CN117785615A - Method and system for detecting abnormality of key indexes of application system - Google Patents
Method and system for detecting abnormality of key indexes of application system Download PDFInfo
- Publication number
- CN117785615A CN117785615A CN202311832172.0A CN202311832172A CN117785615A CN 117785615 A CN117785615 A CN 117785615A CN 202311832172 A CN202311832172 A CN 202311832172A CN 117785615 A CN117785615 A CN 117785615A
- Authority
- CN
- China
- Prior art keywords
- key
- abnormality
- time
- real
- log
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000005856 abnormality Effects 0.000 title claims abstract description 79
- 238000000034 method Methods 0.000 title claims abstract description 42
- 238000001514 detection method Methods 0.000 claims abstract description 135
- 238000013528 artificial neural network Methods 0.000 claims abstract description 29
- 238000004364 calculation method Methods 0.000 claims abstract description 22
- 238000012549 training Methods 0.000 claims abstract description 16
- 238000004220 aggregation Methods 0.000 claims abstract description 10
- 230000002776 aggregation Effects 0.000 claims abstract description 10
- 230000002159 abnormal effect Effects 0.000 claims description 31
- 238000003860 storage Methods 0.000 claims description 15
- 238000012544 monitoring process Methods 0.000 claims description 12
- 230000004044 response Effects 0.000 claims description 11
- 230000015654 memory Effects 0.000 claims description 6
- 238000012545 processing Methods 0.000 claims description 6
- 238000004140 cleaning Methods 0.000 claims description 3
- 238000010276 construction Methods 0.000 claims description 3
- 239000000284 extract Substances 0.000 claims 1
- 238000010801 machine learning Methods 0.000 description 10
- 238000010586 diagram Methods 0.000 description 8
- 230000006870 function Effects 0.000 description 8
- 238000004590 computer program Methods 0.000 description 7
- 230000008569 process Effects 0.000 description 6
- 230000000295 complement effect Effects 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000001788 irregular Effects 0.000 description 3
- 230000003044 adaptive effect Effects 0.000 description 2
- 238000012790 confirmation Methods 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 238000007619 statistical method Methods 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000013079 data visualisation Methods 0.000 description 1
- 230000008034 disappearance Effects 0.000 description 1
- 238000004880 explosion Methods 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000010606 normalization Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000000737 periodic effect Effects 0.000 description 1
- 238000007781 pre-processing Methods 0.000 description 1
- 238000007639 printing Methods 0.000 description 1
- 230000000306 recurrent effect Effects 0.000 description 1
- 230000006403 short-term memory Effects 0.000 description 1
- 238000012731 temporal analysis Methods 0.000 description 1
- 238000000700 time series analysis Methods 0.000 description 1
Abstract
The invention discloses a method and a system for detecting key index abnormality of an application system, comprising the following steps: collecting key index logs of different service application systems, forming corresponding key index log files, and pushing log information to a collecting platform and a message system; based on the requirement of the business key indexes, carrying out real-time calculation and aggregation on the cleaned log information to obtain the aggregated business key indexes, and pushing the aggregated business key indexes to a message system again; the time sequence database monitors the message system, receives and stores the aggregated business key indexes and forms time sequence data; constructing an anomaly detection model based on an LSTM neural network, and performing model training by adopting time sequence data; the abnormality detection program monitors and pulls real-time data in the information canceling system in real time, and a trained abnormality detection model is adopted to detect abnormality of the real-time data and carry out abnormality warning. The method can be self-adaptive to different key service characteristics of different service application systems, and the abnormality detection is more accurate.
Description
Technical Field
The invention relates to the technical fields of big data, machine learning and anomaly detection, in particular to a key index anomaly detection method and system of an application system.
Background
The key index anomaly detection refers to a process of monitoring key business indexes of enterprises or organizations to find abnormal conditions and take measures in time. The key index anomaly detection can help enterprises or organizations to find problems in the service in time, reduce service risks and improve service efficiency.
The traditional method uses the following method for key index anomaly detection: (1) statistical analysis: the key indicators are analyzed using statistical methods, such as calculating averages, medians, standard deviations, etc., to determine normal business ranges. If the value of the key index is out of the normal range, it can be regarded as an abnormal situation. (2) threshold monitoring: the threshold value of the key index is set, and if the value of the key index exceeds the threshold value, it can be regarded as an abnormal situation. The threshold may be set based on historical data or business requirements. (3) trend analysis: analyzing the trend of the key index, and if the trend of the key index changes suddenly, the key index can be regarded as an abnormal situation. A chart or data visualization tool may be used to show trends in key indicators.
However, in the internet financial service, due to the characteristics of the service itself, key indexes have the following characteristics: 1. strong time correlation, such as a large promotion for a specific time per week. 2. Irregular fluctuations, such as fluctuations in transaction volume caused by policy changes. 3. Longer periodic laws, such as 3 years of concentrated expiration of regular deposits. Due to the existence of the characteristics of the internet financial service, the traditional anomaly detection method is difficult to calculate reasonable statistical data, anomaly threshold values and trends when facing key indexes of the internet financial service, and the problems of unreported anomalies, high false alarm rate and the like of anomaly detection are caused.
In view of this, the present application is specifically proposed.
Disclosure of Invention
The technical problem to be solved by the invention is that based on the characteristics of strong time correlation, irregular volatility, longer period regularity and the like of the internet financial service, the traditional anomaly detection method is difficult to calculate reasonable statistical data, anomaly threshold values and trends when facing key indexes of the internet financial service, and the problems of unreported anomalies, high false alarm rate and the like of anomaly detection are caused.
The invention aims to provide a method and a system for detecting key indexes of an application system in an abnormal way, which are based on time sequence data, real-time calculation and machine learning to detect the key indexes, can receive the time sequence data of the key indexes generated by a service application system, adopts the real-time calculation to clean, complement and aggregate the time sequence data, then trains an abnormal detection model by utilizing a machine learning technology, and uses the model to detect the abnormal key indexes of the service application system. The method can be self-adaptive to different key service characteristics of different service application systems, and the abnormality detection is more accurate.
The invention is realized by the following technical scheme:
in a first aspect, the present invention provides a method for detecting abnormality of key indexes of an application system, where the method includes:
collecting key index logs of different service application systems, forming corresponding key index log files, and pushing log information in each key index log file to a collection platform; the collecting platform sends the cleaned log information to a message system;
based on the requirements of the business key indexes, carrying out real-time calculation and aggregation on the cleaned log information to obtain the aggregated business key indexes; pushing the aggregated business key indexes to the message system again;
the time sequence database monitors the message system, receives and stores the aggregated business key indexes and forms time sequence data;
constructing an anomaly detection model based on an LSTM neural network, and performing model training on the anomaly detection model based on the LSTM neural network by adopting time sequence data to obtain a trained anomaly detection model; the trained abnormality detection model is stored in an object storage;
the anomaly detection program monitors and pulls real-time data in the information canceling system in real time, and carries out anomaly detection on the real-time data by adopting a trained anomaly detection model to obtain a detection result; and sending the detection result to a message system and carrying out abnormal alarm.
Further, collecting key index logs of different service application systems, forming corresponding key index log files, and pushing log information in each key index log file to a collection platform; the collecting platform sends the cleaned log data to a message system, and the collecting platform comprises:
different service application systems print key index logs in a unified format by adopting a unified log component respectively, and correspondingly output the key index logs to a local key index log file;
the log agent monitors the key index log file and pushes log information in the key index log file to a log collection platform; each business application system corresponds to one log agent;
the log collection platform judges whether the received log information format is legal or not, and filters and washes out log information which does not meet the requirement to obtain washed log information;
the log collection platform sends the cleaned log information to the message system Kafka.
Further, the content of the key index log includes a timestamp, a service application name, a system name, a subsystem name, a service type, a product code, a channel code, an event code, an interface name, an application program IP address, a service response code, a service response description, and the like.
Further, the traffic critical indicators include the number of traffic Requests Per Second (RPS), the traffic success rate per second, and the minimum time required to satisfy ninety-nine percent of the traffic requests (TP 99).
Further, constructing an anomaly detection model based on the LSTM neural network, and performing model training on the anomaly detection model based on the LSTM neural network by adopting time sequence data to obtain a trained anomaly detection model; and saving the trained anomaly detection model to an object store, comprising:
a machine learning program for regularly extracting historical time sequence data from the time sequence database;
according to the configuration of the service application, extracting the characteristics of the historical time sequence data to obtain the characteristics of the service application; the service application characteristics are standardized and normalized, and the processed service application characteristics are obtained;
constructing an anomaly detection model based on an LSTM neural network, comprising: constructing a multi-layer linear stacking model neural network, defining an input layer for the multi-layer linear stacking model neural network, and setting the input dimension of the input layer according to time steps and feature numbers in different business key data;
based on the processed service application characteristics, performing model training on an anomaly detection model based on the LSTM neural network to obtain a trained anomaly detection model; the trained abnormality detection model is stored in an object storage;
and calling an abnormality checking program interface to inform an abnormality detecting program that an abnormality detecting model is updated.
Further, the business application features include average call volume, maximum call volume, minimum call volume, trend of call volume, periodicity, etc.
Further, the abnormality detection program monitors and pulls real-time data in the information canceling system in real time, and a trained abnormality detection model is adopted to detect abnormality of the real-time data, so that a detection result is obtained; sending the detection result to a message system and carrying out abnormal alarm, wherein the method comprises the following steps:
the abnormality detection program acquires a trained abnormality detection model from the object storage, loads the model into the memory and initializes the model object;
monitoring and pulling real-time data processed by real-time calculation in a message system Kafka, calling an anomaly detection method of a model object, and performing anomaly detection on the real-time data to obtain a detection result;
if the detection result is abnormal, transmitting the real-time data and the abnormal information to a message system Kafka;
the alarm program monitors and receives the abnormal information, and judges whether the abnormal information is restrained (avoiding repeated alarm from being sent continuously) after the abnormal information is received;
if not, notifying the desktop program and the mobile terminal program; if it is suppressed, no exception notification is made.
Further, the method further comprises: the timing updating abnormality detection model specifically comprises the following steps:
setting a timing update period for different business key indexes of each business application system according to the time sequence characteristics of the business key indexes and the characteristics of the corresponding business application systems;
when the update period is reached, the anomaly detection model is updated in accordance with the above steps using the new history data.
Further, the method further comprises: manually updating model characteristics, specifically:
when the alarm receiver receives the alarm notification, the alarm receiver selects whether the alarm is valid or invalid by clicking a button;
if the alarm is invalid, the machine learning program refreshes the model features to avoid false alarm again.
In a second aspect, the present invention further provides an application system key indicator anomaly detection system, where the system uses the above-mentioned method for detecting an application system key indicator anomaly; the system comprises:
the collecting and cleaning unit is used for collecting key index logs of different service application systems, forming corresponding key index log files and pushing log information in each key index log file to the collecting platform; the collecting platform sends the cleaned log information to a message system;
the real-time calculation and aggregation unit is used for carrying out real-time calculation and aggregation on the cleaned log information based on the requirements of the service key indexes to obtain the aggregated service key indexes; pushing the aggregated business key indexes to the message system again;
the time sequence data forming unit is used for receiving and storing the aggregated business key indexes and forming time sequence data by the time sequence database monitoring message system;
the model construction and training unit is used for constructing an anomaly detection model based on the LSTM neural network, and carrying out model training on the anomaly detection model based on the LSTM neural network by adopting time sequence data to obtain a trained anomaly detection model; the trained abnormality detection model is stored in an object storage;
the abnormality detection and alarm unit is used for monitoring and pulling real-time data in the information canceling system in real time by an abnormality detection program, and performing abnormality detection on the real-time data by adopting a trained abnormality detection model to obtain a detection result; and sending the detection result to a message system and carrying out abnormal alarm.
Compared with the prior art, the invention has the following advantages and beneficial effects:
1. the invention relates to a key index anomaly detection method and a key index anomaly detection system for an application system, which are based on time sequence data, real-time calculation and machine learning, can receive the time sequence data of key indexes generated by a service application system, adopt the real-time calculation to clean, complement and aggregate the time sequence data, then train an anomaly detection model by utilizing a machine learning technology, and use the model to perform anomaly detection on the key indexes of the service application system. The method can be self-adaptive to different key service characteristics of different service application systems, and the abnormality detection is more accurate.
2. The method and the system for detecting the key index abnormality of the application system have the function of manually updating the model characteristics by periodically updating the model, so that the model is more and more accurate in the using process.
Drawings
The accompanying drawings, which are included to provide a further understanding of embodiments of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention. In the drawings:
FIG. 1 is a flow chart of a method for detecting key index anomalies of an application system according to the present invention;
FIG. 2 is a general architecture diagram of a method for detecting anomalies in key indicators of an application system according to the present invention;
FIG. 3 is a block diagram of a system for detecting anomalies in key indicators of an application system according to the present invention.
Detailed Description
For the purpose of making apparent the objects, technical solutions and advantages of the present invention, the present invention will be further described in detail with reference to the following examples and the accompanying drawings, wherein the exemplary embodiments of the present invention and the descriptions thereof are for illustrating the present invention only and are not to be construed as limiting the present invention.
Based on the characteristics of strong time correlation, irregular volatility, long period law and the like of the internet financial service, the traditional anomaly detection method is difficult to calculate reasonable statistical data, anomaly threshold values and trends when facing key indexes of the internet financial service, and causes the problems of unreported anomalies, high false alarm rate and the like in anomaly detection.
Therefore, aiming at the problems, the invention designs an abnormality detection method and an abnormality detection system for key indexes of an application system, which are based on time sequence data, real-time calculation and machine learning, can receive the time sequence data of the key indexes generated by a service application system, adopts the real-time calculation to clean, complement and aggregate the time sequence data, trains an abnormality detection model by utilizing a machine learning technology, and uses the model to detect the abnormality of the key indexes of the service application system. The method can be adaptive to different key service characteristics of different service application systems, intelligently detect the abnormality and detect the abnormality more accurately.
Example 1
As shown in fig. 1 and fig. 2, the method for detecting the abnormality of the key indexes of the application system includes:
step 1, collecting key index logs of different service application systems, forming corresponding key index log files, and pushing log information in each key index log file to a collection platform; the collecting platform sends the cleaned log information to a message system;
the step 1 specifically comprises the following steps:
different service application systems print key index logs in a unified format by adopting a unified log component respectively, and correspondingly output the key index logs to a local key index log file;
the log agent monitors the key index log file and pushes log information in the key index log file to a log collection platform; each business application system corresponds to one log agent;
the log collection platform judges whether the received log information format is legal or not, and filters and washes out log information which does not meet the requirement to obtain washed log information;
the log collection platform sends the cleaned log information to the message system Kafka.
Specifically, different service application systems print key index logs in a unified format by adopting unified log components respectively; the process comprises the following steps: the log printing is modified by using a standard openrace log component, and a developer of a business system is required to manually call the log component and record key indexes at a place where the business key indexes are generated. The service response code and the service response code need to be specified by a developer, the rest of the information of the log is obtained automatically from the environment of the application system by a log component.
Specifically, the content of the key index log includes a timestamp, a service application name, a system name, a subsystem name, a service type, a product code, a channel code, an event code, an interface name, an application IP address, a service response code, a service response description, and the like.
The key index log format is:
datetime,application,system,subSystem,business_type,product_code,channel_code,event_code,api,ip,traceId,spanId,biz_status_code,biz_status_desc。
the content of the key index log is specifically shown in table 1.
TABLE 1 content of Key index Log
| Log segment name | Log segment meaning |
| datetime | Time stamp |
| application | Application name |
| system | System name |
| subSystem | Subsystem name |
| business_type | Service type |
| product_code | Product code |
| channel_code | Channel code |
| event_code | Event code |
| api | Interface name |
| ip | Application IP address |
| traceId | T of openraceraceId |
| spanId | Span of openrace |
| biz_status_code | Service response code |
| biz_status_desc | Business response description |
Specifically, log collection is uniformly performed by using a log stack (log agent), the log stack and related configuration are built in a virtual machine template and a container image, and when the application is applied to a server and a container is created, the components are automatically installed and configured.
Specifically, each portion of the log cannot be missing, but for various reasons incomplete log may occur, such data may affect the accuracy of subsequent machine learning, so the log platform is directly discarded at the time of collection.
Step 2, based on the requirements of the business key indexes, carrying out real-time calculation and aggregation on the cleaned log information by using a real-time calculation module to obtain the aggregated business key indexes; pushing the aggregated business key indexes to the message system again;
in particular, the traffic critical indicators include the number of traffic Requests Per Second (RPS), the traffic success rate per second, and the minimum time required to satisfy ninety-nine percent of the traffic requests (TP 99).
According to the technical scheme, different service key indexes are required to be processed from original log information in real time, such as RPS, service success rate per second and the like. The real-time calculation program obtains the configuration of different key indexes from the configuration service, and calculates and aggregates the original data in real time; the real-time calculation program pushes the calculated result to the message system Kafka after the calculation is completed. In particular implementations, this portion of functionality is implemented using the DataStream API and windowing of the link.
Step 3, the time sequence database monitors the message system, receives and stores the aggregated business key indexes and forms time sequence data;
specifically, the time sequence data is an aggregate or statistical value of a certain business key index of a certain business application system at a characteristic time point, such as loan request data and loan interface response time TP99 of loan business of a business application system A in a channel A of 2023-12-27:00:00:00.000.
Step 4, constructing an anomaly detection model based on the LSTM neural network, and performing model training on the anomaly detection model based on the LSTM neural network by adopting time sequence data to obtain a trained anomaly detection model; the trained abnormality detection model is stored in an object storage;
the step 4 specifically comprises the following steps:
step 41, a machine learning program, extracting historical time series data from a time series database at regular time;
step 42, data preprocessing: according to the configuration of the service application (the configuration of the service application is that the configuration information of each service key index of each service application system is obtained from a configuration service; the configuration information comprises the configuration of the range of the history data to be obtained, and corresponding data is obtained according to the configuration), the history time sequence data is subjected to feature extraction to obtain service application features; the business application features include average call volume, maximum call volume, minimum call volume, trend of call volume, periodicity, etc. And carrying out standardization and normalization processing on the service application characteristics to obtain processed service application characteristics so as to ensure that the service application characteristics are on the same scale.
Step 43, model training;
an LSTM neural network (Long Short-Term Memory network, LSTM) is a Recurrent Neural Network (RNN) that is suitable for sequence modeling and time series analysis. They can also be used for anomaly detection in time series data. Anomaly detection involves identifying patterns in data that do not conform to expected behavior.
Constructing an anomaly detection model based on an LSTM neural network, which specifically comprises the following steps: (1) An instance of the Sequential class is created, an input layer is added, and the dimension of the input layer is consistent with the dimension of the key index. (2) The LSTM layer is added and consists of memory units, so that the sequence data can be effectively processed, and gradient disappearance or explosion can be prevented. (3) And adding a full connection layer and a Dropout layer for improving the performance and the robustness of the model. The number of layers of the full connection layer is obtained from the configuration service, and can be adjusted at any time according to the accuracy of the model.
Based on the processed service application characteristics, performing model training on an anomaly detection model based on the LSTM neural network to obtain a trained anomaly detection model; the trained abnormality detection model is stored in an object storage;
and calling an abnormality checking program interface to inform an abnormality detecting program that an abnormality detecting model is updated.
Step 5, the abnormality detection program monitors and pulls real-time data in the information canceling system in real time, and abnormality detection is carried out on the real-time data by adopting a trained abnormality detection model to obtain a detection result; and sending the detection result to a message system and carrying out abnormal alarm.
The step 5 specifically comprises the following steps:
the anomaly detection program acquires a trained anomaly detection model from the object storage, loads the anomaly detection model into a memory and initializes the model object;
monitoring and pulling real-time data processed by real-time calculation in a message system Kafka, calling an anomaly detection method (a prefecte method) of the model object, and performing anomaly detection on the real-time data to obtain a detection result;
if the detection result is abnormal, transmitting the real-time data and the abnormal information to a message system Kafka;
the alarm program monitors and receives the abnormal information, and judges whether the abnormal information is restrained (avoiding repeated alarm from being sent continuously) after the abnormal information is received;
if not, notifying the desktop program and the mobile terminal program; if it is suppressed, no exception notification is made.
As a further implementation, the method further comprises: step 6, updating an abnormality detection model at regular time, which specifically comprises the following steps:
setting a timing update period for different business key indexes of each business application system according to the time sequence characteristics of the business key indexes and the characteristics of the corresponding business application systems;
when the update period is reached, the anomaly detection model is updated according to steps 1 to 4 described above using the new history data.
According to the technical scheme, the timing update time of each anomaly detection model is stored in the distributed timing scheduling program, and the timing scheduling program triggers model retraining and model updating at timing time points. After the model is updated, the machine learning program also needs to acquire the characteristics of the false alarm data from the false alarm database and update the model.
As a further implementation, the method further comprises: step 7, manually updating model characteristics, specifically:
when the alarm receiver receives the alarm notification, the alarm receiver selects whether the alarm is valid or invalid by clicking a button;
if the alarm is invalid, the machine learning program refreshes the model features to avoid false alarm again.
According to the technical scheme, the model generated by machine learning inevitably has errors, namely false alarm of the business key indexes in the current scene, so that a mechanism is needed to adjust the model. This mechanism is an anomaly confirmation function that is manually performed by the user. If the user considers that the abnormality is false alarm, false alarm confirmation can be carried out on the desktop or the mobile terminal. The back end can save and update the characteristics of the false alarm data into the model, so that the false alarm of the same type is avoided.
The invention relates to an abnormality detection method for key indexes of an application system, which is used for detecting key indexes based on time sequence data, real-time calculation and machine learning, can be adaptive to different key service characteristics of different systems, provides a more accurate abnormality detection function, and simultaneously has a manual model updating function, so that a model is more and more accurate in the use process.
Example 2
As shown in fig. 3, the difference between the present embodiment and embodiment 1 is that the present embodiment provides an application system key indicator anomaly detection system, which uses an application system key indicator anomaly detection method of embodiment 1; the system corresponds to the key index anomaly detection method of the application system in the embodiment 1 one by one; the system comprises:
the collecting and cleaning unit is used for collecting key index logs of different service application systems, forming corresponding key index log files and pushing log information in each key index log file to the collecting platform; the collecting platform sends the cleaned log information to a message system;
the real-time calculation and aggregation unit is used for carrying out real-time calculation and aggregation on the cleaned log information based on the requirements of the service key indexes to obtain the aggregated service key indexes; pushing the aggregated business key indexes to the message system again;
the time sequence data forming unit is used for receiving and storing the aggregated business key indexes and forming time sequence data by the time sequence database monitoring message system;
the model construction and training unit is used for constructing an anomaly detection model based on the LSTM neural network, and carrying out model training on the anomaly detection model based on the LSTM neural network by adopting time sequence data to obtain a trained anomaly detection model; the trained abnormality detection model is stored in an object storage;
the abnormality detection and alarm unit is used for monitoring and pulling real-time data in the information canceling system in real time by an abnormality detection program, and performing abnormality detection on the real-time data by adopting a trained abnormality detection model to obtain a detection result; and sending the detection result to a message system and carrying out abnormal alarm.
The execution process of each unit is performed according to the steps of the method for detecting the abnormality of the key index of the application system in embodiment 1, which is not described in detail.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing description of the embodiments has been provided for the purpose of illustrating the general principles of the invention, and is not meant to limit the scope of the invention, but to limit the invention to the particular embodiments, and any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the invention are intended to be included within the scope of the invention.
Claims (10)
1. The method for detecting the abnormality of the key indexes of the application system is characterized by comprising the following steps:
collecting key index logs of different service application systems, forming corresponding key index log files, and pushing log information in each key index log file to a collection platform; the collecting platform sends the cleaned log information to a message system;
based on the requirements of the business key indexes, carrying out real-time calculation and aggregation on the cleaned log information to obtain the aggregated business key indexes; pushing the aggregated business key indexes to the message system again;
the time sequence database monitors the message system, receives and stores the aggregated business key indexes and forms time sequence data;
constructing an anomaly detection model based on an LSTM neural network, and performing model training on the anomaly detection model based on the LSTM neural network by adopting the time sequence data to obtain a trained anomaly detection model; the trained abnormality detection model is stored in an object storage;
monitoring and pulling real-time data in the information canceling system in real time, and carrying out anomaly detection on the real-time data by adopting a trained anomaly detection model to obtain a detection result; and sending the detection result to a message system and carrying out abnormal alarm.
2. The method for detecting the abnormality of the key indexes of the application system according to claim 1, wherein the key index logs of different service application systems are collected and corresponding key index log files are formed, and log information in each key index log file is pushed to a collection platform; the collecting platform sends the cleaned log data to a message system, and the collecting platform comprises:
different service application systems print key index logs in a unified format by adopting a unified log component respectively, and correspondingly output the key index logs to a local key index log file;
the log agent monitors the key index log file and pushes log information in the key index log file to a log collection platform; wherein, each business application system corresponds to a log agent;
the log collection platform judges whether the received log information format is legal or not, and filters and washes out log information which does not meet the requirement to obtain washed log information;
and the log collection platform sends the cleaned log information to the message system.
3. The method for detecting abnormality of key indicators of an application system according to claim 1 or 2, wherein the content of the key indicator log includes a time stamp, a service application name, a system name, a subsystem name, a service type, a product code, a channel code, an event code, an interface name, an application IP address, a service response code, and a service response description.
4. The method for detecting anomalies in key indicators of an application system according to claim 1, wherein said key indicators of traffic include a number of traffic requests per second, a traffic success rate per second, and a minimum time consuming TP99 required to satisfy ninety-nine percent of traffic requests.
5. The method for detecting the abnormality of the key indexes of the application system according to claim 1, wherein an abnormality detection model based on an LSTM neural network is constructed, and the abnormality detection model based on the LSTM neural network is subjected to model training by adopting the time sequence data to obtain a trained abnormality detection model; and saving the trained anomaly detection model to an object store, comprising:
a machine learning program that periodically extracts historical time series data from the time series database;
according to the configuration of the service application, extracting the characteristics of the historical time sequence data to obtain service application characteristics; the service application characteristics are standardized and normalized, and the processed service application characteristics are obtained;
constructing an anomaly detection model based on an LSTM neural network, comprising: constructing a multi-layer linear stacking model neural network, defining an input layer for the multi-layer linear stacking model neural network, and setting the input dimension of the input layer according to time steps and feature numbers in different business key data;
based on the processed service application characteristics, performing model training on the anomaly detection model based on the LSTM neural network to obtain a trained anomaly detection model; the trained abnormality detection model is stored in an object storage;
and calling an abnormality checking program interface to inform an abnormality detecting program that the abnormality detecting model is updated.
6. The method for detecting abnormal key indexes of an application system according to claim 5, wherein the service application characteristics include average call volume, maximum call volume, minimum call volume, trend of call volume, and periodicity.
7. The method for detecting the key index abnormality of the application system according to claim 1, wherein real-time data in an information system is monitored and pulled in real time, and abnormality detection is carried out on the real-time data by adopting a trained abnormality detection model to obtain a detection result; sending the detection result to a message system and carrying out abnormal alarm, wherein the method comprises the following steps:
the abnormality detection program acquires a trained abnormality detection model from the object storage, loads the model into the memory and initializes the model object;
monitoring and pulling real-time data subjected to real-time calculation processing in the information canceling system, calling an anomaly detection method of the model object, and performing anomaly detection on the real-time data to obtain a detection result;
if the detection result is abnormal, sending the real-time data and the abnormal information to a message system;
the alarm program monitors and receives the abnormal information, and judges whether the abnormal information is restrained or not after the abnormal information is received;
if not, notifying the desktop program and the mobile terminal program; if it is suppressed, no exception notification is made.
8. The method for detecting the abnormality of the key indexes of the application system according to claim 1, further comprising: the anomaly detection model is updated regularly, specifically:
setting a timing update period for different business key indexes of each business application system according to the time sequence characteristics of the business key indexes and the characteristics of the corresponding business application systems;
when the update period is reached, the anomaly detection model is updated in accordance with the steps described above using the new history data.
9. The method for detecting the abnormality of the key indexes of the application system according to claim 1, further comprising: manually updating model characteristics, specifically:
when the alarm receiver receives the alarm notification, the alarm receiver selects whether the alarm is valid or invalid by clicking a button;
if the alarm is invalid, the machine learning program refreshes the model features to avoid false alarm again.
10. An application system key index abnormality detection system, characterized in that the system uses an application system key index abnormality detection method according to any one of claims 1 to 9; the system comprises:
the collecting and cleaning unit is used for collecting key index logs of different service application systems, forming corresponding key index log files and pushing log information in each key index log file to the collecting platform; the collecting platform sends the cleaned log information to a message system;
the real-time calculation and aggregation unit is used for carrying out real-time calculation and aggregation on the cleaned log information based on the requirements of the service key indexes to obtain the aggregated service key indexes; pushing the aggregated business key indexes to the message system again;
the time sequence data forming unit is used for monitoring the message system by the time sequence database, receiving and storing the aggregated business key indexes and forming time sequence data;
the model construction and training unit is used for constructing an anomaly detection model based on the LSTM neural network, and carrying out model training on the anomaly detection model based on the LSTM neural network by adopting the time sequence data to obtain a trained anomaly detection model; the trained abnormality detection model is stored in an object storage;
the abnormality detection and alarm unit is used for monitoring and pulling real-time data in the information canceling system in real time by an abnormality detection program, and carrying out abnormality detection on the real-time data by adopting a trained abnormality detection model to obtain a detection result; and sending the detection result to a message system and carrying out abnormal alarm.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311832172.0A CN117785615A (en) | 2023-12-27 | 2023-12-27 | Method and system for detecting abnormality of key indexes of application system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311832172.0A CN117785615A (en) | 2023-12-27 | 2023-12-27 | Method and system for detecting abnormality of key indexes of application system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117785615A true CN117785615A (en) | 2024-03-29 |
Family
ID=90385233
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311832172.0A Pending CN117785615A (en) | 2023-12-27 | 2023-12-27 | Method and system for detecting abnormality of key indexes of application system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117785615A (en) |
-
2023
- 2023-12-27 CN CN202311832172.0A patent/CN117785615A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2020147480A1 (en) | Stream processing-based monitoring index abnormality detection method, device and equipment | |
| CN111339175B (en) | Data processing method, device, electronic equipment and readable storage medium | |
| CN107391335B (en) | Method and equipment for checking health state of cluster | |
| WO2011017955A1 (en) | Method for analyzing alarm data and system thereof | |
| CN110569166A (en) | Abnormality detection method, abnormality detection device, electronic apparatus, and medium | |
| WO2023071761A1 (en) | Anomaly positioning method and device | |
| CN108306997B (en) | Domain name resolution monitoring method and device | |
| CN114780810A (en) | Data processing method, data processing device, storage medium and electronic equipment | |
| CN112256548B (en) | Abnormal data monitoring method and device, server and storage medium | |
| CN112712606B (en) | Automatic inspection management method and system based on operation and maintenance service | |
| CN117785615A (en) | Method and system for detecting abnormality of key indexes of application system | |
| CN110659270A (en) | Data processing and transmitting method and device | |
| CN103067901B (en) | A kind of charging method for early warning and system | |
| CN110633165B (en) | Fault processing method, device, system server and computer readable storage medium | |
| CN113254313A (en) | Monitoring index abnormality detection method and device, electronic equipment and storage medium | |
| CN113656452A (en) | Method and device for detecting abnormal index of call chain, electronic equipment and storage medium | |
| JP2005284357A (en) | Log analyzing program and log analyzing device | |
| CN110457194A (en) | Electronic equipment stability method for early warning, system, device, equipment and storage medium | |
| CN117130851B (en) | High-performance computing cluster operation efficiency evaluation method and system | |
| JP2013164668A (en) | Fault monitoring system, incident tabulation method, and program | |
| CN116136684B (en) | Vehicle fault diagnosis method, device, electronic equipment and storage medium | |
| CN114138620B (en) | Cloud platform log explosion detection method, device, equipment and storage medium | |
| CN113590427B (en) | Alarm method, device, storage medium and equipment for monitoring index abnormality | |
| CN117472658A (en) | Method, system and storage medium for detecting server idle degree based on Flink | |
| CN114721906A (en) | Abnormal data monitoring method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination |