JP2008191839A - Abnormality sign detection system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an abnormality sign detection system of a computer for surely detecting an abnormal behavior which cannot be fully captured by failure monitoring using a threshold, that is, the sign of abnormality which has not yet become any failure, and for preventing erroneous detection such as monthly processing or term-end processing by grasping a cycle of a change pattern of operation data, and for reducing erroneous detection by automatically learning a prediction mistake. <P>SOLUTION: This abnormality sign detection system is provided with a monitoring system 10 for monitoring a connected customer computer 3 and collecting operation data. The system normalizes the past operation data of a customer computer 3, obtains a change pattern of the operation data and the cycle of the change pattern, grasps the obtained change pattern and a cycle as a usual state of the customer computer 3, and detects an abnormal state which has not yet become any failure as an abnormality sign as a result of the comparison of the change pattern with the current change pattern. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a system for detecting a sign of a computer system abnormality, and more particularly to a computer abnormality sign detection system capable of reliably detecting a sign of an abnormality that has not led to a failure in the computer.

In a business using a computer, since the abnormality detection in the computer is realized by the following method, the detection is performed after the abnormality occurs in the computer.
(1) When an abnormal message from the computer business is matched (2) When the computer business is terminated abnormally (3) The thresholds of resources and computer business (for example, utilization rate, business delay, etc.) exceed predetermined values When an abnormality is detected

On the other hand, Patent Document 1 discloses a technique for detecting a sign of a computer system abnormality. In this technology, failure cases that have occurred in the past are stored in a database (DB) as failure case graph data that is graphed, and this DB is created using failure occurrence state graph data that is also graphed in the same way. To access. As a result, measures that have been effective against similar failure cases that have occurred in the past are studied and utilized in the current failure situation.
JP 2005-222377 A

However, the technique disclosed in Patent Document 1 has the following problems.
(1) Since only data at the time of the occurrence of a failure in the past is graphed, it is not possible to detect an abnormal operation in which the computer system has not failed.
(2) Since the graph data of different customer systems are used for comparison, there is a possibility that normal operation is erroneously detected as a sign of failure.
(3) Since the system processing cycle is not conscious, a change in graph data due to processing executed at relatively long intervals such as monthly processing or period-end processing may be erroneously detected as a failure sign.

  The present invention can reliably detect abnormal behavior of a computer that cannot be detected by failure monitoring using a threshold value, that is, a sign of an abnormality that has not led to a computer failure. It is an object of the present invention to provide an abnormal sign detection system that can reduce erroneous detection by automatically learning misprediction by preventing misdetection such as monthly processing and period-end processing.

  The present invention includes a monitoring system that monitors a connected customer computer and collects operation data, the monitoring system normalizes past operation data of the customer computer, and changes the operation data change pattern and the change pattern cycle. An abnormal sign that detects the abnormal state that has not led to a fault as an abnormal sign by comparing the obtained change pattern and the cycle as the usual state of the customer computer and comparing the change pattern with the current change pattern. It is a detection system.

  Further, the present invention is an abnormal sign detection system in which a part of the operation data is cut out while extending an extraction size, the repeated change pattern is automatically detected, and the cycle is automatically detected. .

  And this invention is an abnormal sign detection system which calculates | requires the said change pattern for every said period and hold | maintains it in a change pattern database, when the said period exists in multiple numbers.

  Furthermore, the present invention is an abnormal sign detection system that uses an average of the operation data from 3 to 10 cycles before creating the change pattern.

  In addition, the present invention searches for a similar pattern similar to the current change pattern from the past operation data and indicates failure information that has occurred immediately thereafter, thereby predicting a failure that may occur in the near future, and a failure prediction result It is an abnormal sign detection system to report as.

  In the present invention, when a failure does not actually occur after the failure prediction, the change pattern is registered in the exception pattern database as a false detection change pattern, and thereafter the false detection change pattern is used to store the change pattern. This is an abnormal sign detection system that prevents erroneous detection of an abnormal state.

  According to the present invention, it is possible to reliably detect abnormal behavior that cannot be detected by failure monitoring using a threshold value, that is, an abnormality sign that has not led to a failure, and erroneous detection such as monthly processing or period-end processing. And false positives can be reduced.

The best mode for carrying out the present invention will be described.
Embodiments of the abnormality sign detection system of the present invention will be described with reference to the drawings. FIG. 1 shows an embodiment of the abnormal sign detection system of the present invention.

  FIG. 1 shows a customer (customer) system (computer system) 1 that is a detection target of abnormal signs and a monitoring system 10 on the maintenance service company 2 side. The monitoring system 10 monitors the customer system and detects abnormal signs. To do. The customer system 1 has, for example, a plurality of customer computers 3. The customer computer 3 supplies information such as operation data to the information collecting unit 11 of the monitoring system 10. The connection between the customer computer 3 and the information collecting unit 11 may be a direct connection or may be connected through a communication network such as the Internet.

  The monitoring system 10 installed in the maintenance service company 2 includes an information collection unit 11, a DB (database) 12, and a management unit 13. Information such as operation data of the customer computer 3 obtained by the information collecting unit 11 is sent to the DB 12. The DB 12 stores failure data 20, operation data 21, period data 22, and an exception pattern 23. The management unit 13 includes a failure monitoring unit 30, an abnormal sign monitoring unit 31, and a past failure matching unit 32.

  The monitoring system 10 detects an abnormal behavior that cannot be detected by the failure monitoring using the detected threshold value that is normally performed, that is, an abnormality sign that has not led to the failure. The client computer 3 is notified as an abnormal sign notification 40 and a predicted event notification 41. The administrator 5 can find the proactive action 42 before an abnormality occurs in the customer computer 3. As a result, the administrator 5 can grasp the sign of abnormality before the operation of the customer computer 3 is stopped or the abnormality occurs in the processing, and can respond in advance. FIG. 4 shows an example of change in the operation data 21DT of the operation data DB 21, and shows the units in months and weeks.

  Next, an example of a procedure for detecting an abnormality sign of the customer computer 3 in the present embodiment will be described. FIG. 2 is a flow of a procedure for detecting a sign of abnormality of the customer computer 3 in the present embodiment. This detection procedure includes steps S1 to S13. In step S1, the management unit 13 is on standby until the information collection unit 11 of the monitoring system 10 receives the operation data 21DT of the customer computer 3. In step S <b> 2, the failure monitoring unit 30 obtains the “type” and “cycle” of the pattern represented repeatedly from the operation data 21 </ b> DT of the customer computer 3. The “type” and “period” of the repeated pattern are illustrated in FIG.

  FIG. 5A illustrates an example in which the failure monitoring unit 30 normalizes the operation data 21DT. By normalizing the operation data 21DT, the normalized operation data is obtained, and the numerical subtlety is obtained. The fluctuation is rounded and converted into a form that can be easily compared with a computer. The normalization granularity (rounding) of the normalized operation data is fine for a narrow cycle pattern and rough for a wide cycle pattern, thereby adjusting the matching accuracy. FIG. 5B shows an example of a change pattern automatic detection performed by the failure monitoring unit 30. A part of the operation data is cut out while expanding the extraction size, and the repeated pattern is automatically detected. The operation data extraction sizes (1) to (3) are a part of the extraction size (4), and thus are not regarded as repetitive patterns. Since the extraction size (5) is repeated twice the extraction size (4), the extraction size (4) is adopted as the repeated pattern, and the detection of the repeated pattern in a wider range is continued.

  FIG. 5C shows an example in which the failure monitoring unit 30 obtains a pattern and a cycle that are repeated at regular intervals. At this time, for example, by using relatively new information from the previous 3 to 10 cycles, It will be possible to follow a gradual change in operating conditions. FIG. 5D shows an example of a 7-day cycle pattern and an example of a 30-day cycle pattern, and these repeated patterns are registered as cycle data 22.

  Returning to step S3 in FIG. 2, the current operation data is patterned and collated with all the repeated patterns as in the second specific example shown in FIG. That is, the current operation status shown in FIG. 6 is normalized to create normalized data, and the normalized data is compared with, for example, the 7-day cycle pattern 47 of the cycle data. If there is a match as a result of the comparison, the abnormality sign monitoring unit 31 determines that it is the same as usual in step S4, and returns to step S1. Otherwise, if none of the comparison results in matching, that is, if there is an abnormal operation pattern in the normalized data, the abnormal sign monitoring unit 31 in FIG. 1 determines that there is an abnormality, and proceeds to step S5.

  In step S5, the normalization data pattern of the current operation data is collated with the exception pattern 23 of FIG. 1 in the manner of the specific example 3 shown in FIG. The normalized data and the exception pattern 23 are collated, and if there is a match, it is determined that the normal pattern has been erroneously detected in the past in step S6 and the current operation data is not abnormal, and the process returns to step S1. Otherwise, if there is no match between the normalized data pattern and the exception pattern 23 in step S5, the current operation data is regarded as an abnormal operation pattern, and the process proceeds to step S7.

  In step S7, as shown in the specific example 4 of FIG. 8, the past failure matching unit 32 in FIG. 1 stores the current failure data from the past operation data 21 and the failure data in the current failure data DB 20. Look for similar patterns similar to the pattern. In step S8, if there is a pattern of failure data 20 similar to the past and a failure occurrence record, the process moves to step S10, the failure content that may occur near the customer computer 3, the past countermeasures, and the scheduled failure occurrence time. Is notified to the administrator 5 as the failure prediction mail 39, and the process proceeds to step S11. In step S7, if the current failure data 20 has no similar pattern in the past or there is a similar pattern but no failure has occurred, in step S9, the customer computer 3 is operating abnormally. The administrator 5 is notified by the warning mail 39 and the process proceeds to step S11.

  In step S11, when a failure has occurred by the scheduled failure occurrence time or when a normal pattern is returned as a result of taking countermeasures, it is determined in step S12 that failure prediction has been successful and the process returns to step S1. If no failure occurs even after the scheduled failure time has passed even though no countermeasure has been taken, and then the normal pattern is restored, then in step S13, as shown in FIG. A miss pattern is automatically registered as an exception pattern 23, and this exception pattern 23 is used for preventing false detection thereafter.

  Next, a procedure for automatically detecting an abnormality sign of the customer computer 3 will be described with reference to the flow of FIG. The flow in FIG. 3 includes steps S20 to S29. In step S20, “extraction size” is set to zero. If “extraction size” is set to +1 in step S21, “extraction size” is extracted from the position of the latest data of the operation data 21 in the past and normalized in step S22. This normalized data is referred to as a “temporary change pattern”.

  In step S23, the operation data 21 is normalized retroactively and compared with the “provisional change pattern” to obtain a pattern repetition period. If the repetition is recognized in step S24, the “temporary change pattern” is expanded and the process returns to step S21 to retry. Otherwise, if the repetition is not recognized, the “temporary change pattern” at which the repetition is finally recognized in step S26 is registered as the “change pattern” as the periodic data 22. If the “extraction size” does not exceed the size of the operation data 21 in step S27, the process returns to step S21 in order to detect a pattern having another period in step S28. If the “extraction size” exceeds the size of the operation data 21, the detection of the periodic pattern is terminated in step S29.

  Incidentally, computer systems include batch processing systems that execute processing based on an execution schedule. In the embodiment of the monitoring system of the present invention, focusing on this batch processing system, the so-called “change pattern” of operation data is changed in the following manner in accordance with its characteristics.

(1) Daily operation data (CPU (central processing unit) usage rate, number of accesses, number of transactions, etc.) of customer computers is recorded.

(2) Normalize the operation data and capture the “change pattern” of the operation data and the “cycle” of the change pattern. At this time, when there are a plurality of change pattern cycles due to monthly processing or the like, a change pattern is obtained for each cycle and stored in the change pattern DB. Further, when creating the change pattern, it is preferable to use the average of the operation data from 3 to 10 cycles before, so that the change state of the operation data that gradually changes can be dealt with.

(3) If the change pattern of the current operation data is different from the contents of the change pattern DB, it is considered that “unusual operation” = abnormal operation. However, as described above, when a similar pattern is recorded in the “exception pattern DB 23”, no abnormal operation is performed.

(4) When an abnormal operation of the customer computer 3 is detected, a past similar change pattern and failure data that occurred immediately after that are searched and notified to the administrator 5 as a failure that may occur in the near future.

(5) If the customer computer 3 is determined to be in an abnormal state but no failure has occurred thereafter, it is registered as the exception pattern 23 in FIG. 1 as a false detection change pattern. Used for prevention purposes.

  As described above, in the abnormal sign detection system of the embodiment, the past operation data of the customer computer 3 is normalized, the change pattern of the operation data and the cycle of the change pattern are obtained, and the obtained change pattern and cycle are obtained. 3, and a failure monitoring unit 30 that detects the abnormal state as a result of comparing the change pattern and the current change pattern as an abnormality sign. This makes it possible to reliably detect abnormal behavior that cannot be detected by fault monitoring using a threshold value, that is, abnormal behavior that is not detected as a fault (a sign of abnormality that has not led to a fault). Further, by detecting the cycle of the change pattern of the operation data, erroneous detection such as monthly processing and end-of-period processing is eliminated, and erroneous detection can be reduced by automatically learning a prediction error.

  Further, in the abnormal sign detection system of the embodiment, a part of the operation data is cut out while extending the extraction size, the repeated change pattern is automatically detected, and the period is automatically detected. As a result, by capturing the cycle of the change pattern of the operation data, for example, monthly processing or period-end processing is not erroneously detected.

  In the abnormal sign detection system of the embodiment, the change pattern and cycle of the operation data are automatically detected, and when there are a plurality of cycles, the change pattern is obtained for each cycle and stored in the change pattern database. deep. As a result, even when there are a plurality of periods due to, for example, monthly processing, a change pattern can be held for each period, and an abnormality sign can be detected more reliably.

  Furthermore, the abnormal sign detection system according to the embodiment uses the average of the operation data up to 3 to 10 cycles before creating a change pattern. Thereby, it becomes possible to cope with the operating state of the customer computer 3 that gradually changes.

  In addition, the abnormal sign detection system according to the embodiment searches for a similar pattern similar to the current change pattern from past operation data and indicates failure information that has occurred immediately thereafter, thereby predicting a failure that may occur in the near future. Report as a failure prediction result. Thereby, the administrator can be surely notified of a failure that may occur in the near future.

  In the abnormal sign detection system of the embodiment, when no failure actually occurs after the failure prediction, the change pattern is registered in the exception pattern database as a false detection change pattern, and thereafter the false detection change pattern is used. To prevent false detection of abnormal conditions. Thereby, the erroneous detection of the abnormal state in the customer computer 3 can be avoided.

  In conventional monitoring systems and other monitoring systems, it is possible to detect abnormalities after a computer business abnormality has occurred or by exceeding the threshold, but when the business is operating normally, there are indications that may lead to an abnormality. It could not be detected. On the other hand, the present invention grasps the operating status of the computer business, stores it as a normal operating status, and compares the past operating status with the current operating status, so that the administrator stops the business. Or, before an abnormality occurs in the process, it is possible to grasp the sign of the abnormality and cope with it in advance.

  The present invention is not limited to the above-described embodiment, and various modifications can be employed without departing from the scope of the claims.

Explanatory drawing of the abnormal sign detection system of an Example. Explanatory drawing of the sign detection procedure in an Example. Explanatory drawing of the automatic detection procedure in an Example. Explanatory drawing of the pattern in an Example. Explanatory drawing of the specific example 1 in the abnormal sign detection system of an Example. Explanatory drawing of the specific example 2 in the abnormal sign detection system of an Example. Explanatory drawing of the specific example 3 in the abnormal sign detection system of an Example. Explanatory drawing of the specific example 4 in the abnormal sign detection system of an Example. Explanatory drawing of the example 5 in the abnormal sign detection system of an Example.

Explanation of symbols

1 Customer System 2 Maintenance Service Company 3 Customer Computer 10 Monitoring System 11 Information Collection Unit 12 Database (DB)
20 Failure data 21 Operation data 22 Periodic data 23 Exception pattern 30 Failure monitoring unit 31 Abnormal sign monitoring unit 32 Past failure checking unit 40 Abnormal sign notification 41 Predictive event notification 5 Administrator

Claims (6)

  A monitoring system that monitors connected customer computers and collects operation data, wherein the monitoring system normalizes past operation data of the customer computers, obtains a change pattern of the operation data and a period of the change pattern, An abnormal condition characterized by detecting an abnormal state that has not led to a failure as an abnormal sign by comparing the change pattern and the cycle as a normal state of the customer computer and comparing the change pattern with a current change pattern. Sign detection system.   The abnormal sign detection system according to claim 1, wherein a part of the operation data is cut out while extending an extraction size, the repeated change pattern is automatically detected, and the period is automatically detected.   The abnormality symptom detection system according to claim 2, wherein when there are a plurality of periods, the change pattern is obtained for each period and stored in a change pattern database.   The abnormal sign detection system according to claim 2 or 3, wherein an average of the operation data from 3 to 10 cycles before is used when the change pattern is created.   5. A similar pattern that is similar to the current change pattern is searched from the past operation data, and fault information that occurs immediately after that is indicated, so that a fault that may occur soon is predicted and reported as a fault prediction result. Abnormal sign detection system described in.   When a failure does not actually occur after the failure prediction, the change pattern is registered in the exception pattern database as a false detection change pattern, and the false detection change pattern is used to detect false detection of the abnormal state thereafter. The abnormal sign detection system according to claim 5 to prevent.

Images