JP6646553B2 - Program, apparatus, and method for detecting abnormal state from time-series event group - Google Patents

Description

  The present invention relates to a technology for detecting an abnormal state from a time-series event group accompanied by a state change.

  In an ICT (Information and Communication Technologies) network, a large number of various events may occur from one cause. For example, when a failure occurs in one communication device, a large number of unique events occur at the time of abnormality from many different communication devices such as servers and routers. A network administrator needs to quickly detect a communication device in which a failure has occurred and shorten the abnormal state period as much as possible. Generally, an abnormal state in a network is directly detected by an alert transmitted by a communication device by itself.

  On the other hand, when an abnormal state occurs, an alert is not always issued. An attempt is made to operate normally as a whole network while allowing the behavior of a communication device in which a failure has occurred. Therefore, it is necessary to detect an abnormal state based on information other than the alert.

2. Description of the Related Art Conventionally, there is a technology for detecting an abnormal state using a time-series event group transmitted from a communication device.
For example, there is a technique using a machine learning algorithm such as naive Bayes, a support vector machine, and a decision tree (for example, see Patent Documents 1 to 3). According to this technique, an abnormal state is detected based on a combination of generated events.
There is also a technique using a time-series event group with a small number of occurrences using a Markov model with time (for example, see Non-Patent Document 1). According to this technology, an abnormal state is detected by associating an event occurrence sequence and an occurrence time interval.

JP-A-2012-128583 JP 2013-191672 A JP 2013-13075 A

Yoshiyoshi Kondo et al., "Proposal of Fault Detection Method Using Markov Model with Time", IPSJ SIG Technical Report, Vol.2016-IOT-32 No.18, 2016/03, [online], [September 22, 2016 Search], Internet <URL: https://ipsj.ixsq.nii.ac.jp/ej/index.php?active_action=repository_view_main_item_detail&page_id=13&block_id=8&item_id=157703&item_no=1>

According to the techniques described in Patent Documents 1 to 3, it is not possible to detect the spread of an abnormal state to the entire network because the order of occurrence and the time interval of events are not considered.
Further, according to the technology described in Non-Patent Document 1, since the determination is made based only on the probability of occurrence of a time-series event, the probability of the determination of the abnormality is low. In particular, there has been a problem that a determination threshold for determining whether or not an abnormal state is present is arbitrarily set, and the criteria for determining an abnormal state in a time-series event are not optimized.

  In the first place, if a large number of various event groups can be separated in a normal state / abnormal state in real time, it can be considered that a fault location causing the cause can be easily estimated. However, in general, the relevance between events is extremely complicated and lacks regularity, so that it is difficult to distinguish and determine a normal state / abnormal state.

  On the other hand, the inventors of the present application may be able to detect different behaviors between the normal event group and the abnormal event group if the event indicates a state change. I thought. That is, if the determination threshold value that causes different behavior can be optimally set, the probability of the determination of the abnormality can be increased. I thought.

  Accordingly, an object of the present invention is to provide a program, an apparatus, and a method capable of optimally setting a threshold for determining whether or not an abnormal state is present based on a change in the state of an event from various time-series event groups. And

According to the present invention, there is provided a program for causing a computer mounted on an apparatus for determining an abnormality to a time-series operation event group E ′ _M to be implemented,
Markov model learning means for learning a time-based Markov model that calculates the transition probability from state i to state j according to the staying time of state i, using all event groups E _N in the time series based on the teacher data;
For each of the normal event group P ⁰ and the abnormal event group P ^{1 in the} past time series based on the teacher data, the addition value or the multiplication value of the transition probability in the state transition is calculated as the evaluation value, and the appearance for the evaluation value is calculated. Evaluation value distribution calculating means for calculating an evaluation value distribution R that counts frequencies;
The transition probability g _xixj between states i to j is the minimum evaluation value R ⁰ _min of the evaluation value distribution R ⁰ of the normal event group and the maximum evaluation value R ¹ of the evaluation value distribution R ¹ of the abnormal event group. Weighting the coefficient α _xixj that maximizes the difference from ¹ _max, and causing the computer to function as evaluation threshold calculation means for calculating an evaluation threshold,
The evaluation value distribution calculating means further calculates an evaluation value distribution R for the operation-time event group E ′ _M ,
When the evaluation value distribution of the operation event group E ′ _M is biased below the evaluation threshold value, the computer is further caused to function as abnormality determination means for determining an abnormality.

According to another embodiment of the program of the present invention,
The transition probability from state i to state j according to the staying time of state i is
g _ij × F _ij (T)
g _ij : Probability of transition between states i to j F _ij (T _i ): State transition for state i to state j within stay time T _i = t _j −t _i in state _i It is also desirable to have the computer function as represented by probabilities.

According to another embodiment of the program of the present invention,
Event group _{E N = {e 1, e} 2, ···, e N} each event e _n in the, e _n, including the generation time and generating post-state = (t _n, x _n)
t _n: e _n the time of occurrence of
x _n: after the occurrence state of e _n, x _n ∈Y
Y: the total set of states can be caused by an event group E _N
Y = {y ₁ , y ₂ ,..., Y _s }
It is also preferable to make the computer function as described above.

According to another embodiment of the program of the present invention,
In the event group E _N , an event group P _{v, K obtained} by cutting out a predetermined number K of continuous time series by a sliding window method is as follows:
The normal time event group P ^{0 in the} past time series is an event group determined to be normal in each event group P _{v, K} ,
Abnormal event group P ¹ of the time series of the past, each event group P _v, is abnormal when the determined event group in _{K P v, K = {e} v, e v + 1, ··· , e _{v + K-1} ｝, v = (1,2, ..., N-K + 1)
P = {P _{1, K} , P _{2, K} , ..., P _{N-K + 1, K} }
P ⁰ = {P ⁰ | P ⁰ is a normal event group, P ⁰ ∈P}
P ¹ = {P ¹ | P ¹ is an abnormal event group, P ¹ ∈P}
It is also preferable to make the computer function as described above.

According to another embodiment of the program of the present invention,
The coefficient α _xixj is calculated by optimizing as a linear programming problem based on the following objective function and constraints.
Maximization α _max = R ⁰ _min -R ¹ _max
Restrictions:
^{R (P 0) = {R} (p 0) | p 0 ∈P 0}: the set R (P ¹⁾ of the evaluation value based on the normal-time event group ^{= {R (p 1) |} p 1 ∈P 1}: Set of evaluation values based on abnormal event group R ⁰ _min = min (R (P ⁰ )): Minimum evaluation value based on normal event group R ¹ _max = min (R (P ¹ )): Normal event group Based evaluation value R ⁰ _min > R ¹ _max : the evaluation value based on the normal event group is a larger value α _xixj > 0
It is also preferable to make the computer function as described above.

According to another embodiment of the program of the present invention,
Evaluation threshold calculating means calculates a minimum evaluation value R ⁰ _min evaluation value distribution based on the normal time of the event group, the median between the maximum evaluation value R ¹ _max of the evaluation value distribution based on abnormal event group, as an evaluation threshold It is also preferable to operate the computer in such a manner as to perform the operation.

According to another embodiment of the program of the present invention,
An event is a data packet transmitted from a communication device,
It is also preferable to make the computer function such that the state is “with link + first speed”, “with link + second speed”, and “without link” at each port of the communication device.

According to the present invention, there is provided an apparatus for determining an abnormality with respect to a time-series operation event group E ′ _M ,
A Markov model learning unit that learns a time-based Markov model that calculates a transition probability from the state i to the state j according to the staying time of the state i, using all event groups E _N in the time series based on the teacher data;
For each of the normal event group P ⁰ and the abnormal event group P ^{1 in the} past time series based on the teacher data, the addition value or the multiplication value of the transition probability in the state transition is calculated as the evaluation value, and the appearance for the evaluation value is calculated. Evaluation value distribution calculating means for calculating an evaluation value distribution R that counts frequencies;
The transition probability g _xixj between states i to j is the minimum evaluation value R ⁰ _min of the evaluation value distribution R ⁰ of the normal event group and the maximum evaluation value R ¹ of the evaluation value distribution R ¹ of the abnormal event group. Weighting a coefficient α _xixj that maximizes the difference from ¹ _max, and evaluation threshold calculation means for calculating an evaluation threshold,
The evaluation value distribution calculating means further calculates an evaluation value distribution R for the operation-time event group E ′ _M ,
It is characterized in that it further comprises abnormality determining means for determining an abnormality when the evaluation value distribution of the in-operation event group E ′ _M is biased below the evaluation threshold.

According to the present invention, there is provided an abnormality determination method for a device which determines an abnormality with respect to a time-series operation event group E ′ _M ,
The equipment is
As a learning stage,
Using all sets of events E _N time series based on the training data, and the eleventh step of learning Timed Markov model to calculate the probability of transition from state i corresponding to the residence time of the state i to state j,
For each of the normal event group P ⁰ and the abnormal event group P ^{1 in the} past time series based on the teacher data, an added value or a multiplied value of the transition probability in the state transition is calculated as an evaluation value, and the appearance for the evaluation value is calculated. A twelfth step of calculating an evaluation value distribution R obtained by counting the frequency,
The transition probability g _xixj between states i to j is the minimum evaluation value R ⁰ _min of the evaluation value distribution R ⁰ of the normal event group and the maximum evaluation value R ¹ of the evaluation value distribution R ¹ of the abnormal event group. Weighting a coefficient α _xixj that maximizes the difference from ¹ _max, and calculating a thirteenth step of calculating an evaluation threshold.
As an operation stage,
A twenty-first step of calculating an added value or a multiplied value of transition probabilities in a state transition as an evaluation value for the operation-time event group E ′ _M , and calculating an evaluation value distribution R obtained by counting appearance frequencies with respect to the evaluation value; ,
When the evaluation value distribution of the in-operation event group E ′ _M is biased below the evaluation threshold value, the 22nd step of determining an abnormality is further executed.

  ADVANTAGE OF THE INVENTION According to the program, apparatus, and method of this invention, the program, apparatus, and method which can optimally set the determination threshold value whether it is an abnormal state based on the change of the state of an event from various time-series event groups The purpose is to provide.

FIG. 1 is a system configuration diagram having an abnormality determination device of the present invention. FIG. 3 is a functional configuration diagram of the abnormality determination device according to the present invention. It is explanatory drawing showing the state transition in Markov model learning with time. FIG. 9 is an explanatory diagram illustrating evaluation thresholds for determination using an evaluation value distribution in a normal state and an evaluation value distribution in an abnormal state. FIG. 9 is an explanatory diagram illustrating a determination as to whether or not an abnormal state exists from a group of events during operation.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a system configuration diagram having the abnormality determination device of the present invention.

According to FIG. 1, the abnormality determination device 1 is arranged in a business network and detects an abnormal state in many communication devices. Each communication device transmits an "event" indicating its own state, not limited to an alarm for notifying an abnormality (for example, a link down or a signal synchronization error). The abnormality determination device 1 detects an abnormal state by collecting the event group. As a communication device arranged in a company network, for example, there is a route control device such as a router or a switch.
The carrier network may be, for example, an access network such as LTE (Long Term Evolution) or WiMAX (Worldwide Interoperability for Microwave Access), or a core network such as IMS.

An “event” is a data packet including a state transmitted from a communication device.
The “state” is, for example, in the case of a switch, such as “with link + first speed”, “with link + second speed”, and “without link” at each port.
Also, each event e _n in an event group _{E N = {e 1, e} 2, ···, e N} includes occurrence time and after occurrence state.
e _n = (t _n , x _n )
e _n : nth event
t _n: e _n the time of occurrence of
x _n: the generation state after event e _n, information indicating the correlation with other events is not included at all, as compared to only each other event, but can not find its correlation.

  FIG. 2 is a functional configuration diagram of the abnormality determination device according to the present invention.

  According to FIG. 2, the abnormality determination device 1 of the present invention includes a teacher data storage unit 10, an entire event group input unit 110, a learning event group input unit 120, and an operation event group input unit 210. Further, the abnormality determination device includes a Markov model learning unit 11, evaluation value distribution calculation units 12 and 21, an evaluation threshold value calculation unit 13, and an abnormality determination unit 22. These functional components are realized by executing a program that causes a computer mounted on the device to function. In addition, the flow of processing of these functional components can be understood as an abnormality determination method using the device.

Further, the abnormality determination device 1 of the present invention is divided into a <model learning stage>, an <evaluation threshold learning stage>, and an <operation stage>.
The abnormality determination device 1 includes an all event group input unit 110 and a Markov model learning unit 11 as a model learning stage.
Further, the abnormality determination device 1 includes a learning event group input unit 120, an evaluation value distribution calculation unit 12, and an evaluation threshold calculation unit 13 as an evaluation threshold learning stage.
Further, the abnormality determination device 1 includes an operation event group input unit 210, an evaluation value distribution calculation unit 21, and an abnormality determination unit 22 as an operation stage.

[Teacher data storage unit 10]
The teacher data storage unit 10 stores the “normal event group” and the “abnormal event group” collected in the past as teacher data in advance. Here, a time-series event group is stored so as to distinguish between a normal time and an abnormal time.
In the model learning stage, the teacher data storage unit 10 outputs all event groups.
In the evaluation threshold learning stage, the teacher data storage unit 10 outputs the normal event group and the abnormal event group separately.

<Model learning stage>
[All event group input unit 110]
The all event group input unit 110 receives all event groups from the teacher data storage unit 10 and outputs them to the Markov model learning unit 11.

[Markov model learning unit 11]
The Markov model learning unit 11 uses all the time-series event groups E _N based on the teacher data to “time-markov model with transition calculated from state i to state j according to the staying time of state i”. To learn.

The “Markov model” refers to a probabilistic model having a property that a future state is determined only by a current state and is not related to past behavior.
"Markov model with time" is a Markov model in which the state transition probability depends on time, and the state transition in which the transition probability changes according to the staying time in the transition source state from one state to the next state Refers to a model.

  FIG. 3 is an explanatory diagram showing a state transition in Markov model learning with time.

For example the state x _n events e _n occurs after the communication device, the all-state group Y which may be caused by an event group E _N, the following relationship.
x _n ∈ Y = {y ₁ , y ₂ ,..., y _s
y: state of Markov model with time
x _n : state after the occurrence of e _n One state transition x _h → from any two consecutive events e _h , e _{h + 1} (h = 1,2,..., N−1) in E _N x _{h + 1} . At this time, the time spent in the transition source state is represented by t _{h + 1} −th _h .
All state transitions are extracted from E _N , and the following is calculated for y _i → y _j (i, j = 1, 2,..., S).
g _ij : transition probability f _yiyj (T _i ) between the state y _i to the state y _j : for the state transition of y _i → y _j , the stay time T _i = t _j −t _{i in} the state y _i Probability Density Representing Distribution The state transition in FIG. 3 is constructed by learning with all event groups in the teacher data.

<Evaluation threshold learning stage>
[Learning event group input unit 120]
The learning event group input unit 120 separately inputs the normal event group and the abnormal event group from the teacher data storage unit 10, and outputs the event group to the evaluation value distribution calculation unit 12.

[Evaluation Value Distribution Calculation Unit 12]
The evaluation value distribution calculation unit 12 calculates, as an evaluation value, an addition value or a multiplication value of transition probabilities in a state transition for each of the normal event group and the abnormal event group in the past time series based on the teacher data. An evaluation value distribution R obtained by counting the appearance frequency for the evaluation value is calculated.

A predetermined number K of continuous time series is cut out from each of the event groups E _{N in the} normal / abnormal state by a sliding window method to obtain an event group P _{v, K.
Pv, K} = { _ev , _{ev + 1} , ..., _{ev + K-1} }, v = (1,2, ..., N-K + 1)
K: Length continuous from E _N (arbitrary integer)
A set of the extracted event groups P _{v, K} is represented as follows.
P = {P _{1, K} , P _{2, K} , ..., P _{N-K + 1, K} }

Then, it is divided into two sets for normal time and abnormal time.
The normal event group P ^{0 in the} past time series is an event group determined to be normal in each event group P _{v, K.}
P ⁰ = {P ⁰ | P ⁰ is a normal event group, P ⁰ ∈P}
Abnormal event group P ¹ of the time series of the past is the abnormality judged event group in each event group P _{v, K.}
P ¹ = {P ¹ | P ¹ is an abnormal event group, P ¹ ∈P}

An evaluation value is calculated from each element of P ⁰ and P ¹ to create an evaluation value distribution R (P _{v, K} ).
_{R (P v, K) =} q (x v) Σ v + K-2 i = v (g xixi + 1 × F xixi + 1 (t i + 1 -t i))
F _yiyj (T _i ) = ∫ ₀ ^Ti f _yiyj (u) du
q (x _n ): Probability that x _n is the initial state among all states
F _ij (T _i ): Probability of state transition within stay time T _i = t _j −t _i at y _i for transition from y _i to y _j “from state i according to stay time of state i to state The transition probability to j is represented by the following equation.
g _ij × F _ij (T)

Then, evaluation value distribution calculation unit 12, the evaluation value of the evaluation value distribution R ⁰ and abnormal event groups normally when an event group distribution R ¹ and, respectively, to output to the evaluation threshold value calculation unit 13.

[Evaluation Threshold Calculation Unit 13]
Evaluation threshold calculating unit 13, with the evaluation value distribution R ⁰ of the normal time of the event group and the evaluation value distribution R ¹ of abnormal events group, calculates the evaluation threshold of a predetermined condition.

  FIG. 4 is an explanatory diagram showing evaluation thresholds for determination using the evaluation value distribution in a normal state and the evaluation value distribution in an abnormal state.

According to FIG. 4A, the distribution of the appearance frequency with respect to the evaluation value is shown separately for the normal state and the abnormal state.
The evaluation value calculated from the normal event group is larger than the evaluation value calculated from the abnormal event group. In addition, the boundary between the evaluation value distribution of the normal event group and the evaluation value distribution of the abnormal event group serves as an index (evaluation threshold) for determining normal / abnormal.

(First Embodiment in Optimization of Evaluation Threshold)
According to FIG. 4B, the distribution of the appearance frequency with respect to the evaluation value is shown separately for the normal state and the abnormal state.
Here simply, the evaluation threshold value calculation unit 13, the median and the minimum evaluation value R ⁰ _min evaluation value distribution based on normal time event group, the maximum evaluation value R ¹ _max of the evaluation value distribution based on abnormal events group _Is calculated as the evaluation threshold _Rz .
z = (R ⁰ _min + R ¹ _max ) / 2

(Second Embodiment in Optimization of Evaluation Threshold)
According to FIG. 4 (c), different evaluation value distributions are _shown for the normal state and the abnormal state in which the coefficient α _xixj is weighted.
An evaluation value distribution R ⁰ of the normal time of event groups, as evaluation value of abnormal event group and the distribution R ¹ is away, it is possible to determine exactly normal state / an abnormal state.
Therefore, the evaluation threshold calculating unit 13 calculates the transition probability g _xixj between the state i and the state j , the minimum evaluation value R ⁰ _min of the evaluation value distribution R ⁰ of the normal event group, and the evaluation of the abnormal event group. The coefficient α _xixj that maximizes the difference between the value distribution R ^{1 and} the maximum evaluation value R ¹ _max is weighted to calculate an evaluation threshold.

A coefficient α _xixj is weighted to the above-described expression of the evaluation value distribution R (P _{v, K} ).
_{R (P v, K) =} q (x v) Σ v + K-2 i = v (α xixi + 1 × g xixi + 1 × F xixi + 1 (t i + 1 -t i))
It is _assumed that the coefficient α _yiyj has been calculated as an optimization as a linear programming problem based on the following objective function and constraints.
Objective function:
Maximization α _max = R ⁰ _min -R ¹ _max
Restrictions:
^{R (P 0) = {R} (p 0) | p 0 ∈P 0}: the set R (P ¹⁾ of the evaluation value based on the normal-time event group ^{= {R (p 1) |} p 1 ∈P 1}: Set of evaluation values based on abnormal event group R ⁰ _min = min (R (P ⁰ )): Minimum evaluation value based on normal event group R ¹ _max = min (R (P ¹ )): Normal event group Based evaluation value R ⁰ _min > R ¹ _max : the evaluation value based on the normal event group is a larger value α _xixj > 0

<Operation stage>
[Operation event group input unit 210]
The operation event group input unit 210 inputs the time-series operation event group E ′ _M and outputs it to the evaluation value distribution calculation unit 21.

[Evaluation Value Distribution Calculation Unit 21]
The evaluation value distribution calculation unit 21 calculates the evaluation value distribution R ′ for the in-operation event group E ′ _M as described above.
From a time-series operation event group E ′ _M = {e ′ ₁ , e ′ ₂ ,..., E ′ _M }, a predetermined number K of continuous time series is determined by a sliding window method using an event group P ′ _v, Cut out _K.
P ' _{w, K} = {e _w , e _{w + 1} , ..., e _{w + K-1} }, w = (1,2, ..., M-K + 1)
A set of the extracted event groups P _{v, K} is represented as follows.
P '= {P'1 _{, K} , P'2 _{, K} , ..., P'M _{-K + 1, K} }
Then, an evaluation value R (P ′ _{w, K} ) is calculated for each element of P ′.

[Abnormality determination unit 22]
When the evaluation value distribution R ′ of the in-operation event group E ′ _M is biased below the evaluation threshold _Rz , the abnormality determination unit 22 determines that an abnormality has occurred.

  FIG. 5 is an explanatory diagram illustrating a determination as to whether or not an abnormal state exists from a group of events during operation.

According to FIG. 5A, the center of the evaluation value distribution R ′ based on the event group during operation is biased below the evaluation threshold _Rz . In this case, the event group during operation is determined to be abnormal.
According to FIG. 5B, the center of the evaluation value distribution R ′ based on the event group at the time of operation is biased higher than the evaluation threshold _Rz . In this case, the event group at the time of operation is determined to be normal.

  In the above-described embodiment, the event has been described as a packet transmitted from the communication device arranged in the carrier network, but the present invention is not limited to this. That is, if the event group indicates a state change, an abnormality can be determined in various uses. For example, the present invention can be applied to various large-scale business systems such as a power generation / transmission system, a distribution system such as water supply, and various production / manufacturing plants.

  As described above in detail, according to the program, the apparatus, and the method of the present invention, from various time-series event groups, the threshold value for judging whether or not the state is abnormal is optimally set based on the state change of the event. can do.

  For the above-described various embodiments of the present invention, various changes, modifications, and omissions in the scope of the technical idea and viewpoint of the present invention can be easily performed by those skilled in the art. The foregoing description is merely an example, and is not intended to be limiting. The invention is limited only as defined by the following claims and equivalents thereof.

DESCRIPTION OF SYMBOLS 1 Abnormality determination apparatus 10 Teacher data storage part 110 All event group input part 11 Markov model learning part 120 Learning event group input part 12, 21 Evaluation value distribution calculation part 13 Evaluation threshold value calculation part 210 Operation event group input part 22 Abnormality determination part

Claims (9)

A program for causing a computer mounted on a device for determining an abnormality to the time-series operation event group E ′ _M to be functioning,
Markov model learning means for learning a time-based Markov model that calculates the transition probability from state i to state j according to the staying time of state i, using all event groups E _N in the time series based on the teacher data;
For each of the normal event group P ⁰ and the abnormal event group P ^{1 in the} past time series based on the teacher data, an added value or a multiplied value of the transition probabilities in the state transition is calculated as an evaluation value. Evaluation value distribution calculating means for calculating an evaluation value distribution R in which appearance frequencies are counted;
The transition probability g _xixj between states i to j is the minimum evaluation value R ⁰ _min of the evaluation value distribution R ⁰ of the normal event group and the maximum evaluation value R ¹ of the evaluation value distribution R ¹ of the abnormal event group. the difference between the ¹ _max Te weighting coefficients alpha _XiXj maximize, causes the computer to function as an evaluation threshold calculating means for calculating the evaluation threshold,
The evaluation value distribution calculating means further calculates an evaluation value distribution R for the operation-time event group E ′ _M ,
A computer-readable storage medium storing a program for causing a computer to further function as abnormality determination means for determining an abnormality when the evaluation value distribution of the in-operation event group E ′ _M is biased below the evaluation threshold. The transition probability from the state i to the state j according to the staying time of the state i is:
g _ij × F _ij (T)
g _ij : Probability of transition between states i to j F _ij (T _i ): State transition for state i to state j within stay time T _i = t _j −t _i in state _i The program according to claim 1, wherein the program causes a computer to function as a probability. Event group _{E N = {e 1, e} 2, ···, e N} each event e _n in the, e _n, including the generation time and generating post-state = (t _n, x _n)
t _n: e _n the time of occurrence of
x _n: after the occurrence state of e _n, x _n ∈Y
Y: the total set of states can be caused by an event group E _N
Y = {y ₁ , y ₂ ,..., Y _s }
The program according to claim 1, wherein the program causes a computer to function as described above. In the event group E _N , an event group P _{v, K obtained} by cutting out a predetermined number K of continuous time series by a sliding window method is as follows:
The normal time event group P ^{0 in the} past time series is an event group determined to be normal in each event group P _{v, K} ,
Abnormal event group P ¹ of the time series of the past, each event group P _v, is abnormal when the determined event group in _{K P v, K = {e} v, e v + 1, ··· , e _{v + K-1} ｝, v = (1,2, ..., N-K + 1)
P = {P _{1, K} , P _{2, K} , ..., P _{N-K + 1, K} }
P ⁰ = {P ⁰ | P ⁰ is a normal event group, P ⁰ ∈P}
P ¹ = {P ¹ | P ¹ is an abnormal event group, P ¹ ∈P}
The program according to any one of claims 1 to 3, which causes the computer to function as described above. The coefficient α _xixj is calculated by optimizing as a linear programming problem based on the following objective function and constraints.
Maximization α _max = R ⁰ _min -R ¹ _max
Restrictions:
^{R (P 0) = {R} (p 0) | p 0 ∈P 0}: the set R (P ¹⁾ of the evaluation value based on the normal-time event group ^{= {R (p 1) |} p 1 ∈P 1}: Set of evaluation values based on abnormal event group R ⁰ _min = min (R (P ⁰ )): Minimum evaluation value based on normal event group R ¹ _max = min (R (P ¹ )): Normal event group Based evaluation value R ⁰ _min > R ¹ _max : the evaluation value based on the normal event group is a larger value α _xixj > 0
The program according to any one of claims 1 to 4, which causes a computer to function as described above. The evaluation threshold value calculation means, the minimum evaluation value R ⁰ _min evaluation value distribution based on the normal time of the event group, the median between the maximum evaluation value R ¹ _max of the evaluation value distribution based on abnormal events group, the evaluation threshold The program according to any one of claims 1 to 5 , wherein the program is caused to function as a computer. The event is a data packet transmitted from the communication device,
2. The computer according to claim 1, wherein the state is such that the state of each port of the communication device is "with link + first speed", "with link + second speed", and "without link". The program according to any one of items 6 to 6 . A device for determining an abnormality with respect to a time-series operation event group E ′ _M ,
A Markov model learning unit that learns a time-based Markov model that calculates a transition probability from the state i to the state j according to the staying time of the state i, using all event groups E _N in the time series based on the teacher data;
For each of the normal event group P ⁰ and the abnormal event group P ^{1 in the} past time series based on the teacher data, an added value or a multiplied value of the transition probabilities in the state transition is calculated as an evaluation value. Evaluation value distribution calculating means for calculating an evaluation value distribution R in which appearance frequencies are counted;
The transition probability g _xixj between states i to j is the minimum evaluation value R ⁰ _min of the evaluation value distribution R ⁰ of the normal event group and the maximum evaluation value R ¹ of the evaluation value distribution R ¹ of the abnormal event group. the difference between the ¹ _max Te weighting coefficients alpha _XiXj maximizing, and having an evaluation threshold calculating means for calculating the evaluation threshold,
The evaluation value distribution calculating means further calculates an evaluation value distribution R for the operation-time event group E ′ _M ,
An apparatus, further comprising: abnormality determination means for determining an abnormality when the evaluation value distribution of the in-operation event group E ′ _M is biased below the evaluation threshold. An abnormality determination method for an apparatus that determines an abnormality with respect to a time-series operation event group E ′ _M ,
The device comprises:
As a learning stage,
Using all sets of events E _N time series based on the training data, and the eleventh step of learning Timed Markov model to calculate the probability of transition from state i corresponding to the residence time of the state i to state j,
For each of the normal event group P ⁰ and the abnormal event group P ^{1 in the} past time series based on the teacher data, an added value or a multiplied value of the transition probabilities in the state transition is calculated as an evaluation value. A twelfth step of calculating an evaluation value distribution R obtained by counting the appearance frequency;
The transition probability g _xixj between states i to j is the minimum evaluation value R ⁰ _min of the evaluation value distribution R ⁰ of the normal event group and the maximum evaluation value R ¹ of the evaluation value distribution R ¹ of the abnormal event group. the difference between the ¹ _max Te weighting coefficients alpha _XiXj to maximize run a thirteenth step of calculating the evaluation threshold,
As an operation stage,
A twenty-first step of calculating an added value or a multiplied value of the transition probabilities in the state transition for the operation event group E ′ _M as an evaluation value, and calculating an evaluation value distribution R obtained by counting the appearance frequency with respect to the evaluation value; When,
A method for determining an abnormality of the apparatus, further comprising the step of: determining that the evaluation value distribution of the in-operation event group E ′ _M is abnormal when the distribution of the evaluation values is less than or equal to the evaluation threshold value.

Images