JP5690690B2 - Abnormality detection device, abnormality detection method, and abnormality detection program - Google Patents

Description

The present invention, abnormal detecting device, a malfunction detection method, and the abnormality detecting program.

  Baseline analysis is known as a technique for detecting a failure of a device connected to a network. For example, in Patent Document 1, a temporal objective function that correlates with anomalies is derived from current real-time performance data obtained from a network, and a temporal variation of the objective function is performed from historical performance data obtained from the network. A maximum threshold is derived, and the objective function derived from the current real-time performance data is compared with the maximum threshold at the time corresponding in time to the time associated with the current real-time performance data. A baseline analysis method is described that determines that an anomaly exists when an objective function derived from real-time performance data indicates that it is greater than a maximum threshold for a longer period of time.

JP 2001-057555 A

  However, the fault detection method using the baseline analysis according to the prior art has been used for the purpose of detecting a silent fault that is not detected as an error. Therefore, in the prior art, information regarding whether or not a silent failure has occurred during baseline analysis has not been used. Further, in the prior art, mechanical statistical processing is performed in which the measured values of the data of each device are compared with the baseline every time span at regular intervals. Therefore, in the prior art, the time span setting at the time of detection does not match the time span at the time of failure occurrence, and the baseline serving as a reference for the normal value is generated including the value at the time of abnormality. Therefore, the reliability of the baseline was not certain. In other words, there is a problem that the abnormality may not be detected.

The present invention has been made in view of the above, that can abnormality detection reliably abnormal detecting device, to provide an abnormality detection method, and the abnormality detecting program.

(1) The present invention has been made to solve the above-described problems, and one aspect of the present invention is a measurement value representing an operation status of the monitored system other than the failure occurrence period of the monitored system. A baseline generation apparatus comprising a baseline generation unit that extracts a measurement value and generates baseline information indicating a normal range of the measurement value based on the extracted measurement value.

(2) Further, according to one aspect of the present invention, a measurement value other than a failure period of the monitored system is extracted from measurement values representing an operation state of the monitored system, and the measurement is performed based on the extracted measurement value. A baseline generation unit that generates baseline information indicating a normal range of values, an operation history storage unit that stores information related to an operation on the monitored system, and a failure period extraction unit that determines a failure period based on the information related to the operation And an abnormal value determination unit that determines whether or not the measured value measured during the failure period is an abnormal value based on the baseline information.

(3) Further, according to one aspect of the present invention, in the abnormality detection device, the failure period extraction unit is information corresponding to information input from an operator, and is based on the information related to the operation. It is characterized by determining a period.

(4) Further, according to one aspect of the present invention, in the abnormality detection apparatus, the monitoring target system includes a plurality of devices, and the measurement values are measurement values for a plurality of measurement items, and the base The line generation unit generates baseline information regarding each of the measurement items, and the abnormality detection device generates an abnormality from the plurality of devices based on the measurement item of the measurement value determined to be the abnormal value. It is characterized by comprising an abnormal device detection unit for detecting a device that is connected.
(5) Further, according to one aspect of the present invention, in the method in the baseline generation apparatus, the baseline generation apparatus has a measured value representing an operation state of the monitored system other than the failure occurrence period of the monitored system. A baseline generation method characterized by having a baseline generation step of extracting a measurement value and generating baseline information indicating a normal range of the measurement value based on the extracted measurement value.
(6) Further, according to one aspect of the present invention, a measurement value other than a failure occurrence period of the monitoring target system is extracted from the measurement values indicating the operation status of the monitoring target system in a computer of the baseline generation device, It is a baseline generation program for executing a baseline generation procedure for generating baseline information indicating the normal range of the measurement values based on the extracted measurement values.

  According to the present invention, abnormality can be reliably detected.

It is a key map of a failure detection system concerning this embodiment. It is a schematic block diagram which shows the structure of the failure detection apparatus which concerns on this embodiment. It is a flowchart which shows an example of the operation | movement of operation information collection which concerns on this embodiment. It is the schematic which shows an example of the operation information which concerns on this embodiment. It is a flowchart which shows an example of operation | movement of the measured value collection which concerns on this embodiment. It is the schematic which shows an example of the operation information which concerns on this embodiment. It is the schematic which shows an example of the failure period information table which concerns on this embodiment. It is a flowchart which shows the baseline production | generation process which concerns on this embodiment. It is the schematic which shows an example of the baseline table which concerns on this embodiment. It is the schematic which shows an example of the abnormal value failure location correspondence table which concerns on this embodiment. It is a flowchart which shows the fault location specific process which concerns on this embodiment.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
FIG. 1 is a conceptual diagram of a failure detection system 1 according to the present embodiment. In the illustrated example, the failure detection system 1 includes a monitoring target network 10, network devices 11 a to 11 e, an input / output device 12, and a failure detection device 13.
The monitoring target network 10 is a network to which the failure detection system 1 detects a failure. The monitored network 10 is a home LAN (Local Area Network), a LAN provided by a network provider, a WAN (Wide Area Network), or the like. The monitoring target network 10 includes network management devices such as a gateway GW, a router RT, a switch SW, and a hub Hub, and network devices 11a to 11e such as general PCs (each also referred to as a network device 11). The gateway GW, the router RT, the switch SW, and the hub Hub output measurement value information to the monitoring target network 10. The measurement value information includes measurement value content information (measurement items and measurement values) such as UPnP (Universal Plug and Play) information, SNMP (Simple Network Management Protocol) information, DHCP (Dynamic Host Configuration Protocol) information, and the like. Measurement time information indicating the measured time (also referred to as measurement time) is included.

  The network devices 11a to 11e (each also referred to as a network device 11) are electronic devices connected to the monitoring target network 10 via a network interface. The network device 11 outputs operation information and measurement value information to the monitoring target network 10 via the network interface. Here, the operation information is information output from the network device 11 due to an operation performed on the network device 11 by a user. The operation information includes operation time information indicating the time when the operation was performed, operation content information indicating the operation content, and operation status information indicating whether an error has occurred as a result of the operation.

  The input / output device 12 includes an input device such as a keyboard and a touch panel and an output device such as a display. The input / output device 12 is connected to the failure detection device 13. The input / output device 12 receives failure occurrence information including the time when the failure occurred from an operator or user (hereinafter referred to as an operator) of the support center. The input / output device 12 displays a location where a failure has occurred and a countermeasure for the failure.

The failure detection device 13 collects operation information and measurement value information from the monitoring target network 10. The failure detection device 13 records the collected history of operation information and history of measurement value information. The failure detection device 13 extracts a failure period, which is a time when a failure has occurred, based on the failure occurrence information input from the input / output device 12 and the history of recorded operation information. The failure detection device 13 generates a baseline using measurement value information at a measurement time other than the extracted failure period.
This baseline is obtained by arranging, in time series, numbers obtained by counting items having the same or similar measurement items at a predetermined time.
The failure detection device 13 compares the base line generated in advance with the communication status at the time of failure occurrence, and determines a communication abnormality location. The failure detection device 13 causes the input / output device 12 to display the determined result.

FIG. 2 is a schematic block diagram showing the configuration of the failure detection apparatus 13 according to this embodiment.
In the illustrated example, the failure detection apparatus 13 includes an operation information collection unit 101, an input unit 102, an operation history DB (Data Base; operation history recording unit) 103, an operation history extraction unit 104, a failure period extraction unit 105, and a failure period DB 106. A measurement value information collection unit 107, a measurement value history DB 108, a baseline generation unit 109, a baseline DB 110, an abnormal value determination unit 111, an abnormal value / failure location correspondence DB 112, and an output unit (abnormal device detection unit) 113. Composed.

The operation information collection unit 101 collects operation information from the monitoring target network 10. Here, the operation information includes operation content information, operation time information, and operation status information. The operation content information is information such as the following (a) to (e).
(A) Information indicating that the network device 11 is connected to or disconnected from the monitored network.
(A) Information indicating that the power source of the network device 11 of the monitoring target network is turned on or turned off.
(C) Information indicating that the network device 11 of the monitoring target network has started or stopped.
(D) Information indicating that the service Y has been implemented in the network device 11 of the monitored network.
(E) Information indicating that an error has occurred due to the service Y being performed in the network device 11 of the monitored network.
Here, the service Y is, for example, a web browser, UPnP, DHCP, or the like.
The operation information collection unit 101 writes operation information in the operation history DB 103. When the operation information stored in the operation history DB 103 reaches a predetermined number, the operation information collection unit 101 deletes the operation information having the oldest time stamp and records newly input operation information.

The input unit 102 receives failure occurrence information from the operator via the input / output device 12. Here, the failure occurrence information is information indicating a failure encountered by the network user. For example, the failure occurrence information is information transmitted by the user to the operator such as “early June”, “Web browser access”, and “error”. The input unit 102 generates failure time information, failure content information, and failure status information candidates based on the input failure occurrence information. Here, the failure time information is information indicating a time (failure period) when there is a failure. The failure content information is information indicating an operation in which a failure has occurred (for example, ftp access, Web access) and the IP address and MAC address of the network device 11 in which the failure has occurred. The failure status information is information indicating a failure status such as an error occurrence, for example. For example, the input unit 102 causes the input / output device 12 to display failure time information, failure content information, and failure status information candidates, and generates failure time information, failure content information, and failure status information selected by the operator. .
The input unit 102 outputs the generated failure time information, failure content information, and failure status information to the operation history extraction unit 104.

  The operation history DB 103 stores the operation information input from the operation information collection unit 101 in the operation history information table. The operation history information table is a table composed of a history of operation information input in the past. Note that details of the operation history information table stored in the operation history DB 103 will be described later with reference to the drawings.

The operation history extraction unit 104 compares the failure time information, the failure content information, and the failure status information input from the input unit 102 with the operation time information, the operation content information, and the operation status information recorded in the operation history DB 103. Operation information that satisfies all the following conditions (a) to (c) is extracted from the history DB 103.
(A) The operation time information is included in the time range indicated by the failure time information.
(A) The operation content information matches the failure content information or matches the information derived by a predetermined rule set in advance.
(C) The operation status information matches the failure status information.
The operation history extraction unit 104 outputs the extracted operation information to the failure period extraction unit 105.

  The failure period extraction unit 105 extracts the failure period and the corresponding IP address and MAC address based on the operation information extracted by the operation history extraction unit 104. Here, the failure period refers to a period from the oldest time indicated by the operation time information to the latest time indicated by the operation time information among the extracted operation information. The failure period extraction unit 105 outputs failure period information indicating the extracted failure period to the failure period DB 106 and the abnormal value determination unit 111.

  The failure period DB 106 stores the failure period information input from the failure period extraction unit 105 in the failure period information table. Details of the failure period information table stored in the failure period DB 106 will be described later with reference to the drawings.

The measurement value information collection unit 107 collects measurement value information from the monitoring target network 10. Here, the measurement value information includes measurement value time information and measurement value content information. The measurement value time information indicates the measurement time when the measurement value is measured at the measurement point. The measurement value content information includes, for example, UPnP information generated by the measurement point (for example, the number of packets on the WAN (Wide Area Network) side of the BBR (Broadband Router), the number of packets on the LAN side), SNMP information (for example, hub) , The number of input / output packets for each port of the switch, the number of collision packets, etc.), DHCP information (for example, the number of Discover command transmissions, the number of OFFER responses, etc.).
The measurement value information collection unit 107 writes the measurement value information in the measurement value history DB 108. Details of the measurement value information will be described later with reference to the drawings.

  The measurement value history DB 108 stores the measurement value information input from the measurement value information collection unit 107 in the measurement value information table. That is, the measurement value history table is a table configured from a history of measurement value information input in the past. The details of the measurement value history information table stored in the measurement value history DB 108 will be described later with reference to the drawings.

The baseline generation unit 109 reads out failure period information from the failure period DB 106. The baseline generation unit 109 reads from the measurement value history DB 108 each measurement value information in a period other than the failure period indicated by the failure period information (referred to as a normal operation period). The baseline generation unit 109 extracts each measurement value from each measurement value information. For example, among the measurement values for each day over the past month, the baseline generation unit 109 performs measurement for each measurement value included in the normal operation period for each predetermined baseline unit time (for example, 10 minutes). An average value and variance (average value and variance of each measurement value per baseline unit time are collectively referred to as a baseline) are calculated (referred to as baseline creation processing). The baseline generation unit 109 writes the baseline information indicating the calculated baseline in the baseline DB 110. That is, the baseline generation unit 109 generates a baseline based on the measurement values measured during the normal operation period.
The baseline DB 110 records the baseline information generated by the baseline generation unit 109.

  The abnormal value determination unit 111 determines whether or not the measurement value indicated by the measurement value information is an abnormal value. Specifically, the abnormal value determination unit 111 receives failure period information from the failure period extraction unit 105. The abnormal value determination unit 111 reads measurement value information corresponding to the failure period indicated by the failure period information from the measurement value history DB 108. The abnormal value determination unit 111 reads baseline information corresponding to the failure period indicated by the failure period information from the baseline DB 110. The abnormal value determination unit 111 determines whether or not the measured value is abnormal based on the measured value in the failure period and the baseline (for example, average value, variance) indicated by the baseline information. For example, the abnormal value determination unit 111 performs measurement when the measured value in the failure period satisfies the relationship of average value−n × dispersion ≦ measured value ≦ average value + n × dispersion (n is a predetermined positive number). The value is determined to be normal. The abnormal value determination unit 111 determines that the measured value is abnormal when this relationship is not satisfied. The abnormal value determination unit 111 performs the above determination for each measurement value using the corresponding baseline, and determines whether each measurement item is normal or abnormal. The abnormal value determination unit 111 outputs the determination result of each measurement item to the output unit 113.

  The abnormal value / failure location correspondence DB 112 stores an abnormal value / failure location correspondence table indicating the relationship between the MAC address, the measurement item, and the failure location. Details of the abnormal value / failure location correspondence table will be described later with reference to the drawings.

  The output unit 113 receives the determination result of each measurement item from the abnormal value determination unit 111. When the determination result of each measurement value is determined to be abnormal, the output unit 113 is determined to be abnormal with reference to the abnormal value / failure location correspondence table recorded in the abnormal value / failure location correspondence DB 112. Information on the failure location of the device corresponding to the measurement item is extracted, and the extracted information is output to the input / output device 12. When the determination result of the measurement value is not determined to be abnormal, the output unit 113 outputs information indicating that no abnormality has been found to the input / output device 12.

FIG. 3 is a flowchart showing an example of operation information collection operation according to the present embodiment.
(Step S <b> 101) The operation information collection unit 101 acquires operation information from the monitoring target network 10. Thereafter, the process proceeds to step S102.
(Step S102) The operation information collection unit 101 determines whether or not the number of operation information in the operation history information table recorded in the operation history DB 103 is greater than a predetermined number. When it determines with the number of operation information being larger than the predetermined number (Yes), it progresses to step S103. When it determines with the number of operation information not being larger than the predetermined number (No), it progresses to step S104.
(Step S103) The operation information collection unit 101 deletes the oldest operation information from the operation history information table. Thereafter, the process proceeds to step S104.
(Step S104) The operation information collection unit 101 writes the operation information acquired in step S101 in the operation history DB 103. Thereafter, the process returns to step S101.

  In step S102, the determination is made based on whether or not the number of operation information is larger than a predetermined number. However, the determination may be made based on whether or not the time stamp of the operation information is older than a predetermined period. Good.

  FIG. 4 is a schematic diagram illustrating an example of operation information stored in the operation history DB 103 according to the present embodiment. As shown in the figure, the operation history table includes columns of items of a time stamp indicated by the operation time information, an IP address, a MAC address, a device name, an operation content indicated by the operation content information, and an error status indicated by the operation status information. Have. The operation history table is two-dimensional tabular data composed of rows and columns in which operation information is stored for each time stamp.

For example, in the operation information with the reference 4a, the time stamp is 2011/6/3 17:03:40, the IP address is undecided, the MAC address is unknown, the device name is “CenterSW”, and the operation content is “Link Up”. The error status indicates normal.
The operation information with the reference 4b includes a time stamp of 2011/6/3 17:04:20, an IP address of 192.168.1.30, a MAC address of 00: 1b: ba: e0: b4: 9c, and a device. The name is “AsyaTV”, the operation content is “Acquire address by DHCP”, and the error status is normal.
The operation information with the reference 4c includes a time stamp of 2011/6/3 17:10:05, an IP address of 192.168.1.30, a MAC address of 00: 1b: ba: e0: b4: 9c, and a device. The name is “AsyaTV”, the operation content is “view video with DLAN”, and the error status is normal.

FIG. 5 is a flowchart showing an example of the measurement value collection operation according to the present embodiment.
(Step S <b> 201) The measurement value information collection unit 107 acquires measurement value information from the monitoring information network 10. Thereafter, the process proceeds to step S202.
(Step S202) The measurement value information collection unit 107 determines whether or not the number of measurement value information in the measurement value information table recorded in the measurement value history DB 108 is greater than a predetermined number. If it is determined that the number of pieces of measurement value information is greater than the predetermined number (Yes), the process proceeds to step S203. If it is determined that the number of pieces of measurement value information is not greater than the predetermined number (No), the process proceeds to step S204.
(Step S203) The measurement value information collection unit 107 deletes the oldest measurement value information from the measurement value history DB. Thereafter, the process proceeds to step S204.
(Step S204) The measurement value information collection unit 107 writes the measurement value information acquired in step S201 in the measurement value history DB 108. Thereafter, the process proceeds to step S201.

FIG. 6 is a schematic diagram illustrating an example of a measurement value history table stored in the measurement value history DB 108 according to the present embodiment. As shown in the figure, the measurement value history table has columns of time stamp, IP address, MAC address, measurement item, and measurement value, which are measurement value time information. The measurement value history table is two-dimensional tabular data composed of rows and columns in which measurement value information is stored for each time stamp.
For example, in the measurement value information with the reference numeral 6a, the time stamp is 2011/6/3 17:00:01, the IP address is 192.168.1.28, and the MAC address is 00: 1b: ba: e0: b4: 9c indicates that the operation item is “Wan side packet transmission” and the measurement value is “25”.
The measurement value information to which reference numeral 6b is attached is that the time stamp is 2011/6/3 17:00:10, the IP address is 192.168.1.28, the MAC address is 00: 1b: ba: e0: b4: 9c, This indicates that the operation item is “packet input” and the measurement value is “55”.
The measurement value information to which reference numeral 6c is attached has a time stamp of 2011/6/3 17:02:11, an IP address of 192.168.1.42, a MAC address of 00: 22: 15: df: 69: 83, The operation content is “packet collision” and the measurement value is “10”.

FIG. 7 is a schematic diagram illustrating an example of a failure period information table stored in the failure period DB 106 according to the present embodiment. As shown in the figure, the failure period information table has columns of items of failure start time, failure end time, IP address, and MAC address indicated by the failure period information. The failure period information table is two-dimensional tabular data composed of rows and columns storing failure end times, IP addresses, and MAC addresses for each failure start time.
For example, the failure period information with the symbol 7a has a failure start time of 2011/6/3 17:02:11, a failure end time of 2011/6/3 17:35:00, and an IP address of 192.168.1. 42, indicating that the MAC address is 00: 22: 15: df: 69: 83.
The failure period information with the reference numeral 7b has a failure start time of 2011/6/3 18:25:37, a failure end time of 2011/6/3 19:14:20, and an IP address of 192.168.1.28. The MAC address is 00: 1b: ba: e0: b4: 9c.

FIG. 8 is a schematic diagram illustrating an example of a baseline table according to the present embodiment. As shown in the figure, the baseline table is data in a two-dimensional tabular format composed of rows and columns each having columns of average values and variances of measured values for each baseline unit time. Here, for each type of measurement value and the MAC address of the measurement object, a column for each item of average value and variance of the measurement value is provided. In the baseline table, for example, average values and variances of the measurement values included in the normal operation period among the measurement values for each day in the past month are recorded.
The data with the sign 9a has an average value of 750 packet inputs and a variance of 78 at the time of 00:00:00 to 00:10:00, with the MAC address 00: 1a: ba: e0: b4: 9c. The packet collision average value is 12, the variance is 3, the MAC address is 00: 22: 15: df: 69: 83, the average number of packets is 2645, the variance is 230, the average packet collision value is 45, and the variance is 9 It is shown that. Actually, baselines are stored for all measured values at all measurement points, but are omitted in this figure because they are complicated.

FIG. 9 is a flowchart showing the baseline generation processing according to the present embodiment.
(Step S301) The baseline generation unit 109 determines whether or not a predetermined period has elapsed. Here, the fixed period is, for example, 10 minutes. If it is determined that a predetermined period has elapsed (Yes), the process proceeds to step S302. If it is determined that the predetermined period has not elapsed (No), the process proceeds to step S301.
(Step S302) The baseline generation unit 109 reads the failure period information from the failure period DB 106, and extracts the failure period indicated by the failure period information. The baseline generation unit 109 calculates a normal operation period based on the failure period. Thereafter, the process proceeds to step S303.

(Step S303) The baseline generation unit 109 reads the measurement value included in the normal operation period calculated in Step S302 from the measurement value information recorded in the measurement value history DB 108. Thereafter, the process proceeds to step S304.
(Step S304) The baseline generation unit 109 calculates an average value and a variance (baseline) of each measurement value for each baseline unit time for each measurement value read in Step S303. The baseline generation unit 109 writes the calculated baseline in the baseline DB 110. Thereafter, the process proceeds to step S301.

FIG. 10 is a schematic diagram illustrating an example of the abnormal value / failure location correspondence table according to the present embodiment. As shown in the drawing, the abnormal value / failure location correspondence table is data in a two-dimensional tabular format composed of rows and columns having items of failure locations for each abnormal value.
The data with the sign 10a has a MAC address of 11: 22: 33: 44 when the Web server access count of the measurement point with the MAC address of 00: 22: 15: df: 69: 83 shows an abnormal value. : 55: 66 indicates that there is a high possibility that the HTTP server is out of order. When the number of packets at the measurement point of the MAC address 00: 1b: ba: e0: b4: 9c indicates an abnormal value, the data with the sign 10b indicates that the MAC address is 22: 33: 44: 55: 66. : 77 indicates that there is a high possibility that 77 routers are out of order. The data with the sign 10c has a MAC address of 33: 44: 55: 66: when the packet collision number at the measurement point of the MAC address 00: 02: c1: 4a: 7d: b6 shows an abnormal value. 77:88 indicates that the DHCP server is likely to be out of order.
The abnormal value / failure location correspondence table is created in advance based on a combination having a high correlation between the measurement item and the failure.

FIG. 11 is a flowchart showing a failure location specifying process according to the present embodiment.
(Step S401) The input unit 102 receives failure occurrence information from the operator. Here, the failure occurrence information is, for example, failure time information (“early June”), failure content information (“Web browser access”), failure status information (“error”). Thereafter, the process proceeds to step S402.
(Step S402) The operation history extraction unit 104 extracts an event corresponding to the failure occurrence information input in step S401 from the operation history DB 103. For example, operation information whose operation time information is included in “early June”, operation content information is “Web browser access”, and operation status information is “error” is extracted from the operation history DB. The operation history extraction unit 104 outputs the extracted operation information to the failure period extraction unit 105. Thereafter, the process proceeds to step S403.

(Step S403) The failure period extraction unit 105 extracts the time between the oldest time stamp and the newest time stamp as the failure period from the operation information extracted in Step S402. The failure period extraction unit 105 writes failure period information indicating the extracted failure period in the failure period DB 106 and outputs the failure period information to the abnormal value determination unit 111. Thereafter, the process proceeds to step S404.
(Step S404) The abnormal value determination unit 111 reads measurement value information corresponding to the failure period indicated by the failure period information extracted in step S403 from the measurement value history DB 108. The abnormal value determination unit 111 reads the baseline information corresponding to the failure period extracted in step 403 from the baseline DB 110. Thereafter, the process proceeds to step S405.

(Step S405) The abnormal value determination unit 111 compares the measurement value indicated by the measurement value information with the baseline indicated by the baseline information for each measurement point and each type of measurement value, and determines whether or not the measurement value is abnormal. Determine whether. Specifically, the abnormal value determination unit 111 determines whether or not the measured value in the failure period satisfies the relationship of average value−n × dispersion ≦ measured value ≦ average value + n × dispersion (n is a predetermined positive number). Determine. If it is determined that the relationship is satisfied (Yes), the process proceeds to step S405. If it is determined that the relationship is not satisfied (No), the process proceeds to step S407.

(Step S406) The output unit 113 extracts a failure location corresponding to the measurement value determined to be abnormal in step S405 from the abnormal value / failure location correspondence table. Thereafter, the process proceeds to step S407.
(Step S407) When the output unit 113 determines that the measurement is an abnormal value in Step S405, the output unit 113 outputs the display information indicating the failure location extracted in Step S406 to the input / output device 12. If the measurement is not determined to be an abnormal value in step S405, the output unit 113 outputs display information indicating that no abnormality has been found to the input / output device 12. The input / output device 12 displays the display information input from the output unit 113. Thereafter, the process proceeds to an end process.

  As described above, in this embodiment, the failure detection apparatus 13 includes an operation history DB 103 that records operation history information in which information related to operation of the network device 11 and time when the operation on the network device 11 is performed, and a network. The failure period of the network device 11 is specified based on the measurement value history DB 108 that records the measurement history information that links the measurement value that represents the operation status of the device 11 and the time when the measurement value was measured, and the operation history information. A failure period extraction unit 105, a baseline generation unit 109 that extracts measurement values associated with times other than the failure period based on the failure period and measurement history information, and generates baseline information of the extracted measurement values; The baseline information generated by the baseline generation unit 109 is compared with the measurement value associated with the time during the failure occurrence period to compare the network. And an abnormal value determining unit 111 for detecting an abnormality of the click device 11. Accordingly, the failure detection device 13 extracts abnormal values by comparing the data in the time zone in which the failure occurs with the baseline created based on the data in the period in which the failure does not occur. The rate is improved, and the ability to estimate the failure location can be improved. That is, the failure detection device 13 can reliably detect an abnormality.

  In the present embodiment, the extraction unit 105 specifies the failure occurrence time based on information from the user and the operation history. Thereby, it is possible to extract an accurate operation history output from the network device 11 from the operation history DB based on the user's memory, and to specify the failure occurrence time based on the extracted operation history. Thereby, since the abnormal value determination can be performed in the time when the failure has truly occurred, the accuracy of the abnormal value determination is improved.

  In this embodiment, the operation history extraction unit 104 extracts operation information based on failure occurrence information input from the operator, and the failure period extraction unit 105 uses failure period information based on the extracted operation information. Extracted. However, the extraction of the failure period information is not limited to this, and the failure period extraction unit 105 obtains the failure period information based on the operation information extracted by the operation history extraction unit 104 based on the operation status information recorded in the operation history DB 103. It may be extracted.

  Each unit and each DB of the failure detection device 13 may be a part of another device connected via a network.

  In this embodiment, information included in UPnP information, SNMP information, DHCP information, and the like is used as the measurement value. For example, the number of packets transmitted by the network device 11 per unit time is used as the measurement value. Also good.

The failure period may be extracted as follows, for example.
(A) A predetermined time from the occurrence of an event is defined as a failure period.
(A) A time between occurrence times of a certain event and another certain event is defined as a failure period.
(C) A failure period is defined by adding a certain time before and after the time between occurrence times of a certain event and another certain event.

  Note that the failure period extraction unit 105 may set the period as a failure period when the frequency of occurrence of a certain event within a predetermined time exceeds a predetermined value or falls below a predetermined value.

  In the baseline generation process, the baseline generation unit 109 generates a baseline excluding all measurement values for all devices included in the failure period, but relates to a device determined to be a failure in the failure period. A baseline may be created by excluding only measured values. In addition, the baseline may be created by excluding only the apparatus determined to have a failure in the failure period and only the measurement value determined to be a failure.

  When the time is not recorded in the operation information or the measurement value information, the time when the failure detection device 13 collects the operation information or the measurement value information may be used as the operation time information or the measurement value time information. In that case, the collected time is handled as the time when the operation is performed or the time when the measured value is measured.

Note that a part of the failure detection apparatus 13 in the above-described embodiment, for example, the failure period extraction unit 105, the baseline generation unit 109, and the abnormal value determination unit 111 may be realized by a computer. In that case, the program for realizing the control function may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read by a computer system and executed. Here, the “computer system” is a computer system built in the failure detection device 13 and includes an OS and hardware such as peripheral devices. The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Furthermore, the “computer-readable recording medium” is a medium that dynamically holds a program for a short time, such as a communication line when transmitting a program via a network such as the Internet or a communication line such as a telephone line, In such a case, a volatile memory inside a computer system serving as a server or a client may be included and a program that holds a program for a certain period of time. The program may be a program for realizing a part of the functions described above, and may be a program capable of realizing the functions described above in combination with a program already recorded in a computer system.
Moreover, you may implement | achieve part or all of the failure detection apparatus 13 in embodiment mentioned above as integrated circuits, such as LSI (Large Scale Integration). Each functional block of the failure detection apparatus may be individually made into a processor, or a part or all of them may be integrated into a processor. Further, the method of circuit integration is not limited to LSI, and may be realized by a dedicated circuit or a general-purpose processor. Further, in the case where an integrated circuit technology that replaces LSI appears due to progress in semiconductor technology, an integrated circuit based on the technology may be used.

  As described above, the embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to the above, and various design changes and the like can be made without departing from the scope of the present invention. It is possible to

DESCRIPTION OF SYMBOLS 1 ... Failure detection system, 10 ... Network to be monitored, 11, 11a-11e ... Network equipment, 12 ... I / O device, 13 ... Failure detection device, 101 ... Operation information collection , 102 ... Input unit, 103 ... Operation history DB, 104 ... Operation history extraction unit, 105 ... Failure period extraction unit, 106 ... Failure period DB, 107 ... Measurement value information Collection unit 108 ... Measured value history DB 109 ... Baseline generation unit 110 ... Baseline DB 111 ... Abnormal value determination unit 112 ... Abnormal value / failure location correspondence DB, 113 ... Output unit, GW ... Gateway, Hub ... Hub, RT ... Router, SW ... Switch

Claims (6)

A measurement value other than the failure period of the monitoring target system is extracted from the measurement values representing the operation status of the monitoring target system, and baseline information indicating a normal range of the measurement value is generated based on the extracted measurement value. A baseline generator,
A failure period extraction unit that determines a failure period based on information on an operation on the monitored system ;
For the measurement value measured in the failure period, based on the baseline information, and the abnormal value determination unit to determine whether an abnormal value,
An abnormality detection device comprising: An operation history storage unit that stores information related to operations on the monitored system
Abnormality detecting apparatus according to claim 1, characterized in that it comprises a.   The abnormality detection device according to claim 2, wherein the failure period extraction unit is information corresponding to information input from an operator, and determines the failure period based on information related to the operation. The monitored system is composed of a plurality of devices,
The measurement value is a measurement value for each of a plurality of measurement items,
The baseline generation unit generates baseline information regarding each of the measurement items,
The abnormality detection device is:
The apparatus according to claim 2, further comprising: an abnormal device detection unit that detects a device in which an abnormality has occurred from the plurality of devices based on a measurement item of the measurement value determined to be the abnormal value. Anomaly detection device. A measurement value other than the failure period of the monitoring target system is extracted from the measurement values representing the operation status of the monitoring target system, and baseline information indicating a normal range of the measurement value is generated based on the extracted measurement value. Process,
Determining a failure period based on information relating to operations on the monitored system ;
A step of determining whether or not the measurement value measured during the failure period is an abnormal value based on the baseline information;
The abnormality detection method characterized by having. In the computer of the abnormality detection device,
A measurement value other than the failure period of the monitoring target system is extracted from the measurement values representing the operation status of the monitoring target system, and baseline information indicating a normal range of the measurement value is generated based on the extracted measurement value. A baseline generation step;
A failure period extraction step for determining a failure period based on information on an operation on the monitored system ;
For it said measured measurement values to the failure period, based on the baseline information, and the abnormal value determination step of determining whether or not an abnormal value,
Abnormality detection program to execute.

Images