JP6417343B2 - Time-series data abnormality monitoring apparatus and time-series data abnormality monitoring method - Google Patents

Description

  The present invention relates to a time-series data abnormality monitoring apparatus and a time-series data abnormality monitoring method for monitoring time-series data fluctuations due to communication traffic of a network device and detecting an abnormality in time-series data.

  In network operation management, it is very important to monitor an abnormality in the communication state (communication traffic) of a network device, and various abnormality monitoring methods have been proposed. For example, there is an abnormality detection device described in Patent Document 1. In this device, an abnormality score is calculated from an angle difference between a current vector indicating a state between devices in the current network and a reference vector, and further, the abnormality score is compared with a threshold, and based on the magnitude relationship. Network abnormality is judged.

  That is, the balance of the traffic volume between the network devices is expressed by a multidimensional vector, the angle with the reference vector is defined as an abnormality level (abnormal score), and the correlation loss of the traffic volume is detected as a balance breakdown (abnormality).

  For example, as shown in FIG. 5A, it is assumed that traffic amounts T1, T2, and T3 during communication of three network devices are measured from Monday to Sunday and graphed. Each traffic volume T1 to T3 is represented by traffic volumes T1a, T2a, T3a leveled at a predetermined distribution rate (ratio) as shown in FIG. 5B. Further, as shown in FIG. 5C, the upward and downward trends of the traffic amounts T1 to T3 are represented by vectors Va and Vb.

  It is assumed that the traffic amount T3 on Wednesday shown in FIG. 5A suddenly drops and rises in the direction of the arrow Y1 in a V shape like the waveform indicated by reference numeral T3b. In this case, as indicated by reference numeral T3c in FIG. 5B, the balance of the waveforms T1a to T3a leveled at a predetermined ratio is lost, and the traffic volume on Wednesday rapidly changes downward in a V shape. .

  At this time, as shown in FIG. 5 (c), the vector Va for other days except Wednesday is directed in the upward direction, but the vector Vb of the V-shaped fluctuation part on Wednesday is the right shoulder. It will face in the downward slope direction. Thus, when the vector Vb fluctuates and differs from the other vectors Va, the waveform of the portion corresponding to the fluctuation vector Vb is inverted and represented as indicated by reference numeral T3d in FIG. When the inverted mountain-shaped waveform T3d exceeds a predetermined threshold value th1, the alarm is activated as an abnormality in the traffic amount. In this way, it is possible to identify a network device that is behaving abnormally. In this technique, an abnormality is detected while looking at the balance of a plurality of traffic volumes T1 to T3, so that it is less susceptible to weekly fluctuations such as holidays such as weekdays and weekends and special days.

JP 2012-007590 A JP 2012-258077 A

  However, in the balance analysis technique described above, the influence of the specific day is reduced by using the ratio of the traffic amounts T1a to T3a as shown in FIG. This technique is effective in many cases. However, when there is a fluctuation pattern with a very large difference in traffic volume, such as weekdays and holidays, as in the telephone service used by companies, the waveform is not leveled between weekdays and holidays. Differences in expression occur. For this reason, as described above, there is a case where an abnormality cannot be properly detected by a vector.

  Therefore, as in the technique described in Patent Document 2, a plurality of network devices are grouped, and the ratio of the time series data of the traffic amount between the devices is calculated. When a predetermined analysis model (described later) is applied to the time series data of each ratio and a change different from the normal time is detected, the traffic amount corresponding to the service of the network device is monitored by setting it as abnormal. The analysis model is, for example, a model for determining an abnormality when the ratio fluctuates more than a certain value because the ratio of each time series data is not changed in normal times. In addition, since the ratio fluctuates with the period T in normal times, there is also a model that determines that an abnormality occurs when the period T fluctuates beyond a certain value.

  An example of such an analysis model will be described. For example, a weekday fluctuation pattern P1 and a weekend / holiday fluctuation pattern P2 are represented in a graph in which the horizontal axis in FIG. 6A represents time t and the vertical axis represents traffic volume. Each pattern P1, P2 is a plot of one point of traffic data at 3 minute intervals on the time t axis. Since one day is 24 hours, the value obtained by multiplying this by 60 minutes and dividing this result by 3 minutes is 480 points. In other words, the time t-axis assumes 1 day as (24 hours × 60 minutes) ÷ 3 minutes = 480 points.

  However, in the traffic volume for the day, as indicated by the symbol P1a during the lunch break of the weekday fluctuation pattern P1, the traffic volume rapidly decreases and increases in a V shape. On the other hand, there is no such variation in the holiday variation pattern P2. In this case, the fluctuation patterns P1 and P2 between weekdays and holidays are represented by balance values as shown in FIG. This balance value represents each fluctuation pattern P1, P2 as a waveform in a mirror state for each weekday and holiday.

  Here, if each of the patterns P1 and P2 is determined with the same reference pattern in the analysis model, inconsistency occurs in either one. For example, when the weekday variation pattern P1 is compared and determined with a reference pattern corresponding to the weekday variation pattern P1, the lunch break time is determined to be normal although the pattern P1 falls in a V shape. However, the holiday variation pattern P2 is determined to be abnormal because the lunch break time has not decreased. As described above, the holiday variation pattern P2 is a pattern according to an actual holiday, so that it is normally normal, but is determined to be abnormal, and the determination is different from the original result. As described above, when the time-series data to be monitored has different fluctuation patterns such as weekdays and holidays, and morning and night, there is a problem that abnormality of fluctuation cannot be detected properly.

  For this reason, for example, calendar information (date, weekday, holiday information) or the like is introduced into the system, and the accuracy is improved by changing the applied analysis model using the introduced value. However, in this case, there are special days that cannot be determined from the calendar information, such as a recommended holiday, a special holiday such as a morning or afternoon holiday, a founding anniversary, a Bon holiday or a year-end and New Year holiday that is different for each company. Also in this case, it is not possible to properly detect abnormality in fluctuation of the time series data.

  Furthermore, in the case of telephone traffic, for example, traffic rises and fluctuates rapidly after the start of selling popular concert tickets, or even when an earthquake occurs. Such a sudden change cannot be dealt with by an analysis model to which calendar information is applied, and cannot be predicted and registered by a person in advance. For this reason, it is impossible to properly detect abnormality in fluctuation of the time series data.

  The present invention has been made in view of such circumstances, and a time-series data abnormality monitoring device capable of appropriately detecting an abnormality caused by unspecified fluctuations in time-series data such as communication traffic of a network device and time It is an object to provide a series data abnormality monitoring method.

As means for solving the above-mentioned problem, the invention according to claim 1 is directed to monitoring time-series data fluctuations indicated by the traffic volume of network device communication and detecting time-series data abnormality. A monitoring device for obtaining various fluctuation patterns according to different conditions from the time series data, classifying the various fluctuation patterns in a storage means and storing them, and a future value of the time series data that does not exist An estimation unit that estimates and obtains an estimated value, and obtains various past fluctuation patterns corresponding to a time zone of the estimated value from the storage means, and each of the obtained various fluctuation patterns and the estimation A comparison unit that compares a value and obtains a plurality of differences between the estimated value and each of the various variation patterns, and the smallest difference among the plurality of differences obtained by the comparison unit. A selection unit to select a variation pattern of response, the time series data corresponding to the fluctuation pattern said selected corresponds to the selected change pattern of said determined for each type of variation patterns threshold A time-series data abnormality monitoring apparatus comprising: an abnormality detection unit that detects an abnormality when a threshold value is exceeded.

The invention according to claim 3, monitors the variation of the time-series data represented by the traffic volume of the communication network device, in time series data abnormality monitoring method according to series data abnormality monitoring device when detecting an abnormality of the time-series data The time-series data abnormality monitoring device obtains various fluctuation patterns according to different conditions from the time-series data, classifies and stores the various fluctuation patterns in a storage means, and the time-series data Estimating and obtaining an estimated value that is a future value that does not exist; acquiring various past variation patterns corresponding to the estimated estimated time zone from the storage means; Comparing each of the estimated values with each other and obtaining a plurality of differences between the estimated values and each of the various variation patterns; and the plurality of obtained differences Of the steps of selecting a variation pattern corresponding to the smallest difference, the time series data corresponding to the fluctuation pattern wherein the selected is, is the selection of said determined for each type of variation patterns threshold And a step of detecting an abnormality when a threshold value corresponding to the fluctuation pattern is exceeded.

  According to the configuration of claim 1 and the method of claim 3, an estimated value that is a future value of time-series data is obtained, and a difference from the estimated value among various past fluctuation patterns in the same time zone as this estimated value. Is selected as the adaptive model. Then, an abnormality is detected when the current time-series data corresponding to the variation pattern as the selected adaptive model exceeds a predetermined threshold. For this reason, the adaptive model corresponding to the present time series data can detect the fluctuation of the time series data. Therefore, it is possible to appropriately detect an abnormality caused by an unspecified variation in time-series data such as communication traffic of the network device.

  According to a second aspect of the present invention, the estimation unit holds the time series data in a time series order for a predetermined time, and obtains the time series obtained by extrapolating the time series data having the predetermined time width. The time-series data abnormality monitoring apparatus according to claim 1, wherein an extrapolation result in a range where no data exists is obtained as the estimated value.

  According to this configuration, it is possible to appropriately estimate and obtain an estimated value that is a future value of time-series data as real-time data that does not exist.

  According to the present invention, it is possible to provide a time-series data abnormality monitoring apparatus and a time-series data abnormality monitoring method capable of appropriately detecting an abnormality caused by unspecified fluctuations in time-series data such as communication traffic of a network device. .

It is a block diagram which shows the structure of the time series data abnormality monitoring apparatus which concerns on 1st Embodiment of this invention. The horizontal axis represents time t, and the vertical axis represents traffic volume. (A) is a graph showing a fluctuation pattern P1 on weekdays and a fluctuation pattern P2 on weekends and holidays, and (b) is a graph of time series data. FIG. 5C is a graph showing an extrapolation result that is an estimation of a future value, and FIG. 5C is a graph showing an extrapolation result of other time-series data. It is explanatory drawing of the extrapolation which is estimation of the future value of time series data. It is a flowchart for demonstrating the operation | movement which detects the abnormality of the communication traffic of the network apparatus by the time series data abnormality monitoring apparatus of this embodiment. It is explanatory drawing of the conventional balance analysis technique of the traffic volume from Monday to Sunday, (a) is a graph figure of three traffic volume T1, T2, T3, (b) is predetermined distribution of three traffic volume T1-T3. FIG. 5C is a graph showing the level of the three traffic volumes T1 to T3, and FIG. 8D is a graph showing the balance loss of one waveform. (A) is a graph showing the time t on the horizontal axis and the traffic volume on the vertical axis, and a graph showing the fluctuation pattern P1 on weekdays and the fluctuation pattern P2 on weekends and holidays. It is the graph which represented the balance value of the fluctuation pattern with the waveform in the mirror state.

Embodiments of the present invention will be described below with reference to the drawings.
<Configuration of First Embodiment>
FIG. 1 is a block diagram showing a configuration of a time-series data abnormality monitoring apparatus according to the first embodiment of the present invention.
A time-series data abnormality monitoring device (abnormality monitoring device) 10 shown in FIG. 1 detects an unspecified rapid fluctuation in communication traffic of a network device such as a telephone or a communication terminal as an abnormality. The abnormality monitoring apparatus 10 includes a fluctuation pattern calculation unit 11, a data estimation unit 12, a comparison unit 13, a selection unit 14, an abnormality detection unit 15, a data storage unit 16, a variation pattern storage unit 17, an abnormality And a detection result storage unit 18. The variation pattern storage unit 17 constitutes a storage unit described in the claims.

  An input / output device 20 such as a personal computer having a communication function is connected to the abnormality monitoring device 10. The input / output device 20 is connected to various network devices (not shown), and the traffic volume measured during communication of the network device is input as time-series data. The input time-series data is output from the input / output device 20 to the fluctuation pattern calculation unit (also referred to as calculation unit) 11 and the data storage unit 16. The data storage unit 16 stores the time series data in time series order.

  The calculation unit 11 creates a fluctuation pattern by a method of calculating fluctuations such as performing clustering using average or variance for the time series data input from the input / output device 20. Here, clustering means, for example, calculating an average value of time-series data and classifying it as the same variation pattern if the average value is within a certain value. For example, if the average value of the time series data input in a predetermined time width is 5 ± 1 and 10 ± 1, it can be classified into a variation pattern of 5 ± 1 and a variation pattern of 10 ± 1. In this way, by performing clustering using average and variance on the time series data, the time series data is classified according to the conditions of the average value and the variance value, and the variation pattern for each condition is represented by the variation pattern storage unit 17. It is classified and stored.

  An example of the variation pattern created by being classified by the calculation unit 11 is shown in FIG. FIG. 2A is a graph in which the horizontal axis represents time t and the vertical axis represents traffic volume. The time t on the horizontal axis represents one day as (24 hours × 60 minutes) ÷ 3 minutes = 480 points. On the time t-axis, one point of time-series data (traffic amount) at intervals of 3 minutes is plotted to represent a weekday fluctuation pattern P1 and a weekend / holiday fluctuation pattern P2.

  In the weekday fluctuation pattern P1, on the time t-axis, the traffic volume from 0 point corresponding to midnight to 140 points from the predetermined time before the company work time is approximately zero. In addition, immediately after gradually rising from around 140 points, it suddenly rose and leveled off. After that, after falling in a V shape as indicated by reference numeral P1a in a time width of about 250 points corresponding to the lunch break, it rises and levels. Furthermore, it has fallen in the vicinity of 340 points corresponding to the vicinity of the end time.

  The holiday fluctuation pattern P2 is almost the same as weekdays from 0 to 140 points, but gradually rises from a gentle slope from around 140 points and then becomes flat, gradually from around 340 points corresponding to the vicinity of the closing time on weekdays. Standing down to the right.

  Further, the calculation unit 11 illustrated in FIG. 1 associates the classified variation patterns with the time-series data stored in the data storage unit 16 from the input / output device 20. With this association, it is defined which variation pattern the stored time-series data is classified into. Further, the calculation unit 11 outputs the time series data input from the input / output device 20 to the data estimation unit (also referred to as estimation unit) 12 as it is.

  The estimation unit 12 holds the time series data input from the calculation unit 11 for a predetermined time in order of time series, and estimates a future value of the time series data that does not exist from the held time series data of the predetermined time width. I do. For this estimation process, for example, extrapolation is used. Extrapolation is to apply numerical data to some function and estimate a value in a range (outside) without numerical data. In simple terms, extrapolation by a linear function (linear extrapolation, linear extrapolation) is performed. As shown in FIG. 3, this is to obtain an estimated value k1 on an extension line obtained by connecting the measured values j1, j2, and j3 of the traffic volume plotted along the time t-axis with lines.

  An estimation example of the estimation unit 12 will be described with reference to FIGS. As shown in FIG. 2B, the estimation unit 12 first determines a window W having an arbitrary time width (80 point width), and sets the window W to a predetermined position on the time t axis (for example, between 60 to 140 points). Stipulated in

  The estimation unit 12 extends the time series data from the calculation unit 11 by connecting with a line along the time axis of the window W width, and obtains an estimated value using this extension line. For example, when the time-series data currently output from the calculation unit 11 is data corresponding to the weekday fluctuation pattern P1, an estimated value P1e corresponding to the broken line extension line of the weekday fluctuation pattern P1 is obtained. On the other hand, in the case of data corresponding to the holiday variation pattern P2, an estimated value P2e corresponding to the broken line extension line of the holiday variation pattern P2 is obtained. In this case, since the weekday fluctuation pattern P1 and the holiday fluctuation pattern P2 between 60 and 140 points in the window W1 have a traffic volume of approximately zero, both the estimated values P1e and P2e corresponding to the fluctuation patterns P1 and P2 are , Not much difference.

  On the other hand, when the estimation unit 12 sets the window W in the time zone (90 to 170 points) shown in FIG. 2 (c), the difference between the weekday fluctuation pattern P1 and the holiday fluctuation pattern P2 corresponding thereto during the rising process is widened. ing. For this reason, there is a large difference between the estimated values P1f and P2f corresponding to the weekday of the window W width estimated by the estimating unit 12 and the extended lines of the holiday variation patterns P1 and P2. The estimation unit 12 outputs the estimated value P1f corresponding to the weekday variation pattern P1 obtained from the time series data currently input or the estimated value P2f corresponding to the holiday variation pattern P2 to the comparison unit 13.

  The comparison unit 13 acquires the past weekday and holiday variation patterns P1, P2 in the time zone corresponding to the estimated value P1f or P2f input from the estimation unit 12 from the variation pattern storage unit 17. The obtained weekday and holiday fluctuation patterns P1 and P2 are compared with the estimated value P1f or P2f, the difference between the estimated value P1f or P2f and the weekday fluctuation pattern P1 (referred to as weekday difference), and the estimated value P1f or P2f Then, the difference (referred to as holiday difference) with the holiday variation pattern P2 is obtained. These weekday difference and holiday difference are output to the selection unit 14.

The selection unit 14 selects the variation pattern P1 or P2 having the smaller difference between the weekday difference and the holiday difference as the adaptive model. For example, if the weekday difference is small, the weekday fluctuation pattern P1 is selected as the adaptive model. The selected adaptive model (for example, weekday fluctuation pattern P1) is output to the abnormality detection unit 15.
The comparison unit 13 and the selection unit 14 may be combined into one function unit (for example, a comparison / selection unit).

  The abnormality detection unit 15 acquires time-series data corresponding to the weekday fluctuation pattern P1 as the adaptive model selected by the selection unit 14 from the data storage unit 16, and compares the acquired time-series data with a threshold th2 (described later). To detect abnormalities. The abnormality detection unit 15 stores various threshold values th2 corresponding to various variation patterns (weekday and holiday variation pattern estimated values P1f and P2f) in a storage unit (not shown) such as a memory. The threshold value th2 is used to determine whether or not the time-series data (traffic amount) that is an abnormality detection target is abnormal.

  Therefore, the abnormality detection unit 15 detects the abnormality by comparing the time series data acquired from the data storage unit 16 with the threshold value th2 corresponding thereto. For example, the abnormality detection unit 15 detects an abnormality by comparing the time-series data corresponding to the acquired weekday fluctuation pattern P1 with the threshold value th2 corresponding thereto. At this time, the abnormality detection unit 15 detects an abnormality if the average value of the time-series data exceeds the threshold th2.

  In addition, the abnormality detection unit 15 may derive an inclination from the differentiation of the time series data, and may detect an abnormality if the inclination exceeds another threshold th3. Note that the threshold th3 is for determining an abnormality if the inclination exceeds a predetermined angle.

  Further, the abnormality detection unit 15 stores the abnormality detection result in the abnormality detection result storage unit 18. The stored abnormality detection result is notified to the input / output device 20. The normal detection result may also be stored according to a predetermined condition or the like.

<Operation of Embodiment>
Next, an operation of detecting an abnormality in communication traffic of the network device by the time-series data abnormality monitoring device 10 will be described with reference to a flowchart shown in FIG.
In step S1 shown in FIG. 4, the traffic volume measured at the time of communication under different conditions of the network device (not shown) is input from the input / output device 20 to the calculation unit 11 of the abnormality monitoring device 10 as time series data. The data storage unit 16 stores the data in chronological order.

  In step S <b> 2, the calculation unit 11 performs various clustering processes using average and variance on the input time series data to create various variation patterns. For example, as shown in FIG. 2A, it is assumed that a weekday fluctuation pattern P1 and a holiday fluctuation pattern P2 are created. The created patterns P1 and P2 are stored in the variation pattern storage unit 17.

  Further, the calculation unit 11 associates each variation pattern P1 and P2 created in step S1 with the time-series data stored in the data storage unit 16 from the input / output device 20. By this association, it is defined which variation pattern P1, P2 the stored time-series data is classified. Furthermore, the calculation unit 11 outputs the time series data input from the input / output device 20 to the estimation unit 12 as it is.

  In step S <b> 3, the estimation unit 12 estimates a future value (estimated value) that does not exist in the time series data acquired from the calculation unit 11 by extrapolation. That is, a line is connected and extended along the time axis of the window W width between 90 and 170 points shown in FIG. 2C, and an estimated value which is a future value of the time series data is obtained by this extension line. For example, if the time-series data output in real time from the calculation unit 11 is data corresponding to the weekday fluctuation pattern P1, an estimated value P1f corresponding to the broken line extension of the window W of the weekday fluctuation pattern P1 is obtained. The estimation unit 12 outputs the obtained estimated value P1f to the comparison unit 13.

  In step S <b> 4, the comparison unit 13 acquires the past weekday and holiday variation patterns P <b> 1 and P <b> 2 in the time zone corresponding to the estimated value P <b> 1 f input from the estimation unit 12 from the variation pattern storage unit 17. Next, in step S5, the comparison unit 13 compares the acquired weekday and holiday fluctuation patterns P1 and P2 with the estimated value P1f, and compares the difference between the estimated value P1f and the weekday fluctuation pattern P1 (weekday difference), and A difference (holiday difference) between the estimated value P1f and the holiday variation pattern P2 is obtained. These weekday difference and holiday difference are output to the selection unit 14.

  In step S6, the selection unit 14 selects a smaller difference between the holiday difference and the weekday difference, for example, the weekday fluctuation pattern P1 corresponding to the smaller weekday difference as the adaptive model. The weekday fluctuation pattern P1 of the selected adaptive model is output to the abnormality detection unit 15.

  In step S <b> 7, the abnormality detection unit 15 acquires time series data corresponding to the weekday fluctuation pattern P <b> 1 as the selected adaptive model from the data storage unit 16. In step S8, the abnormality detection unit 15 compares the acquired average value of the time series data with the threshold value th2 corresponding thereto. In step S9, the abnormality detection unit 15 determines whether or not the average value exceeds the threshold th2 in the comparison in step S8.

  As a result, when it is determined that the number exceeds (Yes), the abnormality detection unit 15 detects an abnormality in step S10 and stores the abnormality detection result in the abnormality detection result storage unit 18. On the other hand, if it is determined (No) that it does not exceed, it is detected as normal in step S11.

<Effect of embodiment>
As described above, the time-series data abnormality monitoring apparatus 10 according to the present embodiment monitors time-series data fluctuations due to communication traffic of a network device and detects the abnormality of the time-series data. The characteristic configuration.
(1) Various variation patterns corresponding to different conditions are obtained from time series data, and the calculation unit 11 classifies and stores the various variation patterns in the variation pattern storage unit 17, and future values that do not exist in the time series data. And an estimation unit 12 that estimates and calculates a certain estimated value. Also, various past fluctuation patterns corresponding to the estimated time zone of the estimated value are acquired from the fluctuation pattern storage unit 17, each of the acquired various fluctuation patterns is compared with the estimated value, and the estimated value and A comparison unit 13 for obtaining a plurality of differences from each of the various variation patterns, and a selection unit 14 for selecting a variation pattern corresponding to the smallest difference among the plurality of differences obtained by the comparison unit 13 as an adaptive model. . Furthermore, it is configured to include an abnormality detection unit 15 that detects an abnormality when the time-series data corresponding to the selected variation pattern as the adaptive model exceeds a predetermined threshold.

  According to this configuration, an estimated value that is a future value of time-series data is obtained, and a variation pattern having the smallest difference from the estimated value among various past variation patterns in the same time zone as this estimated value is used as an adaptive model. select. Then, an abnormality is detected when the current time-series data corresponding to the variation pattern as the selected adaptive model exceeds a predetermined threshold. For this reason, the adaptive model corresponding to the present time series data can detect the fluctuation of the time series data. Therefore, even if an abnormality occurs due to unspecified fluctuations in time-series data such as communication traffic of the network device, the abnormality can be properly detected.

  (2) The estimation unit 12 holds the time-series data in a time-series order for a predetermined time, and extrapolates the time-series data having the predetermined time width so that the time-series data does not exist. The extrapolation result was obtained as an estimated value.

  Thereby, it is possible to appropriately estimate and obtain an estimated value that is a future value of time series data as real-time data.

  In addition, about a concrete structure, it can change suitably in the range which does not deviate from the main point of this invention.

10 Time series data abnormality monitoring device (Abnormality monitoring device)
11 Fluctuation pattern calculation unit (calculation unit)
12 Data estimation part (estimation part)
13 Comparison Unit 14 Selection Unit 15 Abnormality Detection Unit 16 Data Storage Unit 17 Fluctuation Pattern Storage Unit 18 Abnormality Detection Result Storage Unit 20 Input / Output Device

Claims (3)

A time-series data abnormality monitoring device that monitors fluctuations in time-series data indicated by a communication traffic amount of a network device and detects an abnormality in the time-series data,
Obtaining various variation patterns according to different conditions from the time series data, a calculation unit that classifies and stores the various variation patterns in a storage unit;
An estimation unit that estimates and obtains an estimated value that is a future value that does not exist in the time series data;
The past various variation patterns corresponding to the estimated time zone of the estimated value are acquired from the storage means, each of the acquired various variation patterns is compared with the estimated value, and the estimated value and the various variations are compared. A comparison unit for obtaining a plurality of differences from each of the patterns;
Among a plurality of difference calculated by the comparison unit, a selection unit to select a change pattern corresponding to the smallest difference,
Wherein the time series data corresponding to the selected fluctuation pattern, the various abnormality detection unit for detecting an abnormality when exceeding the selected threshold corresponding to a variation pattern of the threshold value determined for each change pattern And a time-series data abnormality monitoring device. The estimation unit holds the time-series data in a time-series order for a predetermined time, and extrapolates a range where the time-series data does not exist, obtained by performing extrapolation on the held time-series data having a predetermined time width. The time series data abnormality monitoring apparatus according to claim 1, wherein a result is obtained as the estimated value. A time-series data abnormality monitoring method by a time-series data abnormality monitoring apparatus that monitors fluctuations in time-series data indicated by communication traffic volume of a network device and detects abnormality of the time-series data,
The time-series data abnormality monitoring device is
Obtaining various variation patterns according to different conditions from the time series data, classifying and storing the various variation patterns in a storage means;
Estimating and determining an estimated value that is a future value of the time series data; and
The past various variation patterns corresponding to the estimated time zone of the estimated value are acquired from the storage means, each of the acquired various variation patterns is compared with the estimated value, and the estimated value and the various variations are compared. Obtaining a plurality of differences from each of the patterns;
Among a plurality of difference to which the obtained, the steps of selecting a variation pattern corresponding to the smallest difference,
And a step in which the time-series data corresponding to the fluctuation pattern said selected senses abnormal when exceeding the selected threshold corresponding to a change pattern of said determined for each type of variation patterns threshold An apparatus monitoring control method, which is executed.