JP2021135541A - Model generator, model generation method, and model generation program - Google Patents

Abstract

To provide a model generator, a model generation method and a model generation program for generating a model to detect a point that is "different from a usual trend" in the time series of a business index that behaves unsteadily.SOLUTION: Provided is a model generator for generating a model to detect abnormality of business that is realized by a program that an analysis object system executes. The model generator: holds operation history information that indicates the program executed by the analysis object system and a time point when the program was executed, and starting work information that indicates starting work which can be a starting point of one or more programs, among the programs executable by the analysis object system, that execute a series of processes; divides the programs rearranged in sequence of time points indicated by the operation history information into program groups that begin with starting work; and calculates, for at least some of the program groups, the time-series data of statistical quantity in the operation history information that indicates an operating state, as said model.SELECTED DRAWING: Figure 4

Description

The present invention relates to a model generator, a model generator, and a model generator.

Companies have introduced IT systems to promote their business efficiently. Businesses often change according to the internal and external environment of the company, and if there is a gap between the business and the IT system, the system can become a hindrance to the business. As an example of this gap, because the IT system can only output the form in the old format, the staff manually posted it to the new format, and the required input items that are no longer used due to changes in the legal system etc. remain in the old format. There is an example of being there. Therefore, the system engineer who operates and maintains the system needs to grasp the change in the business by performing the business analysis and make the system follow the business.

As a technique for analyzing the operation history information of an IT system in business analysis, there are Japanese Patent Application Laid-Open No. 2008-225814 (Patent Document 1) and Japanese Patent Application Laid-Open No. 2008-146591 (Patent Document 2). The technique described in Patent Document 1 visualizes the work flow based on the update history information of the business database, and also visualizes the work amount of each work after designating the analysis period. The technique described in Patent Document 2 detects an abnormality in a computer from time-series data of monitoring items of the computer.

Japanese Unexamined Patent Publication No. 2008-225814 Japanese Unexamined Patent Publication No. 2008-146591

In the technique described in Patent Document 1, it is left to the user of the apparatus described in Patent Document 1 to capture changes such as "different from the usual tendency" from the visualized time series graph of the amount of work. In addition, as the number of operations to be analyzed increases, the number of time-series graphs that users read naturally increases, but Patent Document 1 does not disclose measures for efficiently performing analysis. In addition, update history information of a general business database is output at the program level. Preprocessing such as identifying the processing directly derived from the work of the system user and the internal processing of the application associated with the work and extracting only the former in advance is actually required. Pretreatment is not considered.

The technique described in Patent Document 2 implicitly assumes that the time series data of each monitoring item is stationary. In general, time-series data such as the amount of work of various operations in a company often shows non-stationary behavior because it has time-series characteristics such as seasonality. Therefore, the technique described in Patent Document 2 cannot appropriately detect a portion "different from the usual tendency", that is, an abnormality in such time series data.

Therefore, one aspect of the present invention is to generate a model for detecting a portion "different from the usual tendency" in the time series of the business index having non-stationary behavior.

In order to solve the above problems, one aspect of the present invention adopts the following configuration. A model generator that generates a model for detecting business abnormalities realized by a program executed by the analysis target system, including a processor and a memory, and the memory is a program executed by the analysis target system. And the operation history information indicating the time when the program was executed, and the start work which is a program that can be the starting point of one or more programs that execute a series of processes among the programs that can be executed by the analysis target system. Retaining the start work information shown, the processor divides the programs rearranged in the order of the time indicated by the operation history information into a program group starting with the start work, and includes the programs in the program group. A model generator that calculates time-series data of business indicators, which are statistics indicating the operation status in the operation history information, as the model for at least a part of the program group.

According to one aspect of the present invention, it is possible to generate a model for detecting a portion "different from the usual tendency" in a time series graph of a business index having non-stationary behavior.

Issues, configurations and effects other than those described above will be clarified by the following description of the embodiments.

It is a block diagram which shows the configuration example of the business abnormality detection system in Example 1. FIG. It is a block diagram which shows the functional structure example of the business abnormality detection apparatus in Example 1. FIG. This is an example of operation history information in the first embodiment. It is a flowchart which shows an example of the operation history information abstraction process in Example 1. FIG. It is a flowchart which shows an example of the start work information extraction processing in Example 1. FIG. This is an example of the transition information in the table format in the first embodiment. This is an example of transition information in graph format in the first embodiment. This is an example of information related to the execution programs in the first embodiment. This is an example of start work information in the first embodiment. It is explanatory drawing which shows an example of the process of dividing the sorted record group in Example 1. FIG. This is an example of abstract operation history information in the first embodiment. It is a flowchart which shows an example of the business index time series data generation processing in Example 1. FIG. It is a table which shows the daily average of the working hours of the practical work "B" in Example 1. It is a table which shows the daily total of the number of times of work of the practical work "B" in Example 1. It is a flowchart which shows an example of the estimated time series data generation processing in Example 1. FIG. It is a flowchart which shows an example of the abnormality determination processing in Example 1. FIG. This is an example of a business abnormality display screen in the first embodiment.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In the present embodiment, in principle, the same components are designated by the same reference numerals, and the repeated description will be omitted. It should be noted that the present embodiment is merely an example for realizing the present invention and does not limit the technical scope of the present invention.

FIG. 1 is a block diagram showing a configuration example of a business abnormality detection system. The business abnormality detection system includes an analysis target system 100 and a business abnormality detection device 300. The analysis target system 100 is an IT (Information Technology) system that is a target of business analysis, and is, for example, an ordering management system, an invoicing system, a sales management system, an inventory management system, an accounting / financial system, or a store management system. And so on.

The analysis target system 100 includes a plurality of terminals 102 and a server 104 operated by the user. Each of the terminals 102 is communicably connected to the server 104 via a communication network 103 (for example, the Internet, a public communication network, or a dedicated line). The server 104 executes a program and provides a service (business) to the terminal 102 via the communication network 103.

The server 104 manages the operation history information 200 indicating the operation history of the server 104, which is generated when the service is provided. The business abnormality detection device 300 analyzes the analysis target system 100 based on the operation history information 200 generated by the server 104, and acquires information on changes in business in the analysis target system 100.

The business abnormality detection device 300 includes, for example, a computer including a processor 11, a memory 12, an auxiliary storage device 13, an input device 14, an output device 15, and a communication device 16. Although not shown, these are connected to each other so as to be able to communicate with each other via a communication means such as a bus.

The processor 11 is composed of, for example, a CPU (Central Processing Unit) and an MPU (Micro Processing Unit). When the processor 11 executes the program stored in the memory 12, various functions of the business abnormality detection device 300 are realized.

The memory 12 stores programs and data. The memory 12 includes, for example, a ROM (Read Only Memory) which is a non-volatile storage element, a non-volatile semiconductor memory (NVRAM (Non Volatile RAM)), a RAM (Random Access Memory) which is a volatile storage element, and the like. ..

The ROM stores an invariant program (for example, BIOS (Basic Input / Output System)) and the like. The RAM is a high-speed and volatile storage element such as a DRAM (Dynamic Random Access Memory), and temporarily stores a program executed by the processor 11 and data used when the program is executed.

The auxiliary storage device 13 includes, for example, a hard disk drive, an SSD (Solid State Drive), an optical storage device (CD (Compact Disc), DVD (Digital Versaille Disc), etc.), a storage system, an IC card, an SD memory card, or an optical type. It is a large-capacity, non-volatile storage device such as a reading / writing device for a recording medium such as a recording medium and a storage area for a cloud server, and stores a program executed by the processor 11 and data used when the program is executed.

That is, the program is read from the auxiliary storage device 13, loaded into the memory 12, and executed by the processor 11. The auxiliary storage device 13 may be connected to the business abnormality detection device 300 via a communication means such as network storage.

The business abnormality detection device 300 may have an input interface and an output interface, and the input interface is an input that is a user interface that accepts external inputs such as a keyboard, a mouse, a touch panel, and a reader of a portable recording medium. The device 14 is connected.

The output interface outputs various information such as program execution progress and execution results of, for example, a screen display device (LCD (Liquid Crystal Display), graphic card, etc.), a printing device, a writing device for a portable recording medium, and the like. The output device 15 which is the user interface to be used is connected.

The business abnormality detection device 300 may input / output information to / from another device via the communication device 16, that is, the communication device 16 functions as an input device 14 or an output device 15. May be good. The communication device 16 is a wired or wireless communication interface that controls communication with another device according to a predetermined protocol, and is, for example, a NIC (Network Interface Card), a wireless communication module, or the like.

The program executed by the processor 11 is provided to the business abnormality detection device 300 via a removable medium (CD-ROM, flash memory, etc.) or a network, and is stored in the non-volatile auxiliary storage device 13 which is a non-temporary storage medium. NS. Therefore, the business abnormality detection device 300 may have an interface for reading data from the removable media.

Although not shown, the terminal 102 and the server 104 are also configured by a computer including, for example, a processor, a memory, an auxiliary storage device, an input device, an output device, and a communication device, similarly to the business abnormality detection device 300. Will be done.

Each device included in the business abnormality detection system is a computer system composed of physically one computer or a plurality of computers logically or physically configured, and is on the same computer. It may run in a separate thread, or it may run on a virtual computer built on multiple physical computer resources.

FIG. 2 is a block diagram showing a functional configuration example of the business abnormality detection device 300. The business abnormality detection device 300 is, for example, a functional unit, and includes an operation history information abstraction unit 310, a business index time series data generation unit 320, an estimated time series data generation unit 340, and an abnormality included in the processor 11. It has a determination unit 350 and.

The operation history information abstraction unit 310 abstracts the operation history information 200 output at the granularity of the execution program for the operation history information 200 of the analysis target system 100 to the granularity of the work of the user of the analysis target system 100.

The business index time-series data generation unit 320 generates time-series data of the business index, which is an index indicating the business operation status, based on the operation history information abstracted by the operation history information abstraction unit 310. The estimated time series data generation unit 340 generates the estimated time series data of the business index based on the business index time series data. The abnormality determination unit 350 compares the estimated time series data generated by the estimated time series data generation unit 340 with the business index time series data generated by the business index time series data generation unit 320 to determine the presence or absence of a business abnormality. do.

For example, the processor 11 functions as the operation history information abstraction unit 310 by operating according to the operation history information abstraction program loaded in the memory 12, and operates according to the business index time series data generation program loaded in the memory 12. By doing so, it functions as a business index time-series data generation unit 320. The same applies to the relationship between the program and other functional units included in the processor 11.

In addition, a part or all of the functions by the functional part included in the business abnormality detection apparatus 300 may be realized by hardware such as ASIC (Application Specific Integrated Circuit) and FPGA (Field-Programmable Gate Array).

It also holds business index time series data 330. The business index time series data 330 is stored in the memory 12 or the auxiliary storage device 13. The business index time series data 330 holds the business index time series data generated by the business index time series data generation unit 320.

FIG. 3 is an example of the operation history information 200. In the present embodiment, the information used by the business abnormality detection system may be represented by any data structure regardless of the data structure. In this embodiment, the information is expressed in a table format, but for example, a data structure appropriately selected from a list, a database, or a queue can store the information.
The operation history information 200 shows the execution history of the program executed in the server 104 starting from the operation by the user of the analysis target system 100 using the terminal 102.

FIG. 3 is an example of the operation history information 200. The operation history information 200 includes, for example, a user column 201, a session column 202, an execution program column 203, and a time column 204. The user field 201 holds an identifier that identifies the user who operated the terminal 102 when the session was executed. The session field 202 holds an identifier that identifies the session that was executed. The execution program column 203 holds the identifier of the executed program. The time field 204 holds the time 204 when the program indicated by the execution program field 203 is executed.

A session consists of a program executed by a series of operations by the same user. That is, a session consists of one or more programs that are executed consecutively based on the operation of the same user. Therefore, if the input user that is the starting point for executing the session is different, the session identifier will be different. The session identifier is assigned by the server 104 when the user requests the server 104 to provide a service by using the terminal 102. A session is generally used as a mechanism for managing service provision requests of individual users in a service used by a plurality of users at the same time, such as a Web application system.

FIG. 4 is a flowchart showing an example of the operation history information abstraction process. The operation history information abstraction process may be started at an arbitrary timing, and specifically, for example, it may be started periodically (for example, daily before the start of the analysis target system 100), or a business abnormality. It may be started at the timing when the user of the detection device 300 starts using it.

First, the operation history information abstraction unit 310 extracts start work information from the operation history information 200 transmitted from the server 104 (S110). The start work is an execution program (which can be the starting point of one or more programs for executing a series of processes) that is a break between the works, and examples thereof include a program that calls a business menu.

FIG. 5 is a flowchart showing an example of the start work information extraction process in step S110. The operation history information abstraction unit 310 selects one unselected session from the sessions included in the operation history information 200, and extracts a record in which the value in the session column 202 is the selected session (S111).

The operation history information abstraction unit 310 sorts the records extracted in step S111 in ascending order of the time indicated by the time 204 column (S112), extracts the transition information, and updates it (S113). The transition information is an execution order obtained by sorting in step S112 of the program indicated by the execution program column 203 in the record group.

6A and 6B are examples of transition information. FIG. 6A is an example of transition information in a table format, and FIG. 6B is an example of transition information in a graph format. It is assumed that the program B is executed next to the program A in the record group sorted in step S112. At this time, if the transition information is stored in the table format of FIG. 6A, the operation history information abstraction unit 310 transitions the program A as the execution program before the transition as in the first row of the table of FIG. 6A. Program B is associated and stored as a later execution program. Further, at this time, if the transition information is stored in the graph format of FIG. 6A, the operation history information abstraction unit 310 generates a node indicating the program A and a node indicating the program B, and indicates the program A. Generate an edge from the node to the node showing program B.

The operation history information abstraction unit 310 determines whether or not there is an unselected session in the operation history information 200 (S114). When the operation history information abstraction unit 310 determines that there is an unselected session (S114: YES), the operation history information abstraction unit 310 returns to step S111 and executes the processes of steps S112 and S113 for the newly selected session.

When all the sessions of the operation history information 200 have been selected (S114: NO), the operation history information abstraction unit 310 indicates the number of types of execution programs before the transition and the transition for each execution program included in the transition information. The number of types of execution programs to be executed later and the number of types are totaled (S115). Hereinafter, this information indicating the number of types of execution programs before the transition and the number of types of execution programs after the transition for each execution program is also referred to as inter-execution program-related information.

FIG. 7 is an example of information related to the execution programs. According to the transition information of FIG. 6B, for example, the transition from the program A to the program B, the program C, or the program D is possible. Therefore, in the inter-execution program-related information in FIG. 7, the number of program types after the transition of the program A is 3.

Further, according to the transition information of FIG. 6B, the programs that can transition to the program A are the program S and the program G. Therefore, in the inter-execution program-related information in FIG. 7, the number of program types before the transition of the program A is 2.

Returning to the description of FIG. Following step S115, the operation history information abstraction unit 310 extracts an execution program in which the number of types of execution programs before and after the transition is greater than 1 from the information related to the execution programs (S116). Finally, the operation history information abstraction unit 310 adds order information to the execution program extracted in step S116 from the appearance order and process (processing) model of the execution program extracted in step S116 (S117).

The method of estimating the process model from the operation history data such as the log of the IT system is called process mining, and for example, the α (alpha) algorithm is well known. Since the operation history information abstraction unit 310 can clarify the processing structure (processed in parallel, branched, etc.) of the execution program extracted in step S116 by using the above process model, step S116 The order relationship of the execution programs extracted in step 3 can be extracted.

FIG. 8 is an example of start work information obtained as a result of the processing in step S110. The start work information in FIG. 8 shows a program indicating the start work and an order relationship between the programs. For example, in step S116, the operation history information abstraction unit 310 extracts execution programs “R”, “A”, and “H” as start work from the inter-execution program-related information of FIG. 7.

Then, since the operation history information abstraction unit 310 can specify that "R" and "A" and "R" and "H" are processed in this order by the above process model, FIG. In the start work information of, a record in which "R" is the first place and "A" is the second place, and a record in which "R" is the first place and "H" is the second place are added. Since the operation history information abstraction unit 310 has identified that there is no order relationship between "A" and "H" by the above process model, the start work information in FIG. 8 is "A" and "H". Does not include records indicating the order of.

For example, in order to execute the start work having a lower rank in the order relation, it is necessary to execute the start work having a higher rank in the order relation. That is, in the example of FIG. 8, since there is an order relation in which "R" is the first place and "A" is the second place, "A" may not be executed without "R" being executed. No.

In the example of FIG. 8, the order indicated by the start work information consists of only two ranks, the first rank and the second rank, but the ranks of the third rank and below may be defined, and only the first rank may be defined. It may consist of (ie, an order relationship is not defined). Further, the number of ranks may be different for each record of start work information. The start work information may be stored in the auxiliary storage device 13 or may be temporarily stored in the memory 12. Further, since the start work information may be identifiable from the information described in the specifications of the analysis target system 100, for example, the start work information may be directly input by the user of the business abnormality detection device 300 or the business abnormality detection device. The start work information may be generated by the 300 reading the information in the specifications.

Returning to the description of FIG. Following the process in step S110, the operation history information abstraction unit 310 selects one unselected session in step S120, and extracts a record from the operation history information 200 in which the value in the session column 202 is the selected session. (S120).

The operation history information abstraction unit 310 sorts the records extracted in step S120 in ascending order of the time in the time 204 column (S130). The operation history information abstraction unit 310 divides the record group obtained in the process S130 in order from the execution program higher in the start work information obtained in step S110 (S140). The operation history information abstraction unit 310 generates abstract operation history information from the record string divided in step S140 (S150). The abstract operation history information may be stored in the auxiliary storage device 13 or may be temporarily stored in the memory 12.

The operation history information abstraction unit 310 determines whether or not there is an unselected session in step S120 (S160). When the operation history information abstraction unit 310 determines that there is an unselected session (S160: YES), the process proceeds to step S120, and when it is determined that all the sessions have been selected (S160: NO), the operation history information abstraction unit 310 operates. End the history information abstraction process.

FIG. 9 is an explanatory diagram showing an example of a process of dividing the sorted record group. The table shown in FIG. 9 contains only the records for session "S001", and these records are sorted in ascending order of time. According to the start work information of FIG. 8, the programs "R", "A", and "H" are start work, and the order in which "R" is the first place and "A" is the second place, and "R" There is an order in which the first place "H" is the second place.

For example, in step S140, the operation history information abstraction unit 310 divides the record group at the first start operation. That is, the operation history information abstraction unit 310 divides the record group so that the record group starting with the start work "R" is created. Then, the operation history information abstraction unit 310 divides the record group by the start work of the second place, which is lower than the first place. That is, the operation history information abstraction unit 310 further divides the record group starting with the start work "R" so that the record group starting with the start work "A" or "H" can be formed.

FIG. 10 is an example of abstract operation history information. The abstract operation history information 250 includes, for example, a practical work column 251, a start time column 252, a user column 253, and a work time column 254. The practical work column 251 shows a representative program of the record group divided in step S140. Specifically, for example, the record next to the start work (that is, the second record) in the record group divided in step S140 is stored in the work work column 251 as the work work in the record group.

In step S150, the operation history information abstraction unit 310 has the lowest order in the start work information (however, if the number of ranks is different for each record of the start work information, the order in each record is the lowest. ) Only the record group The record next to the start work may be stored in the work work column 251 as the work work in the record group.

The start time field 252 holds the time of the first record of the record group divided in step S140. The user field 253 holds the user of the first record. The work time column 254 holds the difference between the time of the first record of the record group divided in step S140 and the time of the last record of the record group (that is, the program immediately before the next start work). ..

In the example of FIG. 9, there are three record groups starting with the program "A" as the start work of the second place (lowest rank). Since the programs executed after "A" in the three record groups are "B", "C", and "D", respectively, "B" is displayed in the practical work column 251 of the abstract operation history information 250. , "C", "D" are stored.

Then, for example, for the practical work "B", the time of the start work "A" executed immediately before "B" is in the start time column 252, and the user name for executing "B" is in the user column 253. , The difference between the time of "A" executed immediately before "B" and the time of "G" which is the last program of the record group including this "B" is stored in the working time column 254, respectively. NS.

FIG. 11 is a flowchart showing an example of business index time series data generation processing. The business index time-series data generation process starts when the operation history information abstraction process of FIG. 4 is completed. First, the business index time series data generation unit 320 selects one unselected practical work included in the abstract operation history information 250, and abstracts the record in which the value in the practical work column 251 is the selected practical work. Extract from information 250 (S210).

The business index time-series data generation unit 320 calculates the daily total of the number of operations (that is, the total number of records by day) for the record group extracted in step S210, and stores it in the business index time-series data 330 ( S220). The business index time-series data generation unit 320 calculates the daily average of the work hours shown in the work time column 254 for the record group extracted in step S210, and stores it in the business index time-series data 330 (S230).

The daily total of the number of work operations and the daily average of the work hours are both statistics showing the operating status of the practical work, and are therefore examples of business indicators. In addition to or in place of the business index calculated in steps S220 and S230, other statistics of practical work included in the abstract operation history information 250 may be calculated.

The business index time series data generation unit 320 determines in step S210 whether or not there is unselected practical work (S240). When the business index time series data generation unit 320 determines that there is unselected practical work (S240: YES), it transitions to step S210 and determines that all the practical work has been selected (S240: NO). ), End the operation history information abstraction process.

12A and 12B are both examples of business index time series data 330. The business index time series data 330 may be represented by a plurality of tables as shown in FIGS. 12A and 12B, or may be represented by one table, as long as it can be managed for each combination of the business work and the business index.

The business index time-series data 330 of FIG. 12A is a table showing the daily average of the work hours of the practical work “B”, and the business index time-series data 330 of FIG. 12B is the number of work of the practical work “B”. It is a table showing the daily total of.

FIG. 13 is a flowchart showing an example of the estimated time series data generation process. The estimated time-series data generation process may be started at an arbitrary timing, for example, it may be started at the timing when the user of the business abnormality detection device 300 starts using the data.

The estimation time series data generation unit 340 acquires the business index time series data 330, and estimates the parameters of the time series model from the acquired business index time series data (S310). For example, an auto-regressive model or a statistical model called a state-space model, which can handle time-series data, can be used as the time-series model.

The estimation time series data generation unit 340 determines whether or not there are a plurality of time series model candidates (S320). The time series model candidate is stored in the auxiliary storage device 13 in advance, or is described in advance in the estimated time series data generation program, for example. When the estimation time series data generation unit 340 determines that there are a plurality of time series model candidates (S320: YES), the estimation time series data generation unit 340 estimates the parameters for the time series models other than the time series model for which the parameters were estimated in step S310. (S330).

The estimated time-series data generation unit 340 calculates an information criterion for each of the plurality of time-series models whose parameters have been estimated in steps S310 and S320, and represents the time-series model having the smallest calculated information criterion. Determined as a series model (S340). The information criterion is an index for evaluating the goodness of the statistical model, and for example, there is Akaike Information criterion.

Next, the estimated time series data generation unit 340 calculates the estimated time series data by setting the estimated parameters of the representative time series model in the representative time series model, and the calculated estimated time series data is used as the abnormality determination unit. It is transmitted to 350 (S350), and the estimated time series data generation process is completed.

When the estimation time series data generation unit 340 determines that there is only one time series model candidate, that is, only the time series model whose parameters are estimated in step S310 exists as a candidate (S320: NO), the said time series data generation unit 340. After deciding the time series model as the representative time series model, the process proceeds to step S350.

FIG. 14 is a flowchart showing an example of the abnormality determination process. The abnormality determination process starts when the estimated time series data generation process ends (that is, the abnormality determination unit 350 receives the estimated time series data).

The abnormality determination unit 350 acquires the actual time series data X (t) corresponding to the received estimated time series data X'(t) from the business index time series data 330 (S410). Here, the actual time-series data X (t) corresponding to X'(t) is the actual time-series data of the abnormality determination target in which the practical work of X'(t) and the business index are the same.

Next, the abnormality determination unit 350 calculates the difference between the estimated time series data X'(t) and the actual time series data X (t) (hereinafter referred to as residual and referred to as R (t)) ( S420). The abnormality determination unit 350 calculates the average value of the residuals (hereinafter referred to as μ) and the standard deviation (hereinafter referred to as σ) calculated in step S420 (S430).

The abnormality determination unit 350 normalizes the residual using μ and σ (S440). For example, the normalized residual is a (t) = (R (t) −μ) / σ, which is also referred to as an abnormality degree. The abnormality determination unit 350 determines that there is a business abnormality when it is determined that there is a time t in which the absolute value of the degree of abnormality exceeds a predetermined threshold value (for example, 3 is often set by convention, but is not limited to this). (S450), and the abnormality determination process is terminated. When the abnormality determination unit 350 determines in step S450 that there is a business abnormality, the abnormality determination unit 350 displays the display screen shown in FIG. 15 on the output device 15.

By the above processing, the business abnormality detection device 300 can present a part "different from the usual tendency" in the time series of the business index showing the non-stationary behavior of the analysis target system 100, and by extension, the analysis target system 100. The system engineer who operates and maintains the system can notice the change in the business executed by the analysis target system 100, and can efficiently carry out the business analysis.

FIG. 15 is an example of a business abnormality display screen. The display screen 900 includes, for example, a work time tab 901 and a work count tab 906. That is, the display screen 900 includes a tab of the business index used for the estimated time series data received by the abnormality determination unit 350, and the business abnormality of the business index can be displayed by switching the tab. In the example of FIG. 15, the working time tab 901 is selected.

The display screen 900 displays the processing results of the estimated time-series data generation processing and the abnormality determination processing for the time-series data of the combination of all the practical work and the business index stored in the business index time-series data 330. Further, the display screen 900 includes, for example, a practical work column 902, a maximum abnormality degree column 903, an abnormality detection number column 904, and a check box 905. In the practical work column 902, the practical work in which the abnormality determination unit 350 has detected a business abnormality is displayed.

In the maximum abnormality degree column 903, the maximum abnormality degree of the business abnormality calculated by the abnormality determination unit 350 is displayed for each practical work. In the abnormality detection number column 904, the number of detections of business abnormalities detected by the abnormality determination unit 350 (that is, the number of times the abnormality degree exceeds a predetermined threshold value) is displayed for each practical work. When the check box 905 is selected, the records in the table including the practical work column 902, the maximum abnormality degree column 903, and the abnormality detection number column 904 can be rearranged. In the example of FIG. 15, since the "Max (abnormality)" check box is checked, the records in the table are sorted in descending order of the value in the maximum abnormality column 903.

The user of the business abnormality detection device 300 of this embodiment can discover a business abnormality without checking a large amount of time-series data stored in the business index time-series data 330 one by one. Further, on the display screen 900, the business abnormalities detected can be sorted according to the purpose of the business analysis, so that the user of the business abnormality detection device 300 can start the detailed investigation from the business abnormality having a high priority, which is efficient. Business analysis can be carried out. In the above-described embodiment, for example, the business abnormality detection device 300 may be constructed by a single computer or as a client-server system. When the business abnormality detection device 300 is constructed as a client-server system, for example, the server executes the main processing of the business abnormality detection device 300, and the client executes the display processing.

Further, the specific values in the above-described embodiment are merely examples for explanation, and are not limited to these values. Further, in the present embodiment, the business abnormality detection device 300 detects the business abnormality of the analysis target system 100 that performs the business, but may detect an abnormality in a series of processes executed by any system.

Further, in the above-described embodiment, the business abnormality detection device 300 generates estimated time-series data which is a reference model for detecting the business abnormality, and detects the business abnormality using the generated estimated time-series data. The model generation device independent of the business abnormality detection device 300 may perform the estimated time series data generation processing, and the business abnormality detection device 300 may detect the business abnormality using the estimated time series data received from the model generation device.

The present invention is not limited to the above-described examples, and includes various modifications. For example, the above-described embodiment has been described in detail in order to explain the present invention in an easy-to-understand manner, and is not necessarily limited to those having all the described configurations. It is also possible to replace a part of the configuration of one embodiment with the configuration of another embodiment, and it is also possible to add the configuration of another embodiment to the configuration of one embodiment. Further, it is possible to add / delete / replace a part of the configuration of each embodiment with another configuration.

Further, each of the above configurations, functions, processing units, processing means and the like may be realized by hardware by designing a part or all of them by, for example, an integrated circuit. Further, each of the above configurations, functions, and the like may be realized by software by the processor interpreting and executing a program that realizes each function. Information such as programs, tables, and files that realize each function can be stored in a memory, a hard disk, a recording device such as an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.

In addition, control lines and information lines are shown as necessary for explanation, and not all control lines and information lines are necessarily shown in the product. In practice, it can be considered that almost all configurations are interconnected.

11 Processor, 12 Memory, 13 Auxiliary Storage Device, 14 Input Device, 15 Output Device, 100 Analysis Target System, 200 Operation History Information, 250 Abstract Operation History Information, 300 Business Abnormality Detection Device, 310 Operation History Information Abstraction Unit, 320 Business index time series data generation unit, 330 Business index time series data, 340 Estimated time series data generation unit, 350 Abnormality judgment unit

Claims (10)

It is a model generator that generates a model for detecting business abnormalities realized by a program executed by the system to be analyzed.
Including processor and memory
The memory is
Operation history information indicating the program executed by the analysis target system, the time when the program was executed, and
Among the programs that can be executed by the analysis target system, the start work information indicating the start work, which is a program that can be the starting point of one or more programs that execute a series of processes, is retained.
The processor
The programs sorted in the order of the time indicated by the operation history information are divided into a group of programs starting with the start work.
A model generation device that calculates, as the model, time-series data of business indexes, which are statistics indicating the operation status in the operation history information, for at least a part of the program groups included in the program group. The model generator according to claim 1.
The start work information indicates the order in which the start work can be performed.
The at least a part of the program group is a model generation device in which the start work having the lowest execution order indicated by the start work information is the first program group. The model generator according to claim 1.
The business index is the number of times of execution of the at least a part of the program group in the operation history information for each predetermined length period, and in the operation history information of the at least a part of the program group in a predetermined length period. A model generator that includes at least one of the execution times. The model generator according to claim 1.
The processor
For each of the programs sorted in the order of the time indicated by the operation history information, a program having a plurality of types of other programs that can be executed immediately before and immediately after the execution of the program is specified.
A model generator that determines the specified program as the start work and stores it in the start work information. The model generator according to claim 1.
The memory holds the abnormality detection target history information indicating the program executed by the analysis target system and the time when the program was executed during the abnormality detection target period.
The processor
The programs rearranged in the order of the time indicated by the abnormality detection target history information are divided by the start work to generate an abnormality detection target program group starting from the start work.
The time-series data of the business index of the abnormality detection target program group in the operation history information is generated as the abnormality detection target time-series data.
A model generation device that compares the model with the time-series data of the abnormality detection target, and determines whether or not an abnormality has occurred in the operating status of the programs of the abnormality detection target program group during the abnormality detection target period. The model generator according to claim 5.
The processor
The residual of the model and the time series data to be detected by the abnormality is calculated.
Using the average value and standard deviation of the residuals, the degree of anomaly obtained by normalizing the residuals was calculated.
A model generation device that determines that the abnormality has occurred when there is a period in which the degree of abnormality is equal to or higher than a predetermined threshold value in the abnormality detection target period. The model generator according to claim 6.
Connected to the display device,
When the processor determines that the abnormality has occurred, the information indicating the detection target program group in which the abnormality has occurred, the maximum value of the abnormality degree, and the period during which the abnormality degree is equal to or more than the predetermined threshold value. And, a model generator that outputs to the display device. The model generator according to claim 7.
When the processor determines that the abnormality has occurred, the program of the detection target program group in which the abnormality has occurred is described in the order of increasing or decreasing the total number of periods during which the abnormality degree is equal to or higher than a predetermined threshold value. A model generator that outputs to the display device. The model generation device is a model generation method that generates a model for detecting business abnormalities realized by a program executed by the analysis target system.
The model generator includes a processor and a memory.
The memory is
Operation history information indicating the program executed by the analysis target system, the time when the program was executed, and
Among the programs that can be executed by the analysis target system, the start work information indicating the start work, which is a program that can be the starting point of one or more programs that execute a series of processes, is retained.
The model generation method is
The processor divides the programs sorted in the order of the time indicated by the operation history information into a group of programs starting with the start operation.
A model generation method in which the processor calculates time-series data of a business index, which is a statistic indicating an operation status in the operation history information, as the model for at least a part of the program groups included in the program group. It is a model generation program that causes the model generation device to execute the process of generating the model for detecting the business abnormality realized by the program executed by the analysis target system.
The model generator includes a processor and a memory.
The memory is
Operation history information indicating the program executed by the analysis target system, the time when the program was executed, and
Among the programs that can be executed by the analysis target system, the start work information indicating the start work, which is a program that can be the starting point of one or more programs that execute a series of processes, is retained.
The model generator
A process of dividing the programs sorted in the order of the time indicated by the operation history information into a group of programs starting from the start work, and
A model in which the processor executes a process of calculating time-series data of a business index, which is a statistic indicating an operation status in the operation history information, as the model for at least a part of the program groups included in the program group. Generation program.

Images