EP1627494A1

EP1627494A1 - Method for the machine learning of frequent chronicles in an alarm log for the monitoring of dynamic systems

Info

Publication number: EP1627494A1
Application number: EP04785574A
Authority: EP
Inventors: Christophe Dousson; Fabrice Clerot; Françoise FESSANT
Original assignee: France Telecom SA
Current assignee: Orange SA
Priority date: 2003-05-27
Filing date: 2004-05-25
Publication date: 2006-02-22
Also published as: WO2004107652A1; FR2855634A1; US20060208870A1; US7388482B2; FR2855634B1

Abstract

The invention relates to a method for the machine learning of frequent chronicles in a log of alarms from a dynamic system, for the monitoring of said system, and a learning system which is used to carry out the method in a monitoring system. According to the invention, sequences of alarms (51) are selected S1, S2,..., Sp from an alarm log J (50) and reorganised (52) into groups of similar sequences G1, G2,..., Gr. The alarms from the groups are then used to produce (53) partial logs J1, J2, , Jr. Subsequently, chronicle learning is performed (54) on each transmitted partial log Ji, and the partial set Ei of the frequent chronicles from Ji is determined (55). Finally, a set E of chronicles from log J is formed (56) with chronicles from different partial sets Ei.

Description

METHOD FOR AUTOMATIC LEARNING OF CHRONICLES

FREQUENT IN AN ALARM JOURNAL FOR THE

SUPERVISION OF DYNAMIC SYSTEMS

DESCRIPTION

TECHNICAL AREA

The present invention relates to a method and a system for automatic learning of frequent chronicles of an alarm log of a dynamic system for the supervision of the latter.

The dynamic systems concerned by the invention are, for example, telecommunication networks, computer networks or any other industrial installations whose equipment is supervised such as nuclear power plants, assembly lines, automated factories, etc.

The supervision of a dynamic system consists in monitoring its good functioning, in collecting information on its state or that of the components of the system, in detecting and identifying the malfunctions which can occur. This supervision is most often carried out by a computer system which centralizes information sent over time by components of the dynamic system. The information received by the supervision system can be very diverse: for example information on the progress of procedures, alert messages; they are often linked to measurements by physical sensors. The supervision system receives information in the form of alarms, each alarm being formed by an event of a given type, for example such electrical equipment of the dynamic system is switched off (in the form of a coded message), associated with its date of occurrence (often as an integer number of time units). In the case of a telecommunications network, examples of types of alarm are “loss of signal” or “loss of transmission frame”, which can also be grouped under the more general type of “transmission failure”. .

The alarms received by the supervision system are stored in an alarm log which corresponds to a list of received alarms ordered in time according to the occurrence dates between a start date and an end date of the log.

A supervision system can receive a considerable number of alarms, with large variations over time: for example, it can go from several hundred messages per second to a few tens or less. Some of the alarms received are not independent but result from “cascades” of alarms due to the interdependence of certain components of the supervised dynamic system. Analyzing the alarm log, in particular to search for the real causes of malfunctions in order to propose an appropriate reaction (preventive or corrective), is a difficult task because it is necessary to isolate from the mass of log information the relevant groups of alarms. Possible representation for these groups alarms uses sets of events linked by time constraints (in the form of graphs): these are the chronicles. Knowledge about the evolution of a dynamic system can be represented by such chronicles because we can consider that each chronicle constitutes a possible scenario for the evolution of the system. This knowledge acquired via chronicles therefore makes it possible to anticipate the behavior of the dynamic system and thus allows better control of it.

In the case of a telecommunications network for example, the alarms are generated automatically by the various equipment of the network (switches, multiplexers, cross-connects, ...) and are transmitted to a central supervisor. The flow of alarms then contains alarms due to network automatisms, which can be described as normal, and alarms linked to malfunctions; if a column corresponds to a malfunction then its alarms will be analyzed to find the cause of this malfunction and remedy it. Most supervision and control systems have an architecture in three modules, 14, 16 and 15, as illustrated in FIG. 1: a supervision system 17 is connected to a dynamic system 10, interacting with the exterior 11, components of which are fitted with sensors 12 and which can be controlled by actuators 13; the sensors 12 send signals to a detection module 14 which generates alarms from these signals and transmits them to a diagnostic module 16 which interprets the alarms, identifies the characteristic situations of the evolution of 10, which locates the components of 10 involved in these situations, which determines the causes of possible malfunctions and which transmits this information to a decision module 15 which then determines the actions to be performed (for aim at a given objective or to bring the supervised system back to a normal situation) on the components of 10 and transmit commands accordingly to the actuators 13 of the dynamic system.

The chronicles are learned at the level of the diagnostic module and makes it possible to identify the relevant information which is dispersed in the alarm log. The identification of the characteristic situations encountered during the evolution of the dynamic system, in particular those related to anomalies, and the detection of the causes of these situations for diagnostic purposes are based on the chronicles discovered during learning. Chronicles can also be used to anticipate certain behaviors of the dynamic system.

The discovery of the chronicles of an alarm log is therefore an essential step for the supervision of a dynamic system. If an alarm is represented as a pair (A, t _A ), where A designates a type of event and t _At its date of occurrence, then the time constraint "from A to B" between two alarms (A, t _A ) and (B, t _B ) (or the constraint "from t _A to t _B "), represented by a time interval [t ^" , t ⁺ ] placed between events A and B, signifies that we have the following relation on the dates of occurrence: t ^" <(t _B - t _A ) <t ⁺ , the absence of constraint between two times being represented by the constraint [-∞, + ∞].

A chronicle (or scenario or even temporal pattern) of the alarm log is made up of the data of k elements, k being the size of the chronicle, i.e. k types of events of the log (or associated alarms) and time constraints between the k corresponding occurrence dates. We can say that a chronicle is a set of types of events whose dates of occurrence are constrained, and these constraints can be represented in the form of a temporal graph.

A time constraint graph is an oriented graph whose vertices are the dates and whose arcs are labeled by the constraints between these dates; for example, for two dates ti and t ₂ , the arc from ti to t ₂ is labeled by the constraint "from ti to t ₂ ".

There can be many examples of the creation of a chronicle C given in the alarm log, it is said that there are several instances of chronicle C; an instance of a chronicle therefore corresponds to a list of chronicle alarms (or of the events associated with these alarms), ordered in time, extracted from the log.

An example of a chronicle is illustrated in Figure 2, this chronicle involves events of types a (in 1 or 4), b (in 2) and c (in 3) with indications of time intervals relating to time constraints (for example 5): an event of type a (in 1) occurs at an initial time, it precedes an event of type c (in 3) which occurs between 2 and 5 time units later, then a type b event occurs between 3 and 10 time units later as well as another type a event which occurs between 2 and 10 time units later (after the initial event ), subsequent events of types b and a occurring respectively between 1 and 6 time units and between 0 and 8 units of time after the type c event (in 3).

Let us then consider, by way of example and with regard to the chronicle of Figure 2, a 'following list of events el to e8 in which, for example, the event el corresponding to the occurrence of a type alarm a at a date t = 4 time units is noted el (a, t = 4): el (a, t = 4), e2 (d, t = 5), e3 (a, t = 6), e4 ( c, t = 8), e5 (b, t = 10), e6 (e, t = ll), e7 (a, t = 12), e8 (b, t = 14), list which shows eight alarms ( linked to the eight events el to e8) of five different types denoted a, b, c, d, and e. We can, in this example, recognize four instances of the chronicle of Figure 2, namely {el, e4, e5, e7}, {e3, e4, e5, e7}, {e3, e4, e7, e8} and {el, e4, e7, e8} which bring into play the three types of alarms a, b and c and verify well the relationships between dates of occurrence of the chronicle.

The frequency of a chronicle is called the number of instances of this chronicle in the alarm log. It is therefore a number of occurrences of the chronicle in reality rather than a real frequency; however, a real frequency (or average appearance rate) is trivially obtained by dividing this number of occurrences by the duration of the alarm log, i.e. the difference between its end and start dates, because the log analysis is done on a given end date. The size of the alarm log (or its length) is the number of alarms it contains. The size of a chronicle is the number of events from which it is formed, that is to say the size of its instances.

A chronicle is said to be frequent in a journal, when its frequency in the journal exceeds a given threshold frequency f _m i _n .

The process of learning frequent chronicles in an alarm log corresponds to exploring and analyzing the log in order to discover chronicles whose frequency of instances in the log exceeds a given threshold frequency. It is indeed a matter of exploring sequences of alarms both in terms of events and in terms of time constraints between their dates of occurrence to find the chronicles, but also to recognize identified chronicles, through their instances, within the newspaper (the number of times a column is recognized in the newspaper being equal to its frequency).

STATE OF THE PRIOR ART

There are several algorithms [1,2,3,4] capable of constructing and discovering all the frequent chronicles present in a journal alarms, many variants of these algorithms have been developed, in particular the FACE system [4, 6] (acronym for "Frequency Analyzer for Chronicle Extraction"). The automatic learning of chronicles on a computer is however very costly in computing time and in memory occupation, moreover, reducing the threshold frequency too much (to find rarer chronicles) can lead to a phenomenon of combinatorial explosion which saturates the computer. This significant cost reflects the complexity of the process, which is mainly linked to two factors: (i) the number of alarms present in the log (the size of the log to be processed) and, (ii) the threshold frequency f _mln , set by the user, which sets the minimum frequency of the chronicles to look for in the journal.

It will be noted that with regard to the management of time constraints, a graph of time constraints may have several equivalent representations (there are therefore as many equivalent representations of a corresponding chronicle) but that there is only one minimal representation (at sense of a partial relationship); the calculation of this last representation, as well as the verification of its global consistency, is generally carried out by a well-known algorithm of Floyd-Warshall type of complexity in 0 (n ³ ) where n is the number of instants (or dates ) of the graph [5] and is therefore linked to the number of alarms. In practice, a person skilled in the art fixes both the maximum size L _max of the time constraints, that is to say the maximum duration between the dates of occurrence of the alarms of a chronicle (or duration of the chronicle). , and the threshold frequency f _m i _n for carrying out, in a reasonable time, learning of chronicles on a given alarm log J. This "reasonable time" will obviously not be the same if the supervision and control of the dynamic system are done in real time or if the analysis of the log is done offline, for the purpose of acquiring expertise for example.

The learning result is then the set E of chronicles from the journal E = {C], ..., C _M } of frequencies greater than or equal to f _m i _n and of durations less than or equal to L _max as indicated in Figure 3.

Figure 3 on which are indicated the learning stages typical of the prior art: an alarm log 30 is transmitted to a module for learning frequent chronicles 31, at threshold frequency f _m j. _n and at maximum size of the time constraints L _max 30, which then produces the frequent chronicles of J: Cl, ..., CM in 32.

It often happens that a person skilled in the art cannot reduce the threshold frequency f _m i _n (the second complexity factor (ii) mentioned above) below a relatively high level because of the time constraints of the process d learning, in this case the important risk is to miss chronicles rare ', of frequencies lower than f _m i _n , but which can be very important for the good supervision of a dynamic system. Such cases particularly concern epiphenomena. An epiphenomenon being the appearance of a pattern in an alarm log at a high rate but over short time intervals compared to the duration of the log, on average the rate of appearance of the pattern is however very low and therefore also its frequency, in particular if it is compared to f _min , such a case is illustrated in FIG. 4. The prior art does not make it possible to learn the chronicles associated with epiphenomena by decreasing, for example by a factor of ten, the threshold frequency without considerably increasing the calculation times. In an attempt to resolve this problem of detecting chronicles of low frequencies, those skilled in the art, playing on the first factor (i) of complexity, reduce the size of the alarm log based on the fact that, statistically, the division by a given factor of the size of the log leads to the division of the threshold frequency by a factor of the same order of magnitude (for a similar processing time). However, this technique is very difficult to implement and can have serious drawbacks: if blocks of alarms are deleted from the log without care, the risk of deleting chronicles, including high frequencies, is very great, which degrades supervision and is hardly acceptable; as for epiphenomena, their frequencies will drop statistically even faster than the size of the newspaper, which will not allow more to discover them; if selected alarms are removed from the log it is generally on the basis of a prior analysis of this log (most often by experts), for example by eliminating the alarms from certain chronicles, in this case the total time of processing increases significantly and, in particular, may prohibit real-time supervision.

These difficulties encountered by a person skilled in the art illustrate the considerable practical importance of the time factor for learning and it is clear that there is a need to be able to reduce the time for learning chronicles, even when one is not looking for epiphenomena, for the supervision of dynamic systems or for the acquisition of knowledge (expertise) on these systems.

STATEMENT OF THE INVENTION

The invention thus aims to improve the processing speed of an application for learning chronicles of an alarm log so as, in particular, to allow a reduction in the threshold frequency, for the search for chronicles corresponding to epiphenomena, while maintaining acceptable treatment times.

The invention implements data analysis techniques such as those relating to data classification (or “clustering” in English), that is to say data grouping methods. There are very many algorithms that calculate such aggregates or groups or data clusters (“clusters” in English).

The invention relates to a machine learning method comprising a preprocessing of the alarm log, not having the drawbacks of the prior art, which makes it possible to manufacture partial alarm logs (of reduced sizes), from the log original alarms, on each of which learning is then carried out. This * automatic 'division into partial logs must be intelligent', in fact a systematic or random division of the alarm log into alarm blocks does not improve anything from the point of view of frequencies if the distribution of patterns is random: this kind cutting does not allow learning at low frequency ^' because the frequency of an epiphenomenon will drop faster than the size of the newspaper.

The automatic cutting preprocessing according to the invention makes it possible to ensure that the partial logs will be rich in alarm sequences which are similar, or are similar, from the point of view of the alarms produced.

In particular, with regard to epiphenomena, this pretreatment tends to select the zones of the alarm log corresponding to the peaks of rate of appearance (see in Figure 4, the peaks 41,42,43) while reducing the size of the log to be analyzed, which makes it possible to increase the effective frequency of an epiphenomenon in the new log and makes it detectable as soon as this last frequency reaches or exceeds the threshold frequency, whereas with a learning done directly on the original journal 1 the epiphenomenon would have been too low a frequency: by reducing the size, by proceeding according to the invention, the frequency of the rare chronicle is passed, corresponding to the type of similarity of the partial journal, above the threshold.

The essential phenomenon which is the basis of the invention is that if two parts, or sequences of alarms, of the original alarm log contain instances of the same chronicles then these parts must be relatively similar in the sense that they must contain several elements in common and in a more or less similar order: if each of these parts is described by a set of parameters (constituting a representation of the part), associated with various aspects of its alarm content, then the similarity of parts is expressed by the similarity (or proximity) of the sets of parameters, representative of these parts, in the space of parameters. On the other hand, if these parts do not have chronicles in common, then the division into parts according to the invention will bring nothing more compared to a direct learning: however, in this case, the advantage of the invention is that it doesn't allow you to learn by mistake.

More specifically, in a so-called general mode, the invention is a method for automatic learning of frequent chronicles of an alarm log of a dynamic system, for the supervision of this system, the alarms being associated with a plurality of events of the system of a plurality of types, characterized in that it comprises the following steps: a) automatic selection and grouping of alarm sequences from the alarm log so as to form groups of sequences of 'similar alarms; and b) automatically generating a partial alarm log for each group of similar alarm sequences obtained in step a), from the alarms belonging to the sequences of this group; and c) automatic learning of frequent chronicles of each partial alarm log obtained in step b) so as to generate a partial set of frequent chronicles for each partial alarm log obtained in step b), and manufacturing a set of frequent chronicles from the alarm log from the frequent chronicles of each of the partial sets of frequent chronicles obtained.

It is possible, for example, to form the set of frequent chronicles from the alarm log by the set union of chronicles from the partial sets of frequent chronicles, which has the advantage of not eliminating any of the chronicles obtained during each learning partial newspaper.

Other choices are of course possible, the person skilled in the art can, for example, decide to eliminate chronicles whose frequency is less than a given frequency (in particular when the threshold frequency is not the same for learning the various partial logs), or to eliminate chronicles containing certain types of alarms, etc.

This general mode is represented in FIG. 5: in an alarm log J 50, alarm sequences 51 are selected Si, S ₂ , ..., S _p and then grouped 52 into groups of similar sequences Gi, G ₂ , .., G _r , thus performing step a) of the general mode. The group alarms are then used to manufacture 53 the partial logs Ji, J ₂ , ..., J _r according to step b) of the general mode. Then, in accordance with step c) of the general mode, learning of frequent chronicles 54 is carried out on each partial journal Ji transmitted and the partial set Ε _± of frequent chronicles of Ji is determined 55; finally a set E of journal chronicles J is constituted 56 from the chronicles of the various partial sets Ei.

The comparison with Figure 3 clearly highlights the differences in learning chronicles according to the prior art and according to the invention: direct learning of the journal J, in 30 and 31, to obtain the totality of frequent chronicles in 32 , is replaced by a sequencing of J, in 51, followed by a grouping of similar sequences, in 52, making it possible to manufacture partial journals 53 on which as many partial learnings are carried out,, in 54 and 55, to then determine the frequent chronicles of the original J journal from the chronicles of the partial journals 56. The automatic grouping of similar sequences is a essential point of the invention because it is it which makes it possible to obtain partial newspapers potentially rich in frequent chronicles.

The invention also relates to a device for implementing the new method described above, that is to say a system for automatic learning of frequent chronicles from an alarm log of a dynamic system, for the supervision of this system, comprising means for acquiring alarms of the dynamic system and for generating an alarm log from the acquired alarms, each alarm being associated with an event of the dynamic system among a plurality of events d '' a plurality of types and on a date of occurrence, means of transmission of the alarm log as well as means of learning chronicles capable of implementing a method of automatic learning of chronicles of a log of alarms, of frequencies greater than or equal to a threshold of adjustable minimum frequency fo and of adjustable maximum duration T, and capable of transmitting the chronicles obtained, characterized in that it further comprises:

- a module for selecting and grouping alarm sequences capable of receiving an alarm log and capable of selecting and grouping alarm sequences from the alarm log, and capable of forming a group of alarm sequences similar and to transmit this group; - a module for manufacturing a partial alarm log from the alarms of a group of similar alarm sequences received from the module for selecting and grouping alarm sequences from the alarm log, the module being capable of transmitting the partial alarm log obtained to the chronicle learning means; a module for manufacturing a set of frequent chronicles from the alarm log, from chronicles transmitted by the chronicle learning means, the module being able to transmit the chronicles from the set of frequent chronicles.

This learning system according to the invention is illustrated in FIG. 6: the learning system 66 is here represented in connection with the diagnostic module 16 of a supervision system 17 of a dynamic system 10. Alarms 60 are transmitted to means 61 for acquiring alarms and for generating an alarm log J. The log J is transmitted to a module M2 for selecting and grouping tear sequences 62. The module selects sequences Si, S ₂ ,. ”, S _p (in variable number p) and forms groups of similar sequences Gi, G ₂ , .., G _r (in variable number r); it transmits each group G _k , for k varying from 1 to r, to a module M3 for manufacturing a partial alarm log 63. Each partial log J _k , for 1 ≤ k ≤ r, is generated from the alarms sequences of the corresponding group G _k . The module M3 transmits each partial journal J to the means M4 for learning frequent chronicles 64, of minimum frequency fo and of duration adjustable maximum T, which then produce a partial set Ek of frequent chronicles of J containing a number M (k), variable according to the index k, of chronicles designated by Ci ( _k> , ..., C _M <k). Finally, a module M5 for manufacturing a set of chronicles 65 generates a set E of chronicles of J from the chronicles of all the partial sets E transmitted by the module M4. The module M5 then transmits the chronicles Ci, ..., C _M of E for their exploitation by the supervision system. Those skilled in the art will note that, in the learning systems of the supervision systems of the prior art, the modules M2, M3 are absent and that the module M1 directly transmits the log J to the learning means M4 which directly manufacture the set E (the module M5 is therefore also absent).

BRIEF DESCRIPTION OF THE DRAWINGS

The characteristics and advantages of the invention set out above, as well as others which will emerge from the following description of particular embodiments, given by way of examples, appear more with reference to the appended drawings, in which: - Figure 1 is a logic diagram of a supervision system of a dynamic system as indicated above.

- Figure 2 shows an example of a chronicle involving events of three types a, b and c. Figure 3 is a block diagram showing the learning of frequent chronicles of the prior art. FIG. 4 represents a curve of the rate of appearance σ (on the ordinate) of a pattern, as a function of time t (on the abscissa), typical of an epiphenomenon. Characteristic peaks 41, 42 and 43 are indicated. Figure 5 is a block diagram showing the learning of frequent chronicles according to the invention in its general mode.

- Figure 6 is a block diagram showing a learning system according to the invention, in a supervision system of a dynamic system.

DETAILED PRESENTATION OF PARTICULAR EMBODIMENTS

The automatic selection of alarm sequences in the alarm log, in step a) of the general mode of the invention, is an important step in the process which can be carried out in many ways: for example, it is it is possible to take as many sequences as there are alarms in the log, each sequence therefore containing an alarm, but in this case the number of sequences to be grouped is then considerable. Advantageously, in a so-called split mode, in step a) of the chronicle learning method according to the invention, the automatic selection of alarm sequences is carried out by means of an automatic split of the alarm log into parts, each part being composed of alarms from the alarm log whose occurrence dates are ordered in time and are between a start date and an end date associated with this part of the log, each part of the alarm log defining a selected alarm sequence of which the alarms are those which belong to this part. This mode can therefore be implemented to carry out the selection of sequences from step a) of the general mode.

The division of the alarm log into parts, or by time slices, can be carried out according to many different methods: by way of nonlimiting examples, the parts can be of different sizes (in number of alarms contained) or else identical, they can have the same duration or variable durations, they can be separate or have alarms in common, they can constitute as a whole a partition of the alarm log or, on the contrary, do not take into account some alarms, etc. Advantageously, the set union of the parts of the alarm log will reconstitute the log so as not to lose alarms which may belong to chronicle instances at this stage of the learning process: any alarm of the log will then belong to at least one parts of the newspaper.

According to a particular mode of the invention, known as a complete breakdown mode, the previous breakdown of the alarm log into parts is such that any alarm in the alarm log belongs to at least one of the parts of the alarm log. This mode has the advantage of not eliminating any alarm from the log alarms during cutting. This mode, implemented with the cutting mode, can be used to carry out the selection of sequences in step a) of the general mode.

The grouping, in step a), of the selected sequences which have similarities can be carried out using a similarity measurement on a space in which each sequence of alarms is described by a set of parameters which can be seen as defining coordinates of a point in this space called sequence representation space. Each parameter of a sequence, or coordinate of the point representative of the sequence in the representation space, is associated with the description of the alarm content of the sequence in terms of a given type of alarm. Thus, if there are A distinct types of alarms to describe the content of the alarm sequences, the space for representing the sequences is A dimensional. The value of a sequence coordinate corresponds to the weight of the sequence in alarms of the type associated with this coordinate.

The importance of choosing a representation of the data, prior to the operations of grouping this data, is well known to specialists in data classification. There are a very large number of possible representations for data, depending on the characteristics attached to them: this variety of representations is reflected in particular by different dimensions of the representation space. One of the particular modes of the invention uses a so-called weighted representation in which each sequence of alarms selected in step a) of the method is represented, in the representation space of dimension A, by a point having At coordinates, the coordinate of rank j, where j denotes any integer index between 1 and A, is equal to the number of times the type of alarm associated with the index j appears in the sequence of alarms.

Those skilled in the art know that the similarity measure, mentioned above, used to calculate the grouping of sequences from the proximity measures of the sequences in the representation space, in particular in the grouping algorithms of the classification methods. , is to be taken in the mathematical sense, that is to say that this measure is not necessarily a distance (it may not respect triangular inequality and we then speak of semi-metric, for example the cosine measure which measures the cosine of the angle between two vectors whose components are the coordinates, respectively, of the representative points of two sequences considered). However, most often, this measure of similarity is a distance and therefore makes it possible to provide the representation space with a metric. By way of nonlimiting examples of metrics, let us quote Minkowski's metric (or distance)

(which contains as special cases the Euclidean distance and the distance ^λ City-block 'also called distance from Manhattan), distance from Mahalanobis, distance from Chebychev, etc.

The points, representing the alarm sequences, closest to each other in the sequence representation space form clusters and each cluster corresponds to a group of so-called similar sequences. The criterion of proximity of two points of the representation space being that if the measure of similarity of these points is less than or equal to a given threshold value then the two points belong to the same cluster, and if the measure of similarity of these points is greater than the threshold value so the two points belong to separate clusters.

To date, there are very many data grouping algorithms, some even ensuring the invariance (by linear transformations) of the clusters thanks to a prior normalization of the data.

In an advantageous embodiment of the invention, known as sequence grouping mode, in step a) of the method, the automatic grouping of alarm sequences, to form groups of similar alarm sequences, is carried out at using a grouping method. This mode can therefore be implemented to carry out the grouping in step a) of the general mode, and it can also be used jointly either with the mode with cutting or with the mode with complete cutting for carrying out step a ) of the general mode. The choice of the representation of alarm sequences conditions both the relevance of the grouping of sequences and the complexity of the calculations of similarity measures to be performed (due to the number of dimensions of the associated representation space). The content of an alarm sequence in the alarm log can be described in a more or less exhaustive way: for example if the log contains N distinct types of alarms, it is possible to describe the alarm content of the sequence on the basis of these N types of alarms, but one can also choose to describe this content on the basis of a lower number of types of alarms and in this case certain alarms (although still appearing in the sequence), corresponding to types absent from the representation, will not be described; in the latter case, however, the size of the representation space is reduced, which is advantageous from the point of view of the complexity of the grouping calculations.

Thus, in a particular mode of the learning method according to the invention, called mode with selection of types, in step a), the formation of groups of sequences of similar alarms is carried out by means of the following steps consisting in: represent each of the alarm log alarm sequences by its content, based on a set of alarm types with A elements taken from the distinct alarm types of the alarm log, in greater or equal number to A, in a space for representing the alarm sequences of dimension A; and - automatically group alarm sequences from the alarm log in the representation of alarm sequences, so as to form groups of similar alarm sequences. This mode is dependent on the general mode or the mode with cutting or the mode with complete cutting or the mode with grouping of sequences.

In particular, this mode with selection of types can advantageously use the weighted representation of the alarm sequences described above. This mode with selection of types can therefore be implemented to carry out the formation of groups in step a) of the general mode, and it can also be used jointly either with the mode with cutting or with the mode with complete cutting or even with the mode with grouping of sequences, possibly combined with one of the two preceding modes, for carrying out step a) of the general mode.

The simple elimination of some of the types of alarms present in the alarm log has the disadvantage that certain alarms (of the types eliminated) are not described. To describe all the alarms while reducing the number of dimensions of the representation space of the alarm sequences, it is for example possible to first group together types of alarms from the alarm log which are similar, in particular using a grouping method, to make groups of types of alarms (the number S of groups being less than or equal to the initial number N of types of alarms), then to describe the content of the sequences of alarms based on these S groups of alarm types. So the number of dimensions of the representation space is reduced to S, which is advantageous for grouping calculations, and, moreover, any alarm of any sequence can always be described since its type appears in at least one of the S groups of types.

A simple example of reducing the number of types has been given above for a telecommunications network: the two types of alarms “loss of signal” and “loss of transmission frame” can be described by a type of higher level (resulting , most often, of a functional link between the types considered) which is "transmission failure". As in the general case of data processing (here the data are types of alarms in the alarm log), a description space is associated with the description of the types.

Those skilled in the art will note that everything presented on the alarm sequences and the breakdown of an alarm log as well as the various treatments of these entities can be transposed, by analogy, to the types of alarms as soon as we have a representation of these types or sequences of types.

It is also possible to eliminate some of the previous S groups to retain only a reduced number S ', the representation space then being of dimension S'. These methods of reducing the representation space by grouping of types are then combined with a subsequent grouping of the alarm sequences to form groups of sequences. similar alarms making it possible to generate the partial logs of step b) of the learning method according to the invention.

Thus in a particular embodiment of the learning method according to the invention, known as type with grouping of types, in step a), the formation of groups of similar alarm sequences is carried out by means of the following steps consisting in: - automatically grouping types of alarms from the alarm log so as to form groups of similar types of alarms, the result of the grouping being a number S of groups of types of alarms; and - represent each sequence of alarms in the alarm log by its content, based on groups of types of alarms, in number S 'less than or equal to S, obtained in the previous step, in a space of representation of alarm sequences of dimension S '; and

- automatically group alarm sequences from the alarm log in the representation of alarm sequences so as to form groups of similar alarm sequences. The mode with grouping of types can therefore be implemented to carry out the formation of groups in step a) of the general mode, and it can also be used in conjunction either with the mode with cutting or with the mode with complete cutting or even with the mode with grouping of sequences, possibly combined with one of the two modes above, for carrying out step a) of the general mode.

In particular, the automatic grouping of the alarm sequences of the mode with grouping of types can consist in automatically forming groups of similar sequences from the alarm log, each group of similar sequences being associated with a group of alarm types and resulting the selection of alarm sequences from the alarm log, the alarm content of the same types as those of the type group considered exceeds a given threshold for this group. This grouping method has the advantage of being very simple to implement.

In a particular embodiment of the learning method according to the invention, said mode with grouping of types with thresholds, in step a), the formation of groups of similar alarm sequences is carried out by means of the following steps consisting to: - automatically group types of alarms from the alarm log so as to form groups of similar types of alarms, the result of the grouping being a number S of groups of types of alarms; and - represent each sequence of alarms in the alarm log by its content, based on groups of types of alarms, in number S 'less than or equal to S, obtained in the previous step, in a space of representation of alarm sequences of dimension S '; and automatically form groups of similar sequences from the alarm log, each group of similar sequences being associated with a group of types of alarms and resulting from the selection of alarm sequences from the alarm log including the same alarm content types than those of the type group considered exceeds a given threshold for this group.

The grouping mode of types with thresholds can therefore be implemented to carry out the formation of groups in step a) of the general mode, and it can also be used jointly either with the cutting mode or with the complete cutting mode. for carrying out step a) of the general mode.

It is also possible, in a particular mode called mode with grouping of types, to carry out the grouping of types of alarms, in the mode with grouping of types or in the mode with grouping of types with thresholds, by implementing a method grouping of alarm log types of alarms to form groups of similar alarm types. For this, it is sufficient for a person skilled in the art to choose a space for representing these types of alarms, of which he can moreover reduce the number of dimensions by various methods described above but applied to the types, and a measure of similarity to then be able to use one of the many existing grouping algorithms (let us quote, by way of nonlimiting examples, the algorithms of: Grouping Ascending hierarchy, “K-Means” or K-means, “Fuzzy K-Means” or fuzzy K-means, Gaussian mixture, GTM “Generative Topography Mapping”, GSOM “Generative Self Organizing Map” [7], Kohonen Map [9], Self-organizing maps of Kohonen [8,9], etc.).

In particular modes of the learning method according to the invention, this automatic grouping of the types of alarms by means of a grouping method mentioned above (in the mode with grouping of types) is advantageously carried out either by a grouping method based on a semantic map of the types of alarms (that is to say, each alarm is treated as a series of symbols, or text, and grouping is carried out) or by a grouping method based on the accumulation profile over time (normalized or not), in the alarm log, of each type of alarm.

In all of the embodiments of the invention, it is of course possible to perform, in step c) of the method, learning chronicles on the partial alarm logs obtained at the end of the step b) the process by a series of operations executed in series on a computer.

However, in an advantageous embodiment of the invention making it possible to further reduce the processing time and compatible with the various modes described, these learning operations of step c) are executed in parallel on a computer. It is, in fact, these learning operations of chronicles which take the most time among all the operations linked to the other steps of the method according to the invention; however, it is clear that these latter operations can also be carried out in parallel to save time.

The preferred embodiment of the invention, developed and used for the supervision of a telecommunications system, implements on a computer, for step a) of the general mode, a breakdown of the alarm log according to the mode with division in which the parts or ^ time slots' cut all have the same duration σ = 2 * T, where T indicates the maximum duration of the chronicles to be learned which is fixed for the execution of stage c) of the process, the division being such that any two consecutive parts have a temporal overlap of value T. This particular division is such that if, statistically, any instance of a chronicle (of maximum length T) is present in J then it is present in at least part of J.

The alarm log J on which the method according to the invention is applied is divided into p parts covering all of the alarms in the log, which can be assumed to be consecutive without limiting the generality; note σ _± , for 1 ≤ i ≤ p, the i-th part of the log, then the start and end dates associated with this part, respectively Di and Fi, verify: Di = D + T * (i-1)

Fi = Di + σ, where D denotes the start date of the alarm log J, and for the (i + l) th next part, start and end dates, respectively, Di ₊ i and Fι ₊ ι verify:

D _{i +} ι = D + T * i ≈ Di + TF _{i +} ι = D _{i +} ι + σ = Fi + T.

This division is therefore also in accordance with the mode with complete division as can be easily verified.

We then proceed to classify the set of σi, i varying from 1 to p, into r groups G _k , 1 ≤ k ≤ r, using a grouping method based on Kohonen maps; each group G (with: 1 ≤ k ≤ r) of similar parts (or alarm sequences) comprising a variable number of parts (or alarm sequences). This last classification step is therefore a mode with grouping of sequences. In an advantageous variant of the preferred embodiment, the weighted representation is used to describe parts of BC J ^'ec a performance space with as many dimensions as the newspaper J includes distinct types of alarms.

In step b), a partial alarm log Jk is produced for each corresponding group Gk from the set union of the parts, or corresponding alarm sequences, of the group. Thus, no alarm sequence of any group is omitted. Finally in step c), automatic learning of frequent chronicles is carried out by means of the FACE learning software on each of the partial alarm logs J _k , 1 ≤ k ≤ r, obtained previously. For each partial journal Jk we therefore obtain a partial set E _k made up of the frequent M (k) chronicles distinct from J: E = {Cι <), ..., C _M (k)} (where C _{m (} k), l≤m (k) ≤M (k), denotes a chronicle of J _k ). The final result being the set E of the frequent chronicles of J, E being formed by the set set of all the partial sets E _k , for k = X, ..., r

The FACE software [4,6] is a learning tool particularly well adapted to alarms and chronicles produced by telecommunication systems; in variants of the preferred mode, however, other learning software is implemented in step c).

The chronicles obtained will then be used for the diagnostic module of a supervision system for the identification of the characteristic situations of the behavior of the supervised dynamic system.

In general, in the method of learning frequent chronicles from an alarm log according to the preferred mode: a maximum duration T of the chronicles to be learned in step c) is fixed; and,

- in step a), the difference between the end date and the start date of any part of the alarm log is equal to 2 * T; and, the parts are cut out from the alarm log so that, for any given part of the start date D ', the part whose subsequent start date D''is closest to D', if it exists , is such that its start date D '' is equal to the date D 'increased by T; and, the automatic regrouping of all the alarm sequences of the alarm log obtained is carried out by means of an algorithm based on self-organizing maps of Kohonen; and in step b), for each group of similar alarm sequences obtained in step a), a partial alarm log is produced from the set union of alarm sequences of the group of sequence d 'similar alarms; and

- in step c), automatic chronicle learning is carried out using the FACE learning system. The preferred mode is a mode dependent on the mode with complete cutting and on the mode with grouping of sequences.

REFERENCES

[1]: H. Mannila, H. Toivonen, AIVerkamo: ^Λ Discovering frequent épisodes in sequences', in Proc.l ^st International Conférence on Knowledge Discovery and Data Mining, pages 210-215, Montreal, Quebec,

Canada (1995).

[2]: H. Mannila, H. Toivonen: ^ Multiple uses of frequent sets and condensed representations', in

Proc.2 ^nd International Conference on Knowledge

Discovery and Data Mining, pages 189-194,

Portland, Oregon, USA (1996). [3]: R.Agrawal, H. Mannila, R.Srikant, H.Toivonen, AIVerkamo: ^Λ Fast discovery of association rules' in Advances in Knowledge Discovery and Data Mining, pages 307-328, AAAI Press / the MIT Press ( 1996).

[4]: T.Vu Duong: ^λ Discovery of chronicles from alarm logs. Application to the supervision of telecommunications networks', Thesis in computer science and telecommunications, Institut National Polytechnique de Toulouse, publicly defended on March 28, 2001.

[5]: R.Dechter, I. Meiri, J. Pearl: ^Λ Temporal constraint networks', in Artificial Intelligence, Special Volume on Knowledge Representation, 49 (1-3), 61-95 (1991). Elsevier.

[6]: C. Dousson, T. Vu Duong: ^λ Discovering chronicles with numerical time constraints from alarm logs for monitoring dynamic Systems', in Proc. Of the

6 ^th International Joint Conférence on Artificial

Intelligence (IJCAI 99), pp. 620-626, (1999).

[7]: JJVerbeek, N. Vlassis, and BJAKrôse: ^λ The Generative Self-Organizing Map ', IAS technical report IAS-UVA-02-03, May 2002 (website: http: // ww. Science. Uva. Nl / research / ias / publications / reports /). [8]: M. Dittenbach, D. Merkl, A. Rauber: The growing hierarchical self-organizing map ', in International Joint Conférence on Neural Networks (IJCNN 2000), volume vi, pages 15-19, Como,

Italy, IEEE Computer Society (2000).

[9]: T. Kohonen: Self-Organizing Map ', third edition (2002), Springer-Verlag.

Claims

1. Method for automatic learning of frequent chronicles from an alarm log, the alarms being associated with a plurality of events of a plurality of types, characterized in that it comprises the following steps: a) selection and automatically grouping alarm sequences from the alarm log to form groups of similar alarm sequences; and b) automatically generating a partial alarm log for each group of similar alarm sequences obtained in step a), from the alarms belonging to the sequences of this group; and c) automatic learning of frequent chronicles of each partial alarm log obtained in step b) so as to generate a partial set of frequent chronicles for each partial alarm log obtained in step b), and manufacturing a set of frequent chronicles from the alarm log from the frequent chronicles of each of the partial sets of frequent chronicles obtained.

2. Method according to claim 1 wherein, in step a), the automatic selection of alarm sequences is carried out by means of an automatic division of the alarm log into parts, each part being formed of alarms from the alarm log whose occurrence dates are ordered in time and are between a start date and an end date associated with this part of the log, each part of the alarm log defining a selected alarm sequence of which the alarms are those which belong to this part.

3. The method of claim 2 wherein the division of the alarm log into parts is such that any alarm in the alarm log belongs to at least one of the parts of the alarm log.

4. Method according to any one of claims 1 to 3 wherein, in step a), the automatic grouping of alarm sequences, to form groups of similar alarm sequences, is carried out by means of a grouping method.

5. Method according to any one of claims 1 to 4 wherein, in step a), the formation of groups of similar alarm sequences is carried out by means of the following steps consisting in:

- represent each sequence of alarms in the alarm log by its content, on the basis of a set of types of alarms with A elements taken from the types of alarms distinct from the alarm log, in greater number or equal to A, in a space for representing alarm sequences of dimension A; and - automatically group alarm sequences from the alarm log in the representation of alarm sequences, so as to form groups of similar alarm sequences.

6. Method according to claim 5 in which each sequence of alarms selected in step a) is represented, in the representation space of dimension A, by a point having A coordinates, the coordinate of rank j, where j denotes any integer index between 1 and A, is equal to the number of times the type of alarm associated with the index j appears in the sequence of tears.

7. Method according to any one of claims 1 to 4 wherein, in step a), the formation of groups of similar alarm sequences is carried out by means of the following steps consisting in:

- automatically group types of alarms from the alarm log so as to form groups of similar types of alarms, the result of the grouping being a number S of groups of types of alarms; and

- represent each sequence of alarms in the alarm log by its content, on the basis of groups of types of alarms, in number S 'less than or equal to S, obtained in the previous step, in a representation space alarm sequences of dimension S '; and

- automatically group alarm sequences from the alarm log in the representation of alarm sequences, so as to form groups of similar alarm sequences.

8. Method according to any one of claims 1 to 3 wherein, in step a), the formation of groups of similar alarm sequences is carried out by means of the following steps consisting in:

- represent each sequence of alarms in the alarm log by its content, on the basis of groups of alarm types, in number, S 'less than or equal to S, obtained in the previous step, in a space of representation of alarm sequences of dimension S '; and - automatically forming groups of similar sequences from the alarm log, each group of similar sequences being associated with a group of types of alarms and resulting from the selection of alarm sequences from the alarm log, including the alarm content of the same types as those of the group of types considered exceeds a given threshold for this group.

9. Method according to any one of claims 7 or 8 in which, in step a), the step of automatic grouping of types of alarms, to form groups of similar types of alarms, is performed using a grouping method.

10. The method of claim 9 wherein, in step a), the automatic grouping of similar alarm types from the alarm log is carried out by means of a grouping method based on semantic map of the types of alarms.

11. The method of claim 9 wherein, in step a), the automatic grouping of similar alarm types from the alarm log is performed by means of a grouping method based on the accumulation profile in the time, in the alarm log, of each type of alarm.

12. Method according to any one of claims 1 to 11 wherein, in step c), learning on the partial alarm logs obtained in step b) is carried out in series.

13. Method according to any one of claims 1 to 11 wherein, in step c), learning on the partial alarm logs obtained in step b) is carried out in parallel.

14. Method according to claims 3 and 4 in which:

- a maximum duration T of the chronicles to be learned in step c) is fixed; and, - in step a), the difference between the end date and the start date of any part of the alarm log is equal to 2 * T; and, the parts are split in the alarm log so that, for any given part of start date D ', the part whose subsequent start date D''is closest to D', if it exists, is such that its start date D '' is equal to the date D 'increased by T; and, the automatic regrouping of all the alarm sequences of the alarm log obtained is carried out by means of an algorithm based on self-organizing maps of Kohonen; and,

- in step b), for each group of similar alarm sequences obtained in step a), a partial alarm log is produced from the set of alarm sequences of the sequence group d 'similar alarms; and,

- in step c), automatic chronicle learning is carried out using the FACE learning system.

15. Automatic learning system for frequent chronicles of an alarm log, comprising means for acquiring alarms and for generating an alarm log from acquired alarms, each alarm being associated with an event among a plurality of events of a plurality of types and on a date of occurrence, means for transmitting the alarm log as well as means for learning chronicles capable of implementing a method for automatic learning of frequent chronicles from an alarm log, of frequencies greater than or equal to a threshold of adjustable minimum frequency f ₀ and of maximum duration T adjustable, and capable of transmitting the chronicles obtained, characterized in that '' it also includes:

- a module for selecting and grouping alarm sequences capable of receiving an alarm log and capable of selecting and grouping alarm sequences from the alarm log, and capable of forming a group of alarm sequences similar and to transmit this group; and,

a module for manufacturing a partial alarm log from the alarms of a group of similar alarm sequences received from the module for selecting and grouping alarm sequences from the alarm log, the module being suitable transmitting the partial alarm log obtained to the chronicle learning means; and, a module for manufacturing a set of frequent chronicles from the alarm log, from chronicles transmitted by the chronicle learning means, the module being able to transmit the chronicles from the set of frequent chronicles.