JP7331567B2 - Information processing device, information processing method, and computer program - Google Patents

Description

The present disclosure relates to technology for generating information related to information system monitoring.

Information systems in operation are monitored in order to detect that an abnormality has occurred in the information system. As a technique for monitoring an information system, for example, there is a technique for detecting the occurrence of an abnormality by setting a certain threshold for the performance value of the information system and determining whether or not the performance value exceeds the threshold. However, since the normal performance value may vary depending on the time zone in which the information system is operating, there is a possibility that an abnormality cannot be detected accurately if the threshold remains constant.

On the other hand, in Patent Document 1, regarding a database management system, a baseline indicating a predicted performance value is generated from performance values for a certain period of time, and the baseline value and the actually obtained performance value are compared. A technique for detecting an anomaly is disclosed.

Patent Literature 2 discloses a technique for detecting anomalies in network traffic, which estimates a statistic in consideration of the periodicity of traffic, and sets a threshold value for determining anomalies that takes into account traffic fluctuations that occur in each period. there is

In Patent Document 3, a provisional baseline calculated based on past configuration information and performance values regarding an information system, and a baseline obtained by correcting the provisional baseline using a correlation value to correspond to the current information system. is used to monitor an information system.

Patent Literature 4 discloses a technique of storing a baseline for each piece of configuration information of an information system, and resetting the baseline corresponding to the post-change configuration information when a system change is detected.

As a related technique, Patent Document 5 discloses a technique for shortening the baseline generation period by using the performance values of a plurality of virtual processing units belonging to the same scaling group when generating the baseline. It is

JP-A-2004-164637 Japanese Patent Application Laid-Open No. 2008-311719 WO2013/069138 WO2011/125138 WO2017/168484

The information system may undergo system changes due to version upgrades and the like. In this case, the normal performance values of the information system may change, so it is desirable to reset the baseline according to the system change.

Patent Literatures 1, 2 and 5 do not disclose consideration of system changes in setting the baseline.

In the technique of Patent Document 3, a baseline is generated according to a system change, but in order to generate it, a system having configuration information similar to the configuration information after the system change must not have been operated in the past. must. Therefore, if a system having such configuration information has not been operated in the past, there is a possibility that an appropriate baseline cannot be generated.

In the technique disclosed in Patent Document 4, the baseline corresponding to the configuration information after the system change is stored in advance, or if it is not stored, the user needs to set an appropriate baseline. If you have a baseline in advance, you must have run a system with that configuration information in the past. When the user sets, depending on the experience of the user, the accuracy of monitoring may become unstable.

The present disclosure has been made in view of the above problems, and is mainly to provide an information processing device or the like that can continue highly accurate monitoring even when there is a system change in monitoring an information system. purpose.

An information processing apparatus according to an aspect of the present disclosure includes baseline generating means for generating a baseline used for detecting an abnormality in an information system based on performance values obtained from the information system, the baseline When the configuration of the information system is changed, the generation means generates a baseline based on the performance value in the configuration before the change, the performance value in the configuration after the change, and a weight, wherein the weight is , the performance value in the configuration before the change and the performance value in the configuration after the change indicate the ratio of contribution to the generation of the baseline, and the weight is the performance value in the configuration before the change and the second calculated value based on the performance value in the post-change configuration.

An information processing method according to an aspect of the present disclosure is a method for generating a baseline used for detecting an abnormality in an information system based on performance values obtained from the information system, wherein the configuration of the information system is changed, a baseline is generated based on the performance value in the configuration before the change, the performance value in the configuration after the change, and a weight, and the weight is the performance in the configuration before the change and the performance value in the configuration after the change indicate the ratio of contribution to the generation of the baseline, and the weight is a first calculated value based on the performance value in the configuration before the change; It is determined according to the difference from the second calculated value based on the performance value in the post-change configuration.

A program according to one aspect of the present disclosure causes a computer to execute a process of generating a baseline used for detecting an abnormality in an information system based on performance values obtained from the information system, and in the process of generating causing a computer to generate a baseline based on the performance value in the configuration before the change, the performance value in the configuration after the change, and a weight when the configuration of the information system is changed, the weight being , the performance value in the configuration before the change and the performance value in the configuration after the change indicate the ratio of contribution to the generation of the baseline, and the weight is calculated by a computer in the configuration before the change A determination is made according to the difference between the first calculated value based on the performance value and the second calculated value based on the performance value in the post-change configuration.

Advantageous Effects of Invention According to the present disclosure, in monitoring an information system, it is possible to obtain an effect that highly accurate monitoring can be continued even when there is a system change.

It is a block diagram showing an example of hardware constitutions of a computer device which realizes an information processor in each embodiment. It is a block diagram showing an example of composition of a surveillance system concerning a 1st embodiment. It is a figure which shows typically an example of the baseline in each embodiment. 1 is a block diagram showing an example of a functional configuration of an information processing apparatus according to a first embodiment; FIG. 4 is a flowchart for explaining the operation of the information processing apparatus according to the first embodiment; It is a block diagram which shows an example of a structure of the monitoring system concerning 2nd Embodiment. It is a figure which shows an example of a functional structure of the information processing apparatus concerning 2nd Embodiment. It is a figure which shows an example of the performance information table concerning 2nd Embodiment. It is a figure which shows an example of the structure change information table concerning 2nd Embodiment. FIG. 10 is a diagram showing an example of timings at which performance values are acquired according to the second embodiment; FIG. FIG. 10 is a diagram showing an example of timings at which performance values are acquired when the configuration is changed according to the second embodiment; It is a figure which shows an example of the baseline table concerning 2nd Embodiment. 9 is a flowchart for explaining the operation of a configuration information acquisition unit according to the second embodiment; 9 is a flowchart for explaining an operation related to abnormality detection of the information processing apparatus according to the second embodiment; FIG. 11 is a flowchart for explaining the operation of a baseline generation unit according to the second embodiment; FIG. It is a figure which shows an example of the baseline table updated concerning 2nd Embodiment. It is a figure which shows an example of the baseline table concerning the modification 2 of 2nd Embodiment. FIG. 14 is a diagram showing an example of the relationship between changes in configuration information of an information system and timings at which performance values are acquired, according to Modification 3 of the second embodiment;

<Hardware Configuration Example of Information Processing Device>
Hardware constituting the information processing apparatus according to the first and second embodiments described below will be described. FIG. 1 is a block diagram showing an example of a hardware configuration of a computer device that implements an information processing device according to each embodiment. Each block shown in FIG. 1 can be implemented by a computer device 10 that implements the information processing apparatus and information processing method in each embodiment, and a combination of software.

As shown in FIG. 1 , computer device 10 includes processor 11 , RAM (Random Access Memory) 12 , ROM (Read Only Memory) 13 , storage device 14 , input/output interface 15 , bus 16 , and drive device 17 .

The storage device 14 stores a program (computer program) 18 . The processor 11 uses the RAM 12 to execute a program 18 related to this information processing apparatus. Specifically, for example, the program 18 includes a program that causes a computer to execute the processes shown in FIG. 5 or FIGS. 12, 13, and 14. FIG. When the processor 11 executes the program 18, components of the information processing apparatus (baseline generation units 110 and 111, anomaly detection unit 120, performance information acquisition unit 130, and configuration information acquisition unit 140, which will be described later) ) is realized. In addition, the program 18 may be stored in the ROM 13 . The program 18 may be recorded on the recording medium 20 and read using the drive device 17, or may be transmitted from an external device (not shown) to the computer device 10 via a network (not shown).

The input/output interface 15 exchanges data with peripheral devices (keyboard, mouse, display device, etc.) 19 . The input/output interface 15 functions as means for acquiring or outputting data. A bus 16 connects each component.

Note that there are various modifications of the method for realizing the information processing apparatus. For example, the information processing device can be implemented as a dedicated device. Also, the information processing device can be realized based on a combination of a plurality of devices.

A processing method of recording a program for realizing each component in the function of each embodiment on a recording medium, reading the program recorded on the recording medium as a code, and executing it on a computer is also included in the scope of each embodiment. . That is, a computer-readable recording medium is also included in the scope of each embodiment. Moreover, the recording medium on which the above-described program is recorded and the program itself are also included in each embodiment.

The recording medium is, for example, a floppy (registered trademark) disk, hard disk, optical disk, magneto-optical disk, CD (Compact Disc)-ROM, magnetic tape, non-volatile memory card, or ROM, but is not limited to these examples. In addition, the program recorded on the recording medium is not limited to a program that executes processing by itself, but in cooperation with other software and functions of an expansion board, it runs on an OS (Operating System) to execute processing. A program for executing the program is also included in the category of each embodiment.

<First Embodiment>
Next, an overview of the information processing apparatus according to the first embodiment will be described.

FIG. 2 is a block diagram showing an example of the configuration of the monitoring system 1000. As shown in FIG. As shown in FIG. 2 , the monitoring system 1000 includes an information processing device 100 and an information system 200 . A monitoring system 1000 is a system that monitors the information system 200 . The information system 200 monitored by the monitoring system 1000 is not limited to one, and may be multiple.

The information system 200 is a system that can be upgraded and implements services by executing a program by a computing device (not shown). The information system 200 is communicably connected to the information processing apparatus 100 .

Based on the performance values of the information system 200, the information processing apparatus 100 generates a baseline indicating the permissible range of performance values. A performance value is, for example, a CPU usage rate or a memory usage amount when the information system 200 is in operation. Performance values are not limited to this example. The generated baseline is used to detect anomalies in the information system 200. FIG.
FIG. 3 is a diagram schematically showing an example of baselines. The baseline indicates the acceptable range of performance values. The vertical axis in FIG. 3 represents the performance value of the monitored object, and the horizontal axis represents time. The solid line graph is a graph representing the reference value of the baseline. The reference value is, for example, an average value, a median value, a mode value, or the like of the performance values of the monitored object obtained periodically. A dotted line graph is a graph obtained by adding or subtracting a predetermined value to or from the reference value. The predetermined value is a value based on the monitored performance value. In the example of FIG. 3, the magnitude of the predetermined value corresponds to the magnitude of h. The baseline indicates the range represented by d, ie the range between the two dashed graphs. Further, in the example of FIG. 3, when the performance value to be monitored is a value outside the range between the dotted line graphs, that is, the absolute value of the difference between the performance value to be monitored and the reference value is exceeded, a monitored anomaly is detected.

[Details of information processing device 100]
FIG. 4 is a block diagram showing an example of the functional configuration of the information processing apparatus 100. As shown in FIG. As shown in FIG. 4 , the information processing apparatus 100 includes a baseline generator 110 .

The baseline generation unit 110 generates a baseline used for detecting anomalies in the information system 200 based on performance values obtained from the information system 200 .

The baseline generation unit 110 generates performance values acquired before the configuration is changed (hereinafter also referred to as pre-change performance values) and performance values acquired after the configuration is changed (hereinafter also referred to as post-change performance values). ) is used to generate a baseline. At this time, when the configuration of the information system 200 is changed, the baseline generation unit 110 determines the ratio of the contribution of the pre-change performance value and the post-change performance value to the generation of the baseline. This ratio is called a weight. When determining the weight, the baseline generation unit 110 calculates or acquires a first calculated value based on the pre-change performance value and a second calculated value based on the post-change performance value. The weight is determined according to the difference from the calculated value of 2. This weighting causes the percentage of performance values obtained before the configuration change to contribute to the generation of the baseline to increase continuously or stepwise as the difference decreases. Also, as the difference increases, the proportion of the performance values obtained after the configuration is changed that influence the generation of the baseline increases continuously or stepwise.

Note that the first calculated value and the second calculated value may each be an average value, a median value, a mode value, or the like of performance values. Alternatively, the first calculated value may be a baseline reference value before the configuration is changed.

That is, when the configuration of the information system 200 is changed, the baseline generator 110 generates a baseline based on the pre-change performance value, the post-change performance value, and the weight. At this time, the weight indicates the ratio of the pre-change performance value or the post-change performance value contributing to the generation of the baseline, and the first calculated value based on the pre-change performance value and the second is determined according to the difference from the calculated value of

[Operation of information processing apparatus 100]
Next, the operation of the information processing device 100 will be described. The operation of the information processing apparatus 100 will be described below using the flowchart of FIG. In this specification, each step of the flowchart is expressed using a number attached to each step, such as "S101".

The baseline generator 110 determines whether or not the configuration of the information system 200 has been changed (S101). If the configuration of the information system 200 has been changed (“YES” in S101), the baseline generation unit 110 generates the first calculated value based on the pre-change performance value of the information system 200 and the post-change performance value of the information system 200. A weight is determined according to the difference from the second calculated value based on the value (S102).

The baseline generation unit 110 generates a baseline based on the performance values acquired before the configuration change, the performance values acquired after the configuration change, and the weights determined in the process of S102. (S103).

As described above, the information processing apparatus 100 according to the first embodiment generates a baseline based on the pre-change performance value, the post-change performance value, and the weight when the configuration of the information system 200 is changed. . At this time, the weight indicates the ratio of the pre-change performance value or the post-change performance value contributing to the generation of the baseline, and the first calculated value based on the pre-change performance value and the second is determined according to the difference from the calculated value of That is, the information processing apparatus 100 can determine the ratio of contribution of the pre-change performance value and the post-change performance value to the generation of the baseline according to the difference in the information before and after the configuration change. With this configuration, the information processing apparatus 100 according to the first embodiment has the effect of being able to continue highly accurate monitoring even when there is a system change in monitoring the information system.

<Second embodiment>
A monitoring system including an information processing apparatus according to the second embodiment will be described below.

FIG. 6 is a block diagram showing an example of the configuration of the monitoring system 1001 according to this embodiment. As shown in FIG. 6 , the monitoring system 1001 includes an information processing device 101 , an information system group 201 , a container management device 300 and a monitoring terminal 400 . The monitoring system 1001 is a system that monitors information systems included in the information system group 201 .

The information system group 201 includes information systems to be monitored by the monitoring system 1001 . In the example of FIG. 6, the information system group 201 has container instances 211-1 to 211-N (N is a natural number) as information systems. The container instances 211-1 to 211-N are virtual computing devices that implement information systems using container-type virtualization technology. Each of the container instances 211-1 through 211-N implements an information system by operating a program on the container instance. That is, in this embodiment, the objects to be monitored by the monitoring system 1001 are the container instances 211-1 to 211-N. Hereinafter, the container instances 211-1 through 211-N are also collectively referred to as the container instance 211. FIG.

Note that although there are a plurality of container instances 211 in the example of FIG. 6, the number of container instances 211 may be one. In addition, in this embodiment, an example in which an information system realized by using virtualization technology, particularly container-type virtualization technology is used as a monitoring target will be described, but the monitoring target is not limited to this. For example, the monitored object may be an information system implemented using host-type virtualization technology or hypervisor-type virtualization technology, or an information system implemented on a physical computing device that does not use virtualization technology. may be

The container management device 300 is communicably connected to the information processing device 101 and the information system group 201 . The container management device 300 manages each container instance 211 . The container management device 300, for example, starts, stops, and upgrades the container instance 211. FIG. Also, the container management device 300 transmits the configuration information of the container instance 211 to the information processing device 101 . At this time, the configuration information is changed or added according to the startup of the container instance 211, version upgrade, or the like.

The monitoring terminal 400 may be, for example, a personal computer or a device such as a smart phone or a tablet, and displays information based on notifications obtained from the information processing device 101 . A user of the monitoring system 1001 can view information about the monitoring system 1001 or operate the monitoring system 1001 using the monitoring terminal 400 .

The information processing device 101 is communicably connected to the information system group 201 , the container management device 300 , and the monitoring terminal 400 . The information processing apparatus 101 generates a baseline based on performance values of information systems included in the information system group 201 . The outline of the baseline generated by the information processing apparatus 101 is the same as the outline of the baseline described in the first embodiment.

[Details of information processing device 101]
FIG. 7 is a block diagram showing the functional configuration of the information processing apparatus 101 according to this embodiment. The information processing apparatus 101 includes a baseline generation unit 111 , an anomaly detection unit 120 , a performance information acquisition unit 130 , a configuration information acquisition unit 140 and a storage unit 150 .

The performance information acquisition unit 130 periodically acquires performance information from the container instance 211 to be monitored. Performance information is information including performance values of the information system. The performance information acquisition unit 130 stores the acquired performance information in the storage unit 150, for example, in the form of a performance information table. FIG. 8 is a diagram illustrating an example of a performance information table; In the example of FIG. 8, each record in the performance information table is associated with the time when the performance information was acquired, the image name of the information system, and the values of the CPU usage and memory usage, which are the performance values of the information system. It is For example, the record in the first row in the performance information table in FIG. (Mega Byte)”. In the present embodiment, an example in which CPU utilization and memory usage are used as performance value items (hereinafter referred to as “performance items”) will be described, but the performance items are not limited to this example.

The configuration information acquisition unit 140 acquires configuration information of each container instance 211 from the container management device 300 . Configuration information is information about the configuration of the information system. For example, the configuration information includes version information of the information system and the type of change. The configuration information acquisition unit 140 stores the acquired configuration information in the storage unit 150 in the form of a configuration change information table. FIG. 9 is a diagram illustrating an example of a configuration change information table; In the example of FIG. 9, each record in the configuration change information table includes the time when the configuration change was performed, the type of change, the image name of the information system, the version type after the configuration change, and the version before the configuration change. is associated with the version type of For example, the record in the first row in the configuration change information table in FIG. Indicates that the version has been upgraded. Also, the record in the third line indicates that "web server O" was newly constructed at "June 4, 2019, 21:00", and the version of web server O is "1.0". Hereinafter, the latest version after the configuration change is called the current version, and the version before the configuration change is called the old version.

When the baseline generation unit 111 receives a generation instruction to generate a baseline, the baseline generation unit 111 reads performance information acquired from the container instance 211 and configuration information of the information system realized by the container instance 211 from the storage unit 150 . . The baseline generator 111 generates a baseline based on the read performance information and configuration information. At this time, the baseline generator 111 generates a baseline for each performance item of each information system.

The generation instruction may be transmitted from the monitoring terminal 400 to the baseline generation unit 111 by a user's operation, or may be transmitted from an external device (not shown). Further, the information processing device 101, the container management device 300, or the monitoring terminal 400 may have a configuration for automatically transmitting a generation instruction to the baseline generation unit 111 at a predetermined timing.

Next, a method of generating a baseline in this embodiment will be described using mathematical expressions. First, a general baseline generation method will be described.
[Formula 1]

Formula 1 is an example of a general baseline calculation formula. x _i in Expression 1 represents the performance value obtained i times before, counting from the time point when the baseline generation unit 111 receives the generation instruction. That is, the performance value is periodically acquired by the performance information acquisition unit 130, and when i=1, _x1 represents the performance value acquired one time ago, that is, the latest performance value. X is the average of performance values obtained from the monitored information system within a predetermined period. Here, the predetermined period indicates a range from the time when the generation instruction is received to the time when the performance value is obtained n times before (n is a natural number). At this time, 1≤i≤n. In this embodiment, n is called a window size. Also, the period during which the performance information is acquired from the point of time when the generation instruction is received to the number of times before the window size is referred to as the period of the window size. FIG. 10A is a diagram showing an example of the timing of acquiring the performance value and the period of the window size. The horizontal axis represents time, and the scale represents the timing at which the performance value was acquired. As shown in FIG. 10A, the performance value acquired at the timing of i=1 is the latest performance value acquired one time before when the generation instruction was received. For example, if n=10, the period from i=1 to i=10 is the window size period. Here, X in the first term of Equation 1 is called a reference value. Also, the second term in Equation 1 is also expressed as 3σ. That is, the baseline ranges from X-3σ to X+3σ. In the example of FIG. 3, 3σ corresponds to h, and the range from X−3σ to X+3σ corresponds to d.

By the way, the configuration of the monitored information system may be changed within the period of the window size. In this embodiment, the baseline generator 111 has a function that takes this case into account. That is, the baseline generation unit 111 changes the calculation method of the reference value X (the first term in Equation 1) when the configuration of the information system is changed within the period of the window size.
[Formula 2]

Formula 2 is an example of a formula for calculating the reference value when the configuration of the information system to be monitored is changed within the period of the window size. X _old in Equation 2 indicates the baseline reference value before the configuration is changed. At this time, X _old may be the average value of the pre-change performance values. X _new indicates the average value of performance values after change. Also, n indicates the window size, and m indicates the number of post-change performance values. nm indicates the number of pre-change performance values. That is, Equation 2 represents the moving average of the performance values before and after the configuration change. Note that a period in which the performance value is obtained nm times before the configuration change is referred to as a first period. A period from when the configuration is changed until the performance value is acquired after m times is referred to as a second period. FIG. 10B is a diagram illustrating an example of the timing at which performance values are acquired, the first period, and the second period when the configuration is changed. In the example of FIG. 10B, n=10 and configuration changes between i=4 and i=5. The period from before the configuration change to i=10 is the first period, and the period from the configuration change to i=1 is the second period. At this time, the number of performance values acquired in the first period is six, and the number of performance values acquired in the second period is four. That is, m=4 and nm=6. Also, in the example of FIG. 10B, X _old is a baseline reference value generated using performance values x ₅ to x ₁₀ obtained before the time when the configuration was changed, that is, before i=5. be. X _new is the average value of the performance values x ₄ to x ₁ obtained from i=4 to i=1.
[Formula 3]

Formula 3 is an example of a calculation formula for calculating the reference value, which is characteristic of this embodiment. Formula 3 is a calculation formula obtained by multiplying Formula 2 by a weight P. More specifically, it is a formula obtained by multiplying the performance value acquired in the first period, that is, the part related to the pre-change performance value in Formula 2 by the weight P. Depending on the value of P, the ratio of contribution of the pre-change performance value and the post-change performance value to the desired reference value changes. In this embodiment, P is a value of 0 or more and 1 or less, but the upper limit and lower limit of P are not limited to this example. P is a number that approaches 1 as the difference between X _old and X _new decreases, and approaches 0 as the difference increases. For example, P is the probability that the performance value is less than (X _{old −} |X _old −X ^new |) and ₍ X _old + │X _old −X _new │) or more. Various existing methods may be used to calculate the respective probabilities.

The baseline generation unit 111 calculates a reference value using Equation 3 when the configuration of the information system to be monitored is changed within the period of the window size. For example, assuming that the window size is 80 and the number of performance values of the container instance 211 acquired in the post-change configuration is 30, Equation 3 is expressed as Equation 4 below.
[Formula 4]

Now assume that P was determined to be 0.2 based on the difference between X _old and X _new . In this case, the reference value is calculated by Equation 4 as shown in Equation 5 below.
[Formula 5]

In Equation 5, the proportion of X _old used to calculate the reference value is smaller than when Equation 2 is used, that is, the calculated reference value approaches X _new . As the difference between X _old and X _new widens, the post-change performance value is likely to approach X _new . Therefore, by increasing the ratio of X _new used for calculating the reference value according to the difference between X _old and X _new , the accuracy of the calculated reference value is increased. In other words, a reference value that is better suited to the configuration of the container instance 211 after modification is obtained.

Further, when the window size is 80, the number of performance values of the information system acquired in the configuration after the change is 30, the values of X _old and X _new are the same, and P is 1, Equation 3 gives , the reference value is calculated as in Equation 6 below.
[Formula 6]

In this case, since the reference value does not change before and after the configuration change, the baseline generation unit 111 uses the reference value calculated as described above and Equation 1 to regenerate the baseline in the configuration before the change. do.

In addition, if the moving average is used to calculate the reference value as described above, the ratio of X _old increases when many performance values after the change are not acquired, such as immediately after the configuration is changed. Therefore, even if the performance value obtained immediately after the configuration change temporarily deviates from the original value, the calculation of the reference value is not significantly affected, and highly accurate monitoring can be maintained.

In addition, the calculation formula of Numerical formula 3 mentioned above is an example. When calculating the baseline reference value, use the weight according to the difference between the calculated value based on the pre-change performance value (first calculated value) and the calculated value based on the post-change performance value (second calculated value) If so, the baseline reference value may be calculated using a formula different from Formula 3. For example, a formula obtained by multiplying the performance value obtained in the second period, that is, the portion related to the post-change performance value in Formula 2 by the weight P may be used. Moreover, the first calculated value and the second calculated value are not limited to the average value of the performance values, and may be the median value, the mode value, or the like.

After generating the baseline for each performance item of the information system as described above, the baseline generation unit 111 stores the generated baseline in the storage unit 150 . In this embodiment, the baseline generation unit 111 stores the generated baselines in the storage unit 150 in the form of a baseline table.

FIG. 11 is a diagram showing an example of a baseline table. In the example of FIG. 11, each record of the baseline table contains the image name of the information system implemented by the container instance 211, the type of the current version of the information system, the baseline for the CPU usage rate, and the memory usage amount. is associated with the baseline for For example, the record in the first row in the baseline table in FIG. It shows that the baseline is "255±3σ". Note that “3σ” indicates the second term of Equation 1.

The anomaly detection unit 120 detects an anomaly of the container instance 211 based on the performance information obtained from the container instance 211 and the baseline corresponding to the performance items of the information system implemented by the container instance 211 . For example, when the obtained performance value exceeds the range (baseline) from X−3σ to X+3σ, the abnormality detection unit 120 determines that an abnormality has occurred, and notifies the monitoring terminal 400 of the occurrence of the abnormality. to notify.

The storage unit 150 stores a performance information table, a configuration change information table, and a baseline table. A plurality of storage units 150 may be provided, and the performance information table, baseline table, and configuration change information table may be stored in different storage units 150 . Moreover, the storage unit 150 may be arranged outside the information processing apparatus 101 .

[Operation of information processing apparatus 101]
Next, the operation of the information processing apparatus 101 according to this embodiment will be described. The anomaly detection unit 120 of the information processing apparatus 101 in this embodiment determines whether or not the performance value included in the performance information acquired from the container instance 211 exceeds the allowable range indicated by the baseline. Then, when the performance value exceeds the allowable range, the abnormality detection unit 120 determines that an abnormality has occurred in the container instance 211 and notifies the monitoring terminal 400 of the occurrence of the abnormality. The baseline generation unit 111 of the information processing apparatus 101 according to the present embodiment generates the baseline used when determining whether the acquired performance value exceeds the allowable range indicated by the baseline within the period of the window size. The generation method is changed according to whether the configuration of the container instance has been changed.

The operation of the information processing apparatus 101 will be described below with reference to the flowcharts of FIGS. 12 to 14. FIG. In the operation described below, it is assumed that the storage unit 150 stores the performance information table shown in FIG. 8, the configuration change information table shown in FIG. 9, and the baseline table shown in FIG.

FIG. 12 is a flowchart for explaining the operation of the configuration information acquisition unit 140. As shown in FIG. When the configuration of any one of the container instances 211 is changed due to activation or version upgrade, the container management device 300 sends a notification including configuration information about the container instance 211 whose configuration has been changed to the configuration information acquisition unit 140. Send to The configuration information acquisition unit 140 receives a notification including configuration information of the container instance 211 from the container management device 300 (S201). The configuration information acquisition unit 140 stores the received configuration information in the storage unit 150 in the form of a configuration change information table. Here, for example, it is assumed that the configuration information acquisition unit 140 acquires the first row record of the configuration change information table shown in FIG.

FIG. 13 is a flowchart for explaining the operation related to abnormality detection of the information processing apparatus 101 . The performance information acquisition unit 130 periodically acquires performance information from each container instance 211 . Then, the performance information acquisition unit 130 stores the acquired performance information in the storage unit 150 in the form of a performance information table (S301). The baseline generation unit 111 determines whether or not a generation instruction has been notified (S302). If there is no generation instruction (“NO” in S302), the baseline generator 111 does not generate a new baseline.

When the generation instruction is notified (“YES” in S302), the baseline generation unit 111 generates a baseline based on the performance information table and the configuration change information table stored in the storage unit 150 (S303).

FIG. 14 is a flowchart for explaining the operation of the baseline generator 111 in the process of S303. The baseline generator 111 first reads the configuration change information table (S401). The baseline generation unit 111 determines whether or not the configuration information of the information system has been changed within the period of the window size. For example, in the configuration change information table of FIG. 9, "database A" is changed from version "1.0" to version "1.1" at "21:30 on June 4, 2019". Then, the baseline generation unit 111 reads the performance information table, and confirms the acquisition time of the performance information acquired before the window size number of times after receiving the generation instruction for the “database A”. At this time, if the acquisition time of the performance information is later than "June 4, 2019, 21:30", the baseline generation unit 111 determines that the configuration information has not been changed within the period of the window size. I judge.

If the configuration information has not been changed within the period of the window size ("NO" in S402), the performance values of the information system of the current version are used to generate a baseline based on Equation 1 (S403).

When the acquisition time of the performance information acquired before the number of times of the window size after the baseline generation unit 111 received the generation instruction is before "21:30 on June 4, 2019", the baseline generation unit 111 determines that the configuration information has been changed within the period of the window size. If the configuration information has been changed within the period of the window size ("YES" in S402), the baseline generation unit 111 first calculates a calculated value (second calculated value) is acquired (S404). For example, the baseline generator 111 calculates an average value of performance values acquired in the current version. The baseline generation unit 111 acquires the baseline reference value (first calculated value) of the old version (before change) within the period of the window size (S405). For example, the baseline table shown in FIG. 11 stores baselines for the old version (version 1.0) of "Database A". At this time, the baseline generation unit 111 acquires the reference value “44” from the baseline table for the baseline related to the CPU usage rate, and acquires the reference value 255 for the baseline related to the memory usage. Then, the baseline generator 111 calculates a weight according to the difference between the calculated value calculated in S404 and the reference value obtained in S405 (S406).

Next, the baseline generation unit 111 generates a baseline based on the performance values of the current version, the performance values of the old version, and the weights calculated in S406 within the period of the window size (S407). The baseline generation unit 111 stores the generated baseline in the storage unit 150 and updates the baseline table. FIG. 15 is a diagram illustrating an example of updated baselines. FIG. 15 stores a baseline for "Database A" of version "1.1".

Returning to FIG. 13, the abnormality detection unit 120 reads the baseline table from the storage unit 150 and determines whether the acquired performance value is abnormal (S304). Then, if the performance value is abnormal ("YES" in S304), the abnormality detection unit 120 notifies the monitoring terminal 400 that an abnormality has occurred (S305). For example, regarding “database A”, the anomaly detection unit 120 reads the baseline table shown in FIG. 14 and acquires the baseline of the current version of “database A”. When monitoring the performance value related to the CPU usage rate, the abnormality detection unit 120 determines that an abnormality has occurred when the acquired performance value is outside the range of 45−3σ to 45+3σ. If there is no abnormality in the performance value ("NO" in S305), the flow is terminated.

As described above, the information processing apparatus 101 according to the second embodiment generates a baseline based on the pre-change performance value, the post-change performance value, and the weight when the configuration of the information system is changed. At this time, the weight indicates the ratio of the pre-change performance value or the post-change performance value contributing to the generation of the baseline, and the first calculated value based on the pre-change performance value and the second is determined according to the difference from the calculated value of With this configuration, the information processing apparatus 101 can determine the ratio of the influence of the pre-change performance value and the post-change performance value on baseline generation according to the difference in information before and after the configuration change. Therefore, the information processing apparatus 101 according to the second embodiment has the effect of being able to continue highly accurate monitoring even when there is a system change in monitoring the information system.

[Modification 1]
An example in which the weight P is not used immediately after the configuration change when calculating the baseline reference value will be described.

For example, in the process of S402, even if the configuration information is updated within the period of the window size, the baseline generation unit 111 determines that the number of performance values acquired in the post-change configuration exceeds a predetermined number. Unless otherwise, the processes of S403 and S404 to S407 are not performed. At this time, the baseline generation unit 111 generates the baseline using the performance values (pre-change performance values) acquired in the old version. Then, when the configuration information is updated within the period of the window size and the number of performance values acquired in the post-change configuration is equal to or greater than a predetermined number, the baseline generation unit 111 performs process.

Note that the predetermined number according to Modification 1 is a predetermined constant value, but is not limited to this. For example, if the window size is also changed when the configuration of the information system is changed, the predetermined number may be a value that varies according to the changed window size.

In this way, when the number of performance values acquired in the post-change configuration is equal to or greater than a predetermined number, the baseline is generated using weights, so that the performance values immediately after the configuration change become unstable. Even if the performance value temporarily deviates from the original value during a period when it is likely to become, the influence of the value on the generation of the baseline reference value can be suppressed. That is, the information processing apparatus 101 according to this modification can generate a baseline more appropriately.

[Modification 2]
An example in which multiple baselines may be generated for an information system having the same configuration will be described. For example, the operating status of an information system may differ depending on the time of day. In such a case, baselines corresponding to a plurality of time periods with different operating conditions are generated.

FIG. 16 is a diagram showing an example of a baseline table when multiple baselines are generated for the same version of the information system. In FIG. 16, unlike the baseline table shown in FIG. 11, "timing" information is provided. Here, "timing" is information indicating the timing at which the performance value was acquired. The first line shows a baseline generated using performance values obtained at "21:00 on Monday" for "Database A" of version "1.0".

In S403 or S404 to S407, the baseline generation unit 111 according to Modification 2 acquires the pre-change performance value at a specific timing (for example, 21:00 on Monday before the time when the configuration is changed). The baseline is generated using the performance values that have been changed and the performance values after the change that are acquired at specific timings (for example, at 21:00 on Mondays after the time when the configuration was changed).

At this time, when determining whether or not the acquired performance value is abnormal, if the performance value is acquired at a specific timing, the abnormality detection unit 120 detects the baseline corresponding to the specific timing. use. In the example of FIG. 16 , when determining whether or not the performance value acquired at “21:00 on Monday” is abnormal, the abnormality detection unit 120 uses the baseline shown in the first row of the baseline table.

Although the day of the week and the time are used as an example of the specific timing, the timing is not limited to this example. The specific timing may be the date, for example.

As described above, in this modified example, a baseline is generated using performance values obtained at specific timings. Accordingly, the information processing apparatus 101 according to Modification 2 can generate a baseline corresponding to specific timing when the information system outputs a characteristic performance value at specific timing, for example. Lines can be generated better. The information processing apparatus 101 according to Modification 2 can select, for example, a baseline corresponding to the timing at which the performance value is acquired and monitor the information system, so that highly accurate monitoring can be performed. .

[Modification 3]
Information about the old version, such as the performance value and the first calculated value in the configuration of the old version, which is used for generating the baseline, does not have to be the version immediately before the current version.

FIG. 17 is a diagram illustrating an example of the relationship between changes in configuration information of an information system and timings at which performance values are acquired. The horizontal axis indicates time, and the scale indicates the timing at which the performance information acquisition unit 130 acquires the performance value. The arrows on the horizontal axis represent the period during which the information system was operating with each version. At this time, the information system has been changed from version 1.0 to version 1.1, and from version 1.1 to version 1.2. Version 1.2 is the current version in Variation 3.

When generating the baseline, the baseline generation unit 111 of the information processing apparatus 101 according to the third modification, for example, determines that the number of performance values acquired in the version immediately before the current version is a predetermined number. If the number is less than , use the performance value in the version two versions before the current version. In the example of FIG. 17, one performance value is acquired in version 1.1, which is the version immediately before the current version. Assuming that the predetermined number is 5, the number of performance values obtained in version 1.1 is less than the predetermined number. Therefore, if YES in the process of S402, the baseline generation unit 111 compares the performance values acquired in version 1.0 and the performance values acquired in version 1.2 instead of version 1.1. is used to generate the baseline.

Note that the predetermined number in Modification 3 may be a predetermined constant value, or may be a variable value such as the number of post-change performance values.

Also, the baseline generation unit 111 according to the third modification indicates that a certain percentage or more of the performance values obtained in the version immediately preceding the current version indicate abnormal values based on the baseline. In this case, the baseline may be generated using the performance values in the version two versions before the current version.

Note that the performance value used by the baseline generation unit 111 is not limited to the performance value in the version two versions before the current version. For example, when the versions one and two versions before the current version do not satisfy a predetermined condition (for example, when the number of performance values is less than a predetermined number), the baseline generation unit 111 generates three versions of the current version. Performance values in versions one or more versions earlier may be used.

In this way, when the configuration is changed, the information processing apparatus 101 according to Modification 3, according to whether or not the performance value acquired in the version immediately before the current version satisfies a predetermined condition, A baseline is generated using the performance values obtained in the current version and the performance values obtained two or more times before the current version. As a result, the information processing apparatus 101 can suppress the influence of the performance values on generation of the baseline of the version immediately before the current version when the performance values in the version immediately before the current version are not sufficiently acquired. can. That is, since a more appropriate baseline can be generated, the information processing apparatus 101 according to this modification can perform monitoring with higher accuracy.

The present disclosure has been described above with reference to the above-described embodiments. However, the disclosure is not limited to the embodiments described above. That is, within the scope of the present disclosure, various aspects that can be understood by those skilled in the art, such as various combinations and selections of the various disclosed elements described above, can be applied.

Reference Signs List 100, 101 information processing device 110, 111 baseline generation unit 120 anomaly detection unit 130 performance information acquisition unit 140 configuration information acquisition unit 200 information system 201 information system group 300 container management device 400 monitoring terminal 1000, 1001 monitoring system

Claims (9)

Baseline generation means for generating a baseline used for detecting anomalies in an information system based on performance values obtained from the information system,
The baseline generation means generates a baseline based on the performance value in the configuration before the change, the performance value in the configuration after the change, and a weight when the configuration of the information system is changed,
The weight indicates the ratio of the performance value in the configuration before the change and the performance value in the configuration after the change contributing to the generation of the baseline,
The weight is determined according to a difference between a first calculated value based on the performance value in the configuration before the change and a second calculated value based on the performance value in the configuration after the change,
Information processing equipment. The first calculated value is an average value of the performance values in the configuration before the change,
The second calculated value is an average value of the performance values in the configuration after the change,
The information processing device according to claim 1 . The baseline generating means is
The first calculated value based on the performance value obtained in the first period before the time when the configuration was changed, and the performance obtained in the second period after the time when the configuration was changed determining the weight according to the difference from the second calculated value based on the value;
generating the baseline based on the performance value obtained in the first period, the performance value obtained in the second period, and the weight;
The information processing apparatus according to claim 1 . further comprising performance information acquisition means for acquiring performance information including the performance value from the information system at a predetermined cycle;
When the configuration of the information system is changed and the number of performance values acquired in the second period is less than a predetermined number, the baseline generation means performs the generating the baseline based on performance values;
The information processing apparatus according to claim 3. The first calculated value is calculated based on the performance value acquired at each specific timing among the performance values in the configuration before the change,
The second calculated value is calculated based on the performance value obtained at each specific timing among the performance values in the configuration after the change,
The weight is determined according to the difference between the first calculated value and the second calculated value,
The baseline generating means obtains the performance value obtained at each specific timing among the performance values in the configuration before the change, and the performance value in the configuration after the change at each specific timing generating a baseline based on the performance values obtained in and the weights;
The information processing apparatus according to any one of claims 1 to 4. When the configuration of the information system is changed and the performance value in the configuration before the change does not satisfy a predetermined condition, the baseline generating means satisfies the predetermined condition, the information which satisfies the predetermined condition. generating the baseline using the performance value in the configuration before the system was changed even before the change as the performance value in the configuration before the change;
The information processing apparatus according to any one of claims 1 to 5. When the performance value is outside the allowable range indicated by the baseline, an abnormality of the information system is detected, and an external device communicably connected to the information processing device is notified of the detection of the abnormality. further comprising an anomaly detection means for
The information processing apparatus according to any one of claims 1 to 6. A method for generating a baseline used for detecting an abnormality in an information system based on performance values obtained from the information system,
when the configuration of the information system is changed, generating a baseline based on the performance value in the configuration before the change, the performance value in the configuration after the change, and a weight;
The weight indicates the ratio of the performance value in the configuration before the change and the performance value in the configuration after the change contributing to the generation of the baseline,
The weight is determined according to a difference between a first calculated value based on the performance value in the configuration before the change and a second calculated value based on the performance value in the configuration after the change,
Information processing methods. causing a computer to generate a baseline used for detecting abnormalities in an information system based on performance values obtained from the information system;
In the generating process, when the configuration of the information system is changed, the computer generates a baseline based on the performance value in the configuration before the change, the performance value in the configuration after the change, and a weight. let
The weight indicates the ratio of the performance value in the configuration before the change and the performance value in the configuration after the change contributing to the generation of the baseline,
determining the weight by a computer according to a difference between a first calculated value based on the performance value in the configuration before the change and a second calculated value based on the performance value in the configuration after the change;
program.

Images