JP2018028778A - Pattern extraction and rule generation device, and method thereof - Google Patents

Abstract

PROBLEM TO BE SOLVED: To automatically generate and correct a rule by which it is possible to determine a place that caused a fault.SOLUTION: A pattern extraction and rule generation device of the present invention comprises: a database in which cause of fault information that includes a place that caused a fault and the cause of the fault, a fault event generated by the fault, and a rule ID corresponding to a rule that includes a condition part and a conclusion part are registered in association; a unique determination unit for generating all of possible combinations of fault events of new fault and extracting, for each fault, a unique pattern which is found to be a least occurred combination from a combination of fault events of new fault and a combination of fault events of old fault; and a rule generation and correction unit for generating or correcting the rule in accordance with a unique pattern that corresponds for each fault.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a pattern extraction and rule generation apparatus and method.

  There is a technique related to creation of an IF-THEN rule for determining a failure factor based on an event (hereinafter referred to as a failure event) that occurs due to a certain failure in a monitoring target device. For example, Patent Literature 1 and Patent Literature 2 are known as documents of this technology.

  In Patent Document 1, the system receives a condition part (IF part) to be defined in a rule and a cause event (THEN part) of a fault by a maintenance person having knowledge about the fault, and the system creates a rule.

  On the other hand, in Patent Document 2, one rule event is defined as a conclusion part in a rule condition part in rule creation.

International Publication No. 2014/068659 Pamphlet Japanese Patent No. 5684946

  However, when a wide variety of types of failure events have occurred in a given failure, the maintenance person should examine and narrow down the failure events that should be defined in the rule condition part (IF unit) from a huge number of failure events. Since it is necessary to input, there is a problem that knowledge and experience regarding the failure event are necessary, and even if knowledge and experience are involved, it takes time and effort. In addition, since humans consider narrowing down failure events, there is always the possibility of human error. In addition, under conditions where various patterns of failures occur every day, it is assumed that it will be necessary not only to create a new rule, but also to modify a rule that has been created in the past. There is a problem that it is difficult for the rule creator to review and review the condition part of the existing rule.

  Further, in the case of a failure in which the failure factor does not appear directly in the failure event, there is a problem that the cited document 2 cannot create a rule.

  The present invention has been made paying attention to the above circumstances, and an object thereof is to provide a pattern extraction and rule generation apparatus and method for automatically creating and correcting a rule capable of determining a failure factor location. There is.

  In order to achieve the above object, an aspect of the present invention includes the following components. That is, the pattern extraction and rule generation device includes failure factor information including a failure factor location and a failure factor, a failure event caused by the failure, and a rule ID associated with a rule including a condition part and a conclusion part. Generate all the combinations of the fault events of the new fault, which is the new fault, and the database registered in association with each other, and from the combination of the fault events of the new fault and the fault events of the past fault, which is the past fault, A unique determination unit that extracts, for each failure, a unique pattern that is determined to be a combination that has not occurred, and a rule generation and correction unit that generates or corrects the rule according to the unique pattern corresponding to each failure.

  According to the present invention, it is possible to provide a pattern extraction device, a rule generation device, and a method for automatically creating and correcting a rule that can determine a failure factor location.

The block diagram of the pattern extraction and rule production | generation apparatus which concerns on 1st Embodiment. The flowchart which shows the method of the pattern extraction and rule production | generation apparatus of FIG. The block diagram containing the pattern extraction and rule production | generation apparatus of FIG. 1, and a rule engine. The class diagram in the block of FIG. The flowchart in the block of FIG. FIG. 5B is a flowchart following FIG. 5A. The flowchart following FIG. 5B. The figure which shows an example of an IF-THEN rule. The figure which shows an example in step SD4 and SD5 in FIG. 5B. The figure which shows an example in step SD4 and SD5 in FIG. 5B. The figure which shows an example in step SD4 and SD5 in FIG. 5B. The block diagram of the pattern extraction and rule production | generation apparatus which concerns on 2nd Embodiment. FIG. 11 is a flowchart showing a method of the pattern extraction and rule generation device of FIG. 10. FIG. 11 is a block diagram including the pattern extraction and rule generation device and rule engine of FIG. 10. The class diagram in the block of FIG. FIG. 14 is a flowchart in the block of FIG. 13. FIG. 14B is a flowchart following FIG. 14A. FIG. 14B is a flowchart following FIG. 14B. The figure which shows an example in step SD21 and SD22 in FIG. 14B. The figure which shows an example in step SD4 and SD5 in FIG. 14B. The figure which shows an example in step SD4 and SD5 in FIG. 14B. The figure which shows an example in step SD4 and SD5 in FIG. 14B.

A pattern extraction and rule generation apparatus and method according to an embodiment of the present invention will be described below with reference to the drawings. Note that, in the following embodiments, the same numbered portions are assumed to perform the same operation, and repeated description is omitted.
[First Embodiment]
As shown in FIG. 1, the pattern extraction and rule generation apparatus 100 according to the first embodiment includes a failure event registration unit 101, a unique determination unit 102, a rule generation and correction unit 103, a past failure re-verification unit 104, and a failure example. A database 105 is provided. This will be described with reference to the block diagram of FIG. 1 and the flowchart of the pattern extraction and rule generation device 100 of FIG.

  The failure event registration unit 101 identifies one or more failure events corresponding to a newly occurring failure (this failure, also referred to as a new failure), the failure ID of the failure, the true cause, and the location thereof. The failure cause information and the corresponding rule ID are associated and registered in the failure case database 105. A failure ID is assigned to each failure that has occurred. A rule ID is assigned to each rule. The failure event is associated with the failure ID and indicates an event that occurs due to the failure corresponding to the failure ID. The failure factor information includes failure factor location information and failure factor information. The failure factor indicates the cause of the failure, the failure factor location indicates the location (for example, device ID) where the failure occurred, and the failure event includes, for example, an alarm, log information, and threshold value monitoring information from a certain monitoring target device. The failure factor is a certain monitoring target device.

  One or more failure events are also referred to as failure event groups. One or more rules are also referred to as a rule set. For example, a rule engine has a rule set, and the rule includes a condition part and a conclusion part. In the embodiment, the condition part is a failure event, for example, a device ID and an alarm type, and the conclusion part is failure factor information, which includes a device ID and a failure factor type.

  The unique determination unit 102 generates a combination of failure events including one or more failure events that are candidates for unique patterns that characterize the failure from the failure event group of the failure, and stores all the failures of the failure in the failure example database 105. In addition to registering a combination of events, reference is made to combinations of fault events in all past faults registered in the fault case database 105, and from these all combinations, combinations of fault events characterizing each fault are set as a unique pattern. Each fault (ie, fault ID) is extracted, and a unique pattern is registered in the fault case database 105 in association with the fault ID. The combination of failure events is a combination of all failure events associated with the failure ID for each failure ID. A unique pattern is calculated by a predetermined method from a combination of failure events for each failure ID, and one unique pattern is calculated for each failure ID. The unique pattern has a one-to-one correspondence with the rule ID. In addition, there is a case where one rule ID is registered in a plurality of failure IDs so that there is a failure event registration when the determination result is correct in handling a failure (see FIG. 2). Furthermore, since one rule ID corresponds to one or more failure events, it may correspond to many failure events. An example of the unique pattern calculation method will be described later with reference to FIGS. 7, 8, 9, 16, 17, and 18.

  The rule generation and correction unit 103 adopts the unique pattern extracted by the unique determination unit 102 as a condition unit for this failure, and generates a new rule set by using the failure factor information registered by the maintenance person as a conclusion unit. Revise and register the new rule ID in the failure case database 105 in association with the failure ID.

  On the other hand, the unique pattern extracted by the unique determination unit 102 corresponding to one past failure registered in the failure case database 105 is defined in the condition part of the rule registered corresponding to this failure ID. If the combination is different from the failure event combination, the rule generation and correction unit 103 determines that the rule needs to be corrected. The unique pattern extracted by the rule generation / correction unit 103 is used as a condition part to overwrite and correct the existing rule, and is registered in the failure case database 105.

  The past failure re-verification unit 104 performs re-determination by the rule engine based on the information of the failure event group registered in the failure case database 105 for each failure ID, and the failure factor information as a result of the determination and the failure case If the failure cause information registered in the database 105 (this information has been registered by the maintainer in the past) is collated, and the collation matches (if collation is OK), a new rule is added. If it succeeds, and if the existing rule is overwritten and corrected, the rule is also corrected and the processing is terminated. On the other hand, the past failure re-verification unit 104 returns to the unique determination unit 102 and extracts a different unique pattern again when collation does not match (in the case of collation NG). The past failure re-verification unit 104 is re-verification, and the verification is OK in almost all cases. However, the past failure re-verification unit 104 is provided to cope with a case where the data is rarely modified or the verification results in a verification NG.

  The failure case database 105 registers a failure ID, one or more failure events, failure factor information, a combination of failure events, a unique pattern among the combinations, and a rule ID in association with each other. The failure case database 105 normally stores the above information in association with a number of failure IDs.

Next, the operation of the pattern extraction and rule generation device 100 will be described with reference to FIG.
When a failure occurs, the rule engine acquires one or more failure events (for example, device ID and alarm type) corresponding to the failure, makes a rule determination with reference to the network configuration information and the rule set, and where the failure occurs. Displays the judgment result indicating whether the failure occurred and the cause of the failure.

  Thereafter, the maintenance person compares the determination result determined by the rule engine with the failure handling result that is the true cause, and determines whether or not the determination result is correct. If it is determined that the determination result is correct, the failure event is registered in the failure case database 105 in association with other information (see the above “failure case database 105”). On the other hand, if it is determined that the determination result is not correct, the failure event registration unit 101 causes the failure cause information that the maintenance person has identified the true cause and its position by handling the failure to correspond to the failure event, and the failure case It is newly registered in the database 105 in association with other information (step S201).

  After step S201, the unique determination unit 102 generates all combinations including one or more failure events associated with the failure ID of the failure, as described with reference to FIG. One unique pattern is combined for each failure ID from a combination of failure events corresponding to this failure and a combination of failure events corresponding to all past failures (the past is already registered in the failure case database 105). Extract (step S202). The extracted unique pattern is registered in the failure case database 105 in association with other information. On the other hand, if this unique pattern cannot be extracted, the process proceeds to step S205.

  If a unique pattern is extracted in step S202, the rule generation and correction unit 103 adopts the unique pattern in this fault as a condition part, and generates a new rule using the fault factor information input by the maintenance person as a conclusion part. Then, it is registered in the failure case database 105 (step S203). The rule generation and correction unit 103 registers the generated rule ID in the failure case database. In addition, in the case of a past failure registered in the failure case database, if the combination of failure events defined in the condition part of the registered rule is different from the unique pattern extracted in step S202, the corresponding failure Are corrected and registered in the failure case database 105 (step S203).

  The past failure re-verification unit 104 re-determines whether the determination result is correctly determined for all failures registered in the failure case database 105 using the rule engine, and the determination accuracy is reduced by updating the rule set It is verified whether it is not done (step S204). If the determination result is incorrect for any of the past failures, the process returns to step S202, and the unique determination unit 102 extracts another failure event combination. If any rule generated from the unique pattern in step S204 is collated NG in the past failure re-verification unit 104, the process proceeds to step S205. On the other hand, when the past failure re-verification unit 104 verifies and the verification result is OK, and the determination result is correct, the process ends, assuming that a new rule has been successfully added or modified.

  In step S205, the unique determination unit 102 indicates that the failure event characterizing this failure cannot be extracted, presents that the failure cannot be ruled, and rolls back the data. That is, in this case, the registration of the failure event corresponding to the failure ID of the failure and the failure factor information registered by the maintenance person corresponding to the unique determination unit 102 is canceled (step S205).

Next, the processing flow of the pattern extraction and rule generation device 100, the monitoring target device 300, the rule engine 330, and the maintenance person 360 of the present embodiment is shown in FIGS. 3, 4, 5A, 5B, and 5C. The description will be given with reference. Note that “*” shown in FIG. 4 indicates the number of instances and means a numerical value of zero or more.
Assume that a failure occurs in one or more of the n monitoring target devices 300 (step SA1). Thereafter, the monitoring target device 300 inputs a failure event to the rule engine 330 (step SA2). The failure event here includes, for example, an IP address, a device type, and an alarm type. Here, the alarm type is a kind of event type and is used as a subordinate concept thereof.

  The rule engine 330 notifies the failure extraction event to the pattern extraction and rule generation device 100 (step SB1). At this stage, for example, the device ID and the alarm type are notified, and the failure event registration unit 101 registers this failure event in the failure case database 105 (step SD1).

  In the rule engine 330, the network configuration information database 332 acquires the network configuration information from the outside and synchronizes with the external information. The network configuration information includes monitoring target device information and monitoring target device connection information. As shown in FIG. 4, the monitoring target device information includes, for example, a device ID, a device name, an IP address, and a device type of the monitoring target device. As shown in FIG. 4, the monitoring target device connection information includes, for example, a connection source device ID, a connection destination device ID, and an identifier of this set. In the example of FIGS. 3 and 4, there are n pieces of monitoring target device information, which is the number of monitoring target devices. Note that the monitoring target device connection information is not limited to n pieces.

  Further, in the rule engine 330, the failure event transmission / reception unit 331 acquires a failure event from the monitoring target device 300. Further, the rule engine 330 stores a set of IF-THEN rules for associating a failure event group with failure factor information. The IF-THEN rule includes an “if” part representing a premise or condition and a “then” part representing a conclusion or an operation when the “if” part is true (see the description of FIG. 6 for more details). Further, the rule engine 330 includes a determination logic unit 333. The determination logic unit 333 receives the network configuration information, the failure event, and the rule set, and based on these, the determination result indicating where the failure has occurred (failure location) and for what cause the failure has occurred (failure factor). Obtain (step SB2). Thereafter, the determination logic unit 333 sends the determination result (for example, the corresponding rule ID, device ID and / or device name, failure factor type) to the pattern extraction and rule generation device 100, and the determination result (for example, the device name, failure factor type). ) Is sent to the maintenance person 360 (step SB3).

  In the pattern extraction and rule generation device 100, the failure event registration unit 101 registers the determination result (for example, the corresponding rule ID, device ID and / or device name, failure factor type) from the determination logic unit 333 in the failure case database 105. (Step SD2).

  The maintenance person 360 receives the determination result determined by the rule engine 330 and confirms the content (step SC1). After that, the maintenance person 360 compares the determination result determined by the rule engine 330 with the failure handling result that is the true cause to determine whether the determination result is correct (step SC2). If it is determined that the determination result is correct, the maintenance person 360 does nothing and ends. On the other hand, if it is determined that the determination result is not correct, the maintenance event is registered in the failure case database 105 in the failure event database 105 by associating the failure cause information that specifies the true cause and its location by handling the failure. Is registered (step S201). The pattern extraction and rule generation device 100 registers the specified failure factor information in the failure case database 105 in association with the failure event (step SD3).

  Thereafter, the pattern extraction and rule generation apparatus 100 continues processing. The unique determination unit 102 generates a combination of failure events including one or more failure events from the failure event group of this failure and registers it in the failure case database 105 (step SD4). The unique determination unit 102 extracts a unique pattern characterizing each failure from combinations of failure events in all failures registered in the failure case database 105 and registers them in the failure case database 105. If the past failure re-verification unit 104 re-verifies the determination result for each failure and the result is collation NG, the next unique failure event combination for the corresponding failure is registered as a unique pattern in the failure case database 105 (step SD5). The rule generation / correction unit 103 has registered the failure event combination defined in the condition part of the registered rule and the processing so far in the past failure registered in the failure case database 105 If it is different from the unique pattern, it is determined that the rule needs to be corrected (step SD6). The rule generation and correction unit 103 adopts a unique pattern as a condition part for this fault, generates a new rule using the failure factor information registered by the maintenance person 360 as a conclusion part, and corrects the existing rule by extracting the unique The pattern is overwritten and corrected as a condition part (step SD7). Thereafter, the rule generation and correction unit 103 overwrites and registers the rule ID of the generated rule in the failure case database 105 (step SD8). The rule generation / correction unit 103 feeds back the generated and corrected rules to the rule engine 330 (step SD9). The rule engine 330 takes in the generated and modified rules and updates the rule set (step SB4).

  The pattern extraction and rule generation device 100 passes all failure events registered in the failure case database 105 to the rule engine in units of failure IDs (step SD10). The rule engine 330 receives all the failure events, and determines a failure factor and a failure factor location based on the failure event group, network configuration information, and rule set input for each failure ID (step SB5). Then, the rule engine 330 notifies the pattern extraction and rule generation device 100 of the determination result (for example, device ID and failure factor type) for each failure ID (step SB6).

  In the pattern extraction and rule generation device 100, the past failure re-verification unit 104 is registered for each failure ID in the determination result (for example, device ID and failure factor type) notified from the rule engine 330 and the failure case database 105. The failure factor information is collated (step SD11). If there is a failure ID whose collation is NG, the process returns to step SD5, where the unique determination unit 102 extracts a unique pattern and performs rule generation or correction. On the other hand, if all failure events are collation OK, this process ends.

Here, the IF-THEN rule used in the rule engine 330 will be briefly described with reference to FIG.
The IF-THEN rule describes inference knowledge such as a conclusion derived from a certain fact and knowledge about an action performed when a certain condition is satisfied. Generally described in the form of “α → β” and “if α then β”, and is composed of an “if” portion representing a premise or condition and a “then” portion representing a conclusion or an action to be executed when the “if” portion is true. . The example shown in FIG. 6 is a rule for determining a failure factor location. When the failure event a occurs in the device A and the failure event c occurs in the device C, the device B sets “device fail”. It shows that it has become.

Next, steps SD4 and SD5 in the pattern extraction and rule generation device 100 will be described with specific examples. This will be described with reference to FIGS. 7, 8, and 9. FIG.
A process in which the unique determination unit 102 extracts a unique failure event for each failure from all failure events registered in the failure case database 105 will be described with reference to FIG.
In the failure case database 105, failure events are registered in association with each failure ID as shown in the upper left diagram. In this example, the failure event includes a device ID and an event type. First, the unique determination unit 102 generates a combination of failure events that can be taken by each failure. In this example, when the failure ID = 1, there are (device ID, event type) = (sw1, a), (sw2, b), there are three combinations, and only (sw1, a) (“ sw1a "), (sw2, b) only (" sw2b "in the figure), (sw1, a) and (sw2, b) (" sw1a, sw2b "in the figure). For failure ID = 2, there are (device ID, event type) = (sw1, a), (sw3, c), and there are three combinations of sw1a, sw3c, and sw1a and sw3c.

  Thereafter, the unique determination unit 102 extracts a unique pattern from the combination of these failure events according to the unique pattern extraction logic. The unique pattern extraction logic first calculates the registration rate for other failure IDs for each failure event combination for all other failure IDs, and then registers the registration rate for each failure event combination (there are multiple other failure IDs). The maximum registration rate is determined. Next, the unique pattern extraction logic extracts a combination corresponding to the minimum value among the maximum registration rates of all the failure event combinations as a unique pattern.

  Here, the registration rate is calculated by using the number of events of a combination of failure events as a denominator and the number registered in another failure event group of the combination as a numerator. According to this, the registration rate takes a value from 0 to 1, and indicates how much one combination of failure events of a certain failure ID is registered in another certain failure ID. For example, when the registration rate is 1, it indicates that one combination of failure events of the failure ID of interest is registered in the failure event group of another failure ID, and the registration rate is 0.5 Indicates that only one half of the combination of the failure event of the failure ID of interest is registered in another failure ID. If the registration rate is 0, one of the failure events of the failure ID of interest is Indicates that the combination is not registered at all for some other fault ID. Further, the unique pattern is a combination of failure events of the failure ID of interest that is least generated by a combination of failure events of other failure IDs (in other words, a combination of the failure event combination of the most other failure ID and It can be said that the combination is not unique, that is, a unique combination).

Next, extraction of a unique pattern will be described with reference to a specific example below in FIG.
In the example of FIG. 7, there are three combinations of failure events with failure ID = 2, sw1a, sw3c, and sw1a and sw3c as described above. In this example, since there are only two failure IDs 1 and 2, only ID = 1 is the other failure with ID = 2.

      In the case of sw1a, the other failure ID = 1 and the event groups are sw1a and sw2b. Therefore, since the number of failure events is only sw1a, the denominator is 1, and sw1a is registered in the event group of other failure ID = 1, so the numerator is 1, and the registration rate is 1/1 = 1.0.

      In the case of sw3c, the other failure ID = 1 and the event groups are sw1a and sw2b. Therefore, since the number of failure events is only sw3c, the denominator is 1, and sw3c is not registered in the other event group of failure ID = 1, so the numerator is 0, and the registration rate is 0/1 = 0.0.

      In the case of sw1a and sw3c, the other failure ID = 1 and the event group is sw1a and sw2b. Accordingly, since the number of failure events is sw1a and sw3c, the denominator is 2, and only one sw1a and sw3c are registered in the event group of other failure ID = 1, so the numerator is 1, and the registration rate is 1/2 = 0. 5

  As described above, since the minimum registration rate is 0.0, the combination is sw3c, and the unique pattern with the failure ID = 2 in the example of FIG. 7 is sw3c.

  Next, a case where failure IDs 1 and 2 are already registered in the failure case database 105 and a new failure ID = 3 occurs (a case where the unique pattern of the already registered failure ID is changed) is illustrated. Explanation will be made with reference to FIG. The lower part of FIG. 8 shows the contents of the failure case database 105 when a new failure occurs.

  When one failure ID increases in this way, a combination of failure events is newly calculated for the added failure ID. The combination does not change for each previous failure ID. However, since the unique pattern of a certain failure ID is affected by all other failure IDs, the unique pattern of a certain failure ID may change as the number of failure IDs increases. For example, in the example of FIG. 8, the unique pattern with the failure ID = 2 changes from sw3c to sw1a and sw3c, while the unique pattern with the failure ID = 1 does not change with sw2b.

The calculation of the unique pattern when there are three failure IDs described at the bottom of FIG. 8 will be described with reference to FIG.
In the example described in the lower part of FIG. 8 (FIG. 9 is the same), there are three combinations of failure events of failure ID = 2, sw1a, sw3c, and sw1a and sw3c. In this example, since there are three failure IDs 1, 2, and 3, ID = 1 and 3 are the other failures with ID = 2.

      When sw1a and other failure ID = 1, the event groups are sw1a and sw2b. Therefore, since the number of failure events is only sw1a, the denominator is 1, and sw1a is registered in the event group of other failure ID = 1, so the numerator is 1, and the registration rate is 1/1 = 1.0.

In the case of sw1a and another failure ID = 3, the event group is sw3c and sw4d. Accordingly, since the number of failure events is only sw1a, the denominator is 1, and sw1a is not registered in the other failure ID = 3 event group, so the numerator is 0, and the registration rate is 0/1 = 0.0.
Therefore, when the combination of failure events is sw1a, the maximum registration rate is 1.0.

      When sw3c and other failure ID = 1, the event groups are sw1a and sw2b. Accordingly, since the number of failure events is only sw3c, the denominator is 1, and sw3c is not registered in the event group of other failure ID = 1, so the numerator is 0, and the registration rate is 0/1 = 0.0.

When sw3c and other failure ID = 3, the event groups are sw3c and sw4d. Therefore, since the number of failure events is only sw3c, the denominator is 1, and sw3c is registered in the event group of other failure ID = 3, so the numerator is 1, and the registration rate is 1/1 = 1.0.
Therefore, when the combination of failure events is sw3c, the maximum registration rate is 1.0.

      When sw1a and sw3c and other failure IDs = 1, the event groups are sw1a and sw2b. Accordingly, since the number of failure events is sw1a and sw3c, the denominator is 2, and only one sw1a and sw3c are registered in other failure ID = 1 event groups, so the numerator is 1, and the registration rate is 1/2 = 0.5.

When sw1a and sw3c and other failure ID = 3, the event group is sw3c and sw4d. Therefore, since the number of failure events is sw1a and sw3c, the denominator is 2, and only one sw1a and sw3c are registered in other failure ID = 3 event groups, so the numerator is 1, and the registration rate is 1/2 = 0.5.
Therefore, when the combination of failure events is sw1a and sw3c, the maximum registration rate is 0.5.

  As described above, since the maximum registration rate is 0.5, the combination is sw1a and sw3c, and the unique pattern of failure ID = 2 in the example of FIG. 9 is sw1a and sw3c.

  According to the first embodiment described above, rules can be automatically created and modified only by inputting failure factor information that has been clarified as a result of failure handling, regardless of the maintenance person's knowledge and experience regarding failures. become. This greatly reduces the time and effort required to create and modify rules. Further, since the maintenance person is only concerned with input for rule creation, human error in rule creation is reduced.

  Furthermore, according to the first embodiment, every time a failure is handled, not only a new rule is generated but also an existing rule is modified based on all failure events held by the system, so that the rule is optimized. . Further, by inputting the failure factor information separately from the failure event, the maintenance person inputs a rule that can determine the failure factor even in a case where the failure factor does not appear directly in the failure event.

[Second Embodiment]
As shown in FIG. 10, the pattern extraction and rule generation apparatus 1000 according to the second embodiment includes a rule generation and correction unit 1001 instead of the rule generation and correction unit 103, and a failure case database instead of the failure case database 105. The second embodiment is different from the first embodiment in that a correlation alarm registration unit 1003 is further provided. Description will be made with reference to the block diagram of FIG. 10 and the flowchart of the pattern extraction and rule generation apparatus 1000 of FIG.

  The correlation alarm registration unit 1003 is detected from a correlated device based on the information on the connection relationship defined in the inter-component connection relationship, starting from information on the cause of the failure identified as the true cause by the maintenance person The failure event is extracted, and the failure event group data in the failure case database 1002 is overwritten. Further, the correlation alarm registration unit 1003 stores the connection relation of the inter-component connection relation used when extracting the fault event in the fault case database 1002 in a form linked to each fault event. The inter-component connection relationship is information indicating a causal relationship between a failure event occurrence location and a failure factor location.

  The network configuration information includes monitoring target device information (IP address, device type, etc.) and connection information between the monitoring target devices.

  The rule generation / correction unit 1001 adopts a unique pattern in this failure as a condition part, and newly generates a rule using the failure factor information input by the maintenance person as a conclusion part. In addition, the rule generation / correction unit 1001 defines a connection relation between components associated with the failure event of the unique pattern as the condition part in the rule, and registers the generated rule ID in the failure case database 1002. If there is a failure in the past registered in the failure case database 1002 and the combination of failure events defined in the condition part of the registered rule is different from the unique pattern extracted by the unique determination unit 102, the rule The generation and correction unit 1001 determines that the rule needs to be corrected. The unique pattern extracted by the rule generation and correction unit 1001 is adopted as a condition unit, and the existing rule is overwritten and corrected together with the connection relation between components linked to the adopted failure event, and is registered in the failure case database 1002.

  The failure case database 1002 includes failure events that occurred in the past, failure factor information and corresponding rule IDs for each failure. This failure event includes a failure event that has occurred due to this failure. The failure case database 1002 associates the connection relationship between the components used when the failure event is extracted in addition to the data accumulated in the failure case database 105 with each failure factor information. The inter-component connection relationship includes, for example, a connection source device type, a connection destination device type, their connection relationship, and an identifier. The failure case database 1002 registers a failure ID, one or more failure events, failure factor information, a combination of failure events, a unique pattern among the combinations, a rule ID, and an inter-component connection relationship. doing. The failure case database 1002 normally stores the above information in association with a number of failure IDs.

  Next, the operation of the pattern extraction and rule generation apparatus 1000 will be described with reference to FIG. Since the process up to step S201 is the same as that of the first embodiment, the process will be described from the next step S1101.

  The correlation alarm registration unit 1003 is detected from a correlated device based on the information on the connection relationship defined in the inter-component connection relationship, starting from information on the cause of the failure identified as the true cause by the maintenance person The failure event is extracted, and the failure event group data in the failure case database 1002 is overwritten. Further, the correlation alarm registration unit 1003 registers the connection relation of the inter-component connection relation used for extracting the fault event in the fault case database 1002 in a form linked to each fault information (step S1101). Following step S1101 is step S202, which is the same as in the first embodiment.

  If a unique pattern is extracted in step S202, the rule generation and correction unit 1001 adopts the unique pattern in this fault as a condition part, and generates a new rule using the fault factor information input by the maintenance person as a conclusion part. (Step S1102 (same as Step S203)). At the same time, the rule generation and correction unit 1001 defines the connection relation between components associated with the failure event of the unique pattern adopted as the condition unit in the rule, and registers the generated rule ID in the failure case database (step S1102). In the case of a past failure registered in the failure case database, if the combination of failure events defined in the condition part of the registered rule is different from the unique pattern extracted by the unique determination unit 102, the corresponding failure Are corrected and registered in the failure case database 1002 (step S1102 (same as step S203)). The following steps are the same as those in the first embodiment (for example, see FIG. 2).

Next, the processing flow of the pattern extraction and rule generation apparatus 1000, the monitoring target apparatus 300, the rule engine 330, and the maintenance person 360 according to this embodiment is shown in FIGS. 12, 13, 14A, 14B, and 14C. The description will be given with reference. Note that “*” described in FIG. 13 indicates the number of instances and means a numerical value of zero or more. Steps SA1 and SA2, steps SB1 to SB6, steps SC1 and SC2, steps SD1 to SD6, and SD8 to SD11 are the same as those in the first embodiment, and a description thereof will be omitted.
In step SD3, the pattern extraction and rule generation apparatus 1000 registers the specified failure factor information in the failure case database 1002 in association with the failure event, and then the correlation alarm registration unit 1003 stores the failure registered in the failure case database 1002. A failure event detected from a correlated device is extracted based on the connection relationship information defined in the component connection relationship, starting from the failure factor location included in the factor information (step SD21). Then, the failure event group extracted by the correlation alarm registration unit 1003 and the inter-component connection relationship used for extracting each failure event are overwritten and registered in the failure case database 1002 (step SD22).

  The unique determination unit 102 generates a combination of failure events including one or more failure events from the failure event group of this failure, registers the combination in the failure case database 1002 (step SD4), and sets all the failure events registered in the failure case database 1002 A combination of failure events unique to the failure is registered in the failure case database 1002 as a unique pattern (step SD5). Then, the rule generation and correction unit 1001 determines whether or not the rule needs to be corrected (step SD6).

  The rule generation and correction unit 1001 adopts a unique pattern as a condition part for this failure, and newly generates a rule using the failure factor information registered by the maintainer as a conclusion part. The rule generation and correction unit 1001 also defines, in the rule, the inter-component connection relationship associated with the unique pattern failure event adopted as the condition unit. For the modification of the existing rule, the unique pattern extracted by the rule generation and modification unit 1001 is adopted as a condition part, and overwritten and corrected together with the inter-component connection relation associated with the adopted failure event (step SD23). The subsequent steps SD8 and thereafter are the same as those in the first embodiment.

Steps SD21 and SD22 of FIG. 14B will be described with a specific example with reference to FIG.
The correlation alarm registration unit 1003 refers to the failure factor information registered in the failure case database 1002 and determines a failure factor location that is a starting point for the failure event extraction. In FIG. 15, the failure factor location corresponds to the device B. In this example, the device that is the failure factor and the device adjacent to the device are extracted as a failure event group (corresponding to the failure ID = x) (step SD21), and the failure ID of FIG. The failure event information is overwritten and registered (step SD22). In this example, a device having a correlation with a failure factor indicates a device adjacent to the device that is the failure factor. Therefore, in this example, (device ID, event type) = (D, d), (H, d) is not registered in the failure case database 1002.

Next, steps SD4 and SD5 in the pattern extraction and rule generation apparatus 1000 will be described with specific examples. This will be described with reference to FIGS. 16, 17 and 18.
A process in which the unique determination unit 102 extracts unique fault events for each fault from all fault events registered in the fault case database 1002 will be described with reference to FIG.
In the failure case database 1002, failure events are registered in association with each failure ID as shown in the upper left diagram. In this example, the failure event includes a device ID and an event type. First, the unique determination unit 102 generates a combination of failure events that can be taken by each failure. In this example, when the failure ID = 1, there are (device ID, event type) = (sw1, a), (sw2, b).

In the second embodiment, the failure case database 1002 associates the connection relationship of the inter-component connection relationship used for extraction with each failure event, and uses the failure event and the connection relationship associated with the failure event as a condition part. Rules are defined. Therefore, in the unique determination, if the event type of the failure event included in the unique pattern to be extracted is determined, the determination based on the rule using the failure factor information including the failure factor location as a conclusion part can be performed.
In the second embodiment, there are three combinations of failure events, only event type a (“a” in the figure), only event type b (“b” in the figure), event type a and event type b ( In the figure, “a, b”). For failure ID = 2, there are (device ID, event type) = (sw1, a), (sw3, c), and there are three combinations of a, c, and a and c.

  In other cases, when the failure event combination is failure ID = 1, sw1a, sw2b, and sw1a and sw2b in FIG. 7 are replaced with three pairs a and b, and a and b in FIG. Then, sw1a, sw3c, and three sets of sw1a and sw3c in FIG. 7 are replaced with three sets of a, c, and a and c in FIG. 16, respectively. Therefore, when the subsequent unique determination unit 102 extracts a unique pattern from the combination of failure events, as described with reference to FIG. 7, when the combination of failure events is a, the event group is set with other failure ID = 1. Becomes a and b, and the registration rate becomes 1/1 = 1.0. When the combination of failure events is c, the other failure ID = 1, the event groups are a, b, and the registration rate is 0/1 = 0.0. When the combination of failure events is a and c, the other failure ID = 1, the event groups are a and b, and the registration rate is 1/2 = 0.5.

  As described above, since the maximum registration rate is 0.0, the combination is c, and the unique pattern of failure ID = 2 in the example of FIG. 16 is c.

  Next, a case where failure IDs 1 and 2 are already registered in the failure case database 1002 and a failure ID = 3 newly occurs will be described with reference to FIG. The lower part of FIG. 17 shows the contents of the failure case database 1002 when a new failure occurs.

  Since the failure case database 1002 associates the connection relationship of the inter-component connection relationships used for the extraction with each failure event, the failure event database 1002 is similar to the case of the process of extracting a unique failure event in FIG. What is necessary is just to convert a combination as follows. That is, when failure ID = 1, three sets of sw1a, sw2b, and sw1a and sw2b are converted into three sets of a, b, and a and b, respectively, and when failure ID = 2, sw1a, sw3c, and sw1a and sw3c 3 What is necessary is just to convert a set into three sets of a, c, and a and c, respectively. Then, in the example of FIG. 17 as in the example of FIG. 8, even if a failure ID is newly added, the combination of previous failure IDs does not change. However, since the unique pattern of a certain failure ID is affected by all other failure IDs, the unique pattern of a certain failure ID may change as the number of failure IDs increases. For example, in the example of FIG. 17, the unique pattern with failure ID = 2 changes from c to a and c, while the unique pattern with failure ID = 1 remains b and does not change.

  The calculation of the unique pattern when there are three failure IDs described in the lower part of FIG. 17 will be described with reference to FIG. Also in this case, as in the case of FIGS. 16 and 17, the failure case database 1002 associates the connection relationship of the inter-component connection relationship used for extraction with each failure event. Similar to the process of extracting events, the combination of failure events may be converted as follows. That is, when failure ID = 1, three sets of sw1a, sw2b, and sw1a and sw2b are converted into three sets of a, b, and a and b, respectively, and when failure ID = 2, sw1a, sw3c, and sw1a and sw3c 3 Each set is converted into 3 sets of a, c, and a and c. When failure ID = 3, 3 sets of sw1c and sw3d, and sw1c and sw3d are converted into 3 sets of c, d, and c and d, respectively. That's fine.

  Then, since the maximum registration rate is 0.5, the combination is a and c, and the unique pattern of failure ID = 2 in the example of FIG. 18 is a and c.

  According to the second embodiment described above, the same effects as those of the first embodiment can be obtained. Further, in the pattern extraction and rule generation device of the second embodiment, the components used when extracting the failure event The inter-component connection relation associated with the failure event of the unique pattern that is registered in the fault case database in the form of linking the inter-connection relation to the respective fault events, and that is adopted as the condition part by the rule generation and correction unit 1001 The rule ID defined in the rule is registered in the failure case database. As described above, in the second embodiment, the connection relationship between the components is associated with each failure event, so that the combination of failure events can be expressed sufficiently only by the event type.

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Further, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, you may combine suitably the component covering different embodiment.

DESCRIPTION OF SYMBOLS 100, 1000 ... Pattern extraction and rule production | generation apparatus, 101 ... Failure event registration part, 102 ... Unique determination part, 103, 1001 ... Rule production | generation and correction part, 104 ... Past failure re-verification part, 105, 1002 ... Failure case database, 300 ... Monitoring target device, 330 ... Rule engine, 331 ... Fault event transmission / reception unit, 332 ... Network configuration information database, 333 ... Determination logic unit, 360 ... Maintenance person, 1003 ... Correlation alarm registration unit.

Claims (8)

For each failure, failure factor information including a failure factor location and a failure factor, a failure event caused by the failure, and a rule ID associated with a rule including a condition part and a conclusion part are registered in association with each other. A database,
All combinations of fault events for new faults that are new faults are generated, and it is determined that the combination is the least occurring from the combinations of fault events for new faults and past faults that are past faults. A unique judgment unit that extracts a unique pattern for each fault;
A pattern extraction and rule generation device comprising: a rule generation and correction unit that generates or corrects the rule according to a unique pattern corresponding to each failure.   The rule generation and correction unit adopts the unique pattern from which the new fault is extracted as a condition part of the rule, and adopts fault factor information specifying the true cause and its position as a conclusion part of the rule. The pattern extraction and rule generation device according to claim 1 which generates a rule.   For each failure, the failure factor information that is the result of re-determination by the rule engine for each failure based on the information of one or more failure events registered in the database does not match the failure factor information included in the database. 2. The pattern extraction and rule generation device according to claim 1, wherein a unique pattern different from the unique pattern extracted by the unique determination unit is extracted again, and the rule generation and correction unit adopts the unique pattern.   The rule generation and correction unit includes a combination of failure events defined in a condition part of a rule corresponding to the failure, wherein the unique pattern extracted by the unique determination unit corresponding to the failure registered in the database. The pattern extraction and rule generation device according to claim 1, wherein if different, the rule is corrected by overwriting a condition part of the rule with the unique pattern. For each failure, the failure factor information including the failure factor location and the failure factor, the failure event caused by this failure, and the rule ID associated with the rule including the condition part and the conclusion part are registered in association with the database. ,
All combinations of fault events are generated for each new fault that is a new fault, and the combination of fault events of a new fault and a fault event of a past fault that is a past fault is determined as the least occurring combination. Unique patterns are extracted for each fault,
A pattern extraction and rule generation method comprising: generating or correcting the rule according to a unique pattern corresponding to each failure.   Generating or modifying the rule adopts the extracted unique pattern of the new fault as a condition part of the rule, and uses fault factor information specifying the true cause and its position as a conclusion part of the rule. 6. The pattern extraction and rule generation method according to claim 5, wherein a new rule is generated.   For each failure, the failure factor information that is the result of re-determination by the rule engine for each failure based on the information of one or more failure events registered in the database does not match the failure factor information included in the database. 6. The pattern extraction and rule generation method according to claim 5, wherein a unique pattern different from the extracted unique pattern is extracted again, and the unique pattern is adopted in generating or correcting the rule.   The generation or modification of the rule means that the unique pattern extracted corresponding to the fault registered in the database is different from the combination of fault events defined in the condition part of the rule corresponding to the fault. 6. The pattern extraction and rule generation method according to claim 5, wherein the rule is corrected by overwriting a condition part of the rule with the unique pattern.