 (en) Method and system for analysis of flight data recorded during aircraft flight
US20220414539A1 (en) Machine learning performance monitoring and analytics
CN108182515B (en) Intelligent rule engine rule output method, equipment and computer readable storage medium
US20150220868A1 (en) Evaluating Data Quality of Clinical Trials
US20190188774A1 (en) Recommendation engine for micro services
CN116416884B (en) Testing device and testing method for display module
CN114519524A (en) Enterprise risk early warning method and device based on knowledge graph and storage medium
US11676704B2 (en) Systems and methods for processing electronic images for health monitoring and forecasting
US20160267231A1 (en) Method and device for determining potential risk of an insurance claim on an insurer
US20160194597A1 (en) Colony inspection device, colony inspection method, and recording medium
e Silva et al. A data analytics framework for anomaly detection in flight operations
CN117333012A (en) Financial risk tracking management system, device and storage medium based on data mining
US20120078912A1 (en) Method and system for event correlation
CN115512098B (en) Bridge electronic inspection system and inspection method
CN116610524A (en) Information system risk early warning method, device, equipment and medium
Mascali et al. A machine learning-based Anomaly Detection Framework for building electricity consumption data
CN114312930A (en) Train operation abnormity diagnosis method and device based on log data
CN115683504A (en) Bridge acceleration monitoring data anomaly identification method and system based on multi-label classification
CN113569879B (en) Training method of abnormal recognition model, abnormal account recognition method and related device
Helgo Deep Learning and Machine Learning Algorithms for Enhanced Aircraft Maintenance and Flight Data Analysis
CN111612302A (en) Group-level data management method and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination